It was bound to happen, and it always pays to be first: Who’s going to estimate how much damage MyDoom did?
Rob Rosenberger, editor of Vmyths, predicted it right: The winner is British security consultant mi2g, which reckons the damage will cost us all $38.5 billion. That’s a lot of cash. Vmyths is not impressed, dismissing it as ‘completely absurd’, and pointing to its previous reports on the company’s statements. Mi2g, it should be pointed out, has threatened to sue Vmyths in the past, so perhaps we’ll see a robust rebuttal.
I’m not able to explore how mi2g got their figure, since the full text of the report must be bought — for £29.38 including taxes — unless you’re a member of their Inner Sanctum (which costs £352.50 per quarter). Would buying that report be included in the estimated overall cost of MyDoom? (I did request a review copy, but my email to the form-based contact page bounced, ominously).
Reporters, Vmyths say, have already picked up the figure: It points to a report in The Web Host Industry Review, and adds it believes “major media outlets will fall like dominoes — mi2g’s declaration is simply too large for them to ignore”. Rob may be right, again: TechWeb have also picked it up, but so far nothing from the major agencies.
I have to agree with Rob that these kind of estimates are a bit too headline-grabbing to be useful. Anything with a figure in tends to be too much for a reporter to ignore. Mi2g, for its part, has been assiduously estimating the cost since it first appeared: $400 million on January 27, doubling later the same day, $3 billion the next day, before leaping to $19 billion the day after that.
Talking of which, I never got any further to establishing whether a figure of $55 billion attributed to a Trend Micro spokesman for the cost of viruses last year was real or an error (and if so, an error by the reporter or by Trend Micro). Funny how the PR people go to earth when they’re grappling with tricky questions.
I’m posting an email I’ve received from mi2g in response to this posting:
Thank you for your email which arrived safely (see below) despite the undeliverable bounce message you may have received per your comments in http://loosewire.typepad.com/blog/. Please accept our apologies.
As you know we have been estimating economic damages for hacker attacks, malware and digital risks for over five years and records go back to 1995. The initial estimates of MyDoom were small as you have correctly indicated in your article. In fact, most malware never makes it to $1 million in economic damages during its lifetime.
Our cyberliability insurance work for Lloyd’s of London syndicates – operating in business interruption, workers’ compensation as well as property and liability – over the past seven years has been the inspiration behind modelling computer crime and its impact. We calculate digital risk economic damage worldwide on the basis of overtime payments, contingency outsourcing, loss of business, bandwidth clogging, productivity erosion, management time reallocation, cost of recovery and software upgrades. This is then fed into our Economic Valuation Engine for Damage Analysis (EVEDA) model, which continues to be refined and fine-tuned for the insurance and reinsurance industry. The content indicators of the monthly reports can be accessed from here: http://www.mi2g.com/cgi/mi2g/sips.php
You may wish to review our FAQ: http://www.mi2g.com/cgi/mi2g/press/faq.pdf
We assess our conclusions against sampled evidence from private and publicly listed corporations; universities and schools; large and small government and non-government organisations; as well as home users that report online delays, congestion and email service disruption worldwide during a major malware epidemic, DDoS or hacker attack.
Loss adjusting and economic damage calculation is not an exact science at all but as a relative indicator it can work very well. We do feel that society consistently underestimates the reliance we have on computer networks and the level of damage that occurs on a global scale when disruptive events take place.
Regards
_____________________________________________________________________________
Jan Andresen
mi2g Intelligence Unit