Virus Protection Program Cost Analysis
NOTE: Although this paper was originally issued in March, 1997, the pricing cost model and protection concepts remain valid. Because the study that acted as the foundation for this analysis was developed before costly network-aware viruses (worms such as Melissa and LoveLetter) existed, it is likely that these costs are underestimated. Since many of these viruses attack upon infection, the costs for Policy-Based and Periodic Scanning protections are likely to be significantly higher. Several incidents within the DOE and Federal community have acted as empirical examples of the various protection schemes and reinforced the validity of the paper's conclusions.
Introduction
In January, 1997, the National Computer Security Association (NCSA, now known as the ICSA, International Computer Security Association) published an article that provides a statistical model for computing the cost of virus encounters and various protections to an organization [NCSA Virus Lab, "Virus Costs vs. Various Protection Strategies", NCSA News, January, 1997, pp. 8-10]. It provides a basis for comparing the ultimate costs of implementing various protection programs, ranging from no policy to the ultimate strategy where policies are in place and supported by full-time monitoring programs. Although the complete model was not detailed in the article, general assumptions were defined, and these can be extrapolated to the DOE Headquarters environment to allow an analysis of the costs from computer viruses and the cost savings of the protective process that has been implemented by the Automated Systems Security Incident Support Team (ASSIST).
Does the NCSA provide a real-world model? While it is difficult to confirm the exact cost of a virus exposure, its estimate of the number of exposures per 1,000 PCs (30 per quarter) correlates very closely with the historical numbers at DOE Headquarters, which currently has approximately 6,000 PCs in everyday use. Based on these numbers, there should be approximately 180 exposures at Headquarters per quarter. In actuality, the average for the past 10 quarters (6/1/94 to 12/31/96) has been approximately 145 exposures (which the ASSIST calls "incidents"; see the table below), well within an acceptable range of the NCSA's numbers. Therefore, the NCSA's propositions concerning exposure rates correlate satisfactorily with the Headquarters environment, so we can assume that its other figures, including costs, also apply, and the study can be used to produce actual cost estimates for the Virus Protection Program.
| Quarter | Incidents | Quarter | Incidents | Quarter | Incidents |
| --- | --- | --- | --- | --- | --- |
| | | Q1,'95 | 116 | Q1,'96 | 137 |
| | | Q2,'95 | 212 | Q2,'96 | 152 |
| Q3,'94 | 115 | Q3,'95 | 168 | Q3,'96 | 133 |
| Q4,'94 | 220 | Q4,'95 | 104 | Q4,'96 | 95 |

Quarterly Virus Incidents, DOE Headquarters
Note that all costs in this paper are annual. The figures include the costs of support staff and end user time, loss of user productivity, and data loss or system support to recover the system. The data loss/recovery costs account for less than 10% of the total.
Protection Options
The NCSA study examined three major protection options:
- Policy-based (a written policy where users are "required" to scan all diskettes and files for viruses before use and to perform daily scans of their systems).
- Periodic scanning (where scans are performed automatically, perhaps during system initiation or network login).
- Full-time, background protection (where a real-time virus monitoring program, launched during system initiation, is active whenever the system is functional).
The ultimate baseline for all of these scenarios is a complete lack of protection.
Although, in theory, the number of exposures (attempted infections from external sources) remains constant for each of these scenarios, the results of the exposures will vary as the protections improve. Obviously, more viruses will be detected sooner with a monitor in effect, minimizing the potential for encounters (3 to 10 PCs infected) and disasters (11 or more PCs infected). The wider the propagation of the virus, the greater the cost of eradication and recovery. The NCSA developed cost averages for encounters and disasters, estimated the number of incidents that will occur for each scenario, and then used these to determine the total annual costs.
No Protection
Today, the computer virus threat is so pervasive that few organizations have no protection policies (although this is not as rare for small agencies and contractors). Nevertheless, the NCSA estimates that the total cost would be $1.84 million per year for every 1,000 PCs. At DOE Headquarters, this extrapolates to over $11 million annually, a significant expenditure.
| Cost of no protection program | $11,000,000 |
Policy-based Protection
Experience has shown that relying on users to provide their own protection is ineffective. Any procedure that is intrusive (such as requiring users to take diskettes to a special scanning station) or impinges on productivity (such as waiting for system scans to complete) eventually reaches a point where noncompliance is the rule, and the NCSA's model reflects that. Reliance on user actions for protection results in only 4 detections of the 30 exposures. Thirteen exposures will result in encounters (3-10 infected PCs), with the remainder leading to disasters, requiring significant resources to counteract. For the year, this approach would cost approximately $5 million at DOE Headquarters.
| Cost of policy-based protection only | $5,000,000 |
Periodic Scanning
As expected, implementing an automated scanning mechanism to ensure some degree of policy compliance increases the number of detections and reduces the number of encounters and disasters, with a corresponding reduction in costs. The article provides estimates for several thresholds:
| Percent of PCs scanned daily | Annual cost (for 6,000 PCs) (in millions) |
| --- | --- |
| 50% | $2.688 |
| 70% | $2.01 |
| 100% | $1.878 |
Because of the intrusiveness of scanning (where users may have to wait minutes for a scan to complete), experience has shown that users are likely to deactivate the process (either by eliminating the invocation from the AUTOEXEC.BAT file or escaping from the run). Therefore, the 70% threshold should be considered the best case scenario (with the 50% level being more realistic), and it will be used for further comparisons.
| Cost of periodic scan policy | $2,010,000 |
Full-time Monitoring
The use of a full-time monitoring program has numerous advantages that favor its use. In particular, it is the least intrusive to the user (unless a virus is detected). Therefore, users, who may not even know it is running, are unlikely to deactivate it once it is installed. It also minimizes the window of opportunity for a virus to spread, providing detection immediately upon attempted infiltration. As a result, encounters and especially disasters are virtually eliminated. Even if only 50% of user systems are protected by a monitor, the NCSA estimates that only 1 exposure in 10 will become an encounter. More importantly, only 1 exposure in 3000 will result in a disaster. The greater the degree of protection, the lower these numbers become, with corresponding reductions in costs. The NCSA provides four threshold figures:
| Percent of PCs monitored | Annual cost (for 6,000 PCs) |
| --- | --- |
| 30% | $864,000 |
| 50% | $330,000 |
| 80% | $78,000 |
| 100% | $62,400 |
At DOE Headquarters, we have managed to obtain almost universal monitoring protection against computer viruses. However, holes are occasionally found, so the 80% figure is used as the applicable number for this environment, although actual compliance is probably higher.
| Cost of full-time monitoring | $78,000 |
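The extrapolations the paper performs, collected in one place as an added example (not code from the DOE paper or the NCSA article): it scales the NCSA per-1,000-PC exposure rate and no-protection cost to the 6,000-PC Headquarters environment, checks the model against the quarterly incident table in the Introduction, and derives the per-quarter outcome counts implied by the Policy-based and Full-time Monitoring sections. All rates and costs are the ones quoted on this page; the function and constant names are my own.

```python
# Added example, not code from the DOE paper or the NCSA article. Every rate and
# cost below is quoted in the paper; the names and functions are assumptions.

# NCSA model inputs (per 1,000 PCs)
EXPOSURES_PER_1000_PER_QUARTER = 30
NO_PROTECTION_COST_PER_1000_PER_YEAR = 1_840_000  # USD

# Policy-based protection: fate of the 30 quarterly exposures per 1,000 PCs
POLICY_DETECTIONS = 4
POLICY_ENCOUNTERS = 13  # 3-10 PCs infected; the remainder become disasters (11+)

# Full-time monitoring on 50% of PCs: "1 exposure in 10" / "1 exposure in 3000"
MONITOR_50_ENCOUNTER_ONE_IN = 10
MONITOR_50_DISASTER_ONE_IN = 3000

# Quarterly incidents at DOE Headquarters, Q3'94 to Q4'96 (the paper's table)
HQ_QUARTERLY_INCIDENTS = {
    "Q3,'94": 115, "Q4,'94": 220,
    "Q1,'95": 116, "Q2,'95": 212, "Q3,'95": 168, "Q4,'95": 104,
    "Q1,'96": 137, "Q2,'96": 152, "Q3,'96": 133, "Q4,'96": 95,
}


def expected_exposures_per_quarter(pcs):
    """Scale the NCSA exposure rate to an organization with `pcs` machines."""
    return EXPOSURES_PER_1000_PER_QUARTER * pcs / 1000


def observed_quarterly_average(incidents):
    """Average of the observed quarterly incident counts (the paper's ~145)."""
    return sum(incidents.values()) / len(incidents)


def scale_annual_cost(cost_per_1000, pcs):
    """Extrapolate an NCSA per-1,000-PC annual cost to `pcs` machines."""
    return cost_per_1000 * pcs / 1000


def policy_based_outcomes(pcs):
    """Per-quarter detections/encounters/disasters under policy-only protection."""
    scale = pcs / 1000
    disasters = EXPOSURES_PER_1000_PER_QUARTER - POLICY_DETECTIONS - POLICY_ENCOUNTERS
    return {"detections": POLICY_DETECTIONS * scale,
            "encounters": POLICY_ENCOUNTERS * scale,
            "disasters": disasters * scale}


def monitored_outcomes(pcs):
    """Per-quarter encounters/disasters with full-time monitoring on 50% of PCs."""
    exposures = expected_exposures_per_quarter(pcs)
    return {"encounters": exposures / MONITOR_50_ENCOUNTER_ONE_IN,
            "disasters": exposures / MONITOR_50_DISASTER_ONE_IN}
```

For 6,000 PCs the functions return 180 expected exposures per quarter against an observed average of 145.2, an $11.04 million no-protection cost, 24/78/78 detections/encounters/disasters per quarter under policy-only protection, and 18 encounters but only 0.06 disasters per quarter with 50% monitoring.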
Other Protections
From the outset, the ASSIST has propounded a philosophy that "protection starts at the desktop," and this is confirmed by the NCSA study. "Viruses infect desktop PCs, not servers. There are many routes to desktop PCs which circumvent servers, and many ways through servers that would circumvent most server-based protections." In particular, boot sector viruses, the most predominant kind, cannot infect or propagate through servers. In addition, "putting virus protection in a Web browser has emotional appeal, but the great majority of viruses do not get to the desktop PCs via browsing and are not likely to in the near future." The same holds true for e-mail and firewall protections. "In fact, it is easy to show that placing anti-virus [packages] full-time in the background...is many-fold better, in terms of cost reduction, than placing full-time protection in all browsers, firewalls, e-mail systems, and servers combined!"
Conclusions
The article summarizes the philosophy that has driven the ASSIST since its formation (as the DOE Headquarters CERT) in 1992:
"If your organizational approach to computer viruses is haphazard and mostly reactive, [then] viruses cost a lot. If your approach is reasonably proactive, then the computer virus problem can be among the least costly of all computer security problems you will face at your organization."
This is proven by the projected costs of improved protections. The following table provides a cost comparison for the various protection options that can be implemented at DOE Headquarters.
| Option | Annual cost (for 6,000 PCs) |
| --- | --- |
| No Protection | $11,000,000 |
| Policy-only | $5,000,000 |
| Periodic Scanning | $2,010,000 |
| Full-time Monitoring | $78,000 |
Based on the NCSA model, the conclusion is definitive. "The single most important thing an organization can do to address the virus problem is to maximize the use of desktop-based, full-time, background protection... Focusing on increasing the number of desktop PCs with full-time background protection is far more effective (in terms of total cost reduction) than any other thing a security manager can do to combat the virus problem." This has been the heart of the Headquarters virus protection program from the outset.
While the Headquarters environment has embraced this philosophy (going so far as to develop its own anti-viral monitor to provide the necessary protective shield), there remain other DOE sites and contractors that persist in maintaining less effective policies. The NCSA study provides a means of educating security managers about the benefits of expanded protections, even though the cost of software and implementation (which is not included in the annual numbers) may seem daunting at first.
The threat, and its costs, also justify the proactive efforts of the DOE Headquarters ASSIST, which performs many functions beyond simple virus response. Its continual review of virus threats to DOE resources has allowed DOE to address problems early, preventing potential disasters. Although operating with a budget of less than $200,000, it has been instrumental in the implementation of the current virus protection program, the benefits of which are now being borne out by the NCSA study. It has taken significant steps to educate DOE staff and users about the virus threat, and it has coordinated the implementation of new and improved anti-viral software at DOE Headquarters, providing guidance across organizational lines to reduce duplication of effort and ensure the realization of the most effective policies and procedures.
Last Reviewed: 3/24/2008