Declining cost of malware attacks?

[nihil]

This is rather interesting, apparently the annual cost of corporate malware attacks has been declining over the past couple of years:

Story:

http://home.businesswire.com/portal/...00639&vnsId=41

I guess this is in line with the reported change of emphasis by malware authors from disruptive to commercial gain?

I also suspect that the drop of $4.5 billion is more than made up for by the increase in computer based fraud

[MrLinus]

Is it more that perhaps fewer corporations are reporting it? Bad news can have an adverse affect on stock market and company confidence. I'm still curious as to what the CSI/FBI survey will say this year when it's released.

[nihil]

Yes, that is a thought, but I think that the way these incidents are reported has some influence?

Traditional malware attacks don't seem to get reported by specific victim. That is usually DoS attacks, frauds, server compromises and leaking customer confidential information. Certainly not good for your corporate or institutional image.

Here is Kaspersky's analysis of what was going the rounds for May 2007:

http://www.kaspersky.com/news?id=207575528

Mostly worms and trojans it would seem?

[MrLinus]

So perhaps changing the kind of attacks or how they are detected? What was once malware is now a trojan?

[nihil]

I actually believe that there has been a shift in direction in the "malware industry". We don't seem to have the disruptive/destructive items that we used to get.

Today it seems to be more about building bot armies, delivering adware, harvesting passwords, credit card details account details and the like.

The malware tries to stay hidden to retain control of the victim which can then be used for all sorts of nefarious activities?

I can certainly remember the days when skiddies would brag about having a bot army of several hundred machines. From what I read, todays bot herders have armies of tens of thousands?

Sure, it still costs to clean up a corporate or institutional network, but I think that the decline of almost 25% in reported costs is partly explained by the lack of purely destructive items.

I suspect that another factor is that a lot of the stuff we are seeing is not new, but is a variant on an existing malware. I would expect generic detection to be reasonably effective against those, and that larger users would have that in place and up to date?

Perhaps the bad guys are playing the numbers game? It may take more effort to infect 2,000 private, home network and small business systems, but if you infect a 2,000 seat corporate environment, as soon as you are detected you lose the lot?

Also, the figures could be misleading, as they are almost certainly from larger users. The costs of small and home users are probably not collected or reported.

[nihil]

It is the result of a survey then extrapolated:

http://www.computereconomics.com/

These surveys are anonymous so I don't think that there is a particular incentive to hush things up. Come to think of it, you don't hear about particular institutions being hit by viruses............. only about frauds?

[nihil]

Remember that the bank or CC company often have to pick up the tab, or they get fined:

http://www.fsa.gov.uk/pages/Library/...2007/060.shtml

[brokencrow]

Consider the source...

http://en.wikipedia.org/wiki/Computer_Economics

...I wonder who they're in bed with.

Depending on who's picking up the tab, sometimes it pays well to
paint things as "a bright, shiny lie."

[nihil]

Hmmmm,

They have been around for almost 30 years and claim:

The firm does not accept research sponsorships from technology vendors.

As for bright shiny lies, I don't really buy that. $13 billion is better than $17.5 billion, but it is still one hell of a lot?

The concept does seem to be supported by reports from security product vendors, security bodies and law enforcement agencies as well.

I do wonder about the costings myself, based on what I see "hackers" being accused of. Like I have a security incident and I bring in consultants, new processes, new procedures, new hardware, new software, additional staff training.............. and I claim that is all a "cost" of the incident?

In reality most of the cost is money I should have spent up front preventing the incident in the first place.

"Trust me, I am a creative accountant"