On Thu, 15 Jul 2004, Dave Dennis wrote:
> Tell them that every time they click on that thing, it costs $1000 to disinfect the LAN and keep the firewall up to date.
Sean quoted some numbers some time ago for 'average cost of virus outbreak per enterprise'. I don't recall the specifics, but they were staggeringly high... On a whim/notecard, let's try this:

1) enterprise network with 10,000 user systems (we'll assume no 'servers' got/get infected in this fictitious dreamland of an example)
2) 1 user clicks attachment and gets <pick your flavor of email trojan/virus> which spreads to 50% of the user PCs before action is started to clean them.
3) assume a 'large' infosec/helpdesk group: 20 people
4) assume average cost per sec/help employee at 100,000/yr (including benefits+OT for this incident)
5) assume all other sec/help work stops to stem the virus flow
6) assume it takes 1 day (complete 14 hour day) to cleanse the bad machines (5k machines, which is 5000/20/14 = 17.8 machines/person/hour, or 3.3 mins to clean each machine and move to the next machine... 'lightning fast staff'!)
7) So for 1 day we tied up 20 people for 14 hours: 100000/1880*8*20 + 100000/1880*6*20*2 = $21276.60

That accounts ONLY for the sec/help people to do their 14 hours/person of work (assuming 2x normal OT rate; count that out and it's still: $14893.62)

Now, keep in mind that during this 14 hours the following other things did NOT happen:
1) 5000 people doing their normal job due to their PC being dead
2) 20 sec/help people NOT doing their normal work
3) 1 exec still happily playing solitaire...

These calculations are 'back of the irc-bot' calculations, and do leave some things out... for instance server outages due to virus infections, service outages due to network outages, lost revenue due to service outages or lack of capacity to manage customer requests/complaints/orders/blah...

These events are highly costly; no matter how many times we make this argument, it's not clear that anyone that should be listening IS listening. Often the resulting response is: "Well, buy more/better virus protection software!" (from the same clicker-of-attachments) or "Shouldn't our AV have caught this?" AV is but one part of the equation; user education and consequences are some of the other part(s).
> Caveat: have yet to actually try this approach, but seems like it would have a chance at least.

You'd sure think it would; sadly, it doesn't seem to...
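The back-of-the-envelope model in the reply above, as an added example that is not part of the original thread: it reproduces the post's arithmetic (20 responders at $100,000/yr over 1,880 working hours, a 14-hour day split into 8 regular and 6 overtime hours at 2x) in a parameterised form so the numbers can be swapped for your own environment. The `lost_user_productivity` term is an assumption of mine (the post explicitly leaves it out), and the `user_annual_cost` and `downtime_hours` parameters are hypothetical.

```python
"""Back-of-the-envelope virus-outbreak cost model.

Added example; not the original poster's code. Defaults reproduce the
figures in the post: 10,000 PCs, 50% infected, 20 responders, $100k/yr
each at 1,880 hours/yr, a 14-hour cleanup day (8 regular + 6 OT at 2x).
"""

from dataclasses import dataclass

HOURS_PER_YEAR = 1880  # working hours per year, as used in the post


@dataclass
class Outbreak:
    total_pcs: int = 10_000
    infected_fraction: float = 0.5
    responders: int = 20
    responder_annual_cost: float = 100_000.0
    regular_hours: float = 8
    overtime_hours: float = 6
    overtime_multiplier: float = 2.0

    @property
    def infected_pcs(self) -> int:
        return int(self.total_pcs * self.infected_fraction)

    @property
    def hourly_rate(self) -> float:
        """Loaded hourly cost of one responder."""
        return self.responder_annual_cost / HOURS_PER_YEAR

    @property
    def day_length(self) -> float:
        return self.regular_hours + self.overtime_hours

    def machines_per_person_hour(self) -> float:
        """How fast each responder must clean boxes to finish in one day."""
        return self.infected_pcs / self.responders / self.day_length

    def minutes_per_machine(self) -> float:
        return 60.0 / self.machines_per_person_hour()

    def responder_cost(self, pay_overtime: bool = True) -> float:
        """Cost of the sec/help team for the cleanup day only.

        pay_overtime=False gives the post's 'count that out' figure.
        """
        ot = self.overtime_multiplier if pay_overtime else 1.0
        regular = self.hourly_rate * self.regular_hours * self.responders
        overtime = self.hourly_rate * self.overtime_hours * self.responders * ot
        return round(regular + overtime, 2)

    def lost_user_productivity(self, user_annual_cost: float, downtime_hours: float) -> float:
        """ASSUMPTION (not in the post): value of the work the infected
        users did not do while their PCs were dead. Parameters are
        hypothetical; the post only notes this cost was omitted."""
        per_hour = user_annual_cost / HOURS_PER_YEAR
        return round(per_hour * downtime_hours * self.infected_pcs, 2)


if __name__ == "__main__":
    o = Outbreak()
    print(f"infected PCs:            {o.infected_pcs}")
    print(f"machines/person/hour:    {o.machines_per_person_hour():.1f}")
    print(f"minutes per machine:     {o.minutes_per_machine():.1f}")
    print(f"responder cost (w/ OT):  ${o.responder_cost():,.2f}")
    print(f"responder cost (no OT):  ${o.responder_cost(pay_overtime=False):,.2f}")
    # Hypothetical: users cost $60k/yr loaded and lose the whole 14-hour day.
    print(f"lost user productivity:  ${o.lost_user_productivity(60_000, o.day_length):,.2f}")
```

The point the model makes visible is that the responder salary line the post works out is dwarfed by the term it leaves out: even at a modest loaded cost per user, 5,000 idle seats for a day is two orders of magnitude larger than the cleanup crew's bill.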