2005 Malware Report: Executive Summary

Note: for more recent statistics, please see the extended description for our most recent Malware Report.

This Research Byte is an executive summary of our recent study, the 2005 Malware Report: The Impact of Malicious Code Attacks [purchase] which is based on interviews and surveys with approximately 150 end-user organizations and data gathered from IT security organization over the past year. This study serves as a source of statistics for developing the business case, budgets, and spending plans for antimalware initiatives.

Changing Nature of Malware Costs and Threats
As we look back at the malware trends of 2005, there is good news and bad news. The good news is that, from the perspective of economic impact, 2005 was the first time since 2002 that total worldwide financial losses from malware actually declined (Figure 1). The bad news is that the nature of malware (viruses, worms, trojans, spyware, adware, and other malicious code) is changing: from overt threats targeting operating system vulnerabilities and users generally, to more focused, covert attacks targeting specific companies or business sectors. In other words, the economic impact of malware is dropping—unless you are an organization or industry sector that is specifically being targeted.

A combination of factors are responsible for the estimated decline in 2005. First, companies have become more effective in hardening the network infrastructure. Second, antivirus and anti-malware vendors have continually engineered advances in security technology that have helped lessen the severity of traditional malware attacks. Third, the shifting focus of malware attacks from overt and generalized attacks on the Internet to covert and targeted attacks on specific companies and industries has lessened the cost impact on organizations in general while increasing it for those few organizations that, for whatever reason, are chosen as targets.

Our study also found that in 2005 the motivation of malware authors continued to shift from a general desire to inflict damage to an intent to gain financially, through theft of personal information such as credit card data or by gaining access to financial accounts.

Malware Event Costs by Major Category in 2005
Computer Economics reviews several cost aspects in analyzing a specific malware event. Organizations participating in our cost review are asked to associate cost damage information by several categories to help determine where the costs of a specific event had the most impact on their organization. The elements of malware financial impact include the following:

• The labor expense associated with analyzing, repairing, and cleansing of operating systems, applications, databases, networks, and machines.
   
• The procurement cost of tools (such as anti-virus and anti-malware software) required to assist technicians in performing the tasks listed above, as well as the costs of any products deployed to harden the environment as a direct result of a single or series of high profile attacks.
   
• The expenses associated with hiring consultants or contract personnel to assist in any of the tasks listed above.
   
• Loss of productivity, caused by the inability of employees to interact with systems affected by the attack.
   
• The potential and direct loss of revenues due to a denial of service (DOS) or a significant slowdown of services that are offered via the Internet or other electronic channels that may have been impacted.

According to our research, the most cost-intensive category in 2005 was “labor.” This is a shift from our 2004 study, which ranked “loss of business revenue” as the most costly category. Loss of revenue was ranked second in the 2005 study. The 2005 Malware Report: The Impact of Malicious Code Attacks [purchase] provides a detailed breakdown of each of the major categories in terms of percentage of total malware cost for 2005. 

The change in ranking is representative of the shift in the nature of malware attacks. As many companies have implemented IT security best-practices–including automated protection and removal of viruses, spyware, adware and other malware–the total economic impact of malware has actually dropped from the 2004 level. At the same time, more focused attacks result in infections that may require a greater manual effort to eradicate, especially as newer malware attacks are designed to leave the user’s computer running with the malicious code running in the background. In other words, there may be less direct loss of productivity or disruption of business but still significant labor required to address the threat and remediate infected system.

Furthermore, as the nature of malware attacks changes to covert attacks for financial gain, organizations that are specifically targeted are becoming less willing to disclose such incidents. This may be leading to an under-reporting of the category of “loss of business revenue.”

Treating Malware as a Crime
This shifting landscape is making the task of calculating worldwide cost estimates a much more challenging exercise. As mentioned, the hidden costs of targeted attacks may actually be driving overall cost damages much higher on an annual basis, but more data is needed to quantify these losses.

IT vendors have developed sophisticated tools to aid in the fight against malware and other cyber-crimes, and they are increasing their efforts to help minimize the threats posed by new criminal activities. Likewise, law enforcement agencies have become much more proactive in the fight against cyber-crime, and international cooperation has improved significantly over the past two years. This is not to say that security vendors and government agencies could not do more, but they are certainly stepping up their efforts and are heading in a positive direction.

Despite these efforts, the key to minimizing new malware-related threats will likely depend on a change in corporate philosophy regarding the disclosure of information surrounding targeted attacks. According to the latest CSI/FBI Computer Crime and Security Survey (released in July 2005), as much as 80% of all cyber-crime activity goes unreported Corporate executives need to realize that failure to involve law enforcement only encourages cyber-criminals in their efforts and leaves them free to operate against other businesses.

Until targeted organizations are willing to report such activity, it will be difficult for law enforcement to apprehend the criminals and break up the organizations that profit from such crimes.

January 2006

This Research Byte is an executive summary of our recent study, the 2005 Malware Report: The Impact of Malicious Code Attacks [purchase] which is widely referenced in the business press as a source of information regarding the worldwide economic impact of malware on business. Business and IT executives will find this study a valuable source of economic statistics for justifying new anti-malware initiatives.

Based on our interviews and surveys of IT security professionals in 2005, and data gathered from IT security organizations, the full study includes:

• Examples of targeted attacks on specific organizations that were publicized in 2005.
   
• An analysis of the financial impact of IT security incidents by type in 2005, including malware, spam, unauthorized access (by insiders and outsiders), misuse of network by insiders, financial theft/fraud, phishing/pharming, and theft of proprietary data.
   
• A breakdown of the costs of malware events in 2005 by cost category, including software tools, hardware tools, labor, consulting, lost business/revenue, non-productive employee time, and other costs. Costs are presented as a percent of the total cost.
   
• The average annual financial impact of malware per company in 2005, with data reported at the 25th percentile, median, and 75th percentile.
   
• A list of major malware attacks with the highest worldwide financial impact by year since 1999.
   
• The top ten all-time most costly malware attacks with worldwide estimated economic impact.
   
• The annual worldwide financial impact of malware by year, from 1995 to 2005. 

The 2005 Malware Report: The Impact of Malicious Code Attacks is available for purchase on our website at https://avasant.com/report/malware-report-the-impact-of-malicious-code-attacks-jan-2006/.

Please note that we also have a comprehensive report on the state of IT Security. Read the IT Security Study abstract now.