Money for Nothing: The Real Cost of Malware

Updated: April 30, 2009

Viruses, Trojan horses and other types of malware are worthless, but they most certainly affect your company's bottom line. The cost of anti-malware tools and measures, combined with the loss of productivity that occurs when security technologies fail to halt an attack, can amount to big bucks. Technology research firm Computer Economics Inc. reports that malware damages worldwide in 2006 totaled $13.3 billion. That's bad news, of course, but just how many dollars is malware costing your business?

You may feel that malware's cost is inestimable. But it actually can be quantified through some straightforward analysis. Here's what to factor into the equation.

Assign values. You need to assign a value to your company's data. Determine how much it would cost to restore or re-create different types of lost information. Some types of data, such as sales records, tax information and contact information, will be relatively easy to restore (at least if you regularly back up data). Other kinds of information, including sales data and email received since the last backup, will be much more difficult to reassemble (if it can be done at all). In any case, try to place a dollar figure on the cost of recently received information. (Remember: The more often you back up data, the lower this cost will be.)

Estimate the loss potential. Determine the cost of recovering from a malware attack, including lost productivity and IT staff time. You also need to include revenues that were lost due to systems that were compromised by an attack. Additionally, factor in the potential cost of fines and penalties for violating confidentiality and privacy agreements by allowing the disclosure of sensitive information during a security breach. By estimating these amounts, you can determine the SLE (single loss expectancy) — in other words, the expense of recovering from a single attack.

Determine the risk potential. Now you have to figure out the potential for a malware attack. If, based on past experience, you estimate that your business suffers a significant malware attack approximately once per year, your business has an ALE (annual loss expectancy) that equals the cost of that single attack. If you estimate two attacks per year, the ALE doubles. In any event, multiplying the SLE by the estimated number of attacks per year gives the ALE, the dollar amount that malware is costing your business each year.

Begin planning your anti-malware budget. The ALE will give you a rough idea of the maximum amount you should spend on malware countermeasures. Many companies may wish to spend far less, however. That's because there are situations in which businesses are willing to accept a higher malware risk, either because the likelihood of an attack is so low or the cost of mitigating the risk is so high. Alternatively, an organization could mitigate the risk by purchasing insurance.
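The four steps above, worked through as an added example (not part of the original article). All dollar figures and field names are constructed, and the data re-creation term assumes an attack lands at a random point between backups, so on average half a backup interval of data is lost.

```python
from dataclasses import dataclass

@dataclass
class IncidentCosts:
    """Constructed per-incident inputs, in dollars and hours."""
    it_staff_hours: float       # IT time spent on cleanup and restore
    it_hourly_rate: float
    idle_staff_hours: float     # lost productivity across affected staff
    staff_hourly_cost: float
    lost_revenue: float         # revenue lost while systems are down
    fines_and_penalties: float  # confidentiality/privacy violations
    data_value_per_day: float   # cost to re-create one day of new data

def single_loss_expectancy(c: IncidentCosts, backup_interval_days: float) -> float:
    """SLE: the expense of recovering from one attack."""
    # Assumption: expected un-backed-up data is half the backup interval.
    data_recreation = c.data_value_per_day * backup_interval_days / 2
    recovery = (c.it_staff_hours * c.it_hourly_rate
                + c.idle_staff_hours * c.staff_hourly_cost)
    return recovery + c.lost_revenue + c.fines_and_penalties + data_recreation

def annual_loss_expectancy(sle: float, attacks_per_year: float) -> float:
    """ALE: SLE times the estimated number of attacks per year."""
    return sle * attacks_per_year

def within_budget_ceiling(planned_spend: float, ale: float) -> bool:
    """The ALE is the rough maximum worth spending on countermeasures."""
    return planned_spend <= ale

def backup_saving(c: IncidentCosts, attacks_per_year: float,
                  old_interval: float, new_interval: float) -> float:
    """Yearly ALE reduction from backing up more often."""
    old = annual_loss_expectancy(single_loss_expectancy(c, old_interval), attacks_per_year)
    new = annual_loss_expectancy(single_loss_expectancy(c, new_interval), attacks_per_year)
    return old - new

# Constructed sample business: two significant attacks per year.
SAMPLE = IncidentCosts(40, 75, 200, 40, 12_000, 5_000, 1_000)

if __name__ == "__main__":
    sle = single_loss_expectancy(SAMPLE, backup_interval_days=7)
    ale = annual_loss_expectancy(sle, attacks_per_year=2)
    print(f"SLE ${sle:,.0f}  ALE ${ale:,.0f}")
    print("Planned $70,000 spend under ceiling:", within_budget_ceiling(70_000, ale))
    print(f"Weekly -> daily backups saves ${backup_saving(SAMPLE, 2, 7, 1):,.0f}/yr")
```

Changing `backup_interval_days` shows the article's point that more frequent backups lower the data term, and with it the SLE and the ALE.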

Knowing how much malware is costing your business can be an invaluable tool for setting security budgets and determining whether particular anti-malware technologies and methodologies are pulling their weight.
