[ISN] Texas University Calculates Financial Benefits Of Its Spam, Virus Defenses

From: InfoSec News (isn@private)
Date: Fri Oct 31 2003 - 01:06:58 PST

    Forwarded from: Richard Caasi <caasi@private>
    
    http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=15600902&_loopback=1
    
    By Bob Violino
    Secure Enterprise
    October 29, 2003
    
    When Lew Wagner, chief information security officer of the M.D.
    Anderson Cancer Center at the University of Texas, began to build a
    business case for investing hundreds of thousands of dollars in
    technology to help thwart spam and viruses, he took it a step further
    than most IT shops. Realizing that calculating the value of reduced
    risk is a murky arena often riddled with holes and question marks,
    Wagner sought concrete return-on-investment metrics to boost his
    argument.
    
    "The ROI perspective comes from the fact that if you have impact
    against your IT and network resources, it results in downtime and lost
    ability to get things done," Wagner says.
    
    Spam has been particularly costly. Wagner says the hospital and
    research institution's 13,000 employees would have received up to
    25,000 spam messages per day had it not been for a spam-prevention
    service implemented earlier this year. In June alone, the service
    detected and blocked enough spam to account for more than half of all
    the messages received.
    
    Wagner says spam threatened not only network performance but also
    worker productivity. He estimates that it costs the medical center $1
    for each unwanted mail message that gets through to users' computers.
    He figures the Houston medical center receives about 620,000 spam
    messages during an average month, so successfully blocking them would
    theoretically free up $620,000 for other activities.
    
    Wagner's figures are derived from independent studies on the cost of
    cleanup and the center's own experience.
    
    "We know we've been hit a certain number of times in the past," Wagner
    says. "We know we will have so many virus and service attacks, and we
    know how much it costs to fight them."
    
    Crunching The Numbers
    
    Analysts are mixed on whether Wagner's cost-per-spam figure overstates
    the problem. Chris Williams, an analyst at Ferris Research, says users
    don't spend enough time clearing their inboxes to warrant such a high
    estimate. Still, he doesn't dispute that spam is a costly problem.
    Spam will cost U.S. businesses $10 billion in 2003--the result of
    lower productivity, loss of legitimate messages and the need for
    increased bandwidth and storage, according to Williams' research.
    
    The $1-per-spam estimate may represent the far right of the spectrum,
    but it's conceivable, says analyst Rebecca Wettemann of Nucleus
    Research.
    
    Spam costs U.S. companies $874 per employee per year in lost
    productivity, based on hourly pay of $30 and a work year of 2,080
    hours, according to a recent Nucleus report. "There are a number of
    factors involved with spam, and the impact is different for every
    organization," Wettemann says.
    
    Virus Attacks
    
    Viruses are also a major problem for M.D. Anderson, which at one time
    was being bombarded by at least one serious virus attack--Klez,
    MyParty.com and Nimda, for instance--every month. Based on what it
    cost to clean up the Nimda outbreak in September 2001, Wagner
    estimates virus-cleanup costs at roughly $1 million per outbreak.
    
    "We knew that if we could stop spam and viruses from coming into our
    network, we could free up money for research on new cancer-fighting
    drugs, to treat more patients, and for revenue-generating purposes and
    new projects," Wagner says.
    
    Preventing the losses was part of Wagner's business case for buying
    security products, such as network- and server-level antivirus and
    antispam software from Trend Micro and a Web-based vulnerability-
    detection tool called WebInspect from SPIDynamics.
    
    The Trend Micro antivirus package, which cost $150,000 plus $20,000 in
    annual maintenance fees, is stopping thousands of viruses each month
    from reaching the medical center's computers, Wagner says.
    
    "I could tell the CFO that we were freeing up $12 million with a
    $150,000 investment," Wagner says. "We are in a sense creating revenue
    by freeing up money that would have been otherwise wasted. That's a
    very compelling ROI argument."
    
    [...]
    
    
    
    