Truth About Computer Security Hysteria
Show me the virus metrics!
Rob Rosenberger, Vmyths co-founder
Monday, 27 September 1999
Let's say viruses got big in 1986, and let's say the web got big in 1996. Time for a simple comparison.
Website metric utilities grew immensely popular in the last three years. Immensely popular. Corporate webmasters log every visit and generate all kinds of reports for their bosses. They can tell how many people visited on a given day, how many pages they viewed, how much e-commerce it generated, and so on. They pay big bucks for web traffic analysis tools with eye-popping charts & graphs. Webmasters archive their log files for posterity, too.
Compare this to virus metric utilities, which don't exist. (Technically, we shouldn't call this a "comparison.") Viruses got big ten years before the web came along, yet virus fighters can't generate a single chart for their bosses.
Sure, antivirus software keeps an activity log, but most programs limit the file size by default. Old data gets overwritten just so it won't fill up your hard disk. Nobody really bothers to store this data for posterity. Why should they? No virus metric utilities exist.
Webmasters can analyze web visits three years after the web got big. Virus fighters cannot analyze virus detections thirteen years after viruses got big. Doesn't this seem odd?
Virus fighters sometimes fall prey to urban legends because little or no evidence exists to contradict those legends. You might actually hear a computer security expert spout "generally accepted facts" such as:
It gets worse. Do you know about the annual "ICSA Virus Prevalence Survey"? Computer security experts treat it as the Gospel. However, it relies entirely on input submitted by — you guessed it — virus fighters. How can these respondents support the claims they make?
This problem stretches all the way to the White House, if you can believe it. A 1997 presidential report declared viruses a serious threat without producing a single metric to back up the claim. I myself attacked the report for this reason. Still, President Clinton wants to spend more tax dollars on a threat he can't document.
First, CIOs don't expect computer security managers to produce virus metrics. They probably wouldn't even know what to do with such a report (at least not at first).
Second, computer security personnel like to tell anecdotes. "Why, my folks removed a virus from the CFO's computer just last week..." Then they follow it up with a worst-case scenario: "you know full well what would happen if a virus exposed the CFO's bonus recommendations for next year..."
Third, virus fighters cite national & international "surveys" like the ICSA Virus Prevalence Survey. (See above.)
Fourth — when cornered — virus fighters can generate reports from technician support products, e.g. Remedy or Magic Help Desk. Those packages do contain some virus-related data, but they don't contain enough. For example, they don't count viruses detected on file servers or stopped at the email gateway. On top of this, they don't produce reports specifically geared toward virus metrics.
Then, of course, we get into the same problems of unreliable data. Many "virus" support tickets have nothing at all to do with viruses, while many "non-virus" support tickets uncover viruses. Technicians notoriously fail to enter detailed descriptions when they handle a help desk ticket. (No offense to technicians! Their budgets & salaries seldom give them flexibility to keep PCs running smoothly.) If a "virus report" comes from a technician support product, it's probably not a real virus report.
Schrader admits the eDoctor reports don't match up to a webmaster tool like WebTrends. Still, I believe it qualifies as an excellent start. I can't wait for other vendors to follow with their own report modules. God knows we need them.
Unfortunately, we'll never truly know what happened in the last thirteen years of virus attacks. We lost the most valuable data of all — the beginning. Shameful.
You know what upsets me the most? We didn't lose all of this data because of a virus...