Calculating Return: What Security Can Do for You

The cost to businesses from the SQL Slammer Worm ran into the billions of dollars, according to many analyst estimates. The 376-byte packet of code slowed network traffic to a crawl in January by forcing unpatched installations of Microsoft SQL Server 2000 to spew replicas of the worm over the Internet.

But even though malicious code is a constant threat, companies should not panic, says David Lawson of Greenwich Technology Partners in New York. Instead, they should define and establish reasonable levels of protection.

“An important first step is to evaluate risk accurately,” he says, “rather than responding willy-nilly to the threat du jour.”

Although benchmark costs taken from industry peers can be useful, nothing compares with having a record of one’s own. “It’s difficult to make a good budget or spending decision without actual facts,” Lawson says.

He developed a calculator that lets companies estimate how much incidents like SQL Slammer have cost them. The calculator then assesses how much loss a given level of security might have prevented.

The example shows the impact of a SQL Slammer attack on a global manufacturing company. Three levels of security are assessed: basic, in which a single person is responsible for identifying and installing required patches; intermediate, in which teams of staff are responsible for applying patches; and high end, in which the company uses a system that automatically checks for and applies patches.