Last year's direct damage attributed to malware totaled US$13.3 billion globally, down from US$14.2 billion in 2005 and US$17.5 in 2004, according to the report, "The Economic Impact of Viruses, Spyware, Adware, Botnets, and Other Malicious Code."
Mark McManus,
Computer Economics' vice president of IT research, attributed the three-year decline to two factors: The widespread use of anti-malware technology and a shift in cyber criminals' focus from creating havoc to profiting from their work.
"Anti-malware technology is becoming more widely deployed and is fairly effective in defending against many types of malware threats," he noted. "Virtually all business computers are protected by anti-virus systems, either at the desktop or firewall, or both."
In addition, malware authors are now motivated more by financial gain than disrupting systems, as they were in the past. Malware authors no longer release malware merely for electronic "vandalism," McManus said.
"They design malicious code to quietly use infected machines to send spam, steal credit card numbers, perpetuate click-fraud, display advertisements, or provide a back door into the organisation's network."
That "implies" that indirect or secondary damages are likely increasing, according to McManus. A spyware attack that causes on a few thousand dollars in labor costs to clean up, for instance, could well allow an attacker to steal a password, then infiltrate a network and download critical inside information, which could lead to substantial secondary losses that "could be devastating."
Computer Economics didn't put a number on the indirect costs associated with fighting malware, however. One of the major challenges in quantifying the impact of malware is that only 28 percent of organizations track both the frequency and economic impact of malware attacks, according to the report.
"Almost two thirds (63 per cent) track the number of events but do not account for the economic impact . . . [and] nearly one tenth do not track any information regarding malware attacks at all."
The hidden costs include what Computer Economics calls the "preventive" measures -- deploying technology solutions such as antivirus hardware and software and managing the ongoing personnel costs for IT security staff -- associated with protecting systems from malware.
The company defines direct costs as those associated with labor to analyse, repair and cleanse infected systems, loss of user productivity, loss of revenue due to loss or degraded performance of system, and other expenses directly caused by a malware attack.
"Just because we saw another drop doesn't mean this will continue in 2007," McManus said. "Direct costs are on track to climb higher than in 2006 because of the large number of major malware attacks we saw in the first two quarters of this year."
Other findings from the report:
At the median, organisations experience five malware events per year, jumping to 10 events per year for organisations with more than 5,000 computers.
The most common source of a malware infection is email, followed by browsing malicious websites and infected PCs/laptops joining a corporate network.
Although destructive viruses have greater direct economic impact, survey respondents perceived spyware and hacker tools as the two most serious types of malware threats they face.
There was a clear consensus that the spyware threat level is increasing.