4.1- Incident Size Distribution

First, we present some interesting results on the distribution of incident sizes in our population which support our theoretical conclusion that central reporting and response can be quite effective. Fig. 5a shows the distribution of incident sizes during a six-month period when the above-mentioned anti-virus strategies were first being deployed in the various components of our sample population.
Figure 5: a) Fraction of incidents of given size during six-month periods when strategies were first being deployed. b) Fraction of infected PCs involved in incidents of given size during the same time period.
Figure 6: a) Fraction of incidents of given size during 1992. b) Fraction of infected PCs involved in incidents of given size during 1992.
During this period, the average incident size was 3.4 PCs. Most (63%) of the incidents involved just zero or one PCs. (The incident size is defined to be zero if a foreign diskette is caught before it can infect any of an organization's PCs.) Only 12% of the incidents involved more than 5 PCs. However, Fig. 5b presents a different view of the same data. Even though incidents larger than 5 PCs were fairly rare, they accounted for 60% of the total number of infected PCs. Thus the larger incidents actually accounted for most of the problem! Fig. 6 shows the corresponding distributions for 1992, after the anti-virus strategies had been in place for some time. The average incident size was cut by more than a factor of two to just 1.6 PCs. In the vast majority of cases (83%), the infection was caught before it could infect more than one PC. Only 2.5% of the incidents involved more than 5 PCs, and these large incidents accounted for only 27% of the total number of infected PCs.
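The two views of the same data described above (fraction of incidents of a given size, and fraction of infected PCs involved in incidents of that size) can be computed directly from a list of incident sizes. The following is an added example, not code or data from the paper: the function names are hypothetical, and the sample is constructed so that its summary statistics match the figures quoted for the initial six-month period.

```python
from collections import Counter

def size_distributions(sizes):
    """Map each incident size to (fraction of incidents, fraction of infected PCs)."""
    if not sizes:
        raise ValueError("no incidents recorded")
    counts = Counter(sizes)
    n_incidents, n_pcs = len(sizes), sum(sizes)
    dist = {}
    for size, count in sorted(counts.items()):
        by_incident = count / n_incidents  # the view of Fig. 5a / 6a
        # Size-0 incidents (diskette caught before infecting any PC) count
        # as incidents but contribute no infected PCs.
        by_pc = size * count / n_pcs if n_pcs else 0.0  # the view of Fig. 5b / 6b
        dist[size] = (by_incident, by_pc)
    return dist

def summarize(sizes, large=5):
    """Headline statistics; 'large' means more than `large` PCs in one incident."""
    if not sizes:
        raise ValueError("no incidents recorded")
    counts = Counter(sizes)
    n_incidents, n_pcs = len(sizes), sum(sizes)
    small = sum(c for s, c in counts.items() if s <= 1)
    big_incidents = sum(c for s, c in counts.items() if s > large)
    big_pcs = sum(s * c for s, c in counts.items() if s > large)
    return {
        "mean_size": n_pcs / n_incidents,
        "frac_incidents_0_or_1": small / n_incidents,
        "frac_incidents_large": big_incidents / n_incidents,
        "frac_pcs_in_large": big_pcs / n_pcs if n_pcs else 0.0,
    }

# Constructed sample of 100 incidents (not the paper's raw data).
SAMPLE = ([0] * 20 + [1] * 43 + [2] * 5 + [3] * 5 + [4] * 7 + [5] * 8
          + [10] * 6 + [20] * 4 + [32] * 2)

if __name__ == "__main__":
    for size, (by_incident, by_pc) in size_distributions(SAMPLE).items():
        print(f"size {size:>2}: {by_incident:6.1%} of incidents, "
              f"{by_pc:6.1%} of infected PCs")
    print(summarize(SAMPLE))
```

Weighting each incident by its size is what turns the 12% of incidents larger than 5 PCs into 60% of all infected PCs in this sample.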
It should be noted that these incident size distributions do not have the
exponential form predicted by Eq. 4. For example, for
the 1992 data, the average incident size of 1.6 leads to an estimated
In any case, the net effect of the anti-virus policies introduced a few years ago was to create a more hostile environment for computer viruses, reducing the average incident size by a factor of two in this instance. In organizations which have not yet implemented active response policies, we can expect the average incident size to be larger than the 1.6 PCs that we have attained. As a check on this, we have been able to compare our results with those obtained by Dataquest [3]. Unfortunately, the question they asked their survey participants confused the distinction between incidents and infected machines. However, by making some assumptions about how the survey participants interpreted the question [4, 5], we find that, in the third quarter of 1991, the average incident size among the organizations surveyed by Dataquest was roughly between 2.4 and 3.2. This is reasonably close to the figure of 3.4 PCs that we observed in our population when anti-virus policies were just being put into place.
We are aware of some conscientious organizations not included in
our sample population which, despite having purchased a site license
for anti-virus software, suffer from persistent, chronic infections.
These organizations appear to be above the epidemic threshold. The
theoretical results of Section 3.2.2 indicate that, by implementing
central reporting and response, these organizations could bring
virus incidents to a swift termination without doing anything to
change