>
2.1- Measuring Computer Virus PrevalenceWe have learned much about the extent of the PC-DOS virus problem by collecting virus incident statistics from a fixed, well-monitored sample population of several hundred thousand PCs for six years. The sample population is international, but biased towards the United States. It is believed to be typical of Fortune 500 companies, except for the fact that central incident management is used to monitor and control virus incidents.
Briefly, the location and date of each virus incident is recorded, along with
the number of infected PCs and diskettes and the identity of the virus.
From these statistics, we obtain more than just an understanding of the virus problem
within our sample population: we also can infer several aspects of the
virus problem worldwide. Figure 1 illustrates how this
is possible. From the perspective of one of the organizations that comprises our sample population, the world is full of computer viruses that are continually trying to penetrate the semi-permeable boundary that segregates that organization from the external world. At a rate depending on the number of computer virus infections in the world, the number of machines in the organization, and the permeability of the boundary, a computer virus will sooner or later make its way into the organization. This marks the beginning of a virus incident. Assuming that the permeability of the boundary remains constant, the number of virus incidents per unit time per machine within the set of organizations that makes up our sample population should be proportional to the number of computer virus infections in the world during that time period. (In fact, our measure will lag the actual figure somewhat, since incidents are not always discovered immediately.)
Figure 1: Computer virus spread from an organization's perspective. White circles represent uninfected machines, black circles represent infected machines, and gray circles represent machines in the process of being infected. Throughout the world, computer viruses spread among PCs, many of them being detected and eradicated eventually. Left: Occasionally, a virus penetrates the boundary separating the organization from the rest of the world, initiating a virus incident. Right: The infection has spread to other PCs within the organization. The number of PCs that will be infected by the time the incident is discovered and cleaned up is referred to as the size of the incident.
|
