6- ConclusionThe utility of studies like these is to understand the problem as it exists today and to point the way towards actions that can be taken to manage the risk. We have seen how difficult it can be to extract useful answers from such a study. Great care must be taken in framing the questions to be asked, and in interpreting the data that are collected. We are interested in three broad sets of questions:
Once we understand (3), we should be able to predict the answers to (2). In the meantime, our current study focuses on measuring the answer to (2) over the last two years. We have presented a methodology which involves careful collection of data on PC-DOS virus incidents from a stable, fixed population. We record the date and location of the incident, the name of the virus and the number of PCs that are infected. We record this data at the time of the incident, rather than depending upon the accuracy of people's memory. We can say very accurately which viruses we have seen in this population, when we first saw them, and how often we see them. In fact, only 15% to 20% of the more than 700 viruses in our collection have ever been seen ``in the wild'' in this population. Even among those that have been seen, a small minority of them account for the majority of incidents, with Stoned and 1813 accounting for about 34%, and the top ten viruses accounting for about 69%. We analyzed incidents from the most frequently occurring viruses. Some, such as the Joshi virus, appear to be increasing in frequency. Others, like the Bouncing Ball and perhaps the 1813 virus, appear to have reached an equilibrium in which their frequency does not increase or decrease dramatically. Others, such as the Brain virus, are virtually extinct. This is in qualitative agreement with our theoretical model of computer virus spread [2]. The total number of virus incidents per quarter is increasing, though not as dramatically as others have predicted. Its increase is due to a combination of two effects: some viruses are becoming more prevalent, and the number of different viruses observed ``in the wild'' is increasing. In the vast majority of incidents in our sample population, only a single PC is infected. Since we do not see large outbreaks of any particular virus, we are confident that there is very little spread within our sample population. On the other hand, we see that there are sustained, ongoing infections in the world outside of our sample population, at least for some viruses. Our reinterpretation of the Dataquest survey and results from our own studies suggest that populations of computer users within the business and government sectors that are only weakly armed against computer viruses can expect an average incident size of 3 to 4 PCs. Our most recent statistics indicate that the following simple steps can help control the problem, cutting this figure by more than half:
Since we know that PCs seldom get infected from within the sample population, we conclude that the number of incidents per quarter reflects the number of times an infected diskette has entered this population from the rest of the world. By measuring the increase in incidents in our sample population, we get an approximate measure of the relative increase in the number of infected PCs in the world as a whole. We think that studies like those described here are an important way to start understanding the risks computer viruses pose in the world today. Surveys that carefully follow our advice can provide a valuable complement to our work. As we understand more about how computer viruses spread worldwide, we will be able to predict how these risks will change in the upcoming years. While we are making progress on this more global understanding, the models available today do not allow reliable predictions to be made. This will be an important part of our future work.
|