
Next 3.2.1- Viral Influx
Previous 3.1- Kill Signals
Up 3- Two New Models

3.2- Viral Spread in Organizations

The second new model views viral spread from the perspective of an organization. This establishes a connection between important theoretical parameters and quantities that we can measure (and have measured) in our studies of virus incidents. In addition, it suggests an important strategy for limiting viral spread within organizations.

From an organization's perspective (Fig. 4), the world is full of computer viruses that are continually trying to penetrate the semi-permeable boundary that segregates the organization from the external world. At a rate depending on the number of computer virus infections in the world, the number of machines in the organization, and the permeability of the boundary, a computer virus will sooner or later make its way into the organization. This marks the beginning of a virus incident. After the initial penetration, the virus may spread among several other machines within the organization. Eventually, some user will discover that his machine is infected, and take steps to eliminate the virus. In the ideal case, that user will also inform either his neighbors or some central agency, which will then look for the virus on neighboring machines. The incident terminates when all machine infections stemming from the initial one are cleaned up.

  


Figure 4: Computer virus spread from an organization's perspective. White circles represent uninfected machines, black circles represent infected machines, and gray circles represent machines in the process of being infected. Throughout the world, computer viruses spread among PCs, many of them being detected and eradicated eventually. Left: Occasionally, a virus penetrates the boundary separating the organization from the rest of the world, initiating a virus incident. The frequency with which this occurs depends upon the fraction of infected machines in the world, the number of machines in the organization, and the success of the organization in filtering out infectious contacts with the outside world. Right: The infection has spread to other PCs within the organization. The number of PCs that will be infected by the time the incident is discovered and cleaned up (the size of the incident) depends upon inherent characteristics of the virus and the effectiveness of the organization's anti-virus policies, particularly the extent to which anti-virus software is being used.

An organization should have two goals: to limit the influx of viruses and to limit internal spread whenever a virus does manage to penetrate the organizational boundary. Centralized reporting and response can provide much valuable information about these two aspects of the organization's success in dealing with the virus problem. The number of incidents reflects the success of the organization in filtering out infectious contacts with the external world. It can also be used to infer the relative trends in virus prevalence in the external world, provided that the organization or collection of organizations being monitored is large enough to yield decent statistics. We shall carry this out in Section 4. The average incident size (the number of infected machines per incident) reflects the organization's success in limiting the spread of viruses once they get into the organization. The next two subsections treat these two characteristics of virus incidents from a theoretical point of view.
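The following Python example is added here for illustration and is not from the paper: it turns centralized infection reports into the two quantities discussed above, the number of incidents and the average incident size. The report fields, the machine and virus names, and the `traced_to` link used to decide which infections stem from the same initial penetration are assumptions, and the sample data is constructed.

```python
from collections import Counter, defaultdict

# Constructed sample of centralized reports (not data from the paper).
# Fields (assumed): machine, virus, day detected, and traced_to = the internal
# machine the infection was traced back to, or None if it came from outside.
REPORTS = [
    ("pc-01", "VirusA", 3, None),
    ("pc-02", "VirusA", 5, "pc-01"),
    ("pc-03", "VirusA", 6, "pc-02"),
    ("pc-17", "VirusB", 9, None),
    ("pc-40", "VirusA", 30, None),      # same virus, separate penetration
    ("pc-41", "VirusA", 31, "pc-40"),
    ("pc-09", "VirusC", 44, "pc-99"),   # source machine never reported
]

def group_incidents(reports):
    """Group infections into incidents: all machines linked by traced_to."""
    parent = {}

    def find(key):  # union-find with path halving
        parent.setdefault(key, key)
        while parent[key] != key:
            parent[key] = parent[parent[key]]
            key = parent[key]
        return key

    for machine, virus, _, source in reports:
        if source is not None:
            parent[find((machine, virus))] = find((source, virus))
        else:
            find((machine, virus))
    incidents = defaultdict(list)
    for machine, virus, day, _ in reports:
        incidents[find((machine, virus))].append((day, machine))
    return sorted(sorted(members) for members in incidents.values())

def incident_metrics(reports, period_days):
    """Return incident count, average incident size, and incidents per period."""
    incidents = group_incidents(reports)
    starts = Counter(members[0][0] // period_days for members in incidents)
    return {
        "incidents": len(incidents),
        "avg_incident_size": sum(map(len, incidents)) / len(incidents),
        "incidents_per_period": dict(starts),
    }

if __name__ == "__main__":
    print(incident_metrics(REPORTS, period_days=30))
```

Only reported machines count toward incident size, so an unreported source such as `pc-99` links an incident together without adding to its size.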



