Contents: 1. Introduction | 2. UF Cost Study Structure | 3. Structured Sampling | 4. Survey Results | 5. Prevention Policies | 6. Conclusions
By the end of August an extensive cleanup and maintenance effort was in process. At the end of the first week in September, the UF's Provost for IT asked the director of the UF's Computing and Networking Services (CNS) for an estimate of the costs of this attack episode to the UF. The author was assigned this task. A review of published work on the subject continued, and work on the task at the UF was initiated.
Preliminary results of a TruSecure/ICSA Labs survey [3] of 882 corporations worldwide, published August 29, 2003, indicated wide variation in the impacts of MSBlaster. Fifty-five percent reported no impact, 30 percent minor impacts, and 15 percent moderate or major impacts; the latter group had average estimated costs of $475,000. A number of viruses and worms have appeared worldwide since the episode that started September, 2003. This was certainly nothing new. Since John von Neumann researched self-reproducing automata in the 1950's, and the first virus, Pervade, spread through UNIVACs in 1975, they have become part of the IT landscape:
"Although viruses and worms took more than a decade to emerge in significant numbers, they soared in subsequent years. By the end of 1990, about 200 viruses had been identified. Today, that number has jumped to more than 70,000. Although less than 1 percent of those viruses have compromised computers on the Internet, more than 80 percent of companies suffered a digital infection, according to Computer Security Institute." URL: http://www.gocsi.com/ [4]
A number of cost models were found in published work since the research was started. One of the more comprehensive models was developed by mi2g Limited, a British firm. A member of the mi2g Limited Intelligence Unit stated in an e-mail to the author that their "...algorithm used to calculate economic damage is proprietary and I am unable to disclose its contents explicitly." [5] He did include the following list of components used in their algorithm.
2. UF Cost Study Structure
Early in this task, it was decided to not include students in this study. While about 7,000 UF students were in UF residence halls, the other 40,890 were in apartments and homes in or close to Gainesville. Detailed analysis of how their costs might be structured and then sampled led to the conclusion that this study would consider only UF faculty and staff. Part of this decision was due to factors described in the following paragraphs.
The UF provides office-based hardware, software and network access for all faculty and staff with office-based positions. The same resources are provided for home-based work when approved by a staff member's supervisor and department. Faculty also have home-based micro systems provided by various UF funds. Many faculty and staff members also have laptops provided by UF funds or purchased by those individuals.
The software supported by UF on micros in offices and residences and on laptops included operating systems, work applications, and anti-virus packages. While students have access to this software, the UF does not provide micro hardware for students. On-campus sites for faculty, staff, and students have ethernet 10/100/1000 megabyte access. All UF students, faculty, and staff have dial-up (56K) access to UF systems; monthly quotas paid by the UF Provost total 30 hours for undergraduates, 60 hours for graduate students, and 120 hours for faculty and staff. Individuals pay for connection time (at $.008/minute) over these quotas. In addition, many users have DSL or cable access from their residences; these higher-speed connectivity modes can be paid for by the UF if an individual often does employment-related work from their residence. Wireless is being distributed throughout the campus: Cisco virtual private network (VPN) software is provided by the UF and its use by all wireless users is strongly encouraged.
Data on the costs of hardware, software and connectivity provided was in the UF's financial systems. Except for a contract with Networks Associates Technology, Inc., to provide McAfee VirusScan Enterprise, no other central object-specific expenditures had been made by the UF for user software to prevent attacks and minimize consequences. Substantial resources have been allocated for all IT security issues in general, and a dedicated full-time IT security staff was started in April, 1999.
This work focused on the time UF employees used to respond to the attacks and lost because systems were disabled, i.e., productivity erosion, Number 5 in mi2g's list. The other components in the mi2g list were (a) not applicable to the UF or (b) could not be measured in a timely manner. Four groups of UF employees were defined for this study. They were as follows.
The survey forms for all four UF employee groups included common information requests regarding individuals'
"D. Your time spent on all activities including reading and deciding what you should do, getting software, installing and running software, and/or deleting garbage e-mails and files in response to the MSBLAST, SoBIG and Nachi attacks:
Estimated Time for A: ____ Hours. ____ None.
Estimated Time for B: ____ Hours. ____ None.
Estimated Time for C: ____ Hours. ____ None."
Individuals were asked to supply the following information on each of their workstations at their office (A), at their residence (B), and on their laptops (C). Space was provided for two micros in each group; respondents were asked to add columns if they had more than two.
"Operating System(s) ______________ _________________
Scheduled System Upgrade Downloads: ( ) Yes ( ) No    ( ) Yes ( ) No
Scheduled Virus Scan Upgrade Downloads: ( ) Yes ( ) No    ( ) Yes ( ) No"
The intent of the questions on scheduled downloads of operating system and virus scan upgrades and patches was to determine whether such automatic action would be correlated with the amount of time individuals lost due to the attacks. A much more detailed form that would have attempted to capture more relevant information on this question was not used because of its length and difficulty. For example, following the saying, "The only safe computer is one that is not turned on." [4], asking questions about when a given micro in a location was or was not turned on increased the length of the form by a factor of four.
It was expected there would be major differences in time lost due to clean up and maintenance by the four employee groups defined for this study. In addition, it was expected that some individuals would be denied access for their system for some time due to the attacks. So, all groups excluding the network managers were asked the following.
"E. Excluding your time estimates in D., what amount of time were you not able to work on your system(s) because of required maintenance and clean up caused by the viruses and worms?
___________ Hours. ( ) None."
The network managers were not asked this question about lost down time. Rather, they were asked for estimates of their total support time for their users and whether they run centralized department or group automated software updates and patches in Questions E and F.
"E. Excluding your time estimates in D., what amount of time did you spend supporting others as part of your normal job duties for maintenance and cleanup. Include time spent on direct support with user workstations and maintaining and cleaning servers.
____Hours. ____None.
F. Does your department/group use any automated systems for installing operating system and/or virus updates to end-user workstations?
____ Yes ___No"
Both forms ended with an open-ended question. It asked for general comments and comments about department/college and UF support.
3. Structured Sampling
A structured sampling was used for the study. It was expected that individuals managing networks would have the highest total average times since they were responsible for the network systems, servers, and supporting users. All known individuals doing network management were contacted via a network managers listserv e-mail list. They were not required to have a formal management position, but, rather, were responsible for managing networks in their departments or groups as well as other IT direct or support duties.
Of the estimated 289 UF employees with these network management duties, 83 responded to the on-line questionnaire shown in Exhibit 1 below. This was about 3 times more than the number of respondents expected from individuals managing networks. Of these, 10 (12 percent) reported they were on faculty lines.
The user form shown in Exhibit 2 below was distributed in paper form to a mix of faculty, administrative and office staff, and non-network manager IT employees. In total, 95 usable forms were returned to the author. It was anticipated that all IT employees would have the lowest lost cleaning and maintenance time of the three groups and that administrative and staff employees would have the highest lost time. The reverse was the case.
4. Survey Results
The population and sample sizes and some general descriptive statistics are shown in Table 1.
Table 1. Population and sample sizes and descriptive statistics, Fall 2003 (times in hours)

| Fall 2003 | Faculty Positions | Adm. & Office Staff | IT Excluding NW Mgt. | Network Management | UF Total |
|---|---|---|---|---|---|
| University F.T.E.'s [A] | 4,326.2 | 7,089.7 | 353.1 | 289.0 | 12,058 |
| Non-IT Proportions | 37.9% | 62.1% | | | |
| IT Proportions | | | 55.0% | 45.0% | |
| Sampled | 24 | 43 | 28 | 83 | 178 |
| Proportions | 35.8% | 64% | 25.2% | 74.8% | |
| Micros per Individual | 3.79 | 2.49 | 4.07 | 3.35 | |
| Cleaning & Maint. per Micro | 0.65 | 0.86 | 1.03 | 3.26 | |
| Cleaning & Maint. per Individual | 2.48 | 2.15 | 4.20 | 10.91 | |
| Down Time per Individual | 1.46 | 1.22 | 0.23 | | |
| Support Time per NW Manager | | | | 30.8 | |
| Individual Total Lost Time [B] | 3.94 | 3.37 | 4.43 | 41.71 | |
| UF Total Lost Time [A x B = C] | 17,045 | 23,892 | 1,564 | 12,054 | 54,556 |
| UF Work Hours per Week: 5 Days, 8 @ Office & 2 @ Home [D] | 216,310 | 354,485 | 17,655 | 14,450 | 602,900 |
| Hours Lost If Episode Spanned 1 Week for All [C / D = E] | 7.9% | 6.7% | 8.9% | 83.4% | 9.0% |
| Hours Lost If Episode Spanned 4 Weeks for All [E / 4 = F] | 2.0% | 1.7% | 2.2% | 20.9% | 2.3% |
| Lost Man-Years [C / 1,703.1] | 10.0 | 14.0 | 0.9 | 7.1 | 32.0 |

Note: One man-year at UF, net of leave, sick and vacation days, is 1,703.1 hours.
The support time per individual managing networks was 30.8 hours. This statistic was presumably affected by the number of networks, servers, and users a given network manager supported. Complications in elaborating on this dimension of demand on their times resulted in a large number of detailed questions being eliminated from the questionnaire.
Imputing the average sample results, Table 1 [B], to the UF populations by group gave a total of 54,556 hours, Table 1 [C], of lost time due to the attack episode. Caveats on this imputation include known problems with the initial UF population F.T.E. values. There was no way to reconcile the "official" line designations shown in Table 1 [A] with the activities individuals were actually performing. It is likely that the F.T.E.'s for faculty, administration and office staff positions are overstated and those for IT, excluding network management, are understated.
Given this and other caveats, and a work week defined as 5 days at 8 hours in the office and 2 in residences, work hours for each of the employee groups were calculated as shown in Table 1 [D]. Then, given that the episode and remedy work lasted
* 1 week, the episode cost the UF 9.0 percent of all work hours, and
* 4 weeks, the episode cost the UF 2.3 percent of all work hours.
So, based on the sample results and the assumptions made in imputing them to the UF populations, the episode cost the UF between 2.3 and 9.0 percent of all employees' work hours, since it spanned between one and four weeks for almost all users. A different view based on the average man-year hours at the UF leads to the conclusion that the VWS episode cost the UF 32 man-years of time: 32 employee-years were diverted from expected teaching, research, and service activities in response to the attack on IT resources. Based on the pay and fringe benefit rates of the four identified population subgroups, the dollar cost to the UF was $1,902,730 for Fall Semester, 2003.
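The imputation above is mechanical enough to be re-run. The following script is an added example, not code from the original study; it re-derives Table 1 from the Fall 2003 F.T.E. counts and sample means using the paper's own symbols (A, B, C = A x B, D, E = C / D, F = E / 4, man-years = C / 1,703.1). The dollar figure is not reproduced because the pay and fringe rates behind it are not given.

```python
"""Added worked example (not the paper's own code): re-derives Table 1 from
the paper's sample means and Fall 2003 F.T.E. populations, using its symbols:
A = F.T.E.'s, B = lost hours per individual, C = A x B, D = weekly work hours
(5 days x (8 h office + 2 h home) = 50 h per F.T.E.), E = C / D for a one-week
episode, F = E / 4 for a four-week episode, man-years = C / 1,703.1."""
from dataclasses import dataclass

WORK_HOURS_PER_WEEK = 50.0   # 5 days x (8 h at office + 2 h at home)
MAN_YEAR_HOURS = 1703.1      # one UF man-year net of leave, sick and vacation days


@dataclass(frozen=True)
class Group:
    name: str
    fte: float                     # [A] University F.T.E.'s
    clean_per_individual: float    # cleaning & maintenance hours per individual
    down_time: float = 0.0         # hours locked out of own system (user groups)
    support_time: float = 0.0      # support hours per manager (network managers)

    @property
    def lost_per_individual(self) -> float:
        """[B]: own clean-up plus down time (users) or support time (NW managers)."""
        return self.clean_per_individual + self.down_time + self.support_time


@dataclass(frozen=True)
class Row:
    lost_hours: int          # [C] = A x B, rounded to whole hours
    work_hours: int          # [D] = A x 50
    pct_one_week: float      # [E] = 100 x C / D
    pct_four_weeks: float    # [F] = E / 4
    man_years: float         # C / 1,703.1


def _row(c: float, d: float) -> Row:
    e = 100.0 * c / d
    return Row(round(c), round(d), round(e, 1), round(e / 4, 1),
               round(c / MAN_YEAR_HOURS, 1))


def impute(groups):
    """Impute each group's sample mean B to its population A; the 'UF Total'
    row sums C and D over all groups before computing E, F and man-years."""
    rows, total_c, total_d = {}, 0.0, 0.0
    for g in groups:
        c = g.fte * g.lost_per_individual
        d = g.fte * WORK_HOURS_PER_WEEK
        rows[g.name] = _row(c, d)
        total_c += c
        total_d += d
    rows["UF Total"] = _row(total_c, total_d)
    return rows


# Fall 2003 inputs exactly as quoted in Table 1 of the paper.
UF_GROUPS = [
    Group("Faculty Positions", 4326.2, 2.48, down_time=1.46),
    Group("Adm. & Office Staff", 7089.7, 2.15, down_time=1.22),
    Group("IT Excluding NW Mgt.", 353.1, 4.20, down_time=0.23),
    Group("Network Management", 289.0, 10.91, support_time=30.8),
]

if __name__ == "__main__":
    for name, r in impute(UF_GROUPS).items():
        print(f"{name:22s} C={r.lost_hours:6d}  D={r.work_hours:7d}  "
              f"E={r.pct_one_week:5.1f}%  F={r.pct_four_weeks:5.1f}%  "
              f"man-years={r.man_years:4.1f}")
```

Changing the F.T.E. values or the 50-hour week shows how sensitive the headline figures are to the caveats noted above.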
5. Prevention Policies
The responses on the existing use of scheduled downloads and the related times for cleaning and maintaining systems after the attack episode do not support the conclusion that such scheduled downloads reduced the time required for cleaning and maintaining systems. All 178 respondents are included in the results shown in Table 2. The designation "...-Yes" indicates that all office, home, and laptop micros had scheduled updates and patches. The designation "...-No" indicates that at least one micro did not have them. While this strict logic was used in classifying users as "...-Yes" or "...-No", most users either had all their micros scheduled for updates and patches or had none so scheduled.
Users responding No to operating system, virus scan, and both had lower average cleaning and maintenance times than users responding Yes. In all cases, the standard deviations are greater than the means, meaning the results are not normally distributed (normal distributions with these means and standard deviations would have to include negative hour values, a physical impossibility). So, t-statistic tests are inappropriate for comparisons.
More detailed analysis is needed for tests of statistical significance. Review of the data suggests that employee group may significantly influence these results. This could be due in part to a perceived lower degree of confidence in scheduled, as compared to manually controlled, updates and patches among more technically proficient users.
Another complicating variable is the communication mode. Dial-up phone service was used from residences by 59.6 percent of all respondents. Software downloads take very much longer by phone as contrasted with DSL (10.7 percent of all respondents) or cable (29.8 percent), so users may find carrying updates home more efficient and safe if they have dial-up connectivity. In addition, firewall packages such as the free version of Zone Alarm [7] recommend turning off traffic to one's system if it is to be unattended for long periods of time, e.g., while away from one's residence at work, regardless of the type of connectivity. In addition, some users prefer to have manual control over what gets downloaded on their systems. [8]
Yet another plausible explanation of the inconclusive results shown in Table 2 is that the less technically proficient users at the UF have their systems managed in part by the network managers, who are, in fact, doing an excellent job for these users. If this is, in fact, the case, low cleaning and maintenance times on the part of the administrative and office staff members would be expected. The function for these users is carried on continuously by their network support managers, with the result that their own work times are lower than would otherwise be the case.
Other factors that were not in the questions -- in part because long, involved questionnaires tend to get ignored -- may be keys to the process. For example, a user with the current operating system updates and patches and virus scan updates could still get infected if a virus or worm arrived after the last updates but before the operating system defect was discovered and fixed by the vendor or before the virus cleaner was released by the vendor. Simple timing patterns with frequent use of virus scans and full-time use of firewalls may be the most significant factors in the continuing battle against VWS attacks.
It may also be that different defense policies will be appropriate for office-based systems, residence-based systems, and laptops. They may have to reflect individual preferences and possibilities across employee groups. While managers can require practices of employees, faculty typically resist mandated policies.
More sophisticated data analysis, perhaps with Analysis of Variance to isolate factors or conditions such as employee type, location, and/or connectivity, may give results that support the use of automatic or scheduled software updates and patches. The inconclusive results shown in Table 2 do not suggest automatic or scheduled updates and patches are of no value for all users. The results suggest that setting prevention policies will be much more complicated than some simple one-for-all approach.
6. Conclusions, Implications, & VWS Costs 2
Analysis of cleaning and maintenance time per micro to date was inconclusive, raising questions and supporting no simple policy recommendation. While there may not be any simple policy recommendations possible on this problem, work on variables and conditions likely affecting these outcomes will continue. This will include various combinations of employee type, micro location, dial-up access, and IT support level. A plausible hypothesis for the higher cleaning and maintenance times by network management staff members, 3.26 hours per micro, as compared to other IT employees at 1.03 hours per micro, administration and office employees at .86 hours, and faculty at .65 hours is that the more technically knowledgeable knew more that could be done and, in fact, took more time to care for their micros.
A follow-on study, VWS Costs 2, will look at how members of the UF community, including students, now defend their micros against attacks. It will look at the way individuals are doing, using, or not using the following.
While the sky may not be falling, the following animated cartoon on how IT security managers may often view themselves provides comic relief at this ending. [10]
[1] Written for presentation at the Southern (Academic Computing Center) Directors' Conference, Atlanta Marriott Suites Midtown, February 26, 2004. Special thanks to Kathy Bergsma, UF Information Security Manager, and to Chuck Logan and Jordan Wiens, her colleagues at the UF CNS, for their support and help on this project. Jordan's work with coauthor Curtis Franklin on firewalls was recently published with the title "Are Your Web Apps SECURE?", INFOWORLD, February 9, 2004, pp. 35-41. It is recommended for anyone interested in Web security.
[2] The following definitions are from web.ask.com. Virus:
A virus is a piece of programming code usually disguised as something else that causes some unexpected and usually undesirable event. A virus is often designed so that it is automatically spread to other computer users. Viruses can be transmitted as attachments to an e-mail note, as downloads, or be present on a diskette or CD. The source of the e-mail note, downloaded file, or diskette you've received is often unaware of the virus. Some viruses wreak their effect as soon as their code is executed; other viruses lie dormant until circumstances cause their code to be executed by the computer. Some viruses are playful in intent and effect ("Happy Birthday, Ludwig!") and some can be quite harmful, erasing data or causing your hard disk to require reformatting.
Worm: (see definition below). Spam: (see definition below).
[3] Russ Cooper, "TruSecure Blaster Impact Study," TruSecure/ICSA Labs, E-mail, August 29, 2003. URL http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0190.html
[4] Robert Lemos, "The Computer virus--no cures to be found," CNET News.com, November 25, 2003. URL http://zdnet.com.com/2100-1105-5111442.html
[5] The e-mail to the author is available on request. mi2g has an on-line service that includes frequently asked questions: URL http://www.mi2g.com/cgi/mi2g/press/faq.pdf
[6] Al Johnson, FBI, "Forensic Pitfalls", Information Technology Security Awareness Day, Invited Speaker, Reitz Union Auditorium, UF, October 8, 2003. Powerpoint Presentation http://oak.at.ufl.edu/~video/itsa/itsa4.ram
[7] Zone Labs, Inc., URL: http://www.zonelabs.com/store/content/support/znalmMain.jsp The Program Control page in Zone Alarm has a simple click on/click off toggle option to, "Enable the Automatic Lock if you leave your computer online and unattended for long periods."
[8] The author currently has 7 Windows XP updates in queue from Microsoft. They are for software that I've never used and likely will never use in the future. If downloaded, they would waste 41.6 Meg of disk space.
[9] The Yankee Group, Vulnerability Management: Processes Strengthen IT's Security Performance, November 10, 2003. Guest userID & password required for URL: http://www.yankeegroup.com/custom/research/report_overview.jsp?ID=10358
[10] If the dog is not running when this file is accessed via the Web, click on your browser's reload button while holding down the shift key. This will clear the cache and reset the time-out counter on the runningdog.gif file.
Some of the cleaning and maintenance activities will, presumably, help limit the scope and extent of future attacks. A logical question follows: what policies should the UF adopt and/or recommend to the various classes of employees to minimize the scope and extent of future attacks? All respondents were asked whether they used scheduled downloads of software upgrades and patches that could help any individual minimize the effects of future attacks.
Table 2. Cleaning and maintenance time (hours) by use of scheduled updates and patches, all 178 respondents

| Scheduled Updates & Patches | N | Mean | S.D. |
|---|---|---|---|
| Operating Systems-No | 66 | 1.12 | 2.26 |
| Operating Systems-Yes | 112 | 1.96 | 2.83 |
| Difference | | .84 | Not Normally Distributed |
| Virus Scan Software-No | 114 | 1.55 | 2.68 |
| Virus Scan Software-Yes | 64 | 2.00 | 2.60 |
| Difference | | .45 | Not Normally Distributed |
| Both-No | 118 | 1.51 | 2.76 |
| Both-Yes | 60 | 1.92 | 2.46 |
| Difference | | .41 | Not Normally Distributed |
The cost of the VWS attack and response covering the period August 15, 2003 through September 15, 2003 was between 2.3 percent and 9.0 percent of employee time at the UF, depending on whether the average time span of the episode was 4 weeks or 1 week. In absolute terms, the time costed out to $1,902,730 at the cost plus fringe benefit rates of the four employee groups identified for this work. A different view, based on UF F.T.E. man-years, was that the episode took 32 employee man-years away from normal work activities, or that 32 man-years of productive employee time was lost. Given the official 12,058 F.T.E. UF employees at the time, this cost is relatively small, .26 percent, on an annual basis if it is not repeated. The sky is not falling, or is it?
Finally, a fit to the trend suggested by the Computer Security Institute in the introduction above implies that identified VWS will likely grow exponentially in the future. The present 70,000 could grow to 1,399,000 by 2010! A new component of the IT industry has come into being as a result of the growth from 200 identified viruses and worms in 1990. The Yankee Group coined the term "vulnerability management services", VMS's. It prepared a report that included recommendations for VMS vendors and enterprise buyers of their services. One statement in their Executive Summary has the full endorsement of Kathy Bergsma, the UF's Information Security Manager. "Enterprise security teams are overwhelmed with the volume of information from intrusion detection systems (IDSs) and patch notifications from vendors." [9]
Worm (from [2]): 1) In a computer, a worm is a self-replicating virus that does not alter files but resides in active memory and duplicates itself. Worms use parts of an operating system that are automatic and usually invisible to the user. It is common for worms to be noticed only when their uncontrolled replication consumes system resources, slowing or halting other tasks.
2) In computer storage media, WORM (for write once, read many) is a data storage technology that allows information to be written to a disk a single time and prevents the drive from erasing the data. The disks are intentionally not rewritable, because they are especially intended to store data that the user does not want to erase accidentally. Because of this feature, WORM devices have long been used for the archival purposes of organizations such as government agencies or large enterprises.
Spam (from [2]): Spam is unsolicited e-mail on the Internet. From the sender's point of view, it's a form of bulk mail, often to a list obtained from a spambot or to a list obtained by companies that specialize in creating e-mail distribution lists. To the receiver, it usually seems like junk e-mail. It's roughly equivalent to unsolicited telephone marketing calls except that the user pays for part of the message since everyone shares the cost of maintaining the Internet. Spammers typically send a piece of e-mail to a distribution list in the millions, expecting that only a tiny number of readers will respond to their offer. Spam has become a major problem for all Internet users.
The term is said to derive from a famous Monty Python sketch ("Well, we have Spam, tomato & Spam, egg & Spam, Egg, bacon & Spam...") that was current when spam first began arriving on the Internet. SPAM is a trademarked Hormel meat product that was well-known in the U.S. Armed Forces during World War II.
Recent Worm & Virus Attack Maintenance and Clean Up Efforts: