Anti-virus industry running on fear and dodgy statistics

NEWS Anti-virus experts say the metrics surrounding the spread of computer viruses and worms leave a lot to be desired, and have criticised some companies for attempting to capitalise on fear, uncertainty and doubt. Chy Chuawiwat, managing director of mail filtering software company Clearswift's Australian business, said some of the data he's seen companies release just doesn't add up. "Why is no-one questioning them?" he asked. "The industry is running on fear, uncertainty, doubt and unsubstantiated statistics." Recalling one instance where he saw two vendors 'racing' each other on the prevalence statistics of a virus, Chuawiwat says he saw the estimated distribution figures from both vendors incrementing by 50,000 in sequential updates. He says there's no way that data could be backed up. Some sections of the media aren't making things any better, Chuawiwat says. "Sensationalise it, and off we go!" he said. "Some vendor put out a release saying that 80 per cent of spam was porn," he said. His company's data suggests the biggest increase in spam has been related to the promotion of health and lifestyle products. It doesn't make for interesting reading - a big boost in porn spam does - so the statistics are selectively released, he says. That's not to say he claims any sort of statistical high horse - Chuawiwat admits that Clearswift is not collecting enough "hosted filtering" data to give it a statistically robust insight into the threats out there, but says he gets enough to know when people have got it wrong. "If we have data that we don't think is statistically valid, then we don't comment on it," he said. Computer Associates' head of anti-virus research and development, Dr Eugene Dozortsev, says he advocates the responsible publishing of threats, but sometimes that can be quite difficult. "Somehow we have to keep the balance between alerting the users to something that we think is going to be a problem, but on the other hand not to alert people to things that don't go anywhere," he said. "This is insanely hard." "There's no way that someone can have a crystal ball," he added. Dozortsev said that the company must be careful not to cry wolf. "We try to be very responsible in regard to all of our announcements. We try not to over-alert people." One company that releases a lot of data relating to the spread of viruses online is MessageLabs. Dozortsev said: "[MessageLabs] have my deep respect in terms of their commitment and their abilities. They do the right thing by users and the industry. They are a large volume IP provider, and therefore they're positioned quite well to gather statistics... [but] sometimes their statistics may be a bit skewed." Dozortsev and Chuawiwat both say the problem when dealing with statistics gathered from any mail filtering services company is they tend to attract a certain type of customer which is not necessarily a valid 'internet-wide' sample from which data can be mined. Sometimes an 'avalanche' phenomenon means that certain viruses may target certain types of groups more than others, so a virus that may attack the type of user that subscribes to MessageLabs service may not attack the typical corporate user. "In the majority of cases viruses and worms are challenged in certain ways," Dozortsev said. "It is almost always not very easy to say if a virus is going to go ahead or not." Patrick Gray writes for ZDNet Australia