Incident Cost Estimate

For the following cost estimate, an annual salary of $70,000 was assumed. Assuming 52 weeks of 40 hours each (2,080 hours per year), an annual salary of $70,000 converts to $33.65 per hour. The -15% and +15% columns below give a low and a high estimate around the computed cost.

Person     Hours   Cost         -15%         +15%
Steve         28   $942.20      $800.87      $1,083.53
Vandana       17   $572.05      $486.24      $657.86
Sandeep       12   $403.80      $343.23      $464.37
Sachin         7   $235.55      $200.22      $270.88
Total         64   $2,153.60    $1,830.56    $2,476.64

Background Info on Team Members

Steve:   15 years experience in Computer Science research; 2 years in computer security; 24 years experience programming; currently an associate professor (so we know those years of experience aren't "real"!).
Vandana: 18 months experience in computer security; 3 years of programming experience; currently a master's student.
Sandeep: 9 months experience in computer security; 6 years programming experience; currently a master's student.
Sachin:  6 months experience in system administration; 3 months experience in security; 5 years programming experience; currently a master's student.

Comments on Over-Estimates

Our investigation took place in an educational environment, and part of the time was spent more on teaching than on incident response. Therefore the above figures overestimate the actual incident response costs. In a real-world situation, time would not have been spent on teaching, and we estimate that the total time spent would be about 2/3 of that shown above (about 43 hours), which would make the cost estimate $1,435.73.

Furthermore, as part of this challenge we overdid much of the research. For example, writing a full-blown control program is clearly not necessary to understand the functioning of the challenge binary, but we did it anyway. To understand the very basic functioning of the binary and how to detect and remove it would probably have taken only about 10-15 hours, followed by about 5 hours to write the advisories (without the technical details appendix). At $33.65 per hour, those 15-20 hours put the cost estimate in the range of $500-$700.

What We Didn't Include

Since we don't really manage a network, our job was done once the advisories were written. However, if we really managed a large university network (honeyp.edu!), there would be work left to do: scanning systems to see which ones were infected, re-installing systems that had been compromised, and updating firewall/IDS rules to protect against further security breaches (although this last category is specifically excluded from incident costs in the cost guidelines). Depending on the size of the organization and the number of systems compromised, this could take anywhere from a couple of hours to 30 or more hours, none of which is included in the figures above.

Conclusion

In a "simulated" situation like this, it really is very difficult to give a reasonable estimate of costs. A final guess, based on all the comments above, is that the cost would be in the range of $1,000 to $2,000. That's a pretty wide range, but we feel it's an honest estimate of the costs of handling such an incident.