How Much Is Spam Costing Your Company?

Two research firms' recent reports say spam is costing your company mucho bucks. Security Center Editor Larry Seltzer sees whether the numbers add up.

By now, youve probably seen the stories about the outrageous cost of spam to businesses. Most of it came from research firm Nucleus Research.

eWEEKs story also cited research from MessageLabs, a respected mail security service.

The report from Nucleus, here in PDF form, made some electrifying claims, the big one being that spam is costing an average of $1,934 per employee a year of lost productivity. The cost in July 2003 was $874 per employee a year.

My goodness, thats a lot of money. "What will we do?" some might ask. But I ask, "Where did they get that number?"

Fortunately, the report answers the question. It assumes that an employee makes $30 per hour and works 2,080 hours per year, stating that employees in May got 29 spam messages per day. The increase from July 2003 comes from the average number of spam messages increasing from 13 to 29.

I dont know where they get those last two numbers on the increase in messages; maybe theyre accurate, maybe not. Seems like more of a jump than Ive seen, but it could be right.

They also assume 30 seconds per spam message. This is where I have a real problem. It seems like an awful lot of time to me. The average spam message that gets through my filtering takes me a second at most to delete.

Im probably also on the phone while I do this, further complicating the productivity calculation. Lets assume it takes three seconds to dispose of a spam message, quite a long time if you ask me; that cuts the cost per employee from $1,934 to $193.40, nothing to sneeze at but a whole lot less.

I asked Nucleus Research, and officials there said the calculation involved more than just deleting the message: "All of the data in the report is based on in-depth interviews by analysts with e-mail users and administrators, as is in line with Nucleuss independent, data-focused approach," the company said.

"Thirty seconds may sound like a lot, but that also includes time spent checking false positives, contacting IT and dealing with spam-related issues in general—not just time deleting messages."

Ill concede that there are costs, such as those deriving from false positives, that are difficult to calculate, but I still think the 30-second number is an obvious, gross exaggeration.

And to the extent that the research relies on asking people how much time they spend doing these things, Im even more skeptical. People do not remember time spent dealing with spam fondly, and Im sure the time passes slowly, no matter how short it is.

Next Page: Are spam filters declining in effectiveness?