By now, youve probably seen the stories about the outrageous cost of spam to businesses. Most of it came from research firm Nucleus Research.
eWEEKs story also cited research from MessageLabs, a respected mail security service.
The report from Nucleus, here in PDF form, made some electrifying claims, the big one being that spam is costing an average of $1,934 per employee a year of lost productivity. The cost in July 2003 was $874 per employee a year.
My goodness, thats a lot of money. “What will we do?” some might ask. But I ask, “Where did they get that number?”
Fortunately, the report answers the question. It assumes that an employee makes $30 per hour and works 2,080 hours per year, stating that employees in May got 29 spam messages per day. The increase from July 2003 comes from the average number of spam messages increasing from 13 to 29.
I dont know where they get those last two numbers on the increase in messages; maybe theyre accurate, maybe not. Seems like more of a jump than Ive seen, but it could be right.
They also assume 30 seconds per spam message. This is where I have a real problem. It seems like an awful lot of time to me. The average spam message that gets through my filtering takes me a second at most to delete.
Im probably also on the phone while I do this, further complicating the productivity calculation. Lets assume it takes three seconds to dispose of a spam message, quite a long time if you ask me; that cuts the cost per employee from $1,934 to $193.40, nothing to sneeze at but a whole lot less.
I asked Nucleus Research, and officials there said the calculation involved more than just deleting the message: “All of the data in the report is based on in-depth interviews by analysts with e-mail users and administrators, as is in line with Nucleuss independent, data-focused approach,” the company said.
“Thirty seconds may sound like a lot, but that also includes time spent checking false positives, contacting IT and dealing with spam-related issues in general—not just time deleting messages.”
Ill concede that there are costs, such as those deriving from false positives, that are difficult to calculate, but I still think the 30-second number is an obvious, gross exaggeration.
And to the extent that the research relies on asking people how much time they spend doing these things, Im even more skeptical. People do not remember time spent dealing with spam fondly, and Im sure the time passes slowly, no matter how short it is.
Next Page: Are spam filters declining in effectiveness?
Efficient or Not
?”>
The Nucleus report also makes statements about the declining effectiveness of spam filters in the face of an increasing volume of spam. This sounds more plausible.
Indeed, the MessageLabs research indicates that 76 percent of the mail it processed in May was spam, up from 67 percent just a month earlier. Clearly, even very effective spam filters will keep letting spam through unless they are perfect, and we know theyre not perfect.
But the Nucleus report speaks derisively of spam filers: “The impact of filtering technology on the volume of spam has dropped from 26 to 20 percent,” it says.
“Whereas spam filters have become more sophisticated over the past year, sheer growth in messages sent by spammers and corporate hesitation to set aggressive filters are among key factors driving this figure.”
Twenty percent? Where do they get such a number? Ive been involved in many a performance test of spam-filtering systems. Ill admit that there are limitations in benchmarking, but I feel safe saying that even bad filters stop well more than 20 percent.
Once again, I asked Nucleus. Its response: “This indicates not the decreasing effectiveness of filters—we all agree they have gotten better—but the corresponding increase in the number of spam messages received per user and the reluctance of administrators to set overaggressive filtering.”
This is dissatisfying. The report speaks of percentages. How can the filters have gotten better and yet detect a smaller percentage of spam? Maybe its just explained badly, but Im not inclined to give it that much credit.
We see cost numbers like this all the time, and they always look fishy to me. Usually, we see them after some major worm outbreak, and we hear how it cost American business $8 billion.
Think critically about such numbers. Hurricane Floyd ripped up the East Coast a few years ago, destroying property all along the way—including in my town—and the cost of that was estimated at $4.5 billion. How much damage can a worm really do? Put your spam in that perspective.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Check out eWEEK.coms Security Center at http://security.eweek.com for the latest security news, reviews and analysis.
Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page
More from Larry Seltzer