Microsofts Tipping Point

When do Windows security risks become too much to tolerate? Companies aren't sure-because they haven't been quantifying their security costs.

As hackers continue to take shots at Microsoft business software, youd think companies would analyze what it would cost to move other operating systems, such as Unix, Solaris or Linux.

But calculating the expense of such a move costs money as well. Cendant Hotel Group, which runs about 1,850 Windows servers, understands this. The hospitality-industry firm periodically calculates the cost to switch its 3,700 Linux servers to Windows. Last time around, 18 months ago, the expected tab was $3 million.

So Cendant didnt change a thing. "Everything starts with price," says David Chugg, senior director of hotel solutions at Parsippany, N.J.-based Cendant. "Then supportability. Generally we see [Linux servers] are easier to support."

One of the reasons the tab for running Windows is so high: the expected cost of dealing with attacks by hackers on the Windows operating system and related software. Those costs are thought to be more onerous than those for the Linux operating system, Chugg says.

Thats the perception, anyway. Chugg and other technology managers may not really know. Chugg, for example, couldnt say exactly how much of the $3 million would have gone to security tasks such as patch management. And thats the rub. Companies have a tough time pinning down what they spend on security. Executives have security budgets for items like firewalls, network monitoring and authentication, but tasks such as Microsoft patch management and recovery from a worm or virus attack are often lumped in with regular maintenance costs—if they are calculated at all.

Simply put, technology executives cant rely on financial fact to fairly determine whether they should minimize their exposure to Microsoft. The homework hasnt been done to quantify line-item costs of downtime or other effects of hacker attacks such as worms and viruses, says Mark Lobel, a senior manager at PricewaterhouseCoopers.