I don’t have access to the written portion, but that sounds reasonable on Consumer Reports’ part. I’ve seen estimates on the cost of spam, but, as you suggest, those numbers rely on pretty subjective opinions and are not necessarily trusthworthy.

Your point about the cost of maintaining a secure system is a good one. It is certainly expensive in terms of time, effort, and money. Each of us has to do our own calculation of the costs and benefits of these measures, something I’ve written about before.

I have my own doubts about CR’s numbers, but they run in the opposite direction. I wonder if individuals downplayed the costs of virus infection. For example, a 1 in 5 chance of losing $100 to a virus problem means people shouldn’t spend more than $20 worth of money, time, and effort combating viruses. If that’s true, those who spend $40 (the current price of Norton Anti-virus) on anti-virus software are making a big mistake, since they’re spending double the expected cost of virus infection before they even install the software.

There is another explanation, however. When asked in a survey, perhaps individuals underreported the incidence or cost of virus troubles. But when they had to put their money where their mouth is, they declared that virus problems are at least as costly as $40. Add in the cost of the time and effort required for installation and maintenance, and we have a clue that individuals think viruses are considerably costlier than $40.

For instance, they say that in terms of cost-per-incident, that spam doesn’t have a cost (that cost-per-incident is non-applicable). I would disagree. There is a cost, an opportunity cost, in dealing with spam: lost wages and lost recreation time. This cost quickly aggregates as you take into account the volume of spam most people deal with.

Taking this a step further, for all 4 of the groups mentioned, preventative costs should be a fairly substantial chunk of their overall cost. Economically rational agents should be willing to pay up to the marginal benefits of avoiding harm to avoid the cost of harm. I mean, consider the aggregate amount spent developing spam filters, anti-virus programs, etc, then the time installing those programs, keeping them up-to-date, etc.

I also wonder about whether people report the truth in these numbers. Companies might underplay the costs of dealing with malware, whereas angry individuals might embellish the cost.