October 17th, 2006 by Chandler Howell

Cnet has an article on the topic of “The future of Malware” and basically, it’s all about the 0days.

Widespread worms, viruses or Trojan horses spammed to millions of mailboxes are typically not a grave concern anymore, security experts said at the Virus Bulletin conference here Thursday. Instead, especially for organizations, targeted Trojan horses have become the nightmare scenario, they said.

I lose sleep over a lot of things, but this is not one of them. Fortunately (for me, at least), the article puts it in perspective:

Targeted attacks are, at most, a blip on the radar in the big scheme of security problems, researchers said. MessageLabs pulls about 3 million pieces of malicious software out of e-mail messages every day. Only seven of those can be classified as a targeted Trojan attack, said Alex Shipp, a senior antivirus technologist at the e-mail security company.

Seven emails out of 3 million pieces of malware blocked per day across the entire MessageLabs customer base (more than 13,000 businesses around the world, with 5 million users, according to their Web site). That’d need to be a damn high impact (like infecting the CEO’s PC and actually stealing something valuable) to be an unacceptable risk, and the likelihood (assuming randomness, which may be a bad bet) is lower than the odds that he’ll lose his hard drive on any given day.

Even so, the odds that your CEO will even be targeted are still pretty damn low–basically 1 in 2000. I don’t know about you, but I’ve got a lot more to worry about than a one-in-five-year chance that my CEO is going to receive targeted malware.





Doug Says:

Are the odds that a CEO will be targeted really as low as the odds of losing a hard drive? I think that’s only true when the targeting is as random as the spam e-mail which carries it. In a targeted attack, only a few e-mails are sent. Isn’t the likelihood of receiving one of those targeted e-mails a function of the target’s access to the information and the risk/reward confronting the attacker?

- October 23rd, 2006 at 10:46 am |

Like I said, assuming randomness may be a bad bet. Nevertheless, even if we assume that those seven emails are all targeted toward CEOs, then you’re still looking at a once-in-five-years likelihood that it would be your CEO that was targeted.

Obviously, you could potentially adjust likelihood up or down based on business sector, annual revenues, etc. But even when all is said and done, it’s still a minimal risk. Certainly far less than the article would have you believe.

- October 23rd, 2006 at 2:06 pm |
