but specifically noted the difficulty of determining exactly how much companies, governments and individuals could lose if subject to an attack. “It’s very difficult to put a dollar figure on it,” Mr Fey said.
So... why put a dollar figure on it? If the number is 4 trillion or 90 billion, what would be the difference in strategies that consumers and organizations should pursue in each case? Fey's language is so obviously just more marketdroid conjuration babble -- "Look! Look over here at my right hand! Nothing in it at all!"
The fact is, Mr. Fey, that the danger of security flaws isn't in the direct dollar amount of damage done by any single incursion, nor in the aggregate sum total of attacks to date. The danger of unsecured machines/networks is cost-neutral, because an unsecured machine/network necessarily implies an infinite relative cost to you -- that is, it is the state of being unsecured which is untenable, not the potential monetary loss. If your neighbor one night digs a trench through your yard and buries an extension cord spliced into your house's electrical power, does it really matter to you whether he is only plugging in his mp3 player to charge it once a week, versus running all his refrigerators and washing machines?
You cannot really put any dollar amount on someone else controlling part or all of your machine/network, because Access is not an object, it is a potentiality. A security hole is a hole is a hole. Patch it up regardless. Suppose that on September 10, 2001, some insurance actuary named Smith had calculated the "loss" experienced in an airplane hijacking by determining the depreciated cost of the plane itself, any cargo it carried, the cost of compensatory marketing to restore consumer confidence, the earning potential of the passengers, etc. The next day, a bunch of black hat social engineering crackers capitalized on a long-unpatched security hole - Access to the cockpit - to pull off an exploit which had an eventual cost exceeding our actuary's previous estimate by several factors of ten. (And that cost will continue to reverberate/multiply for decades to come.)
The focus on dollar value is simply Mr. Fey's way of opening the haggling process over how much his company wants to charge you. He knows that whatever number "industry experts" give will be quoted and repeated by our infotainment media and by other businesses/consultants wanting to stake their own claim in the network security gold rush. Once the notion enters public consciousness, well, what's a $25,000/year enterprise license for software and security services to an individual company when faced with the "common sense" understanding that we're talking about great googly moogly-illions of dollars in Crime? So now he's simply been caught overestimating the number, which is expected in ANY good haggle. Now he's here to tell us, "Okay, okay, because you're such a good friend, I'm going to roll it down to $300 billion -- special just for you!"
Don't constantly test and patch flaws because of some dollar amount reported by some "expert study" you read about. Constantly test and patch flaws because a good administrator takes care of business. The number is FUD, but your job is the same either way.