FW: Cost of Worm Attack Protection

I guess the hypothetical would be if you were in charge of security for an AS what would be the cost to put a best-effort worm mitigation system in. The second question being how would you scale that cost with the size of the AS. Maybe it is a case that there is not a best practice to fix a cost to, too much variability in the market and theories of how best to defend, if defend at all. Just figured it would be prudent to ask before we made something up - usually not such a good idea.

What kind of AS?

An AS used by a military organization that has authority over its users
and can through them in the brig for failing to follow commands and
policy?

An AS used by a commercial enterprise that has authority over its users
and can fire them for failing to follow commands and policy?

An AS used by a university enterprise that has authority over its users
and can expell them for failing to follow commands and policy?

An AS used by a service provider that has authority over its users and
can terminate their network access for failing to follow commands and
policy?

An AS used by a public agency that is required by law to permit all
citizens access to information until proven beyond reasonable doubt the
access was misused?