Professional Documents
Culture Documents
Research
Received 19 March 1998; received in revised form 28 January 1999; accepted 9 June 1999
Abstract
This study evaluates current management and security practices with respect to computer virus infestations in business
computer systems. Given the rise in macro viruses within recent years many business ®rms have adopted either a restrictive or
proactive management approach to the problem. It is unclear whether there is a signi®cant difference between the approaches
in terms of user satisfaction and future virus outbreaks. The lack of consistent computer backup procedures tends to exacerbate
a virus outbreak. The cost structure used to address virus management tends to escalate depending on the severity of a virus
episode. # 2000 Elsevier Science B.V. All rights reserved.
0378-7206/00/$ ± see front matter # 2000 Elsevier Science B.V. All rights reserved.
PII: S 0 3 7 8 - 7 2 0 6 ( 9 9 ) 0 0 0 2 8 - 2
14 G. Post, A. Kagan / Information & Management 37 (2000) 13±24
the impact of virus threats among the top four areas of of security and virus protection need to be addressed.
business computer crime hazards. Parker [22] and Wood [26] have brought these con-
Increased computer security problems come from cerns to the attention of business and speculate that
many sources: the expanded use of IS, the Internet, strategically security and viral threats are an impedi-
e-mail applications, and the adoption of Microsoft ment to future electronic commerce.
products. An additional factor is the reluctance of
business ®rms to either acknowledge or admit that
they were electronically victimized. As the demand 2. Survey
and implementation of virus protection software
continues to escalate, so does the cost. The National A survey instrument was designed to learn how
Computer Security Association (NCSA) estimates organizations are responding to the threat of computer
that a typical virus attack costs almost $8400 to viruses. From security theory, several techniques can
correct. A large ®nancial institution reported that a be used to minimize the effects of a virus. The three
virus attack in 1997 cost the ®rm $2.3 million in basic sets of tools are (1) management policies, (2)
lost transactions over a 3-day period. anti-virus software, and (3) backup procedures [7]. An
Traditional virus protection products have been interesting set of questions is how organizations com-
unable to stem the increase in virus attacks on business bine these three tools to minimize virus threat, and the
computer systems. The leading anti virus software differences in the effectiveness of particular proce-
companies have continued to upgrade and modify dures. The effectiveness of these tools also has to be
their products to stay abreast of virus development. measured against their costs, and the potential
New forms of anti-virus software are being produced damages from a virus episode. A copy of the instru-
in an attempt to curb the problem [5,7,9]. This new ment is included in the Appendix A.
generation of protection software includes heuristic- It was necessary to create a new survey instrument
type products, which check incoming documents to identify these trade-offs. This instrument was devel-
(mail, attachments, etc) for unusual properties that oped based on existing research and computer security
suggest a virus. Once detected these products will not theory. The survey was pretested with numerous sys-
allow the suspicious item into the computer system tems professionals who specialized in security issues,
and will subsequently destroy the virus if it is a known and the wording and items were modi®ed to re¯ect
variant. However, these tools still have a relatively high their suggestions.
Type II error. It is argued that these systems destroy To collect a broad-based set of responses, two
documents that do not contain a virus just to be safe. populations were de®ned: (1) security specialists
Magruder [17] discussed the threat to business within the information systems profession, and (2)
information systems of high-level computer viruses. managers who have experience with anti-virus soft-
He argues that the development of this type of virus is ware. Potential respondents were identi®ed through
going to increase, because the nature of the language computer/system user groups and their colleagues.
structure will allow more virus developers to be active Sampled respondents were contacted by phone or e-
and that they will produce viruses that are more mail. The survey was administered through an Internet
destructive. Web site that collected the data, with monitoring to
Solomon [25] summarized the major types of anti- prevent duplicate sets of responses, otherwise com-
virus products that will enter the market. His classi- plete anonymity was maintained. This particular admin-
®cation included scanner-types, integrity detectors, istration was also designed to reduce bias by ®ltering
and behavior blockers; they evolved recently due to responses from the same address. Other investigators
increased pressure from a new generation of viruses have used similar electronically administered sam-
that have multilevel encryption mechanisms and do pling processes to collect survey data [3,14,21].
not display any readily detectable machine language Given the increasing nature of viral threats to
instruction set [20]. business and the rapid development of new virus
As the use of the Web for various types of electronic strains [8,10,19,24] this method of data collection
commerce continues at an exponential pace, the issues was designed to provide a rapid response.
G. Post, A. Kagan / Information & Management 37 (2000) 13±24 15
2.3. Methodology
2.1. Respondents
A basic objective of this study was to evaluate the
The average characteristics of the respondents are trade-offs between management policies, anti-virus
presented in Table 1. There was a substantial variance tools, and backup procedures. Many of the basic
in ®rm size. In total, there were 118 usable responses, questions surrounding these variables and their rela-
with 51 in the ®rst group of security professionals, and tionships are shown in Fig. 1. Some of the important
67 management professionals. There were no signi®- questions are: Do management policies and anti-virus
cant differences between the ®rms represented by the software in¯uence the number and severity of virus
two groups. The reported security expenditures attacks? Does the number of attacks affect willingness
increased slightly on average over time from 1995 to buy anti-virus software. Do companies change their
to 1997 (Table 1). backup policies in response to the number of attacks?
and, Do perspectives on virus damages and anti-virus
2.2. Internal reliability costs affect management policy?
Table 2
Reliability estimates (Cronbach's alpha)
Table 3
Survey instrument items organized by the primary factors
software, and the operational costs of using it (such as reported the use of user training programs. Managers,
slower processing). Items C1 through C5 fall into the however were less likely to provide training, presum-
direct expense category, while C6 and C7 identify the ably because they were not aware of speci®c training
operations cost. programs. In both groups, the most prevalent manage-
ment policy was a virus awareness program. The least
3.1. Summary results prevalent was penalizing users for violating policies.
Responses in the Damage category were similar.
Tables 4, 5 and 6 list the mean responses for the Loss of data and loss of productivity were considered
Management Policy, Virus Damage, and Anti-virus the most important issues. The groups split slightly
Cost categories, respectively. For the most part, the (not statistically signi®cant) on the cost of MIS work-
two respondent groups had similar responses to indi- ers' time.
vidual items: however, a few were statistically differ- In terms of anti-virus costs, security professionals
ent, as signi®ed by the asterisks. In particular, IS/ disagreed with managers, by rating three items lower:
security professionals were more likely to impose slower processing, interference with applications, and
limits on downloading material from the Internet, damage to data. That is, security professionals
whereas general managers thought this issue was less believed these three items to be less likely to occur.
important. Similarly, more security professionals On the other hand, the important costs were the price
Table 4
Management policy averages
Restrictive
1. Shareware limits 0.534 0.608 0.478
2. Internet limits 0.415 0.529a 0.328
3. Game limits 0.534 0.588 0.493
4. Monitor User PCs 0.390 0.373 0.403
7. Anti-virus cleanup team 0.424 0.392 0.448
8. Penalties for violations 0.288 0.333 0.254
Proactive
5. Virus awareness 0.686 0.745 0.642
6. User training 0.305 0.412a 0.224
9. Incident reporting 0.424 0.490 0.373
10. Scan received disks 0.517 0.510 0.522
11. Scan sent disks 0.449 0.353 0.522
12. Other 0.297 0.196a 0.373
a
Significant category difference between security and general managers at 5%.
Table 5
Damage importance evaluation
Table 6
Cost importance means
Expenses
1. Software cost 3.97 4.06 3.91
2. Slower processing 3.52 2.96a 3.94
3. Application interference 3.16 2.57a 3.61
4. Installation problems 3.42 3.49 3.37
5. Hardware costs 3.69 4.18 3.31
Operational costs
6. Application damage 2.64 2.08b 3.07
7. AV Software misses viruses 3.24 2.98 3.43
a
5% level of significance.
b
Significant at 1%.
Fig. 2. Estimated latent variable relationships. One asterisk shows significance at 5%, two indicate a 1% level.
are seldom imposed. The industries least likely to use and restrictive management policies. Policies are
proactive policies are Architecture, Accounting, Med- probably being imposed as a result of industry practice
ical, Education, and Banking. Presumably, the and management education. This result is actually
Accounting and Banking industries rely more on positive, since it implies forethought and planning.
restrictive controls and scanning. Whether a ®rm (organization) is privately or pub-
The coef®cients on anti-virus satisfaction and virus licly operated appears to in¯uence the anti-virus
damage are also worth noting, since both are signi®- management choices. This variable has a signi®cantly
cantly positive. The satisfaction relationship implies negative value (coef®cient). Firms were assigned
that respondents who are more satis®ed with their anti- values as follows: 1 Private, 2 Public, 3 Not
virus software will also be more likely to impose for pro®t. Only 16 responses were from not-for-pro®t
restrictive management policies. The same effect organizations. The negative coef®cient implies that
exists with those who place higher ratings on virus privately managed ®rms are more likely to impose
damage. proactive policies to stop viruses. This appears to be
consistent with the nature of sensitivity associated
3.5. Management proactive policies with information within the private sector.
For the most part the coef®cients associated with 3.6. Anti-virus expense
management proactive policies are not signi®cant.
Managers who place a greater emphasis on virus Within the anti-virus expense category, two factors
damage are more inclined to impose both proactive are statistically signi®cant. First, the signs of the
20 G. Post, A. Kagan / Information & Management 37 (2000) 13±24
Table 7
Items that affect primary factors
policy variables (see Table 7) show that the restrictive rely on proactive management policies are more likely
coef®cient is slightly negative, while the proactive one to also use anti-virus tools as part of that approach. On
is signi®cantly positive. That is, ®rms that place a the other hand, managers appear to be using restrictive
greater importance on restrictive policies do so in the policies in an attempt to reduce the costs of anti-virus
hopes of reducing the expenses of the anti-virus soft- software Table 8.
ware. Firms that take a more proactive management A strong relationship exists between anti-virus
approach end up spending more money. Firms that expenses and virus attacks. Increases in virus attacks
Table 8
Differences across industries for restrictive and proactive management policies
result in a lower evaluation of the expenses of anti- possible that some tools are better than others, and
virus tools. The interpretation is straightforward. some may have more signi®cant impacts. These rela-
When a company repeatedly experiences the costs tionships need further investigation. However, none of
of a virus attack, the expenses of its tools seem small. the management policies appear to be effective. Given
the increasing attacks from viruses and the increasing
3.7. Backup connectivity of computers on the Internet, backup
policies become an even more vital tool. Although
From a management perspective, perhaps the most frequent backups will not stop a virus, they can
unnerving result is that the number and severity of minimize the damage.
virus attacks does not affect the choice of backup
policies. Backup policies were coded so that more
frequent backups (e.g., RAID) were given higher
values. Appendix A. A Survey on management issues in
Surprisingly, there is a strong relationship from computer security/anti-virus software usage
anti-virus tool satisfaction to the frequency of back-
ups. More satis®ed managers use more frequent back- Voluntary participation statement and contact num-
ups. Possibly managers who are concerned about bers.
viruses and security are more satis®ed with their 1. What role do you play in the purchase process for
anti-virus software and are likely to recognize the Computer Security related products and services?
importance of frequent backups. In essence the orga- (Check all that apply)
nization must pursue an aggressive strategy of anti-
& Determine needs
virus tactics that will be based upon economic con-
& Technical evaluations/specifications
siderations, level of security implementation, degree
& Implement/install
of exposure and managerial awareness and profession-
& Specify/select products/services
alism [13].
& Specify/select brands/vendors
& Final authorization/approval for purchase
& None of these
4. Conclusions
2. In which ways are you personally involved in
Apparently there are two distinct types of manage- computer security at your organization? (Check all
ment policies in place to prevent virus outbreaks. that apply)
At this point, neither can be shown to be most effec-
& Specify, recommend, or purchase products and
tive. Instead, an organization's policies seem to be
services used in computer security
determined by the type of organization and the atti-
& Strategic planning of computer security pro-
tudes of management. Those who feel strongly
jects
threatened by the potential damages tend to choose
& Manage the computer security staff and activ-
restrictive policies; others choose more proactive
ities
educational and virus-scanning policies. As a group,
& None of the above
security professionals are less likely to impose restric-
tive controls. 3. What percent (%) of your organization's total
Security professionals and managers who are more spending on computer security related services, equip-
concerned about damages tend to have greater satis- ment and support comes from a centralized IS budget
faction with their anti-virus software. They also versus a business unit budget?
emphasize increased frequency of backups Ð parti-
% Centralized IS budget ______
cularly the use of RAID drives for network servers.
% Business Unit budget ______
The results of this study raise additional questions.
Particularly disturbing is the lack of impact of the 4. How much money did your organization spend on
various methods on the severity of virus attacks. It is computer security related services, equipment and
22 G. Post, A. Kagan / Information & Management 37 (2000) 13±24
support in 1995 and 1996, and what is the estimate for & All incidents are reported to MIS
1997? Check ONE for each year. & Scan all disks when they are received
& Scan all disks before they are sent to someone
1995 1996 1997 else
& Other, please specify: ______
$2.5 million
$1 million ± 2.5 8. In acquiring new computer security products/ser-
$500,000 ± 999,999 vices my firm faces the following issues: (Check all
$250,000 ± 499,999 that apply)
$125,000 ± 249,000 & Financial constraints impede purchasing addi-
$50,000 ± 124,999 tional computer security products/services
Less than $50,000 & Insufficient knowledge concerning computers/
software
5. Who is responsible for developing computer & Trained personnel are not available
security strategy within your organization and mana- & Products/Services for our business is not avail-
ging implementation? (Check all that apply) able/does not meet our needs
& Lack of commitment and foresight from senior
management
Develop Manage & Comfortable with current computer security
strategy implementation software and services
IS/Networking & Other, please specify: ______
Corporate Management 9. Costs/damage from virus. Rate importance of
Consultant/Systems each item (10 serious problem, 0 not an issue).
Integrator
Other (please specify) ___ Loss of data
___ Loss of productivity
___ Cost of MIS workers (time)
___ Cost of non-MIS workers (time)
A.1. Company background
___ Loss of operating system stability
___ Unreliable applications
6. If your company has many of®ces, answer ques-
___ Vendor Shareware Credibility (ex. Is share-
tions based on your location only.
ware virus free or not)
Number of employees ______
10. Issues involved with anti-virus software. Rank
Number of MIS employees ______
in order of importance (1 most important, 7
Number of employees in computer security ______
least). Leave blank if an item is not an issue.
Type of Company (& private, & public, & not-
for-profit) ___ Software cost
___ Slower computer processing
7. What management policies are in place to control
___ Interference with applications
viruses? (Check all that apply)
___ Installation and upgrade problems
& Limits on shareware software ___ Cost of additional hardware (disk space, etc.)
& Limits on Internet downloads ___ Damage to data or applications
& Limits on games ___ Anti-virus software misses viruses
& Monitor user PCs across a LAN
& Virus awareness programs
& User training programs (for virus) A.2. Virus questions
& MIS anti-virus cleanup team
& Penalties for violating PC policies 11. Use of anti-virus software
G. Post, A. Kagan / Information & Management 37 (2000) 13±24 23
References [19] G. Moody, Build your own immunity to viruses over the Net,
Computer Weekly, 4 September 1997.
[20] C. Nachenberg, Computer virus±antivirus coevolution, Com-
[1] J. Arbuckle, Amos User's Guide Version 3.6, 1997, Chicago,
munications of the ACM 40(1) (1997), pp. 46±51.
SmallWaters.
[21] M. Opperman, E-Mail surveys potentials and pitfalls,
[2] J. Backhouse, G. Dhillon, Managing computer crime: A
Marketing Research 7(3) (1995), pp. 29±33.
research outlook, Computers & Security 14 (1995), pp. 645±
[22] D.B. Parker, The strategic values of information security in
651.
business, Computers & Security 16 (1997), pp. 572±582.
[3] J. Chisholm, Surveys by e-mail and Internet, UNIX Review
[23] J.P. Peter, Reliability: A review of psychometric basics and
13 (1995), pp. 11±16.
recent marketing practices, Journal of Marketing Research 16
[4] F. Cohen, Information system defences: A preliminary
(1979), pp. 6±17.
classification scheme, Computers & Security 16 (1997), pp.
[24] J. Sandberg, Hackers prey on AOL users with array of dirty
94±114.
tricks, Wall Street Journal, 5 January 1998.
[5] B. Cole-Gomolski, Several products seek virus before users
[25] A. Solomon, The virus authors strike back, Computers &
open their mail, ComputerWorld, 24, November 1997.
Security 11 (1992), pp. 602±606.
[6] L.J. Cronbach, Coefficient alpha and the internal structure of
[26] C.C. Wood, A management view of Internet electronic
tests, Psychometrica 16 (1951), pp. 297±334.
commerce security, Computers & Security 16 (1997), pp.
[7] J. David, The new face of the virus threat, Computers &
316±320.
Security 15 (1996), pp. 13±16.
[27] B.P. Zajac, Computer viral risksÐ How bad is the threat?,
[8] L. DiDio, Networks need defense against hacker attacks,
Computers & Security 11 (1992), pp. 29±34.
Computerworld, 24 November 1997.
[9] L. DiDio, IBM Devises Technology to disinfect computer
bugs, Computerworld, December 15, 1997.
[10] E. Glanton, Trick or treat Ð Your files are deleted!
Halloween hoax raises eyebrows, The Associated Press, 30
October, 1997.
[11] H.J. Highland, A history of computer viruses Ð Introduction,
Computers & Security 16 (1997), pp. 412±415.
[12] G. Kovacich, Electronic Internet business and security,
Computers & Security 17 (1998), pp. 129±135.
[13] O. Lau, The ten commandments of security, Computers &
Security 17 (1998), pp. 119±123. Gerald Post
[14] A.L. Lederer, D.A. Mirchandani, K. Sims, The link between
information strategy and electronic commerce, Journal of
Organizational Computing and Electronic Commerce 7
(1997), pp. 17±34.
[15] J.C. Loehlin, Latent Variable Models, 1992, Erlbaum, Hills-
dale, NJ.
[16] S. Machlis, Self-mutilating viruses create strain, Computer-
world, 9 September 1997.
[17] S. Magruder, High-level language computer virusesÐ A new
threat?, Computers & Security 13 (1994), pp. 263±269.
[18] G. Meckbach, Viruses Growing out of Control, Computing
Canada, July 1997. Albert Kagan