
Information & Management 37 (2000) 13–24

Research

Management tradeoffs in anti-virus strategies


Gerald Post (a), Albert Kagan (b,*)
(a) ESB, University of the Pacific, 3601 Pacific Ave., Stockton, CA 95211, USA
(b) MSABR, Box 870180, Arizona State University, Tempe, AZ 85287-0180, USA

Received 19 March 1998; received in revised form 28 January 1999; accepted 9 June 1999

Abstract

This study evaluates current management and security practices with respect to computer virus infestations in business
computer systems. Given the rise in macro viruses within recent years many business firms have adopted either a restrictive or
proactive management approach to the problem. It is unclear whether there is a significant difference between the approaches
in terms of user satisfaction and future virus outbreaks. The lack of consistent computer backup procedures tends to exacerbate
a virus outbreak. The cost structure used to address virus management tends to escalate depending on the severity of a virus
episode. © 2000 Elsevier Science B.V. All rights reserved.

Keywords: Virus; Anti-virus software; Management policy effectiveness; Computer security

* Corresponding author. E-mail addresses: jerrypost@mindspring.com (G. Post), aaajk@asu.edu (A. Kagan)

0378-7206/00/$ – see front matter © 2000 Elsevier Science B.V. All rights reserved.
PII: S0378-7206(99)00028-2

1. Introduction

The expanding use of personal computers coupled with increased interconnectivity (the Internet) has led to increased problems with computer viruses. The spread of viruses has increased dramatically with the heightened availability of macro languages. Virus threats have also increased rapidly with the enhanced use of e-mail attachments and Web-site files that are easily passed around the Internet.

Highland [11] discussed many of the myths about virus attacks as well as the work of Fred Cohen [4] and his efforts to protect computer systems from external threats. Cohen developed a useful virus classification scheme to aid in the creation of information system defenses [27] against virus attacks.

With the commonplace adoption of the X.400 mail protocol within the TCP/IP convention, business firms have made e-mail a routine application. This development has increased the risk of virus threats to alarming proportions in today's computer systems. Over 1300 new macro viruses were detected in 1997, compared with about 40 in 1996 [16]. Much of the increase is attributed to the targeting of Microsoft products. Business managers fear security threats from viruses as a major security issue today [12,18].

Estimates of computer crime losses to U.S. business in 1996 were over $100 million. Backhouse and Dhillon [2] estimated that computer crime losses in the UK exceeded $30 million in the late 1980s. Seventy percent of US business firms that were recently surveyed fear attacks will be promulgated on their systems. Losses to virus attacks were further determined to be in excess of $12 million. Furthermore, the Computer Security Institute ranked
the impact of virus threats among the top four areas of business computer crime hazards.

Increased computer security problems come from many sources: the expanded use of IS, the Internet, e-mail applications, and the adoption of Microsoft products. An additional factor is the reluctance of business firms to either acknowledge or admit that they were electronically victimized. As the demand and implementation of virus protection software continues to escalate, so does the cost. The National Computer Security Association (NCSA) estimates that a typical virus attack costs almost $8400 to correct. A large financial institution reported that a virus attack in 1997 cost the firm $2.3 million in lost transactions over a 3-day period.

Traditional virus protection products have been unable to stem the increase in virus attacks on business computer systems. The leading anti-virus software companies have continued to upgrade and modify their products to stay abreast of virus development. New forms of anti-virus software are being produced in an attempt to curb the problem [5,7,9]. This new generation of protection software includes heuristic-type products, which check incoming documents (mail, attachments, etc.) for unusual properties that suggest a virus. Once detected, these products will not allow the suspicious item into the computer system and will subsequently destroy the virus if it is a known variant. However, these tools still have a relatively high Type II error. It is argued that these systems destroy documents that do not contain a virus just to be safe.

Magruder [17] discussed the threat to business information systems of high-level computer viruses. He argues that the development of this type of virus is going to increase, because the nature of the language structure will allow more virus developers to be active and that they will produce viruses that are more destructive.

Solomon [25] summarized the major types of anti-virus products that will enter the market. His classification included scanner-types, integrity detectors, and behavior blockers; they evolved recently due to increased pressure from a new generation of viruses that have multilevel encryption mechanisms and do not display any readily detectable machine language instruction set [20].

As the use of the Web for various types of electronic commerce continues at an exponential pace, the issues of security and virus protection need to be addressed. Parker [22] and Wood [26] have brought these concerns to the attention of business and speculate that strategically security and viral threats are an impediment to future electronic commerce.

2. Survey

A survey instrument was designed to learn how organizations are responding to the threat of computer viruses. From security theory, several techniques can be used to minimize the effects of a virus. The three basic sets of tools are (1) management policies, (2) anti-virus software, and (3) backup procedures [7]. An interesting set of questions is how organizations combine these three tools to minimize virus threat, and the differences in the effectiveness of particular procedures. The effectiveness of these tools also has to be measured against their costs, and the potential damages from a virus episode. A copy of the instrument is included in Appendix A.

It was necessary to create a new survey instrument to identify these trade-offs. This instrument was developed based on existing research and computer security theory. The survey was pretested with numerous systems professionals who specialized in security issues, and the wording and items were modified to reflect their suggestions.

To collect a broad-based set of responses, two populations were defined: (1) security specialists within the information systems profession, and (2) managers who have experience with anti-virus software. Potential respondents were identified through computer/system user groups and their colleagues. Sampled respondents were contacted by phone or e-mail. The survey was administered through an Internet Web site that collected the data, with monitoring to prevent duplicate sets of responses; otherwise complete anonymity was maintained. This particular administration was also designed to reduce bias by filtering responses from the same address. Other investigators have used similar electronically administered sampling processes to collect survey data [3,14,21].

Given the increasing nature of viral threats to business and the rapid development of new virus strains [8,10,19,24] this method of data collection was designed to provide a rapid response.

Table 1
Characteristics of average respondent in number, percent or dollars as indicated

Category                  Mean value
Employees                 1057
MIS employees             61
Security employees        4.9
Public                    62%
Server computers          21.9
Company computers         403
Workstations              150
Home computers            1.7
Security expenses 1995    $69,750
Security expenses 1996    $79,125
Security expenses 1997    $93,500

2.1. Respondents

The average characteristics of the respondents are presented in Table 1. There was a substantial variance in firm size. In total, there were 118 usable responses, with 51 in the first group of security professionals, and 67 management professionals. There were no significant differences between the firms represented by the two groups. The reported security expenditures increased slightly on average over time from 1995 to 1997 (Table 1).

2.2. Internal reliability

As explained in detail by Peter [23], Cronbach's alpha [6] is generally considered to provide a reasonable estimate of internal consistency within a survey instrument. Four subjective categories were included in the survey instrument, and the corresponding reliability estimates are presented in Table 2. The reliability values are higher for security or IS respondents than for the management group. With a common background that is indicative of the participant segments, their responses are understandably more consistent. There is some disagreement over the satisfaction ratings of the tools. Some of this variation is due to differing capabilities, some is due to differences in individual needs. Overall, the reliability ratings by the security professionals are very strong. The second group (general management) is not as consistent; this elevated variability is due to respondent background within the sample segment (as opposed to the survey instrument). This group comprises IS management personnel with a higher level of familiarity with the technical issues pertaining to virus issues.

Table 2
Reliability estimates (Cronbach's alpha)

Survey/model category   Security/IS respondent   General respondent
Management policy       0.816                    0.741
Damage                  0.849                    0.544
Costs                   0.722                    0.141
Satisfaction            0.653                    0.374

2.3. Methodology

A basic objective of this study was to evaluate the trade-offs between management policies, anti-virus tools, and backup procedures. Many of the basic questions surrounding these variables and their relationships are shown in Fig. 1. Some of the important questions are: Do management policies and anti-virus software influence the number and severity of virus attacks? Does the number of attacks affect willingness to buy anti-virus software? Do companies change their backup policies in response to the number of attacks? And, do perspectives on virus damages and anti-virus costs affect management policy?

Fig. 1. Factors that form the model questions and primary relationships.

The measurement items for the primary variables are shown in Table 3, which presents details from the survey instrument. Note that these variables are all latent, because the underlying variables are not directly observable, but result from subsequent analysis. For example, it is not possible to actually measure the level of management policies. Instead, the collection of items (the numbered lists) is a manifestation of the underlying variable. Through structural equation analysis, the effects and interactions of the underlying variables can be measured from these observed effects. Loehlin [15] and Arbuckle [1] provide details of this methodology. Several additional questions were also addressed: firm size, and industry could play a role, particularly in the more subjective variables.

Table 3
Survey instrument items organized by the primary factors

Management policies
M1   Limits on shareware software.
M2   Limits on Internet downloads.
M3   Limits on games.
M4   Monitor user PCs across a LAN.
M5   Virus awareness programs.
M6   User training programs (for virus).
M7   MIS anti-virus cleanup team.
M8   Penalties for violating PC policies.
M9   All incidents are reported to MIS.
M10  Scan all disks as they are received.
M11  Scan all disks before they are sent to someone else.
M12  Other.

Virus damages
D1   Loss of data.
D2   Loss of productivity.
D3   Cost of MIS workers (time).
D4   Cost of non-MIS workers (time).
D5   Loss of operating system stability.
D6   Unreliable applications.
D7   Vendor credibility.

Number of virus attacks
V1   Number of network viruses.
V2   Number of company viruses.
V3   Number of workstation viruses.
V4   Percent of network affected.
V5   Percent of company affected.
V6   Percent of workstations affected.

Anti-virus cost
C1   Software cost.
C2   Slower computer processing.
C3   Interference with applications.
C4   Installation and upgrade problems.
C5   Cost of additional hardware (disk space, etc.)
C6   Damage to data or applications.
C7   Anti-virus software misses viruses.

Backup policies
One item from the following:
     RAID or mirrored systems.
     Hourly backup.
     Daily backup.
     Weekly backup.
     Monthly backup.
     No formal policy.

Anti-virus satisfaction
S1   Satisfaction with network software.
S2   Satisfaction with company software.
S3   Satisfaction with workstation software.

3. Results

One of the first issues that arose in analyzing the results was that the Management Policies list actually consisted of two variables. The respondents considered the list of items consisting of two separate collections with different effects. Hence, two factors are defined in the model: Restrictive and Proactive Management Policies. The restrictive policies consist of items designed to limit user activities: items M1, M2, M3, M4, M7 and M8. The proactive items targeted teaching and encouraging users to minimize the effects of viruses: M5, M6, M9, M10, M11, and M12.

Similarly, the costs of the anti-virus approach were seen as two separate items: the direct expense of the
software, and the operational costs of using it (such as slower processing). Items C1 through C5 fall into the direct expense category, while C6 and C7 identify the operations cost.

3.1. Summary results

Tables 4, 5 and 6 list the mean responses for the Management Policy, Virus Damage, and Anti-virus Cost categories, respectively. For the most part, the two respondent groups had similar responses to individual items; however, a few were statistically different, as signified by the asterisks. In particular, IS/security professionals were more likely to impose limits on downloading material from the Internet, whereas general managers thought this issue was less important. Similarly, more security professionals reported the use of user training programs. Managers, however, were less likely to provide training, presumably because they were not aware of specific training programs. In both groups, the most prevalent management policy was a virus awareness program. The least prevalent was penalizing users for violating policies.

Responses in the Damage category were similar. Loss of data and loss of productivity were considered the most important issues. The groups split slightly (not statistically significant) on the cost of MIS workers' time.

In terms of anti-virus costs, security professionals disagreed with managers, by rating three items lower: slower processing, interference with applications, and damage to data. That is, security professionals believed these three items to be less likely to occur. On the other hand, the important costs were the price of the software and cost of additional hardware. General managers also recognized the cost of the software as important but tended to focus on slower processing times. Apparently, while the managers suffered with slower processing, the security personnel overcame the processing costs by purchasing faster hardware.

Table 4
Management policy averages

Management policies            All respondents   Security managers   General management
Restrictive
 1. Shareware limits           0.534             0.608               0.478
 2. Internet limits            0.415             0.529 (a)           0.328
 3. Game limits                0.534             0.588               0.493
 4. Monitor User PCs           0.390             0.373               0.403
 7. Anti-virus cleanup team    0.424             0.392               0.448
 8. Penalties for violations   0.288             0.333               0.254
Proactive
 5. Virus awareness            0.686             0.745               0.642
 6. User training              0.305             0.412 (a)           0.224
 9. Incident reporting         0.424             0.490               0.373
10. Scan received disks        0.517             0.510               0.522
11. Scan sent disks            0.449             0.353               0.522
12. Other                      0.297             0.196 (a)           0.373
(a) Significant category difference between security and general managers at 5%.

Table 5
Damage importance evaluation

Virus damage                   All respondents   Security managers   General management
1. Loss of data                7.08              7.10                7.06
2. Loss of productivity        6.91              6.84                6.96
3. Cost of MIS time            5.80              4.12                7.07
4. Cost of non-MIS time        5.03              4.73                5.27
5. OS Stability                5.92              6.08                5.79
6. Application reliability     5.75              5.86                5.66
7. Vendor credibility          3.05              2.78                3.25

Table 6
Cost importance means

Anti-virus cost                  All respondents   Security managers   General management
Expenses
1. Software cost                 3.97              4.06                3.91
2. Slower processing             3.52              2.96 (a)            3.94
3. Application interference      3.16              2.57 (a)            3.61
4. Installation problems         3.42              3.49                3.37
5. Hardware costs                3.69              4.18                3.31
Operational costs
6. Application damage            2.64              2.08 (b)            3.07
7. AV Software misses viruses    3.24              2.98                3.43
(a) 5% level of significance.
(b) Significant at 1%.

3.2. Latent variable model

A latent variable approach provides a detailed look at the strength of the individual items and at the relationships among the factors. The relationships (indicated by the lines) provide the most interesting management analysis. The primary relationships among the latent variables are shown along with their estimated strength (coefficients). Note that Fig. 2 extends Fig. 1 by showing the split in management and anti-virus cost variables, and by showing the additional variables used in the analysis. The relationship coefficients are summarized in Table 7. The coefficients are standardized regression coefficients from the latent variable estimation. To minimize clutter, the detailed path coefficients on the individual items are not shown, but almost all of them are significant at a 1% level.

The values indicate the strength (and direction) of the effect among the variables. For example, AV Satisfaction has a significantly positive effect on Management Restrictive Policies (coefficient is 0.212). This result indicates that respondents who are more satisfied with their AV software are more likely to impose restrictive policies.

3.3. Virus attacks

An initial set of interesting relationships is found by examining the dependent variable for virus attacks. First, none has a significant effect. That is, none of the policies or the use of anti-virus software appear to significantly reduce the number of attacks (or percent of machines affected). However, the coefficient on the scanning policy has the proper sign (increased use of scanning should reduce the virus attacks). Coefficients on the two management policies both signify positive relationships, but the analysis does not show this to be significant. Moreover, there may be certain circumstances where the policies are counter-productive.

3.4. Management restrictive policies

Variables affecting the use of restrictive policies are more interesting, partly because most are significant, and partly because the negative sign suggests opportunities for improvement. First, management respondents reported that their companies were much less inclined to use restrictive policies. Second, certain industries were less likely to rely on restrictive policies. (The sign of the coefficient is irrelevant since the companies were numbered randomly.) The industries least likely to use restrictive policies are Education, Consulting, Publishing, and Architecture. The limited number of observations per industry makes it more difficult for the results to be shown to be significant. However, the educational community significantly favors proactive policies, probably in response to the characteristics of the industry: access restrictions
are seldom imposed. The industries least likely to use proactive policies are Architecture, Accounting, Medical, Education, and Banking. Presumably, the Accounting and Banking industries rely more on restrictive controls and scanning.

The coefficients on anti-virus satisfaction and virus damage are also worth noting, since both are significantly positive. The satisfaction relationship implies that respondents who are more satisfied with their anti-virus software will also be more likely to impose restrictive management policies. The same effect exists with those who place higher ratings on virus damage.

Fig. 2. Estimated latent variable relationships. One asterisk shows significance at 5%, two indicate a 1% level.

3.5. Management proactive policies

For the most part the coefficients associated with management proactive policies are not significant. Managers who place a greater emphasis on virus damage are more inclined to impose both proactive and restrictive management policies. Policies are probably being imposed as a result of industry practice and management education. This result is actually positive, since it implies forethought and planning.

Whether a firm (organization) is privately or publicly operated appears to influence the anti-virus management choices. This variable has a significantly negative value (coefficient). Firms were assigned values as follows: 1 = Private, 2 = Public, 3 = Not for profit. Only 16 responses were from not-for-profit organizations. The negative coefficient implies that privately managed firms are more likely to impose proactive policies to stop viruses. This appears to be consistent with the nature of sensitivity associated with information within the private sector.

3.6. Anti-virus expense

Within the anti-virus expense category, two factors are statistically significant. First, the signs of the
policy variables (see Table 7) show that the restrictive coefficient is slightly negative, while the proactive one is significantly positive. That is, firms that place a greater importance on restrictive policies do so in the hopes of reducing the expenses of the anti-virus software. Firms that take a more proactive management approach end up spending more money. Firms that rely on proactive management policies are more likely to also use anti-virus tools as part of that approach. On the other hand, managers appear to be using restrictive policies in an attempt to reduce the costs of anti-virus software (Table 8).

Table 7
Items that affect primary factors

Management restrictive policies
  AV satisfaction       0.212 (a)
  Damage                0.209 (a)
  Group                −0.252 (b)
  Industry             −0.217 (a)
  Private              −0.024
  Size                 −0.072
Management proactive policies
  AV satisfaction       0.220
  Damage                0.185
  Group                 0.000
  Industry              0.106
  Private              −0.276 (a)
  Size                  0.204
Virus attacks
  AV software           0.056
  Proactive policy      0.126
  Restrictive policy    0.176
  Scan                 −0.087
  Size                  0.053
Virus damage
  Size                 −0.163
  Virus                 0.071
Anti-virus expense
  Proactive policy      0.398 (a)
  Restrictive policy   −0.105
  Virus                −0.286 (a)
Anti-virus cost
  Proactive policy     −0.133
  Virus                 0.173
Anti-virus software
  AV satisfaction       0.603 (b)
Anti-virus satisfaction
  Virus                −0.076
Backup
  AV satisfaction       0.340 (b)
  Size                 −0.029
  Virus                 0.180
(a) Significant at a 5% level.
(b) 1% level of significance.

Table 8
Differences across industries for restrictive and proactive management policies

Industry                     Restrictive policies   Rank   Proactive policies   Rank   Difference    N
Manufacturing                0.607                  1      0.476                4       0.131        14
Government                   0.595                  2      0.524                3       0.071        14
Computer Services            0.567                  4      0.633                1      −0.066        5
Telecommunications           0.567                  3      0.533                2       0.034        5
Banking                      0.548                  5      0.381                8       0.167        7
Accounting                   0.500                  6      0.300                11      0.200        5
Wholesale/Retail             0.458                  8      0.472                5      −0.014        12
Medical/Dental/Healthcare    0.458                  7      0.333                10      0.025        8
Architecture                 0.367                  9      0.267                12      0.100        5
Publishing                   0.306                  10     0.444                6      −0.138        6
Consulting                   0.233                  11     0.433                7      −0.200        5
Education                    0.128                  12     0.372                9      −0.244 (a)    13
(a) Means for industries with more than 4 responses.

A strong relationship exists between anti-virus expenses and virus attacks. Increases in virus attacks
result in a lower evaluation of the expenses of anti-virus tools. The interpretation is straightforward. When a company repeatedly experiences the costs of a virus attack, the expenses of its tools seem small.

3.7. Backup

From a management perspective, perhaps the most unnerving result is that the number and severity of virus attacks do not affect the choice of backup policies. Backup policies were coded so that more frequent backups (e.g., RAID) were given higher values.

Surprisingly, there is a strong relationship from anti-virus tool satisfaction to the frequency of backups. More satisfied managers use more frequent backups. Possibly managers who are concerned about viruses and security are more satisfied with their anti-virus software and are likely to recognize the importance of frequent backups. In essence the organization must pursue an aggressive strategy of anti-virus tactics that will be based upon economic considerations, level of security implementation, degree of exposure and managerial awareness and professionalism [13].

4. Conclusions

Apparently there are two distinct types of management policies in place to prevent virus outbreaks. At this point, neither can be shown to be most effective. Instead, an organization's policies seem to be determined by the type of organization and the attitudes of management. Those who feel strongly threatened by the potential damages tend to choose restrictive policies; others choose more proactive educational and virus-scanning policies. As a group, security professionals are less likely to impose restrictive controls.

Security professionals and managers who are more concerned about damages tend to have greater satisfaction with their anti-virus software. They also emphasize increased frequency of backups, particularly the use of RAID drives for network servers.

The results of this study raise additional questions. Particularly disturbing is the lack of impact of the various methods on the severity of virus attacks. It is possible that some tools are better than others, and some may have more significant impacts. These relationships need further investigation. However, none of the management policies appear to be effective. Given the increasing attacks from viruses and the increasing connectivity of computers on the Internet, backup policies become an even more vital tool. Although frequent backups will not stop a virus, they can minimize the damage.

Appendix A. A Survey on management issues in computer security/anti-virus software usage

Voluntary participation statement and contact numbers.

1. What role do you play in the purchase process for Computer Security related products and services? (Check all that apply)
[ ] Determine needs
[ ] Technical evaluations/specifications
[ ] Implement/install
[ ] Specify/select products/services
[ ] Specify/select brands/vendors
[ ] Final authorization/approval for purchase
[ ] None of these

2. In which ways are you personally involved in computer security at your organization? (Check all that apply)
[ ] Specify, recommend, or purchase products and services used in computer security
[ ] Strategic planning of computer security projects
[ ] Manage the computer security staff and activities
[ ] None of the above

3. What percent (%) of your organization's total spending on computer security related services, equipment and support comes from a centralized IS budget versus a business unit budget?
% Centralized IS budget ______
% Business Unit budget ______

4. How much money did your organization spend on computer security related services, equipment and
support in 1995 and 1996, and what is the estimate for 1997? Check ONE for each year.

                         1995   1996   1997
$2.5 million +
$1 million – 2.5
$500,000 – 999,999
$250,000 – 499,999
$125,000 – 249,000
$50,000 – 124,999
Less than $50,000

5. Who is responsible for developing computer security strategy within your organization and managing implementation? (Check all that apply)

                               Develop strategy   Manage implementation
IS/Networking
Corporate Management
Consultant/Systems Integrator
Other (please specify)

A.1. Company background

6. If your company has many offices, answer questions based on your location only.
Number of employees ______
Number of MIS employees ______
Number of employees in computer security ______
Type of Company ([ ] private, [ ] public, [ ] not-for-profit)

7. What management policies are in place to control viruses? (Check all that apply)
[ ] Limits on shareware software
[ ] Limits on Internet downloads
[ ] Limits on games
[ ] Monitor user PCs across a LAN
[ ] Virus awareness programs
[ ] User training programs (for virus)
[ ] MIS anti-virus cleanup team
[ ] Penalties for violating PC policies
[ ] All incidents are reported to MIS
[ ] Scan all disks when they are received
[ ] Scan all disks before they are sent to someone else
[ ] Other, please specify: ______

8. In acquiring new computer security products/services my firm faces the following issues: (Check all that apply)
[ ] Financial constraints impede purchasing additional computer security products/services
[ ] Insufficient knowledge concerning computers/software
[ ] Trained personnel are not available
[ ] Products/Services for our business is not available/does not meet our needs
[ ] Lack of commitment and foresight from senior management
[ ] Comfortable with current computer security software and services
[ ] Other, please specify: ______

9. Costs/damage from virus. Rate importance of each item (10 = serious problem, 0 = not an issue).
___ Loss of data
___ Loss of productivity
___ Cost of MIS workers (time)
___ Cost of non-MIS workers (time)
___ Loss of operating system stability
___ Unreliable applications
___ Vendor Shareware Credibility (ex. Is shareware virus free or not)

10. Issues involved with anti-virus software. Rank in order of importance (1 = most important, 7 = least). Leave blank if an item is not an issue.
___ Software cost
___ Slower computer processing
___ Interference with applications
___ Installation and upgrade problems
___ Cost of additional hardware (disk space, etc.)
___ Damage to data or applications
___ Anti-virus software misses viruses

A.2. Virus questions

11. Use of anti-virus software
Columns: Network servers | Your office PC/workstation | Other company machines | Your home/personal computer
Rows:
  Number of machines.
  Percent of machines with antivirus software: Auto-scan.
  Percent of machines with occasional scan software.
  Which software (name)?
  Who installed the software?
  How often is the anti-virus software upgraded?
  Satisfaction w/anti-virus software (10 = very happy, 0 = unhappy)

12. Virus attacks in the last six months.

Columns: Network servers | Your office PC/workstation | Other company machines | Your home/personal computer
Rows:
  Number of virus incidents
  Percent of machines affected
  Time to identify virus problem (estimate in days or hours)
  Time to remove and clean up (hours)
  Other

13. Type of virus (Enter number of incidents).

Columns: Network servers | Your office PC/workstation | Other company machines | Your home/personal computer
Rows:
  Boot sector virus
  Typical EXE/COM virus
  Macro (Word/Excel)
  Other

14. Data backup policies.

Columns: Network servers | Your office PC/workstation | Other company machines | Your home/personal computer
Rows:
  RAID or mirrored systems
  Hourly backup
  Daily backup
  Weekly backup
  Monthly backup
  No formal policy
  Other

Additional comments:

© 1997, 1998

References

[1] J. Arbuckle, Amos User's Guide Version 3.6, 1997, Chicago, SmallWaters.
[2] J. Backhouse, G. Dhillon, Managing computer crime: A research outlook, Computers & Security 14 (1995), pp. 645–651.
[3] J. Chisholm, Surveys by e-mail and Internet, UNIX Review 13 (1995), pp. 11–16.
[4] F. Cohen, Information system defences: A preliminary classification scheme, Computers & Security 16 (1997), pp. 94–114.
[5] B. Cole-Gomolski, Several products seek virus before users open their mail, ComputerWorld, 24 November 1997.
[6] L.J. Cronbach, Coefficient alpha and the internal structure of tests, Psychometrika 16 (1951), pp. 297–334.
[7] J. David, The new face of the virus threat, Computers & Security 15 (1996), pp. 13–16.
[8] L. DiDio, Networks need defense against hacker attacks, Computerworld, 24 November 1997.
[9] L. DiDio, IBM Devises Technology to disinfect computer bugs, Computerworld, 15 December 1997.
[10] E. Glanton, Trick or treat - Your files are deleted! Halloween hoax raises eyebrows, The Associated Press, 30 October 1997.
[11] H.J. Highland, A history of computer viruses - Introduction, Computers & Security 16 (1997), pp. 412–415.
[12] G. Kovacich, Electronic Internet business and security, Computers & Security 17 (1998), pp. 129–135.
[13] O. Lau, The ten commandments of security, Computers & Security 17 (1998), pp. 119–123.
[14] A.L. Lederer, D.A. Mirchandani, K. Sims, The link between information strategy and electronic commerce, Journal of Organizational Computing and Electronic Commerce 7 (1997), pp. 17–34.
[15] J.C. Loehlin, Latent Variable Models, 1992, Erlbaum, Hillsdale, NJ.
[16] S. Machlis, Self-mutilating viruses create strain, Computerworld, 9 September 1997.
[17] S. Magruder, High-level language computer viruses - A new threat?, Computers & Security 13 (1994), pp. 263–269.
[18] G. Meckbach, Viruses Growing out of Control, Computing Canada, July 1997.
[19] G. Moody, Build your own immunity to viruses over the Net, Computer Weekly, 4 September 1997.
[20] C. Nachenberg, Computer virus–antivirus coevolution, Communications of the ACM 40(1) (1997), pp. 46–51.
[21] M. Opperman, E-Mail surveys potentials and pitfalls, Marketing Research 7(3) (1995), pp. 29–33.
[22] D.B. Parker, The strategic values of information security in business, Computers & Security 16 (1997), pp. 572–582.
[23] J.P. Peter, Reliability: A review of psychometric basics and recent marketing practices, Journal of Marketing Research 16 (1979), pp. 6–17.
[24] J. Sandberg, Hackers prey on AOL users with array of dirty tricks, Wall Street Journal, 5 January 1998.
[25] A. Solomon, The virus authors strike back, Computers & Security 11 (1992), pp. 602–606.
[26] C.C. Wood, A management view of Internet electronic commerce security, Computers & Security 16 (1997), pp. 316–320.
[27] B.P. Zajac, Computer viral risks - How bad is the threat?, Computers & Security 11 (1992), pp. 29–34.
