
Information & Management 37 (2000) 13–24

Research

Management tradeoffs in anti-virus strategies
Gerald Post (a), Albert Kagan (b,*)

(a) ESB, University of the Pacific, 3601 Pacific Ave., Stockton, CA 95211, USA
(b) MSABR, Box 870180, Arizona State University, Tempe, AZ 85287-0180, USA

Received 19 March 1998; received in revised form 28 January 1999; accepted 9 June 1999

Abstract
This study evaluates current management and security practices with respect to computer virus infestations in business computer systems. Given the rise in macro viruses within recent years, many business firms have adopted either a restrictive or proactive management approach to the problem. It is unclear whether there is a significant difference between the approaches in terms of user satisfaction and future virus outbreaks. The lack of consistent computer backup procedures tends to exacerbate a virus outbreak. The cost structure used to address virus management tends to escalate depending on the severity of a virus episode. © 2000 Elsevier Science B.V. All rights reserved.

Keywords: Virus; Anti-virus software; Management policy effectiveness; Computer security

1. Introduction
The expanding use of personal computers coupled
with increased interconnectivity (the Internet) has led
to increased problems with computer viruses. The
spread of viruses has increased dramatically with
the heightened availability of macro languages. Virus
threats have also increased rapidly with the enhanced
use of e-mail attachments and Web-site files that are
easily passed around the Internet.
Highland [11] discussed many of the myths about
virus attacks as well as the work of Fred Cohen [4] and
his efforts to protect computer systems from external
threats. Cohen developed a useful virus classification
scheme to aid in the creation of information system
defenses [27] against virus attacks.

* Corresponding author. E-mail addresses: jerrypost@mindspring.com (G. Post), aaajk@asu.edu (A. Kagan)

With the commonplace adoption of the X.400 mail
protocol within the TCP/IP convention, business firms
have made e-mail a routine application. This development has increased the risk of virus threats to
alarming proportions in today's computer systems.
Over 1300 new macro viruses were detected in
1997, compared with about 40 in 1996 [16]. Much
of the increase is attributed to the targeting of
Microsoft products. Business managers fear security
threats from viruses as a major security issue today
[12,18].
Estimated computer crime losses to U.S. business in 1996 were over $100 million. Backhouse and Dhillon [2] estimated that computer crime losses in the UK exceeded $30 million in the late 1980s. Seventy percent of US business firms that were recently surveyed fear attacks will be promulgated on their systems. Losses to virus attacks were further determined to be in excess of $12 million. Furthermore, the Computer Security Institute ranked the impact of virus threats among the top four areas of business computer crime hazards.

0378-7206/00/$ – see front matter © 2000 Elsevier Science B.V. All rights reserved.
PII: S0378-7206(99)00028-2

G. Post, A. Kagan / Information & Management 37 (2000) 13–24

Increased computer security problems come from many sources: the expanded use of IS, the Internet, e-mail applications, and the adoption of Microsoft products. An additional factor is the reluctance of business firms to either acknowledge or admit that they were electronically victimized. As the demand for and implementation of virus protection software continue to escalate, so does the cost. The National Computer Security Association (NCSA) estimates that a typical virus attack costs almost $8400 to correct. A large financial institution reported that a virus attack in 1997 cost the firm $2.3 million in lost transactions over a 3-day period.
Traditional virus protection products have been unable to stem the increase in virus attacks on business computer systems. The leading anti-virus software companies have continued to upgrade and modify their products to stay abreast of virus development. New forms of anti-virus software are being produced in an attempt to curb the problem [5,7,9]. This new generation of protection software includes heuristic-type products, which check incoming documents (mail, attachments, etc.) for unusual properties that suggest a virus. Once detected, these products will not allow the suspicious item into the computer system and will subsequently destroy the virus if it is a known variant. However, these tools still have a relatively high Type II error. It is argued that these systems destroy documents that do not contain a virus just to be safe.
Magruder [17] discussed the threat to business information systems of high-level computer viruses. He argues that the development of this type of virus is going to increase, because the nature of the language structure will allow more virus developers to be active and that they will produce viruses that are more destructive.

Solomon [25] summarized the major types of anti-virus products that will enter the market. His classification included scanner-types, integrity detectors, and behavior blockers; they evolved recently due to increased pressure from a new generation of viruses that have multilevel encryption mechanisms and do not display any readily detectable machine language instruction set [20].

As the use of the Web for various types of electronic commerce continues at an exponential pace, the issues of security and virus protection need to be addressed. Parker [22] and Wood [26] have brought these concerns to the attention of business and speculate that strategically security and viral threats are an impediment to future electronic commerce.

2. Survey

A survey instrument was designed to learn how organizations are responding to the threat of computer viruses. From security theory, several techniques can be used to minimize the effects of a virus. The three basic sets of tools are (1) management policies, (2) anti-virus software, and (3) backup procedures [7]. An interesting set of questions is how organizations combine these three tools to minimize virus threat, and the differences in the effectiveness of particular procedures. The effectiveness of these tools also has to be measured against their costs, and the potential damages from a virus episode. A copy of the instrument is included in Appendix A.

It was necessary to create a new survey instrument to identify these trade-offs. This instrument was developed based on existing research and computer security theory. The survey was pretested with numerous systems professionals who specialized in security issues, and the wording and items were modified to reflect their suggestions.

To collect a broad-based set of responses, two populations were defined: (1) security specialists within the information systems profession, and (2) managers who have experience with anti-virus software. Potential respondents were identified through computer/system user groups and their colleagues. Sampled respondents were contacted by phone or e-mail. The survey was administered through an Internet Web site that collected the data, with monitoring to prevent duplicate sets of responses; otherwise complete anonymity was maintained. This particular administration was also designed to reduce bias by filtering responses from the same address. Other investigators have used similar electronically administered sampling processes to collect survey data [3,14,21].

Given the increasing nature of viral threats to business and the rapid development of new virus strains [8,10,19,24] this method of data collection was designed to provide a rapid response.

2.1. Respondents
The average characteristics of the respondents are presented in Table 1. There was a substantial variance in firm size. In total, there were 118 usable responses, with 51 in the first group of security professionals, and 67 management professionals. There were no significant differences between the firms represented by the two groups. The reported security expenditures increased slightly on average over time from 1995 to 1997 (Table 1).

Table 1
Characteristics of average respondent in number, percent or dollars as indicated

| Category | Mean value |
| --- | --- |
| Employees | 1057 |
| MIS employees | 61 |
| Security employees | 4.9 |
| Public | 62% |
| Server computers | 21.9 |
| Company computers | 403 |
| Workstations | 150 |
| Home computers | 1.7 |
| Security expenses 1995 | $69,750 |
| Security expenses 1996 | $79,125 |
| Security expenses 1997 | $93,500 |

2.2. Internal reliability
As explained in detail by Peter [23], Cronbach's alpha [6] is generally considered to provide a reasonable estimate of internal consistency within a survey instrument. Four subjective categories were included in the survey instrument, and the corresponding reliability estimates are presented in Table 2. The reliability values are higher for security or IS respondents than for the management group. With a common background that is indicative of the participant segments, their responses are understandably more consistent. There is some disagreement over the satisfaction ratings of the tools. Some of this variation is due to differing capabilities, some is due to differences in individual needs. Overall, the reliability ratings by the security professionals are very strong. The second group (general management) is not as consistent; this elevated variability is due to respondent background within the sample segment (as opposed to the survey instrument). This group comprises IS management personnel with a higher level of familiarity with the technical issues pertaining to virus issues.

2.3. Methodology
A basic objective of this study was to evaluate the trade-offs between management policies, anti-virus tools, and backup procedures. Many of the basic questions surrounding these variables and their relationships are shown in Fig. 1. Some of the important questions are: Do management policies and anti-virus software influence the number and severity of virus attacks? Does the number of attacks affect willingness to buy anti-virus software? Do companies change their backup policies in response to the number of attacks? And, do perspectives on virus damages and anti-virus costs affect management policy?

Fig. 1. Factors that form the model questions and primary relationships.

Table 2
Reliability estimates (Cronbach's alpha)

| Survey/model category | Security/IS respondent | General respondent |
| --- | --- | --- |
| Management policy | 0.816 | 0.741 |
| Damage | 0.849 | 0.544 |
| Costs | 0.722 | 0.141 |
| Satisfaction | 0.653 | 0.374 |
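
Cronbach's alpha, the reliability estimate reported in Table 2, worked through in Python as an added example (not code from the paper). The ratings are constructed, the item names S1 to S3 are borrowed from the satisfaction items of the survey instrument, and the function names are this example's own.

```python
"""Cronbach's alpha for one category of survey items (added illustration).

alpha = k/(k-1) * (1 - sum(item variances) / variance(respondent totals))
where k is the number of items in the category.
"""
from statistics import variance

ITEMS = ["S1", "S2", "S3"]  # names taken from the satisfaction items

# Constructed 0-10 ratings, one row per respondent. In CONSISTENT each
# respondent rates all three items alike; in MIXED item S3 does not move
# with S1 and S2.
CONSISTENT = [[8, 7, 8], [3, 4, 3], [6, 6, 7], [9, 9, 8], [2, 3, 2], [5, 5, 6]]
MIXED = [[8, 5, 6], [3, 6, 4], [6, 2, 7], [9, 7, 3], [2, 3, 5], [5, 8, 8]]


def cronbach_alpha(rows):
    """rows: one list of k numeric item scores per respondent."""
    if len(rows) < 2:
        raise ValueError("need at least two respondents")
    k = len(rows[0])
    if k < 2:
        raise ValueError("need at least two items")
    if any(len(r) != k for r in rows):
        raise ValueError("every respondent must answer every item")
    # Sample variance of each item (column) and of each respondent's total.
    item_vars = [variance(col) for col in zip(*rows)]
    total_var = variance([sum(r) for r in rows])
    if total_var == 0:
        raise ValueError("total scores do not vary; alpha is undefined")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def alpha_if_item_deleted(rows, names):
    """Alpha recomputed with each item left out in turn (needs k >= 3).

    An item whose removal raises alpha is the one least consistent with
    the rest of its category. Alpha can be negative when the remaining
    items covary negatively.
    """
    result = {}
    for i, name in enumerate(names):
        reduced = [r[:i] + r[i + 1:] for r in rows]
        result[name] = cronbach_alpha(reduced)
    return result


if __name__ == "__main__":
    for label, rows in (("consistent", CONSISTENT), ("mixed", MIXED)):
        print(f"{label:10s} alpha = {cronbach_alpha(rows):.3f}")
        for name, value in alpha_if_item_deleted(rows, ITEMS).items():
            print(f"    without {name}: {value:.3f}")
```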


The measurement items for the primary variables are shown in Table 3, which presents details from the survey instrument. Note that these variables are all latent, because the underlying variables are not directly observable, but result from subsequent analysis. For example, it is not possible to actually measure the level of management policies. Instead, the collection of items (the numbered lists) is a manifestation of the underlying variable. Through structural equation analysis, the effects and interactions of the underlying variables can be measured from these observed effects. Loehlin [15] and Arbuckle [1] provide details of this methodology. Several additional questions were also addressed: firm size, and industry could play a role, particularly in the more subjective variables.

Table 3
Survey instrument items organized by the primary factors

Management policies
M1   Limits on shareware software.
M2   Limits on Internet downloads.
M3   Limits on games.
M4   Monitor user PCs across a LAN.
M5   Virus awareness programs.
M6   User training programs (for virus).
M7   MIS anti-virus cleanup team.
M8   Penalties for violating PC policies.
M9   All incidents are reported to MIS.
M10  Scan all disks as they are received.
M11  Scan all disks before they are sent to someone else.
M12  Other.

Virus damages
D1   Loss of data.
D2   Loss of productivity.
D3   Cost of MIS workers (time).
D4   Cost of non-MIS workers (time).
D5   Loss of operating system stability.
D6   Unreliable applications.
D7   Vendor credibility.

Number of virus attacks
V1   Number of network viruses.
V2   Number of company viruses.
V3   Number of workstation viruses.
V4   Percent of network affected.
V5   Percent of company affected.
V6   Percent of workstations affected.

Anti-virus cost
C1   Software cost.
C2   Slower computer processing.
C3   Interference with applications.
C4   Installation and upgrade problems.
C5   Cost of additional hardware (disk space, etc.)
C6   Damage to data or applications.
C7   Anti-virus software misses viruses.

Backup policies
One item from the following:
RAID or mirrored systems.
Hourly backup.
Daily backup.
Weekly backup.
Monthly backup
No formal policy.

Anti-virus satisfaction
S1   Satisfaction with network software.
S2   Satisfaction with company software.
S3   Satisfaction with workstation software.

3. Results

One of the first issues that arose in analyzing the results was that the Management Policies list actually consisted of two variables. The respondents considered the list of items to consist of two separate collections with different effects. Hence, two factors are defined in the model: Restrictive and Proactive Management Policies. The restrictive policies consist of items designed to limit user activities: items M1, M2, M3, M4, M7 and M8. The proactive items targeted teaching and encouraging users to minimize the effects of viruses: M5, M6, M9, M10, M11, and M12.

Similarly, the costs of the anti-virus approach were seen as two separate items: the direct expense of the software, and the operational costs of using it (such as slower processing). Items C1 through C5 fall into the direct expense category, while C6 and C7 identify the operations cost.
3.1. Summary results
Tables 4, 5 and 6 list the mean responses for the Management Policy, Virus Damage, and Anti-virus Cost categories, respectively. For the most part, the two respondent groups had similar responses to individual items; however, a few were statistically different, as signified by the asterisks. In particular, IS/security professionals were more likely to impose limits on downloading material from the Internet, whereas general managers thought this issue was less important. Similarly, more security professionals reported the use of user training programs. Managers, however, were less likely to provide training, presumably because they were not aware of specific training programs. In both groups, the most prevalent management policy was a virus awareness program. The least prevalent was penalizing users for violating policies.

Responses in the Damage category were similar. Loss of data and loss of productivity were considered the most important issues. The groups split slightly (not statistically significant) on the cost of MIS workers' time.

In terms of anti-virus costs, security professionals disagreed with managers, by rating three items lower: slower processing, interference with applications, and damage to data. That is, security professionals believed these three items to be less likely to occur. On the other hand, the important costs were the price of the software and cost of additional hardware. General managers also recognized the cost of the software as important but tended to focus on slower processing times. Apparently, while the managers suffered with slower processing, the security personnel overcame the processing costs by purchasing faster hardware.

Table 4
Management policy averages

| Management policies | All respondents | Security managers | General management |
| --- | --- | --- | --- |
| Restrictive | | | |
| 1. Shareware limits | 0.534 | 0.608 | 0.478 |
| 2. Internet limits | 0.415 | 0.529 (a) | 0.328 |
| 3. Game limits | 0.534 | 0.588 | 0.493 |
| 4. Monitor User PCs | 0.390 | 0.373 | 0.403 |
| 7. Anti-virus cleanup team | 0.424 | 0.392 | 0.448 |
| 8. Penalties for violations | 0.288 | 0.333 | 0.254 |
| Proactive | | | |
| 5. Virus awareness | 0.686 | 0.745 | 0.642 |
| 6. User training | 0.305 | 0.412 (a) | 0.224 |
| 9. Incident reporting | 0.424 | 0.490 | 0.373 |
| 10. Scan received disks | 0.517 | 0.510 | 0.522 |
| 11. Scan sent disks | 0.449 | 0.353 | 0.522 |
| 12. Other | 0.297 | 0.196 (a) | 0.373 |

(a) Significant category difference between security and general managers at 5%.

Table 5
Damage importance evaluation

| Virus damage | All respondents | Security managers | General management |
| --- | --- | --- | --- |
| 1. Loss of data | 7.08 | 7.10 | 7.06 |
| 2. Loss of productivity | 6.91 | 6.84 | 6.96 |
| 3. Cost of MIS time | 5.80 | 4.12 | 7.07 |
| 4. Cost of non-MIS time | 5.03 | 4.73 | 5.27 |
| 5. OS Stability | 5.92 | 6.08 | 5.79 |
| 6. Application reliability | 5.75 | 5.86 | 5.66 |
| 7. Vendor credibility | 3.05 | 2.78 | 3.25 |

Table 6
Cost importance means

| Anti-virus cost | All respondents | Security managers | General management |
| --- | --- | --- | --- |
| Expenses | | | |
| 1. Software cost | 3.97 | 4.06 | 3.91 |
| 2. Slower processing | 3.52 | 2.96 (a) | 3.94 |
| 3. Application interference | 3.16 | 2.57 (a) | 3.61 |
| 4. Installation problems | 3.42 | 3.49 | 3.37 |
| 5. Hardware costs | 3.69 | 4.18 | 3.31 |
| Operational costs | | | |
| 6. Application damage | 2.64 | 2.08 (b) | 3.07 |
| 7. AV Software misses viruses | 3.24 | 2.98 | 3.43 |

(a) 5% level of significance.
(b) Significant at 1%.

3.2. Latent variable model
A latent variable approach provides a detailed look at the strength of the individual items and at the relationships among the factors. The relationships (indicated by the lines) provide the most interesting management analysis. The primary relationships among the latent variables are shown along with their estimated strength (coefficients). Note that Fig. 2 extends Fig. 1 by showing the split in management and anti-virus cost variables, and by showing the additional variables used in the analysis. The relationship coefficients are summarized in Table 7. The coefficients are standardized regression coefficients from the latent variable estimation. To minimize clutter, the detailed path coefficients on the individual items are not shown, but almost all of them are significant at a 1% level.

The values indicate the strength (and direction) of the effect among the variables. For example, AV Satisfaction has a significantly positive effect on Management Restrictive Policies (coefficient is 0.212). This result indicates that respondents who are more satisfied with their AV software are more likely to impose restrictive policies.

3.3. Virus attacks
An initial set of interesting relationships is found by examining the dependent variable for virus attacks. First, none has a significant effect. That is, none of the policies or the use of anti-virus software appear to significantly reduce the number of attacks (or percent of machines affected). However, the coefficient on the scanning policy has the proper sign (increased use of scanning should reduce the virus attacks). Coefficients on the two management policies both signify positive relationships, but the analysis does not show this to be significant. Moreover, there may be certain circumstances where the policies are counter-productive.
3.4. Management restrictive policies
Variables affecting the use of restrictive policies are more interesting, partly because most are significant, and partly because the negative sign suggests opportunities for improvement. First, management respondents reported that their companies were much less inclined to use restrictive policies. Second, certain industries were less likely to rely on restrictive policies. (The sign of the coefficient is irrelevant since the companies were numbered randomly.) The industries least likely to use restrictive policies are Education, Consulting, Publishing, and Architecture. The limited number of observations per industry makes it more difficult for the results to be shown to be significant. However, the educational community significantly favors proactive policies, probably in response to the characteristics of the industry: access restrictions are seldom imposed. The industries least likely to use proactive policies are Architecture, Accounting, Medical, Education, and Banking. Presumably, the Accounting and Banking industries rely more on restrictive controls and scanning.

The coefficients on anti-virus satisfaction and virus damage are also worth noting, since both are significantly positive. The satisfaction relationship implies that respondents who are more satisfied with their anti-virus software will also be more likely to impose restrictive management policies. The same effect exists with those who place higher ratings on virus damage.

Fig. 2. Estimated latent variable relationships. One asterisk shows significance at 5%, two indicate a 1% level.

3.5. Management proactive policies
For the most part the coefficients associated with management proactive policies are not significant. Managers who place a greater emphasis on virus damage are more inclined to impose both proactive and restrictive management policies. Policies are probably being imposed as a result of industry practice and management education. This result is actually positive, since it implies forethought and planning.

Whether a firm (organization) is privately or publicly operated appears to influence the anti-virus management choices. This variable has a significantly negative value (coefficient). Firms were assigned values as follows: 1 = Private, 2 = Public, 3 = Not for profit. Only 16 responses were from not-for-profit organizations. The negative coefficient implies that privately managed firms are more likely to impose proactive policies to stop viruses. This appears to be consistent with the nature of sensitivity associated with information within the private sector.
3.6. Anti-virus expense
Within the anti-virus expense category, two factors are statistically significant. First, the signs of the policy variables (see Table 7) show that the restrictive coefficient is slightly negative, while the proactive one is significantly positive. That is, firms that place a greater importance on restrictive policies do so in the hopes of reducing the expenses of the anti-virus software. Firms that take a more proactive management approach end up spending more money. Firms that rely on proactive management policies are more likely to also use anti-virus tools as part of that approach. On the other hand, managers appear to be using restrictive policies in an attempt to reduce the costs of anti-virus software (Table 8).

A strong relationship exists between anti-virus expenses and virus attacks. Increases in virus attacks result in a lower evaluation of the expenses of anti-virus tools. The interpretation is straightforward. When a company repeatedly experiences the costs of a virus attack, the expenses of its tools seem small.

Table 7
Items that affect primary factors

| Primary factor | Item | Coefficient |
| --- | --- | --- |
| Management restrictive policies | AV satisfaction | 0.212 (a) |
| | Damage | 0.209 (a) |
| | Group | -0.252 (b) |
| | Industry | -0.217 (a) |
| | Private | -0.024 |
| | Size | -0.072 |
| Management proactive policies | AV satisfaction | 0.220 |
| | Damage | 0.185 |
| | Group | 0.000 |
| | Industry | 0.106 |
| | Private | -0.276 (a) |
| | Size | 0.204 |
| Virus attacks | AV software | 0.056 |
| | Proactive policy | 0.126 |
| | Restrictive policy | 0.176 |
| | Scan | -0.087 |
| | Size | 0.053 |
| Virus damage | Size | -0.163 |
| | Virus | 0.071 |
| Anti-Virus Expense | Proactive policy | 0.398 (a) |
| | Restrictive policy | -0.105 |
| | Virus | -0.286 (a) |
| Anti-virus cost | Proactive policy | -0.133 |
| | Virus | 0.173 |
| Anti-virus software | AV satisfaction | 0.603 (b) |
| Anti-virus satisfaction | Virus | -0.076 |
| Backup | AV satisfaction | 0.340 (b) |
| | Size | -0.029 |
| | Virus | 0.180 |

(a) Significant at a 5% level.
(b) 1% level of significance.

Table 8
Differences across industries for restrictive and proactive management policies

| Industry | Restrictive policies | Rank | Proactive policies | Rank | Difference | N |
| --- | --- | --- | --- | --- | --- | --- |
| Manufacturing | 0.607 | 1 | 0.476 | 4 | 0.131 | 14 |
| Government | 0.595 | 2 | 0.524 | 3 | 0.071 | 14 |
| Computer Services | 0.567 | 4 | 0.633 | 1 | -0.066 | 5 |
| Telecommunications | 0.567 | 3 | 0.533 | 2 | 0.034 | 5 |
| Banking | 0.548 | 5 | 0.381 | 8 | 0.167 | 7 |
| Accounting | 0.500 | 6 | 0.300 | 11 | 0.200 | 5 |
| Wholesale/Retail | 0.458 | 8 | 0.472 | 5 | -0.014 | 12 |
| Medical/Dental/Healthcare | 0.458 | 7 | 0.333 | 10 | 0.025 | 8 |
| Architecture | 0.367 | 9 | 0.267 | 12 | 0.100 | 5 |
| Publishing | 0.306 | 10 | 0.444 | 6 | -0.138 | 6 |
| Consulting | 0.233 | 11 | 0.433 | 7 | -0.200 | 5 |
| Education | 0.128 | 12 | 0.372 | 9 | -0.244 (a) | 13 |

(a) Means for industries with more than 4 responses.

3.7. Backup
From a management perspective, perhaps the most unnerving result is that the number and severity of virus attacks does not affect the choice of backup policies. Backup policies were coded so that more frequent backups (e.g., RAID) were given higher values.

Surprisingly, there is a strong relationship from anti-virus tool satisfaction to the frequency of backups. More satisfied managers use more frequent backups. Possibly managers who are concerned about viruses and security are more satisfied with their anti-virus software and are likely to recognize the importance of frequent backups. In essence the organization must pursue an aggressive strategy of anti-virus tactics that will be based upon economic considerations, level of security implementation, degree of exposure and managerial awareness and professionalism [13].

4. Conclusions
Apparently there are two distinct types of management policies in place to prevent virus outbreaks. At this point, neither can be shown to be most effective. Instead, an organization's policies seem to be determined by the type of organization and the attitudes of management. Those who feel strongly threatened by the potential damages tend to choose restrictive policies; others choose more proactive educational and virus-scanning policies. As a group, security professionals are less likely to impose restrictive controls.

Security professionals and managers who are more concerned about damages tend to have greater satisfaction with their anti-virus software. They also emphasize increased frequency of backups, particularly the use of RAID drives for network servers.

The results of this study raise additional questions. Particularly disturbing is the lack of impact of the various methods on the severity of virus attacks. It is possible that some tools are better than others, and some may have more significant impacts. These relationships need further investigation. However, none of the management policies appear to be effective. Given the increasing attacks from viruses and the increasing connectivity of computers on the Internet, backup policies become an even more vital tool. Although frequent backups will not stop a virus, they can minimize the damage.

Appendix A. A Survey on management issues in computer security/anti-virus software usage

Voluntary participation statement and contact numbers.

1. What role do you play in the purchase process for Computer Security related products and services? (Check all that apply)
[ ] Determine needs
[ ] Technical evaluations/specifications
[ ] Implement/install
[ ] Specify/select products/services
[ ] Specify/select brands/vendors
[ ] Final authorization/approval for purchase
[ ] None of these

2. In which ways are you personally involved in computer security at your organization? (Check all that apply)
[ ] Specify, recommend, or purchase products and services used in computer security
[ ] Strategic planning of computer security projects
[ ] Manage the computer security staff and activities
[ ] None of the above

3. What percent (%) of your organization's total spending on computer security related services, equipment and support comes from a centralized IS budget versus a business unit budget?
% Centralized IS budget ______
% Business Unit budget ______

4. How much money did your organization spend on computer security related services, equipment and support in 1995 and 1996, and what is the estimate for 1997? Check ONE for each year.

| | 1995 | 1996 | 1997 |
| --- | --- | --- | --- |
| $2.5 million + | [ ] | [ ] | [ ] |
| $1 million – 2.5 | [ ] | [ ] | [ ] |
| $500,000 – 999,999 | [ ] | [ ] | [ ] |
| $250,000 – 499,999 | [ ] | [ ] | [ ] |
| $125,000 – 249,000 | [ ] | [ ] | [ ] |
| $50,000 – 124,999 | [ ] | [ ] | [ ] |
| Less than $50,000 | [ ] | [ ] | [ ] |

5. Who is responsible for developing computer security strategy within your organization and managing implementation? (Check all that apply)

| | Develop strategy | Manage implementation |
| --- | --- | --- |
| IS/Networking | [ ] | [ ] |
| Corporate Management | [ ] | [ ] |
| Consultant/Systems Integrator | [ ] | [ ] |
| Other (please specify) | [ ] | [ ] |

A.1. Company background

6. If your company has many offices, answer questions based on your location only.
Number of employees ______
Number of MIS employees ______
Number of employees in computer security ______
Type of Company ([ ] private, [ ] public, [ ] not-for-profit)

7. What management policies are in place to control viruses? (Check all that apply)
[ ] Limits on shareware software
[ ] Limits on Internet downloads
[ ] Limits on games
[ ] Monitor user PCs across a LAN
[ ] Virus awareness programs
[ ] User training programs (for virus)
[ ] MIS anti-virus cleanup team
[ ] Penalties for violating PC policies
[ ] All incidents are reported to MIS
[ ] Scan all disks when they are received
[ ] Scan all disks before they are sent to someone else
[ ] Other, please specify: ______

8. In acquiring new computer security products/services my firm faces the following issues: (Check all that apply)
[ ] Financial constraints impede purchasing additional computer security products/services
[ ] Insufficient knowledge concerning computers/software
[ ] Trained personnel are not available
[ ] Products/Services for our business is not available/does not meet our needs
[ ] Lack of commitment and foresight from senior management
[ ] Comfortable with current computer security software and services
[ ] Other, please specify: ______

9. Costs/damage from virus. Rate importance of each item (10 = serious problem, 0 = not an issue).
___ Loss of data
___ Loss of productivity
___ Cost of MIS workers (time)
___ Cost of non-MIS workers (time)
___ Loss of operating system stability
___ Unreliable applications
___ Vendor Shareware Credibility (ex. Is shareware virus free or not)

10. Issues involved with anti-virus software. Rank in order of importance (1 = most important, 7 = least). Leave blank if an item is not an issue.
___ Software cost
___ Slower computer processing
___ Interference with applications
___ Installation and upgrade problems
___ Cost of additional hardware (disk space, etc.)
___ Damage to data or applications
___ Anti-virus software misses viruses

A.2. Virus questions

11. Use of anti-virus software

| | Network servers | Your office PC/workstation | Other company machines | Your home/personal computer |
| --- | --- | --- | --- | --- |
| Number of machines. | | | | |
| Percent of machines with anti-virus software: Auto-scan. | | | | |
| Percent of machines with occasional scan software. | | | | |
| Which software (name)? | | | | |
| Who installed the software? | | | | |
| How often is the anti-virus software upgraded? | | | | |
| Satisfaction w/anti-virus software (10 = very happy, 0 = unhappy) | | | | |

12. Virus attacks in the last six months.

| | Network servers | Your office PC/workstation | Other company machines | Your home/personal computer |
| --- | --- | --- | --- | --- |
| Number of virus incidents | | | | |
| Percent of machines affected | | | | |
| Time to identify virus problem (estimate in days or hours) | | | | |
| Time to remove and clean up (hours) | | | | |
| Other | | | | |

13. Type of virus (Enter number of incidents).

| | Network servers | Your office PC/workstation | Other company machines | Your home/personal computer |
| --- | --- | --- | --- | --- |
| Boot sector virus | | | | |
| Typical EXE/COM virus | | | | |
| Macro (Word/Excel) | | | | |
| Other | | | | |

14. Data backup policies.

| | Network servers | Your office PC/workstation | Other company machines | Your home/personal computer |
| --- | --- | --- | --- | --- |
| RAID or mirrored systems | | | | |
| Hourly backup | | | | |
| Daily backup | | | | |
| Weekly backup | | | | |
| Monthly backup | | | | |
| No formal policy | | | | |
| Other | | | | |

Additional comments:

© 1997, 1998

References
[1] J. Arbuckle, Amos User's Guide Version 3.6, 1997, Chicago, SmallWaters.
[2] J. Backhouse, G. Dhillon, Managing computer crime: A research outlook, Computers & Security 14 (1995), pp. 645–651.
[3] J. Chisholm, Surveys by e-mail and Internet, UNIX Review 13 (1995), pp. 11–16.
[4] F. Cohen, Information system defences: A preliminary classification scheme, Computers & Security 16 (1997), pp. 94–114.
[5] B. Cole-Gomolski, Several products seek virus before users open their mail, ComputerWorld, 24 November 1997.
[6] L.J. Cronbach, Coefficient alpha and the internal structure of tests, Psychometrika 16 (1951), pp. 297–334.
[7] J. David, The new face of the virus threat, Computers & Security 15 (1996), pp. 13–16.
[8] L. DiDio, Networks need defense against hacker attacks, Computerworld, 24 November 1997.
[9] L. DiDio, IBM Devises Technology to disinfect computer bugs, Computerworld, December 15, 1997.
[10] E. Glanton, Trick or treat – Your files are deleted! Halloween hoax raises eyebrows, The Associated Press, 30 October, 1997.
[11] H.J. Highland, A history of computer viruses – Introduction, Computers & Security 16 (1997), pp. 412–415.
[12] G. Kovacich, Electronic Internet business and security, Computers & Security 17 (1998), pp. 129–135.
[13] O. Lau, The ten commandments of security, Computers & Security 17 (1998), pp. 119–123.
[14] A.L. Lederer, D.A. Mirchandani, K. Sims, The link between information strategy and electronic commerce, Journal of Organizational Computing and Electronic Commerce 7 (1997), pp. 17–34.
[15] J.C. Loehlin, Latent Variable Models, 1992, Erlbaum, Hillsdale, NJ.
[16] S. Machlis, Self-mutilating viruses create strain, Computerworld, 9 September 1997.
[17] S. Magruder, High-level language computer viruses – A new threat?, Computers & Security 13 (1994), pp. 263–269.
[18] G. Meckbach, Viruses Growing out of Control, Computing Canada, July 1997.
[19] G. Moody, Build your own immunity to viruses over the Net, Computer Weekly, 4 September 1997.
[20] C. Nachenberg, Computer virus–antivirus coevolution, Communications of the ACM 40(1) (1997), pp. 46–51.
[21] M. Opperman, E-Mail surveys potentials and pitfalls,
Marketing Research 7(3) (1995), pp. 29±33.
[22] D.B. Parker, The strategic values of information security in
business, Computers & Security 16 (1997), pp. 572±582.
[23] J.P. Peter, Reliability: A review of psychometric basics and
recent marketing practices, Journal of Marketing Research 16
(1979), pp. 6±17.
[24] J. Sandberg, Hackers prey on AOL users with array of dirty
tricks, Wall Street Journal, 5 January 1998.
[25] A. Solomon, The virus authors strike back, Computers &
Security 11 (1992), pp. 602±606.
[26] C.C. Wood, A management view of Internet electronic
commerce security, Computers & Security 16 (1997), pp.
316±320.
[27] B.P. Zajac, Computer viral risksÐ How bad is the threat?,
Computers & Security 11 (1992), pp. 29±34.

Gerald Post

Albert Kagan
