Research
Management tradeoffs in anti-virus strategies
Gerald Post
a, Albert Kagan
b,*aESB, University of the Paci®c, 3601 Paci®c Ave., Stockton, CA 95211, USA bMSABR, Box 870180, Arizona State University, Tempe, AZ 85287-0180, USA
Received 19 March 1998; received in revised form 28 January 1999; accepted 9 June 1999
Abstract
This study evaluates current management and security practices with respect to computer virus infestations in business computer systems. Given the rise in macro viruses within recent years many business ®rms have adopted either a restrictive or proactive management approach to the problem. It is unclear whether there is a signi®cant difference between the approaches in terms of user satisfaction and future virus outbreaks. The lack of consistent computer backup procedures tends to exacerbate a virus outbreak. The cost structure used to address virus management tends to escalate depending on the severity of a virus episode.#2000 Elsevier Science B.V. All rights reserved.
Keywords:Virus; Anti-virus software; Management policy effectiveness; Computer security
1. Introduction
The expanding use of personal computers coupled with increased interconnectivity (the Internet) has led to increased problems with computer viruses. The spread of viruses has increased dramatically with the heightened availability of macro languages. Virus threats have also increased rapidly with the enhanced use of e-mail attachments and Web-site ®les that are easily passed around the Internet.
Highland [11] discussed many of the myths about virus attacks as well as the work of Fred Cohen [4] and his efforts to protect computer systems from external threats. Cohen developed a useful virus classi®cation scheme to aid in the creation of information system defenses [27] against virus attacks.
With the commonplace adoption of the X.400 mail protocol within the TCP/IP convention, business ®rms have made e-mail a routine application. This devel-opment has increased the risk of virus threats to alarming proportions in today's computer systems. Over 1300 new macro viruses were detected in 1997, compared with about 40 in 1996 [16]. Much of the increase is attributed to the targeting of Microsoft products. Business managers fear security threats from viruses as a major security issue today [12,18].
Estimates of computer crime losses to U.S. business in 1996 was over $100 million. Backhouse and Dhil-lon [2] estimated that computer crime losses in the UK exceeded $30 million dollars in the late 1980s. Seventy percent of US business ®rms that were recently surveyed fear attacks will be promulgated on their systems. Losses to virus attacks were further determined to be in excess of $12 million dollars. Furthermore, the Computer Security Institute ranked
*Corresponding author.
E-mail addresses: jerrypost@mindspring.com (G. Post), aaajk@asu.edu (A. Kagan)
the impact of virus threats among the top four areas of business computer crime hazards.
Increased computer security problems come from many sources: the expanded use of IS, the Internet, e-mail applications, and the adoption of Microsoft products. An additional factor is the reluctance of business ®rms to either acknowledge or admit that they were electronically victimized. As the demand and implementation of virus protection software continues to escalate, so does the cost. The National Computer Security Association (NCSA) estimates that a typical virus attack costs almost $8400 to correct. A large ®nancial institution reported that a virus attack in 1997 cost the ®rm $2.3 million in lost transactions over a 3-day period.
Traditional virus protection products have been unable to stem the increase in virus attacks on business computer systems. The leading anti virus software companies have continued to upgrade and modify their products to stay abreast of virus development. New forms of anti-virus software are being produced in an attempt to curb the problem [5,7,9]. This new generation of protection software includes heuristic-type products, which check incoming documents (mail, attachments, etc) for unusual properties that suggest a virus. Once detected these products will not allow the suspicious item into the computer system and will subsequently destroy the virus if it is a known variant. However, these tools still have a relatively high Type II error. It is argued that these systems destroy documents that do not contain a virus just to be safe.
Magruder [17] discussed the threat to business information systems of high-level computer viruses. He argues that the development of this type of virus is going to increase, because the nature of the language structure will allow more virus developers to be active and that they will produce viruses that are more destructive.
Solomon [25] summarized the major types of anti-virus products that will enter the market. His classi-®cation included scanner-types, integrity detectors, and behavior blockers; they evolved recently due to increased pressure from a new generation of viruses that have multilevel encryption mechanisms and do not display any readily detectable machine language instruction set [20].
As the use of the Web for various types of electronic commerce continues at an exponential pace, the issues
of security and virus protection need to be addressed. Parker [22] and Wood [26] have brought these con-cerns to the attention of business and speculate that strategically security and viral threats are an impedi-ment to future electronic commerce.
2. Survey
A survey instrument was designed to learn how organizations are responding to the threat of computer viruses. From security theory, several techniques can be used to minimize the effects of a virus. The three basic sets of tools are (1) management policies, (2) anti-virus software, and (3) backup procedures [7]. An interesting set of questions is how organizations com-bine these three tools to minimize virus threat, and the differences in the effectiveness of particular proce-dures. The effectiveness of these tools also has to be measured against their costs, and the potential damages from a virus episode. A copy of the instru-ment is included in the Appendix A.
It was necessary to create a new survey instrument to identify these trade-offs. This instrument was devel-oped based on existing research and computer security theory. The survey was pretested with numerous sys-tems professionals who specialized in security issues, and the wording and items were modi®ed to re¯ect their suggestions.
To collect a broad-based set of responses, two populations were de®ned: (1) security specialists within the information systems profession, and (2) managers who have experience with anti-virus soft-ware. Potential respondents were identi®ed through computer/system user groups and their colleagues. Sampled respondents were contacted by phone or e-mail. The survey was administered through an Internet Web site that collected the data, with monitoring to prevent duplicate sets of responses, otherwise com-plete anonymity was maintained. This particular admin-istration was also designed to reduce bias by ®ltering responses from the same address. Other investigators have used similar electronically administered sam-pling processes to collect survey data [3,14,21].
2.1. Respondents
The average characteristics of the respondents are presented in Table 1. There was a substantial variance in ®rm size. In total, there were 118 usable responses, with 51 in the ®rst group of security professionals, and 67 management professionals. There were no signi®-cant differences between the ®rms represented by the two groups. The reported security expenditures increased slightly on average over time from 1995 to 1997 (Table 1).
2.2. Internal reliability
As explained in detail by Peter [23], Cronbach's alpha [6] is generally considered to provide a reason-able estimate of internal consistency within a survey instrument. Four subjective categories were included in the survey instrument, and the corresponding bility estimates are presented in Table 2. The relia-bility values are higher for security or IS respondents than for the management group. With a common
background that is indicative of the participant seg-ments, their responses are understandably more con-sistent. There is some disagreement over the satisfaction ratings of the tools. Some of this variation is due to differing capabilities, some is due to differ-ences in individual needs. Overall, the reliability ratings by the security professionals are very strong. The second group (general management) is not as consistent, this elevated variability is due to respon-dent background within the sample segment (as opposed to the survey instrument). This group com-prises IS management personnel with a higher level of familiarity with the technical issues pertaining to virus issues.
2.3. Methodology
A basic objective of this study was to evaluate the trade-offs between management policies, anti-virus tools, and backup procedures. Many of the basic questions surrounding these variables and their rela-tionships are shown in Fig. 1. Some of the important questions are: Do management policies and anti-virus software in¯uence the number and severity of virus attacks? Does the number of attacks affect willingness to buy anti-virus software. Do companies change their backup policies in response to the number of attacks? and, Do perspectives on virus damages and anti-virus costs affect management policy?
Table 1
Characteristics of average respondent in number, percent or dollars as indicated
Category Mean value
Employees 1057
MIS employees 61
Security employees 4.9
Public 62%
Server computers 21.9
Company computers 403
Workstations 150
Home computers 1.7
Security expenses 1995 $69,750 Security expenses 1996 $79,125 Security expenses 1997 $93,500
Table 2
Reliability estimates (Cronbach's alpha)
Survey/model category
Security/IS respondent
General respondent
Management policy 0.816 0.741
Damage 0.849 0.544
Costs 0.722 0.141
Satisfaction 0.653 0.374 Fig. 1. Factors that form the model questions and primary
The measurement items for the primary variables are shown in Table 3, which presents details from the survey instrument. Note that these variables are all latent, because the underlying variables are not directly observable, but result from subsequent ana-lysis. For example, it is not possible to actually measure the level of management policies. Instead, the collection of items (the numbered lists) is a manifestation of the underlying variable. Through structural equation analysis, the effects and interac-tions of the underlying variables can be measured from these observed effects. Loehlin [15] and Arbuckle [1] provide details of this methodology. Several additional questions were also addressed: ®rm size, and industry could play a role, particularly in the more subjective variables.
3. Results
One of the ®rst issues that arose in analyzing the results was that theManagement Policieslist actually consisted of two variables. The respondents consid-ered the list of items consisting of two separate collections with different effects. Hence, two factors are de®ned in the model: Restrictive and Proactive Management Policies. The restrictive policies consist of items designed to limit user activities: items M1, M2, M3, M4, M7 and M8. The proactive items targeted teaching and encouraging users to minimize the effects of viruses: M5, M6, M9, M10, M11, and M12.
Similarly, the costs of the anti-virus approach were seen as two separate items: the direct expense of the
Table 3
Survey instrument items organized by the primary factors
Management policies Virus damages
M1 Limits on shareware software. D1 Loss of data.
M2 Limits on Internet downloads. D2 Loss of productivity.
M3 Limits on games. D3 Cost of MIS workers (time).
M4 Monitor user PCs across a LAN. D4 Cost of non-MIS workers (time).
M5 Virus awareness programs. D5 Loss of operating system stability.
M6 User training programs (for virus). D6 Unreliable applications.
M7 MIS anti-virus cleanup team. D7 Vendor credibility.
M8 Penalties for violating PC policies. M9 All incidents are reported to MIS. M10 Scan all disks as they are received.
M11 Scan all disks before they are sent to someone else.
M12 Other.
Number of virus attacks Anti-virus cost
V1 Number of network viruses. C1 Software cost.
V2 Number of company viruses. C2 Slower computer processing.
V3 Number of workstation viruses. C3 Interference with applications.
V4 Percent of network affected. C4 Installation and upgrade problems.
V5 Percent of company affected. C5 Cost of additional hardware (disk space, etc.)
V6 Percent of workstations affected. C6 Damage to data or applications.
C7 Anti-virus software misses viruses.
Backup policies Anti-virus satisfaction
One item from the following: S1 Satisfaction with network software.
RAID or mirrored systems. S2 Satisfaction with company software.
Hourly backup. S3 Satisfaction with workstation software.
software, and the operational costs of using it (such as slower processing). Items C1 through C5 fall into the direct expense category, while C6 and C7 identify the operations cost.
3.1. Summary results
Tables 4, 5 and 6 list the mean responses for the Management Policy, Virus Damage, and Anti-virus Cost categories, respectively. For the most part, the two respondent groups had similar responses to indi-vidual items: however, a few were statistically differ-ent, as signi®ed by the asterisks. In particular, IS/ security professionals were more likely to impose limits on downloading material from the Internet, whereas general managers thought this issue was less important. Similarly, more security professionals
reported the use of user training programs. Managers, however were less likely to provide training, presum-ably because they were not aware of speci®c training programs. In both groups, the most prevalent manage-ment policy was a virus awareness program. The least prevalent was penalizing users for violating policies. Responses in the Damage category were similar. Loss of data and loss of productivity were considered the most important issues. The groups split slightly (not statistically signi®cant) on the cost of MIS work-ers' time.
In terms of anti-virus costs, security professionals disagreed with managers, by rating three items lower: slower processing, interference with applications, and damage to data. That is, security professionals believed these three items to be less likely to occur. On the other hand, the important costs were the price
Table 4
Management policy averages
Management policies All respondents Security managers General management
Restrictive
1. Shareware limits 0.534 0.608 0.478
2. Internet limits 0.415 0.529a 0.328
3. Game limits 0.534 0.588 0.493
4. Monitor User PCs 0.390 0.373 0.403
7. Anti-virus cleanup team 0.424 0.392 0.448
8. Penalties for violations 0.288 0.333 0.254
Proactive
5. Virus awareness 0.686 0.745 0.642
6. User training 0.305 0.412a 0.224
9. Incident reporting 0.424 0.490 0.373
10. Scan received disks 0.517 0.510 0.522
11. Scan sent disks 0.449 0.353 0.522
12. Other 0.297 0.196a 0.373
aSignificant category difference between security and general managers at 5%.
Table 5
Damage importance evaluation
Virus damage All respondents Security managers General management
1. Loss of data 7.08 7.10 7.06
2. Loss of productivity 6.91 6.84 6.96
3. Cost of MIS time 5.80 4.12 7.07
4. Cost of non-MIS time 5.03 4.73 5.27
5. OS Stability 5.92 6.08 5.79
6. Application reliability 5.75 5.86 5.66
of the software and cost of additional hardware. General managers also recognized the cost of the software as important but tended to focus on slower processing times. Apparently, while the managers suffered with slower processing, the security person-nel overcame the processing costs by purchasing faster hardware.
3.2. Latent variable model
A latent variable approach provides a detailed look at the strength of the individual items and at the relationships among the factors. The relationships (indicated by the lines) provide the most interesting management analysis. The primary relationships among the latent variables are shown along with their estimated strength (coef®cients). Note that Fig. 2 extends Fig. 1 by showing the split in management and anti-virus cost variables, and by showing the additional variables used in the analysis. The relation-ship coef®cients are summarized in Table 7. The coef®cients are standardized regression coef®cients from the latent variable estimation. To minimize clutter, the detailed path coef®cients on the individual items are not shown, but almost all of them are signi®cant at a 1% level.
The values indicate the strength (and direction) of the effect among the variables. For example, AV Satisfaction has a signi®cantly positive effect on Management Restrictive Policies (coef®cient is 0.212). This result indicates that respondents who are more satis®ed with their AV software are more likely to impose restrictive policies.
3.3. Virus attacks
An initial set of interesting relationships is found by examining the dependent variable for virus attacks. First, none has a signi®cant effect. That is, none of the policies or the use of anti-virus software appear to signi®cantly reduce the number of attacks (or percent of machines affected). However, the coef®cient on the scanning policy has the proper sign (increased use of scanning should reduce the virus attacks). Coef®cients on the two management policies both signify positive relationships, but the analysis does not show this to be signi®cant. Moreover, there may be certain circum-stances where the policies are counter-productive.
3.4. Management restrictive policies
Variables affecting the use of restrictive policies are more interesting Ð partly because most are signi®-cant, and partly because the negative sign suggests opportunities for improvement. First, management respondents reported that their companies were much less inclined to use restrictive policies. Second, certain industries were less likely to rely on restrictive poli-cies. (The sign of the coef®cient is irrelevant since the companies were numbered randomly.) The industries least likely to use restrictive policies are Education, Consulting, Publishing, and Architecture. The limited number of observations per industry makes it more dif®cult for the results to be shown to be signi®cant. However, the educational community signi®cantly favors proactive policies Ð probably in response to the characteristics of the industry: access restrictions
Table 6
Cost importance means
Anti-virus cost All respondents Security managers General management
Expenses
1. Software cost 3.97 4.06 3.91
2. Slower processing 3.52 2.96a 3.94
3. Application interference 3.16 2.57a 3.61
4. Installation problems 3.42 3.49 3.37
5. Hardware costs 3.69 4.18 3.31
Operational costs
6. Application damage 2.64 2.08b 3.07
7. AV Software misses viruses 3.24 2.98 3.43
are seldom imposed. The industries least likely to use proactive policies are Architecture, Accounting, Med-ical, Education, and Banking. Presumably, the Accounting and Banking industries rely more on restrictive controls and scanning.
The coef®cients on anti-virus satisfaction and virus damage are also worth noting, since both are signi®-cantly positive. The satisfaction relationship implies that respondents who are more satis®ed with their anti-virus software will also be more likely to impose restrictive management policies. The same effect exists with those who place higher ratings on virus damage.
3.5. Management proactive policies
For the most part the coef®cients associated with management proactive policies are not signi®cant. Managers who place a greater emphasis on virus damage are more inclined to impose both proactive
and restrictive management policies. Policies are probably being imposed as a result of industry practice and management education. This result is actually positive, since it implies forethought and planning.
Whether a ®rm (organization) is privately or pub-licly operated appears to in¯uence the anti-virus management choices. This variable has a signi®cantly negative value (coef®cient). Firms were assigned
values as follows: 1Private, 2Public, 3Not
for pro®t. Only 16 responses were from not-for-pro®t organizations. The negative coef®cient implies that privately managed ®rms are more likely to impose proactive policies to stop viruses. This appears to be consistent with the nature of sensitivity associated with information within the private sector.
3.6. Anti-virus expense
Within the anti-virus expense category, two factors are statistically signi®cant. First, the signs of the
policy variables (see Table 7) show that the restrictive coef®cient is slightly negative, while the proactive one is signi®cantly positive. That is, ®rms that place a greater importance on restrictive policies do so in the hopes of reducing the expenses of the anti-virus soft-ware. Firms that take a more proactive management approach end up spending more money. Firms that
rely on proactive management policies are more likely to also use anti-virus tools as part of that approach. On the other hand, managers appear to be using restrictive policies in an attempt to reduce the costs of anti-virus software Table 8.
A strong relationship exists between anti-virus expenses and virus attacks. Increases in virus attacks
Table 7
Items that affect primary factors
Management restrictive policies Virus damage
AV satisfaction 0.212a Size ÿ0.163
Damage 0.209a Virus 0.071
Group ÿ0.252b
Industry ÿ0.217a Anti-Virus Expense
Private ÿ0.024 Proactive policy 0.398a
Size ÿ0.072 Restrictive policy ÿ0.105
Virus ÿ0.286a
Management proactive policies
AV satisfaction 0.220 Anti-virus cost
Damage 0.185 Proactive policy ÿ0.133
Group 0.000 Virus 0.173
Industry 0.106
Private ÿ0.276a Anti-virus software
Size 0.204 AV satisfaction 0.603b
Virus attacks Anti-virus satisfaction
AV software 0.056 Virus ÿ0.076
Proactive policy 0.126
Restrictive policy 0.176 Backup
Scan ÿ0.087 AV satisfaction 0.340b
Size 0.053 Size ÿ0.029
Virus 0.180
aSignificant at a 5% level. b1% level of significance.
Table 8
Differences across industries for restrictive and proactive management policies
Industry Restrictive policies Rank Proactive policies Rank Difference N
Manufacturing 0.607 1 0.476 4 0.131 14
Government 0.595 2 0.524 3 0.071 14
Computer Services 0.567 4 0.633 1 ÿ0.066 5
Telecommunications 0.567 3 0.533 2 0.034 5
Banking 0.548 5 0.381 8 0.167 7
Accounting 0.500 6 0.300 11 0.200 5
Wholesale/Retail 0.458 8 0.472 5 ÿ0.014 12
Medical/Dental/Healthcare 0.458 7 0.333 10 0.025 8
Architecture 0.367 9 0.267 12 0.100 5
Publishing 0.306 10 0.444 6 ÿ0.138 6
Consulting 0.233 11 0.433 7 ÿ0.200 5
Education 0.128 12 0.372 9 ÿ0.244a 13
result in a lower evaluation of the expenses of anti-virus tools. The interpretation is straightforward. When a company repeatedly experiences the costs of a virus attack, the expenses of its tools seem small.
3.7. Backup
From a management perspective, perhaps the most unnerving result is that the number and severity of virus attacks does not affect the choice of backup policies. Backup policies were coded so that more frequent backups (e.g., RAID) were given higher values.
Surprisingly, there is a strong relationship from anti-virus tool satisfaction to the frequency of ups. More satis®ed managers use more frequent back-ups. Possibly managers who are concerned about viruses and security are more satis®ed with their anti-virus software and are likely to recognize the importance of frequent backups. In essence the orga-nization must pursue an aggressive strategy of anti-virus tactics that will be based upon economic con-siderations, level of security implementation, degree of exposure and managerial awareness and profession-alism [13].
4. Conclusions
Apparently there are two distinct types of manage-ment policies in place to prevent virus outbreaks. At this point, neither can be shown to be most effec-tive. Instead, an organization's policies seem to be determined by the type of organization and the atti-tudes of management. Those who feel strongly threatened by the potential damages tend to choose restrictive policies; others choose more proactive educational and virus-scanning policies. As a group, security professionals are less likely to impose restric-tive controls.
Security professionals and managers who are more concerned about damages tend to have greater satis-faction with their anti-virus software. They also emphasize increased frequency of backups Ð parti-cularly the use of RAID drives for network servers.
The results of this study raise additional questions. Particularly disturbing is the lack of impact of the various methods on the severity of virus attacks. It is
possible that some tools are better than others, and some may have more signi®cant impacts. These rela-tionships need further investigation. However, none of the management policies appear to be effective. Given the increasing attacks from viruses and the increasing connectivity of computers on the Internet, backup policies become an even more vital tool. Although frequent backups will not stop a virus, they can minimize the damage.
Appendix A. A Survey on management issues in computer security/anti-virus software usage
Voluntary participation statement and contact num-bers.
1. What role do you play in the purchase process for Computer Security related products and services? (Check all that apply)
&Determine needs
&Technical evaluations/specifications
&Implement/install
&Specify/select products/services
&Specify/select brands/vendors
&Final authorization/approval for purchase
&None of these
2. In which ways are you personally involved in computer security at your organization? (Check all that apply)
&Specify, recommend, or purchase products and services used in computer security
& Strategic planning of computer security pro-jects
&Manage the computer security staff and activ-ities
&None of the above
3. What percent (%) of your organization's total spending on computer security related services, equip-ment and support comes from a centralized IS budget versus a business unit budget?
% Centralized IS budget ______
% Business Unit budget ______
support in 1995 and 1996, and what is the estimate for 1997? Check ONE for each year.
1995 1996 1997
5. Who is responsible for developing computer security strategy within your organization and mana-ging implementation? (Check all that apply)
Develop
6. If your company has many of®ces, answer ques-tions based on your location only.
Number of employees ______
Number of MIS employees ______
Number of employees in computer security ______
Type of Company (&private,&public,& not-for-profit)
7. What management policies are in place to control viruses? (Check all that apply)
&Limits on shareware software
&Limits on Internet downloads
&Limits on games
&Monitor user PCs across a LAN
&Virus awareness programs
&User training programs (for virus)
&MIS anti-virus cleanup team
&Penalties for violating PC policies
&All incidents are reported to MIS
&Scan all disks when they are received
&Scan all disks before they are sent to someone else
&Other, please specify: ______
8. In acquiring new computer security products/ser-vices my firm faces the following issues: (Check all that apply)
&Financial constraints impede purchasing addi-tional computer security products/services
&Insufficient knowledge concerning computers/ software
&Trained personnel are not available
&Products/Services for our business is not avail-able/does not meet our needs
&Lack of commitment and foresight from senior management
& Comfortable with current computer security software and services
&Other, please specify: ______
9. Costs/damage from virus. Rate importance of
each item (10serious problem, 0not an issue).
___ Loss of data
___ Loss of productivity
___ Cost of MIS workers (time)
___ Cost of non-MIS workers (time)
___ Loss of operating system stability
___ Unreliable applications
___ Vendor Shareware Credibility (ex. Is
share-ware virus free or not)
10. Issues involved with anti-virus software. Rank
in order of importance (1most important, 7
least). Leave blank if an item is not an issue.
___ Software cost
___ Slower computer processing
___ Interference with applications
___ Installation and upgrade problems
___ Cost of additional hardware (disk space, etc.)
___ Damage to data or applications
___ Anti-virus software misses viruses
A.2. Virus questions
Network servers
Your office PC/ workstation
Other company machines
Your home/ personal computer
Number of machines.
Percent of machines with antivirus software: Auto-scan. Percent of machines with occasional scan software. Which software (name)?
Who installed the software?
How often is the anti-virus software upgraded? Satisfaction w/anti-virus software
(10very happy, 0unhappy)
12. Virus attacks in the last six months.
Network servers
Your office PC/ workstation
Other company machines
Your home/ personal computer
Number of virus incidents Percent of machines affected
Time to identify virus problem (estimate in days or hours) Time to remove and clean up (hours)
Other
13. Type of virus (Enter number of incidents).
Network servers
Your office PC/ workstation
Other company machines
Your home/personal computer
Boot sector virus Typical EXE/COM virus Macro (Word/Excel) Other
14. Data backup policies.
Network servers
Your office PC/workstation
Other company machines
Your home/personal computer
RAID or mirrored systems Hourly backup
Daily backup Weekly backup Monthly backup No formal policy Other
References
[1] J. Arbuckle, Amos User's Guide Version 3.6, 1997, Chicago, SmallWaters.
[2] J. Backhouse, G. Dhillon, Managing computer crime: A research outlook, Computers & Security 14 (1995), pp. 645± 651.
[3] J. Chisholm, Surveys by e-mail and Internet, UNIX Review 13 (1995), pp. 11±16.
[4] F. Cohen, Information system defences: A preliminary classification scheme, Computers & Security 16 (1997), pp. 94±114.
[5] B. Cole-Gomolski, Several products seek virus before users open their mail, ComputerWorld, 24, November 1997. [6] L.J. Cronbach, Coefficient alpha and the internal structure of
tests, Psychometrica 16 (1951), pp. 297±334.
[7] J. David, The new face of the virus threat, Computers & Security 15 (1996), pp. 13±16.
[8] L. DiDio, Networks need defense against hacker attacks, Computerworld, 24 November 1997.
[9] L. DiDio, IBM Devises Technology to disinfect computer bugs, Computerworld, December 15, 1997.
[10] E. Glanton, Trick or treat Ð Your files are deleted! Halloween hoax raises eyebrows, The Associated Press, 30 October, 1997.
[11] H.J. Highland, A history of computer viruses Ð Introduction, Computers & Security 16 (1997), pp. 412±415.
[12] G. Kovacich, Electronic Internet business and security, Computers & Security 17 (1998), pp. 129±135.
[13] O. Lau, The ten commandments of security, Computers & Security 17 (1998), pp. 119±123.
[14] A.L. Lederer, D.A. Mirchandani, K. Sims, The link between information strategy and electronic commerce, Journal of Organizational Computing and Electronic Commerce 7 (1997), pp. 17±34.
[15] J.C. Loehlin, Latent Variable Models, 1992, Erlbaum, Hills-dale, NJ.
[16] S. Machlis, Self-mutilating viruses create strain, Computer-world, 9 September 1997.
[17] S. Magruder, High-level language computer virusesÐ A new threat?, Computers & Security 13 (1994), pp. 263±269. [18] G. Meckbach, Viruses Growing out of Control, Computing
Canada, July 1997.
[19] G. Moody, Build your own immunity to viruses over the Net, Computer Weekly, 4 September 1997.
[20] C. Nachenberg, Computer virus±antivirus coevolution, Com-munications of the ACM 40(1) (1997), pp. 46±51. [21] M. Opperman, E-Mail surveys potentials and pitfalls,
Marketing Research 7(3) (1995), pp. 29±33.
[22] D.B. Parker, The strategic values of information security in business, Computers & Security 16 (1997), pp. 572±582. [23] J.P. Peter, Reliability: A review of psychometric basics and
recent marketing practices, Journal of Marketing Research 16 (1979), pp. 6±17.
[24] J. Sandberg, Hackers prey on AOL users with array of dirty tricks, Wall Street Journal, 5 January 1998.
[25] A. Solomon, The virus authors strike back, Computers & Security 11 (1992), pp. 602±606.
[26] C.C. Wood, A management view of Internet electronic commerce security, Computers & Security 16 (1997), pp. 316±320.
[27] B.P. Zajac, Computer viral risksÐ How bad is the threat?, Computers & Security 11 (1992), pp. 29±34.
Gerald Post
