Over the past several years I have had the opportunity to talk to customers and governments all over the world about the threat landscape and the data we publish in the Microsoft Security Intelligence Report (SIR).  During these conversations regional malware infection rates always garner a lot of discussion. One of the most interesting questions I’m increasingly asked is what factors contribute to the differences in regional malware infection rates? Or what do regions with low malware infection rates do differently than regions with high malware infection rates? Our Special Edition Microsoft Security Intelligence Report: Linking Cybersecurity Policy and Performance released today provides a new body of research that speaks to these questions.

This study was conducted by Trustworthy Computing’s Global Security Strategy and Diplomacy team    and examines the relationships that a number of different socio-economic factors have with regional malware infection rates across 105 countries.  The study started with a list of 80 factors that was trimmed down to the 34 factors that had a potential correlation with malware infection rates or computers cleaned per mille (CCM).  These factors include such indicators as GDP per capita, broadband penetration, use of mobile devices, Facebook usage, and thirty others.  To provide you with an example, Figure 2 illustrates some of the factors examined in the United States.    

Figure 1: some of the socio-economic factors examined in the new study, with values for the United States from the second quarter of 2011

Some key findings from this Special Edition SIR:

  1. The group of countries in the study with the lowest malware infection rates (the “highest performing” countries), on average had more personal computers in use per capita, higher health expenditure per capita, greater regime stability, and higher broadband penetration.  Many locations around the world are included in this group, but the largest concentration of them, 43 percent, were located in Western Europe.  This group of countries also had some other interesting characteristics: 
    • These locations had a malware infection rate (CCM) of 5 systems infected with malware per 1,000 scanned, on average, while the worldwide average during the same period was 8.9. i.e. this group of countries had nearly half the malware infection rate of the worldwide average. 
    • The piracy rate (the number of pirated software units divided by the total number of units put into use) for this group of countries, as an average, was 42 percent.
    • Half of these countries had either signed an international treaty or a voluntary code of conduct related to cybersecurity. 

  2. The group of countries in the study with the highest malware infection rates (the “lowest performing” countries) typically had low broadband speed, low broadband penetration, and high crime per capita; many locations from around the world compose this group, but the largest concentration of them, 52 percent, were located in the Middle East and Africa.  This group of locations also had some other interesting characteristics:
    • This group of countries had an average malware infection rate (CCM) of 18 systems infected with malware for every 1,000 scanned.  This is three times the malware infection rate of the highest performing countries group, and double the worldwide average CCM (8.9) during the same period.
    • The piracy rate (the number of pirated software units divided by the total number of units put into use) for this group of countries, as an average, was 68 percent.  This is 26 percent higher than the highest performing countries.
    • Fewer than 10 percent of the countries in this group had signed international treaties or codes of conduct on cybercrime.

More background information:
Understanding how we measure regional malware infection rates is an important piece to this puzzle. Using the raw number of systems reporting malware infections in each location around the world isn’t very useful in this context because this data is biased by differences in populations, sizes of personal computer install bases, the number of systems using Windows Update and Microsoft Update services, etc.  The Microsoft Malware Protection Center normalizes regional malware infection rate data so we can more accurately compare the infection rates of countries/regions on an apples to apples basis.  We call this normalized measure computers cleaned per mille (CCM).  The CCM tells us how many computers are infected with malware for every 1,000 computers that are scanned by the Microsoft Malicious Software Removal Tool (MSRT).  The MSRT runs on more than 600 million systems around the world each month. From this “big data”, we use the CCM for each location to build a worldwide malware infection rate “heat map” as seen in Figure 2. 

Figure 2: Infection rates by country/region in the fourth quarter of 2011 (4Q11), by CCM

While interesting and informative, comparing CCMs of different locations doesn’t tell us what factors contribute to the differences in regional malware infection rates.  I have tried to at least partially answer this question in a series of articles we published called Lessons from Some of the Least Malware Infected Countries in the World.  Additionally, I compared and contrasted a location with a consistently low malware infection rate with a location that consistently has one of the highest infection rates in the world, in this article: The Threat Landscape in Asia & Oceania – Part 2: Korea and Japan.

Although I think these articles provide valuable insights, I concluded that there isn’t a simple answer or a small number of factors, such as language or culture, that help explain the differences we see in regional malware infection rates. The number of factors that could be contributing to a location’s malware infection rate is likely much larger, and those factors could include a myriad of socio-economic issues.

As I previously mentioned, the study started with a list of 80 socio-economic factors that was trimmed down to the 34 factors that had a potential correlation with malware infection rates.  In order to get the latest values for 80 socio-economic factors, many of which are only updated annually or less frequently, the report uses data from 2011 including malware infection rate data from the Microsoft Security Intelligence Report volumes 11 and 12.

There are many other key insights included in the new report.  For the many people around the world that have asked me about this topic, this new study gives us a few more pieces of the puzzle by providing more insights into the socio-economic factors and public policies contributing to differences in regional malware infection rates. We hope that this data is valuable to policymakers and IT professionals alike as they examine malware trends in their own regions and plan accordingly.

You can download this new report here: Special Edition Microsoft Security Intelligence Report: Linking Cybersecurity Policy and Performance

Tim Rains
Director
Trustworthy Computing