Posted by: Tim Rains, Director, Trustworthy Computing Communications

I recently visited Brussels, where the European Union has its main base of operations. I visit customers and partners regularly as I get out and about discussing Security Intelligence Report findings.

The most recent volume of the Microsoft Security Intelligence Report, volume 11, which covers the first half of 2011, includes deep-dive regional threat assessments on every member state in the EU as well as many other locations. The regional assessments on EU member states provide insight into how many systems were infected with malicious software in each location, what the most prevalent malicious software threats were, and the relative concentration of botnets (collections of compromised systems controlled by criminals) used to send spam in each location. We compare trends across locations in a way that does not skew the results because of differences in populations or computer install bases. This type of data can be useful to EU policymakers by helping to identify the specific security challenges that governments are currently facing, and whether they share common issues that might be tackled through collaboration between member states.

For example, some observations I have made studying the data on EU member states in volume 11 of the Microsoft Security Intelligence Report include:

  • Malicious software infection rates during the second quarter of 2011 were higher than the worldwide average in locations such as Bulgaria, Croatia, Georgia, Lithuania, Poland, Romania, and Spain. Finland’s infection rate was 7.4 times lower than the worldwide average during the same period, and has had one of the lowest infection rates in the world consistently over the past several years. 
  • Microsoft anti-malware technologies detected adware at percentages far above the worldwide average during the second quarter of 2011 in many EU member states, including Belgium, France, Germany, Italy and the United Kingdom. Adware is a program that displays advertisements; although some adware can be beneficial by subsidizing a program or service, other adware programs may display advertisements without adequate consent.
  • Locations such as Bulgaria, Georgia, Portugal and Romania have significantly higher percentages of web pages hosting drive-by download exploit code than the worldwide average (ranging from 8 to 12 times the worldwide average). A drive-by download site is a website that hosts one or more exploits that target vulnerabilities in web browsers and browser add-ons. Users with vulnerable computers can be infected with malware simply by visiting such a website, even without attempting to download anything. During the same period, the percentage of web pages hosting drive-by download exploit code in Luxembourg was 1/3 of the worldwide average.
  • The number of phishing sites (per 1,000 hosts) in the second quarter of 2011 was more than double the worldwide average in France, Georgia, Slovenia, and the United Kingdom. Phishing is a method of credential theft that tricks Internet users into revealing personal or financial information online. Phishers use phony websites or deceptive email messages that mimic trusted businesses and brands to steal personally identifiable information (PII), such as user names, passwords, credit card numbers, and identification numbers. Austria and Finland have far fewer phishing sites (per 1,000 hosts) than the worldwide average: 5.8 times fewer and 11 times fewer, respectively.

The threat landscape appears to be much more active in some EU member states than others. This seems to present an opportunity for collaboration whereby the consistently least infected locations within the EU could share best practices, and perhaps even resources, with the more impacted member states. 


In my opinion, if every EU member state had malicious software infection rates as low as Finland’s or Austria’s, it would be a huge accomplishment in terms of cost savings and productivity gains. I provide a detailed analysis of the threat landscape in these countries, along with several others that have consistently low malware infection rates, in a six-part blog series I wrote recently. In the last part of the series I share the best practices that these regions use to manage consistently low malware infection rates – these are worth a look and can help locations with higher infection rates.