3 reasons to ask whether anti-virus controls are worthwhile

I argued here a couple of weeks ago that Information Risk organizations may be spending too much on security. Today I want to look at a concrete example of possible over-investment: anti-virus. Here are three items that should make you question strong investment in anti-virus controls.

1) Bill Brenner over at CSO magazine wrote a nice article yesterday. In it he quotes a number of security experts who say that, given other controls, traditional anti-virus may cause as much harm as good.

2) In early 2008 IREC addressed the issue of “streamlining” the controls portfolio. Basically, this means looking for opportunities to cut costs by cutting out controls. The trick, of course, is finding ways to cut controls without reducing security too much. In the overview of the topic shown below, we cited anti-virus in the Unix environment as an example of an obsolete control that should be considered for retirement. Since then many of our members have reported to us that they have taken this step in the Unix environment, and a couple are considering it for MS Windows.

[Figure: Streamlining]

3) In recently concluded work, IREC studied the relative value of controls as a guide to security investment prioritization. We assessed objective 10.4 of ISO 27001/27002 (“Protection against malicious and mobile code”, which is where anti-virus falls within ISO), along with 30 other objectives, for their power to improve security outcomes. The results were:

  • Overall, this objective was the second weakest of the objectives at driving information protection outcomes.
  • This objective showed severe diminishing returns when organizations increased their maturity past 3.6 on our 1-5 maturity scale.
  • Over 25% of our members have already surpassed this level of maturity (meaning their latest investments have been wasted). Another 15% are pretty much at this level (and thus should not invest any more).
  • Controls like ISO 10.1 (Operational Procedures and responsibilities) not only had more room for improvement (no diminishing returns) but had twice the power to improve security outcomes.

In short, you almost certainly don’t want to invest more in anti-virus, and in some cases you might want to pull back.

Edited July 6, 2009 to add: Here’s a timely article about a downside of AV controls: a bad update can cause massive productivity losses. Do you try to test every signature update (meaning your signatures are even more out-of-date) or run the risk of mass system problems? http://www.theregister.co.uk/2009/07/03/mcafee_false_positive_glitch/
