Within the margin of error

2011-11-01

Gabor Szappanos

VirusBuster, Hungary
Editor: Helen Martin

Abstract

‘Only 3% of the webmasters responded... Tanase had rediscovered the Bontchev constant.’ Gabor Szappanos, VirusBuster


According to some popular theories, history follows a circular path, always returning to a previous state albeit at a higher level of social development. Recently, I came to the conclusion that anti-virus research follows a similar path: not only did an experiment flash back from the past, but the result turned out to be virtually identical.

During the course of the 2001 Virus Bulletin conference Dr Vesselin Bontchev summarized FRISK’s experiences of the W97M/Groov.A macro virus. This otherwise unremarkable macro virus had an interesting payload: it uploaded IPCONFIG output data to the complex.is (FRISK) FTP site. Using the server logs it was possible for the researchers to trace back the infected users, advise them of the infection, and ask them whether they wished to receive further notifications. Only 3.15% of them responded positively.

All of the above details were quickly forgotten, but what was remembered by many (and entered into AV industry folklore) was Bontchev’s famous summary: ‘97.3% of the human population are [not security conscious people]’ – though he used a slightly different and much shorter epithet. In fact, the details were so poorly remembered by the majority that in later citations a different number persisted from the one in the original publication (eagle-eyed readers will already have observed this by adding the two numbers above).

This year’s Virus Bulletin conference featured a similarly interesting presentation by Stefan Tanase. He described the process of contacting the webmasters of infected Romanian websites. The result was interesting: only 3% of the webmasters responded. As was pointed out by a member of the audience, Tanase had rediscovered the Bontchev constant.

Now, if my evil twin were writing this comment, he would conclude that all the efforts invested in user education and security consciousness over the last ten years have resulted in a 0.15% decline in awareness. And this is in an even more security-oriented audience – since webmasters ought to be more security-aware than the average user falling victim to a macro virus. But since my twin is not only evil but also fair, he would mention that the difference is within the margin of error resulting from finite sample size – so he would say that, in fact, the situation is best described as exactly the same as it was ten years ago.

Fortunately, it is not my evil twin writing, but me at my most optimistic moment. I feel I must transmit optimism, otherwise the readers of this magazine would give up all their efforts and retreat to physics or games software development. What gives us hope are Tanase’s further findings – namely that although only 3% of the webmasters responded, actually 5% of the web pages were cleaned. And I would even take into account the additional 1% that were shut down, assuming the best. Therefore, according to my optimistic calculation, security consciousness has grown from 3.15% to 6% in ten years. If we continue with the same effort, we will reach the clear majority in the year 2165, when half of the user population will care about security. I can hardly wait to see that – though I won’t hold my breath.

But all sarcasm aside, we must continue relentlessly with our efforts in user education. First, we need better PR. If we are not accepted as educators, our message will not be received. For me, the most worrying part of both experiments was the deafening silence: the majority of users did not even respond to the assistance being offered by the anti-virus experts. I interpret this as an indication that the general population does not accept us as an authority when it comes to computer security issues.

The anti-virus industry has never been able to shake off the ancient accusation that we write the viruses ourselves, but now it is essential for us to convince the public that we are the good guys. Without their support we can only lose the battle against cybercrime.
