Preventive Anti-Virus Software

The Business Case

© Robert Vibert (1996)


Computer viruses have become a popular topic of discussion over the past several years and many organizations are now concerned that their security procedures and anti-virus protection may not be adequate to deal with this threat to their computing environment. This article will address the risks presented by computer viruses and the need for anti-virus software in organizations. For the sake of simplicity, an organization with 500 PCs will be used as the example.

Viruses – Fact or Fancy?

There has always been a certain level of hype surrounding computer viruses. In 1992, the largest American anti-virus vendor was accused of fomenting panic to sell their product by claiming that the Michelangelo virus would infect large numbers of machines. The popular press’ has had a poor track record for reporting objectively on computer viruses, often distorting facts for the sake of sensationalism and many times failing to investigate the realities of computer viruses before writing headline-grabbing stories. Reports of viruses which will bring down military systems or destroy computer hardware are equally common and equally erroneous. The fact is that computer viruses are not about to take over the world, do not destroy hardware, and do not justify locking up all computers. Computer viruses are, quite simply, one of a number of security threats against which all organizations must protect themselves. The threat of computer viruses is real and increasing.

Numerous studies by independent organizations have found that the level of incidents is steadily rising. The RCMP, which receives reports from Canadian government departments, reported an increase of over 200% in incidents from 1994 to 1995. Information Week, in conjunction with Ernst & Young, reported that 59% of companies surveyed in 1994 suffered virus incidents, versus 54% in 1993. For 1995, the same survey found that 70% of respondents had suffered virus incidents. Studies conducted in Europe show similar trends.

There have also been a number of cases documented in which widespread virus incidents have occurred with the newer Macro Viruses. Why are more and more organizations suffering from virus incidents? The answers are many, but include

  • the increase in the number of viruses in existence (7500 in December 1995 and growing by at least 250 per month);
  • virus distribution via the Internet, where a number of World Wide Web sites offer viruses for downloading;
  • the development of new types of viruses, such as the Macro viruses, which have mechanisms for rapid spread;
  • the widespread availability of virus creation software and information;
  • the sale of viruses on CD-ROM and virus writing instruction manuals;
  • the growth in the use of PCs in businesses, homes and schools; and
  • a growing technical awareness amongst young users who are discontented with bleak job prospects.

Another factor which weighs heavily in the analysis is the use of outdated procedures and methods of virus detection that are not suited to the increased threat. This leaves organizations at a higher risk level than before. All of the factors mentioned above reveal one thing: the computer virus threat is real, it is increasing, and it will not go away anytime soon.

Should One Buy Anti-Virus Software?

Having identified the threat, it becomes important to determine what protection can be put in place to defend against it. Many solutions are available, but the protection that is most widespread and consistently recommended by experts is, and will continue to be for the foreseeable future, the virus scanner. This is a software program that detects viruses, alerts users to the presence of a virus and in many cases removes the virus from the infected host. The best implementation of this software, from a user and management viewpoint, is the online or real-time version which automatically checks all potentially infected files and disks before a virus can spread. This method is called preventive protection. The reasons for buying anti-virus software are quite similar to those used to justify investments made in other areas. In some ways, Anti-Virus software is a form of insurance.

With the preventive software properly installed, virus incidents are reduced to a minimum, since viruses are caught before they can infect the machine. Preventive Anti-Virus software also has the benefit of allowing management to exercise more control over their computing environment. Viruses can cause tremendous disruption to the harmonious working of systems. Anti-Virus software that prevents these incidents removes this disruption. At the same time, management is made aware of the source of viruses. A third, and perhaps the most important, is that high quality Anti-Virus software can actually save an organization considerable money. This is achieved by reducing un-productive work spent on dealing with viruses to an absolute minimum and freeing up resources for more productive work. Given the demands of the modern economy, where every resource must be maximized, this savings can represent a major return on the investment.

What Are The Costs of a Virus Incident?

There are two main types of virus incidents which should be considered: an actual virus infection and a false alarm.

An Actual Virus Infection

In our first case, we will look at a single workstation which has been infected with a virus. For all intents and purposes, from the time the virus is detected until it is removed, the workstation is rendered unusable and the worker unproductive. Time and effort of several people will be spent on tasks to make that workstation usable and return the worker to productive activity again. We have listed several of the activities involved below, following the normal sequence of events after the discovery of a virus:

How much does a Virus Incident cost?

The steps:

Step: User time: Tech Time:
1. The user experiences a problem and checks to see what has gone wrong. This could involve checking hardware, re-booting the workstation, talking with someone else about the symptoms, calling the help desk, etc. At some point he will also check to see if it is a virus.  15-60 5-10
2. Unsuccessful in determining the exact cause of the problem, the user calls the help desk and requests assistance. A technician is dispatched and the user waits until he arrives.  15-60 15-60
3. The user, or more likely, a technician from the help desk, uses an anti-virus product (or products) to inspect the workstation to determine if a virus is present and to make a positive identification of all the infected files on the workstation. 5-15 5-15
4. Action is taken to remove the infection. This could involve cleaning the infected files, erasing the infected files, re-installing software, installing a clean partition or boot sector, reformatting the hard drive, etc.  15-90 15-90
5. Since the source and time of the infection are often unknown, any diskettes used on that workstation need to be inspected and cleaned. 15-30 15-30
6. After the clean-up is performed, software is tested to ensure that it is working properly. Re-configuration is often necessary. 15-30 15-30
7. A virus infection draws attention. Co-workers will observe, discuss and react to the event. This is inevitable and can lead to the discovery of other infected workstations.  15-60 15-60
8. If warranted by the situation, the technician needs to check other workstations, especially if they were sharing diskettes or e-mail attachments.  30-120 30-120
9. A report will normally be prepared on the incident, if only to justify the unproductive time. 15-30 15-30

Total time lost in minutes 140-495 user / 130-445 tech


In the instance of an infection with no data loss, there will be work time lost by three groups: the user, the co-workers while observing, and the technician’s time for cleanup. It is realistic to estimate that on average, a virus infection on a workstation will result in the loss of a minimum of two hours and a maximum of one person-day. In the case of an infection that has spread across several workstations, the costs could conservatively be estimated at a half-person-day times the number of workstations. Of course, in both these cases, we are assuming that no data has been lost or damaged.

Some virus infections will attack data or document files. This data may need to be restored or redone. The Word macro virus, for example, has created situations where this work is considerable. If damaged, the files have to be restored from backup. If the backup has been damaged, the data may be lost. There is also the cost of data that is lost. If the virus is the type that corrupts data files, the cost could be calculated as the equivalent of redoing the work lost.

Depending upon the amount of work lost (1 day, 1 week, 1 month,…) and the number of users affected, the cost could quickly exceed the value of the computers in use. Some banks have a rule-of-thumb which states that the value of the data on a network server grows to exceed the value of the equipment itself within a very short period – perhaps as little as a month.

False Alarm

A false alarm incident is not actually a virus attack, but a false report which causes an organization to react in the same manner as an actual virus attack. A false alarm happens when:

a) a virus detector makes a mistake and indicates that a file is infected when it really is not; 
b) a virus infection is suspected due to strange behavior on the part of a PC. 


In the first case, (often caused by virus detection software which is designed to detect suspicious code in program files), a great deal of time and effort can be wasted in the hunt for the elusive ghost. In the second case, strange behavior on the PC (program crashes, data corruption, missing files, slow performance, etc.) are suspected to be caused by a virus, when actually some other problem is responsible. When this happens at a workstation the user’s time is unproductive. The following table illustrates the sequence of events that can occur due to a false alarm.

Below are the Events and the Time spent (min.) by both: Users Tech
1. The user experiences a problem and tries to determine the source. This could involve checking hardware, re-booting the workstation, talking with someone else about the symptoms, calling the help desk, etc. Eventually, the user will check to see if it is a virus.  15-60 5-10
2. Unsuccessful in determining the exact cause of the problem, the user calls the help desk and requests assistance. A technician is dispatched and the user waits until he arrives. 15-60 15-60
3. The user, or a technician from the help desk, uses an anti-virus product (or products) to inspect the workstation to determine if a virus is present and to make a positive identification of all the infected files on the workstation. Since it is a false alarm, several inspections will be done to try to locate the problem.  15-45 15-45
4. A suspected virus infection draws attention. Co-workers will observe, discuss and react to the event. 15-60 15-60
5. A report will normally be prepared on the incident, if only to justify the unproductive time. 15-30 15-30

Total time lost in minutes 75-255 user / 65-205 tech

In a typical scenario of one worker and two co-workers, where the false alarm causes the maximum loss of time in one of the items of time wastage and the minimum in all the rest, a half-person day will be lost. Often, the false alarm will involve much more time wastage. False alarms, although not causing direct damage, can still be costly to an organization.

Network Incidents

Viruses on a network have an even greater cost than on single PCs. Not only do they affect more users, they tend to cause greater problems than normal. This happens because viruses tend to conflict with the basic operations of networks, especially Novell NetWare (which is the most popular). These conflicts can be especially troublesome for certain operations, causing problems that do not occur on normal PCs.

What Would These Incidents Cost?

To calculate a dollar value for these virus incidents, we will take as an example 500 workstations in an organization, and 5 virus incidents (real and false alarms) per year. With 50% of the PCs being affected, we find the following:

500 x 5% = 25 PCs
5 incidents x 25 PCs = 125 cleanups
125 cleanups x .5 person days min. = 62.5 person-days @ $50.000 year (average wages & benefits*) / 230 working days = $13.600 in direct costs for lost time.
(*CPP, UI, Dental, Medical, etc.)


To this we must add the costs of rework for data that was corrupted, opportunity costs for projects which were delayed due to lost time, sales which were lost due to lost availability, etc. If a third party technician is used to do the cleanup, this cost (at about $100/hour) must be added as well.

Costs of Inadequate Protection

If the organization’s current anti-virus software does not prevent virus infections, but only enables cleanup after an infection has occurred, the purchase cost of that software must be considered as well. Although this software does enable cleanups, it does not prevent incidents. Proper, high quality, preventive anti-virus software will reduce the time spent dealing with viruses to a minimum. Infections are reduced to a minimum as the real-time software stops viruses from spreading and infecting workstations. Viruses are contained at their point of entry (typically diskettes or e-mail attachments), which enables them to be cleaned up in seconds, rather than hours.


The computer virus threat represents a very real cost to organizations. Each virus incident incurs a real cost in time and resources, often hidden from management under general operating expenses. Reducing the impact of virus incidents through the use of preventive anti-virus software will have a direct impact on the bottom line of any organization. Costs will be reduced, productivity increased and technicians freed up to work on more important projects. Preventive anti-virus software provides a solid return on the investment in a very short period of time.

Appendix A

Calculating costs for your organization

To calculate the costs of virus incidents in your organization, you need to take into account the following:
Item A
Quantity B
Person Day Total (A x B)
Number of false alarms in one year 0.5
Number of single PCs infected in one year 1.0
Number of Network infections in one year 1.5
Estimated person days required to restore data that was lost or damaged 1.0
Subtotal person days
Person-years (person days /230)
Average person-year cost
Lost productivity cost (average cost x person years)
Cost of current anti-virus software for cleanups
Total cost of virus incidents

Appendix B

Clean up costs – a real case

The following is a report on the cleanup operations performed at an American company after several virus infections. This report was provided by the technical company which performed the cleanup.

“The first incident happened in early February 1995 and involved us removing NATAS from 253 of the 300 systems in their office at a cost of $23,680 US. This figure was the cost of our having 7 technicians on site for the better part of a week (28 hours total I believe). I was a little shocked when I first saw that number myself, until I talked to the account manger. Many of the PCs involved had to be cleaned two or three times before we killed the thing completely. Apparently, while our guys were cleaning the involved systems they came across the game that was most likely the source of the infection and removed it. But nobody bothered to tell the guy who had installed it and he just reinstalled it, and went on playing with his buddies across the network!

I think in the end the only factor considered in their decision to set an AV policy was that it cost less per year than the removal of the viruses.

Incident number 2 (late February) again involved the removal of NATAS from 49 systems at a cost of $4,140.00 US. Incident number 3 (mid April) involved us removing RIPPER from 5 systems and restoring data from a pre-infection set of backups which where about 10 days old. Total cost $8,550.00 US (plus an unknown amount of overtime pay for their employee who had to re-enter all the transactions lost because of RIPPER). Incident number 4 (Late May/early June) involved removal of both TEQUILA and ONEHALF from about 65 systems plus the recovery of data encrypted by ONEHALF. Total cost $13,350.00 US.

After adding up all the bills associated with the removal of these viruses, the bean counters’ who had been opposed to the purchase of anti-virus software re-evaluated their objection that it was too expensive. They now have Dr. Solomon’s Anti-Virus Toolkit installed on all their servers and workstations as the primary defence. They have also licensed F-Prot Professional and installed it as backup scanner. The other steps that they’ve implemented are outlined below.
1. All employees are required to attend a virus prevention seminar once a year. These seminars include information on what viruses are and what they can and can not do, along with training in the company response policy.
2. All software in the company has been standardized so that all departments use the same applications and all unauthorized software was removed (we were able to trace the NATAS incidents to a shareware game program installed on several workstations).
3. An incident response team was created along with a disaster recovery plan.
4. All software, diskettes, etc are required to pass through a “gatekeeper” before it can be installed on production workstations.
5. Any employee who disables, removes, bypasses, or ignores a warning from the AV software installed on his/her workstation and/or fails to notify the Incident Response Team of a virus encounter in any company facility is subject to immediate termination.

They have also purchased additional copies of the Toolkit for use by employees on their home PCs.”

Appendix C


Additional Information

It is not easy to find anecdotal information on this topic, probably due to a fear of adverse publicity on the part of organizations which have suffered from virus attacks. If any readers are willing to provide details, as in the case presented in Appendix B, the author would be most appreciative. Confidentiality is assured. In addition, any other information or comments on the business case for anti-virus software are appreciated.