Fuzzy Math on Malware-Piracy Connection

A follow-on to last Friday’s post about the BSA’s recent worldwide study linking software piracy rates with the proliferation of PC malware:

Jeff Williams, principal group program manager for Microsoft’s Malware Protection Center, announced that Microsoft has released a report claiming that malware infection rates are directly correlated with the reluctance of users running counterfeit copies of Windows to use Windows Update, the service that pushes OS patches out to PCs. (Microsoft’s research on malware infection rates was also used to draw similar conclusions in the BSA’s own study.)

But according to Gregg Keizer of Computer World, Microsoft’s numbers don’t add up. Here are a couple of excerpts from a column he published on Monday.

“China [whose piracy rate is estimated to be four times that of the US], for example, boasted a malware infection rate…of just 6.7, significantly lower than the global average of 8.7 or the U.S.’s rate of 8.2 per thousand.”

“Of the three countries Microsoft called out as examples of nations whose users are reluctant to run Windows Update because of high piracy rates, only Brazil fit Williams’ argument: Brazil’s infection rate was 25.4, nearly three times the global average.”

Those familiar with the studies also criticize the BSA’s “cherry picking” of numbers to support its own anti-piracy agenda. Here’s one example of such a critique.

Though I can’t personally validate any of these statistics, it seems that both Microsoft and the BSA are oversimplifying the connection between the use of Windows Update and lower malware infection rates. Even if there is a correlation (which I’m sure there is), it appears that in some cases more powerful factors are at work that offset the effect. I’d personally love to better understand the roles that cultural, governmental, demographic, and economic factors might play in the overall equation. For example, to what extent might each of the following affect regional malware infection rates?

  • Government commitment to and effectiveness at targeting cybercrime
  • Severity of government penalties for perpetrating malware schemes
  • Rate of unemployment or underemployment (in societies with fewer employment opportunities, are people more likely to turn to malicious computer activity?)
  • Prevalence of individuals who possess the technical capabilities to carry out malware attacks
  • Percentage of security threats designed to exploit vulnerabilities in the Windows OS versus other means of tunneling into the PC
  • Relationship between investment in desktop security (e.g. AV or anti-malware programs) and demographic factors such as personal income, computer literacy, education level, spoken language, etc.
  • Access of the general population to information regarding the presence and/or remedy to any specific security threat
  • Ambivalence or cultural cynicism toward Microsoft (to what extent do legitimate Windows users choose not to run Windows Update?)

And of course, similar factors exist on the supply and demand sides of counterfeit software. Simply put, based on Microsoft’s and the BSA’s published statistics alone, there appears to be no clear-cut relationship between software piracy and malware infection rates. Unfortunately for Microsoft and the BSA, the less rigorous their research methods, the less credibility their reports hold among those whose behavior they seek to change.