An Empirical Analysis of the Effectiveness of Information Security Measures

We examine whether the adoption of information security measures can reduce the probability of computer virus infection by using firm-level survey data and probit regression analysis. We find that implementing two security measures—Web content filtering (WCF) and restriction of bringing in/out storage media or PCs (R_in/out)—can result in a statistically significant reduction of the probability. Calculating the average partial effect, we also indicate that the adoption of each of these measures decreases the estimated probability of infection by about 10% on average. In addition to these analyses, we show that the effectiveness of some security measures differs by firm size or by sector.