If you’re just tuning in, this is the fourth in a series of blogs about understanding the risk of endpoint security, preceded by:
- Endpoint Security: The Risk of Going Unprotected
- Endpoint Security: Yes, Anti-Virus Really Does Reduce Risk
- Endpoint Security: Why “Free” A/V is Better Than Nothing
By now, the approach to substantiate the statement “free A/V actually costs more” should seem straightforward: update our Monte Carlo model using the block rate for a specific, commercial endpoint protection solution, along with estimates for its total annual cost – and evaluate the resulting reduction in risk, net of the incremental investment.
For systems running endpoint protection from McAfee, testing by NSS Labs found a block rate of 97%. A small range centered around this value was incorporated into the Monte Carlo model. In addition, the annual total cost of the McAfee solution was estimated to be between US$5.00 and $12.00 per endpoint per year, based on publicly available data for 1,000 endpoints. For full details on the assumptions and their source, you can read the full report.
The result is presented in the following figure, which shows the (conservative, understated) risk of 1,000 endpoints protected with Microsoft versus that of 1,000 endpoints protected with McAfee:
| Probability of … | Microsoft | McAfee |
| --- | --- | --- |
| 80% that the annual business impact will be greater than | $22K | $9.3K |
| 50% that the annual business impact will be greater than | $31K | $11.7K |
| 20% that the annual business impact will be greater than | $41K | $14.3K |
The model shows that the commercial McAfee endpoint protection solution actually reduces the risk by 60%-70% more than the “free” Microsoft solution, even net of the incremental cost of licensing. In other words, “free” anti-virus actually costs more.
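The kind of comparison described above can be sketched as a small Monte Carlo simulation. This is an added example, not Aberdeen's model: only the 1,000 endpoints, the 97% block rate and the US$5.00 to $12.00 cost range come from this post. The threat volume, the impact per infection, the free product's block rate and the width of every range are constructed placeholders, so the output will not reproduce the figures in the table.

```python
import random

ENDPOINTS = 1000  # fleet size used in the post

# Constructed threat inputs (assumptions, not Aberdeen's): attempted infections
# per year across the fleet and business impact per unblocked infection in US$,
# each given as (low, high, mode) for a triangular distribution.
ATTEMPTS = (500, 1500, 1000)
IMPACT = (100, 500, 250)

def simulate(block_range, cost_range, trials=20000, seed=1):
    """Sorted annual totals in US$: impact of unblocked infections plus product cost."""
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        block = rng.uniform(*block_range)            # fraction of attempts stopped
        attempts = rng.triangular(*ATTEMPTS)
        impact = rng.triangular(*IMPACT)
        cost = rng.uniform(*cost_range) * ENDPOINTS  # per endpoint per year
        totals.append(attempts * (1 - block) * impact + cost)
    return sorted(totals)

def exceeded_with_probability(totals, p):
    """Annual total that is exceeded in a fraction p of the simulated years."""
    index = min(len(totals) - 1, int((1 - p) * len(totals)))
    return totals[index]

def compare(p_levels=(0.8, 0.5, 0.2)):
    # Free product: zero licence cost; its block-rate range is a placeholder.
    free = simulate(block_range=(0.85, 0.91), cost_range=(0.0, 0.0))
    # Commercial product: 97% block rate and US$5-12 per endpoint per year are
    # from the post; the width of the block-rate range is assumed.
    paid = simulate(block_range=(0.96, 0.98), cost_range=(5.0, 12.0))
    return [(p, exceeded_with_probability(free, p), exceeded_with_probability(paid, p))
            for p in p_levels]

if __name__ == "__main__":
    for p, free_total, paid_total in compare():
        print(f"{p:.0%} chance annual total exceeds: "
              f"free ${free_total:,.0f}  commercial ${paid_total:,.0f}")
```

Because the product cost is added inside each trial, the totals are already net of the incremental investment, which is the basis on which the post compares the two solutions.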
We could attempt to model additional differences between enterprise-class and “free” solutions – including the impact of performance (scan times), the overhead of installing and managing multiple products from multiple solution providers, and other factors impacting the end-user experience. These also favor the enterprise-class solution, but they have a much smaller effect on the aggregate business impact than the information we already have – so in terms of the question at hand, there is relatively low incremental information to be gained by carrying out this additional work. (Unless you’re in marketing, in which case you want to take full advantage of every possible opportunity to beat up on your competition!)
In our last blog, we’ll look at the bigger picture of endpoint security – where Aberdeen’s research has shown that anti-virus by itself is not enough.