Skip to main content
Skip to main content
Microsoft Security

Threat Landscape in the Middle East and Southwest Asia – Part 5: Socio-economic Factors and Regional Malware Infection Rates

  • Tim Rains

This series examines malware infection rates and the factors contributing to them in several locations in the Middle East and southwest Asia including Bahrain, Egypt, Israel, Iraq, Jordan, Kuwait, Lebanon, Oman, Pakistan, Palestinian Authority, Qatar, Saudi Arabia, Syria, Turkey, and the United Arab Emirates. This region of the world has had high malware infection rates  compared to other parts of the world. I looked at how malware encounter rates effect malware infection rates in the region. I also examined how  anti-virus software usage  and Windows XP market share  impact infection rates in these locations.

Although all of these factors appear to have some effect on regional malware infection rates, each one by itself cannot be used to explain why this region consistently has relatively high malware infection rates.  Then what does explain why the threat landscape has been so active in this region of the world? In this part of the series I explore how a broader range of socio-economic factors influence malware infection rates in the Middle East and southwest Asia.

In February, 2013 Trustworthy Computing released a Special Edition Security Intelligence Report called “Linking Cybersecurity Outcomes and Policies.” This research revealed that there were correlations between 34 socio-economic factors and regional malware infection rates, among the 80 factors studied. A full list of these factors and the sources of data for each are available in the study. Figure 1 contains some samples of the factors and their correlation with regional malware infection rates (Computers Cleaned per Mille or CCM). Most of the factors identified were negatively correlated with CCM; as the indicator value rises, CCM will decrease. For example, as gross income per capita increases, CCM decreases. It is important to keep in mind that correlation does not mean causation.

Figure 1 (left): Sample indicator variables as published in Linking Cybersecurity Policy Performance; Figure 2 (right): 11 factors, divided into three main policy areas

In January of this year, Trustworthy Computing published a follow-on study based on this research called “The Cybersecurity Risk Paradox: Impact of Social, Economic, and Technological Factors on Rates of Malware.” This new study focused on a subset of the 34 socio-economic factors identified in the original study; the 11 factors seen in Figure 2 were the focus of the new study. These factors are organized into three areas: Digital Access, Institutional Stability, and Economic Development. The relative ability of the factors in each area to forecast infection rate changes varies from country to country. However, the research shows that countries that are above-average across these developmental areas can expect to see greater improvement in malware infection rates than those locations that are not.

Digital Access measures both the quality and quantity of digital content being consumed; factors studied include Facebook usage , Internet Users per Capita and Secure Internet Servers per Million People . Institutional Stability applies to a group of factors related to national, social, and human development, such as Regime Stability , Rule of Law , Literacy Rate , and Corruption . Finally, Economic Development relates to factors that directly impact the creation of goods, income, or business operations within the country, such as GDP per Capita , Gross Income per Capita , Productivity  and Regulatory Quality . The model developed during the research utilizes three distinct clusters of countries/regions:

  • Maximizers: Countries with effective cybersecurity capabilities and that out-perform the model expectations.
  • Aspirants: Countries that are on a par with the model and are still developing cybersecurity capabilities.
  • Seekers: Countries with higher cybersecurity risk that underperform on model expectations. Seeker countries are generally those with developing economies and lower levels of technological development.

Because of the consistently high malware infection rates in the Middle East and southwest Asia, most of the locations that I have examined in this series of articles are in the Seeker cluster. For example, the CCMs for Pakistan, the Palestinian Authority, and Turkey are the three data points plotted closet to the top right corner of the graph in Figure 3. Figure 4 gives you some idea how the infection rate improvements of the seeker countries/regions compares to the improvements of other locations. As a group Seekers had higher malware infection rates and saw less improvement in infection rates than other locations in 2011 and 2012.

Figure 3 (left): Comparison of malware rates between 2011 and 2012. Countries/regions above the divider line saw an increase in malware and are disproportionately composed of countries identified as Seekers in the Linking Cybersecurity Policy and Performance study; Figure 4 (right): Comparing the changes in malware infection rates of the Seeker cluster to other locations

Let’s take a closer look at Institutional Stability and how related socio-economic factors might be playing a role in high infection rates in the Middle East and southwest Asia. Figures 5, 6, 7 and 8 illustrate the malware infection rates of Egypt, Iraq, Syria, and Saudi Arabia respectively, with dates of some recent events plotted along the line. I chose Egypt, Iraq and Syria because they have all had above average levels of institutional instability over the past few years. As seen in Figures 5, 6, and 7, malware infection rates seem to rise in these locations when stability is challenged and governments are likely less effective. I included Saudi Arabia in Figure 8 as a contrast to the other locations as it has been relatively stable during the same period of time and has had more positive socio-economic factors than the others. It’s also interesting to see that high profile cyber-attacks in Saudi Arabia, like Saudi Aramco and RasGas, seemed to have little or no effect on the malware infection rate of the country/region as the infection rate in Saudi Arabia continued to mirror the downward trend of the worldwide average. Although such high profile attacks rightfully garner a lot of attention, it would seem that socio-economic factors have a much more profound impact on malware infection rates than attacks on individual organizations or local industries.

Figure 5 (top left): Recent events and CCM in Egypt; Figure 6 (top right): Recent events and CCM in Iraq; Figure 7 (bottom left): Recent events and CCM in Syria; Figure 8 (bottom right): Recent events and CCM in Saudi Arabi; note: events and dates as published in, and

Interestingly, our research suggests that there is a paradox that stems from the modernization of information and communications technology. While increased Internet access and more mature technological development is correlated with improvement in malware infection rates at the global level, it has the opposite effect among Seeker countries. This can be seen in Figure 9 that illustrates the correlation of Digital Access predictors with regional malware infection rate changes among Seeker and Maximizer countries/regions. The numbers in Figure 9 are correlation coefficients, with values of 1 and -1 representing perfect correlation, and 0 representing no correlation. The data in Figure 9 suggests that as Broadband Penetration increases, Maximizers (countries/regions that are more technologically mature) experience a decrease in malware (-.33), while Seeker countries/regions (that are less technologically mature) experience an increase in malware (.68). Similarly, as Mobile Internet Penetration increases, Maximizers experience a decrease in malware (-.19), but Seekers experience an increase in malware (.58).

Figure 9: Correlation of Digital Access factors with regional malware infection rate changes among Seeker and Maximizer countries/regions

To explain this effect, the study hypothesized that there exists a tipping point in digital maturity after which increased Internet access ceases to encourage the increase in malware infection rates and begins to reduce them. If the hypothesis is correct, this suggests that countries with a developing level of information and communications technology might be unprepared to secure their infrastructures commensurate with the increase in citizen use of computer systems, which provides greater opportunity for malware to spread unchecked.  Seeker countries/regions are typically less mature in their security capabilities for newly deployed technologies, which explains why regional malware infection rate increases are observed as digital access increases. However, there appears to be a certain level of technology maturity at which countries/regions develop enough technological sophistication that they can curb the growth of malware. Improving digital access after that point correlates with improved malware infection rates — the effect observed in more technologically mature countries.

Given what we know, what can the countries/regions in the Middle East and southwest Asia do to lower their malware infection rates? This is the topic of the final article in this series – Part 6.

Tim Rains
Trustworthy Computing