266 Chapter 7 · Perilous Outsorcery First Law AV services "exist" realistically if (and only if) there are agreed descriptions of the activities involved. Only then are you able to manage the virtual world of protection against harmful code as an integral part of protecting the business or the "real world" in a predictable and measurable way. Often, these descriptions are either absent or (at best) not yet migrated, slowing down the AV operation. Second Law Malware, malicious code, virus, or harmful code are all interchangeable terms and concepts for most managers, and so (often) are the processes related to AV services. So, in this context you can use the terms AV, anti-malware, anti-spyware, harmful code protection, malware management, and so on.This is nice, but it will not have a positive effect on managing the "perils." As described in other chapters, dealing with spyware, rootkits and so on can be very different from the techniques required for dealing with viruses and worms. During the first phases, what is described is in general, and hence doesn't give enough information to staff needing to know what is (or is not) to be done. Adding the word "management" (like in anti-malware management services) to the outsourced activities will look more impressive for an AV manager, but makes little difference to the meaning. While we can generally stick to a term like outsourced AV services for the sake of clarity, it will nevertheless take quite a while for all staff to understand what that means in