"according to a McAfee-backed cyber-defence study."
What's the point of taking it seriously? This is from a company, that for the longest time, would hand out "hacker safe" medals to websites that were vulnerable to XSS attacks and SQL injections. Their definition of "cyber defense" or "security" raises serious questions about their judgement.
For example, rating Spain, France and Germany in the same category as Denmark and Estonia? Those three alone account for about 30% of the infected machines in Europe alone, and about 20% of the global market (Germany is the worst offender in that list).
Why is Brazil rated higher than Mexico? In the entire LATAM region, Brazil has more infected hosts than Mexico by a factor of almost 20.
India should be rated a single "star", giving them 2 1/2 is way too good.
Why am I looking at infected hosts? Because what bloody good will the best external-facing firewall do you if you have a scourge within the inside, ready to strike out and do damage from within? Absolutely zero.
Make the claim that it is an end-user problem. It certainly is -- but who allows those users on? The ISPs and telcos, who help to set security policy within the country as they set and configure the infrastructure. If ISPs took a more active approach to security inside and outside, they'd be better off and ranked higher. Any entity that takes either an apathetic or ignorant view of internal security doesn't have a good policy in place.