Documentation of Aggregated Model

Documentation Of Aggregated Model_V9 paper

Quick Links

All Variables

Variable Link Detail

View-Variable Profile

Model Assessment Results

Model Information	Result
Total Number Of Variables	86\|88
Total Number Of State Variables	11 (12,8%)\|13 (14,8%)
Total Number Of Stocks	9 (10,5%)\|9 (10,2%)
Total Number Of Feedback Loops No IVV (Maximum Length: 30) [2, 22]	66 (34\|32\|0)
Total Number Of Feedback Loops With IVV (Maximum Length: 30) [0, 0]	0 (0\|0\|0)
Total Number Of Causal Links	123 (80\|26\|17)\|130 (90\|26\|14)
Total Number of Rate-to-rate Links	1



Number Of Units Used In The Model (Basic/Combined)	7/9
Total Number Of Equations Using Macros	0 (0,0%)\|0 (0,0%)
Variables With Source Information	0 (0,0%)\|0 (0,0%)
Dimensionless Unit Variables	24 (27,9%)\|24 (27,3%)
Variables without Predefined Min or Max Values	82 (95,3%)\|84 (95,5%)
Function Sensitivity Parameters	0 (0,0%)\|0 (0,0%)
Data Lookup Tables	0 (0,0%)\|0 (0,0%)



Time Unit	Month
Initial Time	0
Final Time	12
Reported Time Interval	TIME STEP
Time Step	1



Model Is Fully Formulated	Yes
Model Defined Groups	No

Warnings	Result
Number Of Undocumented Variables	2 (2,3%)\|2 (2,3%)
Equations With Embedded Data	6 (7,0%)\|7 (8,0%)
Variables Not In Any View	0 (0,0%)\|0 (0,0%)
Nonmonotonic Lookup Functions	0 (0,0%)\|0 (0,0%)
Cascading Lookup Functions	0 (0,0%)\|0 (0,0%)
Non-Zero End Sloped Lookup Functions	0 (0,0%)\|0 (0,0%)
Equations With If Then Else Functions	0 (0,0%)\|0 (0,0%)
Equations With Min Or Max Functions	5 (5,8%)\|5 (5,7%)
Equations With Step Pulse Or Related Functions	0 (0,0%)\|0 (0,0%)
Equations With Unit Errors Or Warnings	0 (0,0%)\|0 (0,0%)

Potential Omissions	Result
Unused Variables	1 (1,2%)\|0 (0,0%)
Supplementary Variables	0 (0,0%)\|0 (0,0%)
Supplementary Variables Being Used	0 (0,0%)\|0 (0,0%)
Complex Variable	11 (12,8%)\|13 (14,8%)
Complex Stock	0 (0,0%)\|0 (0,0%)

Variable Types

L: Level (9 / 9)*	SM: Smooth (0 / 0)*	DE: Delay (2 / 4)*†	LI: Level Initial (9)	I: Initial (0 / 0)
C: Constant (49 / 49)	F: Flow (11 / 13)	A: Auxiliary (28 / 30)	Sub: Subscripts (0)	D: Data (0 / 0)
G: Game (0 / 0)	T: Lookup (0 / 0)*††

* (State Variables/Total Stocks) † Total Stocks Do Not Include Fixed Delay Variables. †† (Lookup Tables).

Views

View: security view (83) Variables

Groups

Aggregated Model_V9 paper (83)

Quick Links:

Top	(All) Variables (86 Variables)
Group	Type	*Variable Name And Description*	Thumbnail
Aggregated Model_V9 paper	#1 A	ad effectiveness (Dmnl) = +"AD FRACTION OF DROPPERS AND C&C"AD RISK SCORE LEVEL DETECTION Description:* the effectiveness of anomaly detection is based on the fraction of malware that can generate abnormal behaviour and the sensitivity of the anomaly detection capability. Usually that abnormal behaviour can be found in communication of the assets that are infected with malware. Certain malware functionality evoke communication between the threat actor and infected assets (C&C) or try to get more malisious software on the assets (droppers). The communication activites are abnormal compared to the situation before infection. The higher the sensitivity of anomaly detection capability determines the number of events that are reported for further investigation. Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#2 C	AD FRACTION OF DROPPERS AND C&C (Dmnl ) = 0.23 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/) indicate that 12% to 33% of the malware is related to droppers and other functionality (incl C&C communications) with an average of 23% Present In 1 View: security view Used By ad effectiveness the effectiveness of anomaly detection is based on the fraction of malware that can generate abnormal behaviour and the sensitivity of the anomaly detection capability. Usually that abnormal behaviour can be found in communication of the assets that are infected with malware. Certain malware functionality evoke communication between the threat actor and infected assets (C&C) or try to get more malisious software on the assets (droppers). The communication activites are abnormal compared to the situation before infection. The higher the sensitivity of anomaly detection capability determines the number of events that are reported for further investigation. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#3 C	AD RISK SCORE LEVEL DETECTION (Dmnl ) = 0.6 Description: This fraction indicate the hight of the risk score detection level. A 1 indicate every event will be reportend and evoke incident respond and 0 indicate nothing is reported unless there is 100% certainty about the occurance of an incident. Default value in the model is set on 0.6 Present In 1 View: security view Used By ad effectiveness the effectiveness of anomaly detection is based on the fraction of malware that can generate abnormal behaviour and the sensitivity of the anomaly detection capability. Usually that abnormal behaviour can be found in communication of the assets that are infected with malware. Certain malware functionality evoke communication between the threat actor and infected assets (C&C) or try to get more malisious software on the assets (droppers). The communication activites are abnormal compared to the situation before infection. The higher the sensitivity of anomaly detection capability determines the number of events that are reported for further investigation. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#4 C	ADVERSARY OBFUCATION EFFECT (Dmnl ) = 0.04 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/)indicate that malware with obfucation functionality is on average 4% with a minimum of 2% and a maximum of 8% Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection malware listing effectiveness Certain malware have specific functionality to mislead defender defenses and detection mechnasims. This functionality is called obfuction and loweres the effectiveness of the defender (= lowering malware listing) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#5 C	AVERAGE TIME TO CLEAN UP (Month ) = 1 Description: In the model the time to become subsetible is set on 1 by default. Present In 1 View: security view Used By clean up rate The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#6 C	AVG TIME TO LOSE ATTENTION (Month ) = 12 Description: This is the average time the awareness will be lost due to decay of knowledge based on SME interviews Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#7 L	Aware Employees (Staff) = ∫increase awareness-Awareness Decay dt + INITIAL AWARE EMPLOYEES Description: Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. creating awareness culture Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections insecure behavior of employees The impact of insecure behaviour is based on the ratio between unaware and aware employees Feedback Loops: 20 (30,3%) (+) 11 [3,22] (-) 9 [2,21]
Aggregated Model_V9 paper	#8 F,A	Awareness Decay (Staff/Month) = (Aware Employees/AVG TIME TO LOSE ATTENTION)(1-SW spearphishing)+(Aware Employees/AVG TIME TO LOSE ATTENTION)SW spearphishing(1+PULSE TRAIN(0, 1 , SP SEQUENCE , FINAL TIME )SP IMPACTRANDOM UNIFORM(0, 1 , 3+RANDOMIZER )"SP FRACTION BACKDOOR & STEALERS") Description: The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 11 (16,7%) (+) 7 [4,22] (-) 4 [2,21]
Aggregated Model_V9 paper	#9 F,A	becoming susceptible rate (Asset/Month) = Resolved Assets/TIME TO BECOME SUSCEPTIBLE Description: become susceptible rate is the recolved assets devided by the time to become susceptible Present In 1 View: security view Used By Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#10 A	being a victim of a malware attack (Staff/Month) = detection rateVICTIMS PER ATTACK Description:* If a malware infection on an assets has been detected the owner and user of this assets will be a victim with the attack and has to cope with the impact of malware removal actions Present In 1 View: security view Used By increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Feedback Loops: 24 (36,4%) (+) 11 [10,22] (-) 13 [8,21]
Aggregated Model_V9 paper	#11 F,A	clean up rate (Asset/Month) = MIN(SINGLE DEVICE CLEAN UP CAPACITY,Known Infected Assets/AVERAGE TIME TO CLEAN UP) Description: The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#12 C	CONTACT FREQUENCY ((Asset/Month)/Asset ) = 15 Description: based on average size on shared environments of the defender Present In 1 View: security view Used By total daily contacts by infecteds Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#13 C	CONTACT FREQUENCY BETWEEN EMPLOYEES ((Staff/Month)/Staff ) = 0.2 Description: This number is based on SME interviews Present In 1 View: security view Used By creating awareness culture Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#14 DE,A	creating awareness culture (Staff/Month) = DELAY1((Unaware Employees/(Aware Employees+Unaware Employees))(Aware EmployeesCONTACT FREQUENCY BETWEEN EMPLOYEES), 3) Description: Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections Present In 1 View: security view Used By increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Feedback Loops: 3 (4,5%) (+) 2 [3,5] (-) 1 [3,3]
Aggregated Model_V9 paper	#15 A	defense before infection (Dmnl) = (1-(1-(DEFENSE PERFORMANCEmalware listing effectiveness-FRACTION OF SENSORS NOT FUNCTIONING))^NUMBER OF DEFENSIVE LAYERS) Description:* The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Present In 1 View: security view Used By starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 23 (34,8%) (+) 12 [8,22] (-) 11 [11,20]
Aggregated Model_V9 paper	#16 C	DEFENSE PERFORMANCE (Dmnl ) = 0.95 Description: Defense performance is a value of the average effectiveness of the defenses in place. https://www.av-comparatives.org/ provide various test results to be used. Model is set on 0.95% Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#17 C	DETECTION DELAY (Month ) = 4.8 Description: FireEye (2016) Mandiant M-Trends EMEA report. This report considers that the global average time to detect security breaches is 146 days (4.8 months) Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#18 F,A	detection rate (Asset/Month) = (1-SW anomaly detection)((Unknown Infected Assets(DETECTON EFFECTIVENESS-ADVERSARY OBFUCATION EFFECT-0.025))/DETECTION DELAY)+SW anomaly detection((Unknown Infected Assets(DETECTON EFFECTIVENESS-ADVERSARY OBFUCATION EFFECT-FRACTION OF SENSORS NOT FUNCTIONING))/(DETECTION DELAY(1-ad effectiveness)))+SW anomaly detectionUnknown Infected Assetsad effectivenessmonth adj Description: The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) being a victim of a malware attack If a malware infection on an assets has been detected the owner and user of this assets will be a victim with the attack and has to cope with the impact of malware removal actions discovery of new malware The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Feedback Loops: 38 (57,6%) (+) 17 [8,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#19 C	DETECTON EFFECTIVENESS (Dmnl ) = 0.95 Description: Defense performance is a value of the average effectiveness of the defenses in place. https://www.av-comparatives.org/ provide various test results to be used. Model is set on 0.95% Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#20 A	discovery of new malware (Malware/Month) = detection rateMALWARE PER ASSETunknown malware ratio Description: The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Present In 1 View: security view Used By malware discovery Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware Feedback Loops: 23 (34,8%) (+) 12 [6,22] (-) 11 [4,21]
.Control	#21 C	FINAL TIME (Month ) = 12 Description: The final time of the simulation. Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#22 A	fraction of contacts with susceptibles (Dmnl) = Unknown Infected Assets/Susceptible Assets Description: fration of contacts with susceptibles depends on the contacts between unknown infected assets and the assets that can be infected by malware (susceptible assets). Present In 1 View: security view Used By total infectious contact total infections contacts are the total contracts created via shared environments (daily contracts by infecteds) multiplied by the total fraction of contacts with susceptibles Feedback Loops: 3 (4,5%) (+) 2 [4,4] (-) 1 [10,10]
Aggregated Model_V9 paper	#23 C	FRACTION OF EMPLOYEES TRAINED FOR AWARENESS (Dmnl/Month ) = 0.05 Description: This is the average fraction of employees of the defender effectively in scope of security awareness sessions Present In 1 View: security view Used By increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#24 C	FRACTION OF SENSORS NOT FUNCTIONING (Dmnl) = 0.025 Description: fraction of sensors not functioning is based on SME Interview Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#25 F,A	increase awareness (Staff/Month) = MIN(being a victim of a malware attack+creating awareness culture+Unaware EmployeesFRACTION OF EMPLOYEES TRAINED FOR AWARENESS,Unaware Employeesmonth adj) Description: Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 29 (43,9%) (+) 14 [3,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#26 C	INFECTION PER ATTACK (Asset/Attacks ) = 1 Description: This variable can be used to increase the severity of malware attacks. Default model behaviour is set one asset per attack is considered. Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#27 F,A	infection rate (Asset/Month) = MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Description: An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Present In 1 View: security view Used By Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Feedback Loops: 41 (62,1%) (+) 20 [4,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#28 C	INFECTION RATE IN EUROPE (Attacks/Malware ) = 0.06 Description: Fraction is based on the source: https://www.microsoft.com/security/sir/threat/ Present In 1 View: security view Used By starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#29 C	INFECTIVITY (Dmnl ) = 0.13 Description: Microsoft Security Intelligence Report Volume 21 January through June 2016. States that the encounter rate for infections in The Netherlands was for the 1Q16 15% and for the 2Q16 13% Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#30 LI,C	INITIAL AWARE EMPLOYEES (Staff ) = 875 Description: This is the total number of staff that is aware of the danger of malware. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. INITIAL UNAWARE EMPLOYEES Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#31 LI,C	INITIAL KNOWN INFECTED ASSETS (Asset ) = 1 Description: This is the initial number of known infected assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#32 LI,C	INITIAL KNOWN MALWARE (Malware) = 466666 Description: https://www.av-test.org/en/statistics/malware/ 2016 malware analysis indicate value per 1/1/2016 Present In 1 View: security view Used By Known Malware Known Malware will increase over time because more malware (families) will be discovered Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#33 LI,C	INITIAL MALWARE ATTACK REACHED ORGANIZATION (Attacks ) = 0 Description: Default model value is 0 Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#34 LI,C	INITIAL RESOLVED ASSETS (Asset ) = 0 Description: This is the initial number of the resolved assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#35 LI,C	INITIAL SUSCEPTIBLE ASSETS (Asset ) = 10000 Description: this is the initial number of susceptible assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
.Control	#36 C	INITIAL TIME (Month) = 0 Description: The initial time for the simulation. Present In 0 Views: Used By Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#37 LI,A	INITIAL UNAWARE EMPLOYEES (Staff ) = TOTAL INITAL EMPLOYEES-INITIAL AWARE EMPLOYEES Present In 1 View: security view Used By Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#38 LI,C	INITIAL UNKNOWN INFECTED ASSETS (Asset ) = 1 Description: This is the total number of unknown infected devices(the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#39 LI,C	INITIAL UNKNOWN MALWARE (Malware) = 40411 Description: https://www.av-test.org/en/statistics/malware/ 2016 malware analysis indicate value per 1/1/2016 Present In 1 View: security view Used By Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#40 A	insecure behavior of employees (Dmnl) = Unaware Employees/Aware Employees Description: The impact of insecure behaviour is based on the ratio between unaware and aware employees Present In 1 View: security view Used By starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 24 (36,4%) (+) 11 [10,22] (-) 13 [8,21]
Aggregated Model_V9 paper	#41 L	Known Infected Assets (Asset) = ∫detection rate-clean up rate dt + INITIAL KNOWN INFECTED ASSETS Description: The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Present In 1 View: security view Used By clean up rate The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#42 L	Known Malware (Malware) = ∫malware discovery dt + INITIAL KNOWN MALWARE Description: Known Malware will increase over time because more malware (families) will be discovered Present In 1 View: security view Used By known malware campaign trend Known malware campaign trend is the number of known malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware unknown malware ratio The unknown malware ratio is the unknown malware devided by the total malware. The total malware is the known malware plus the unknown malware. Feedback Loops: 29 (43,9%) (+) 17 [4,22] (-) 12 [4,21]
Aggregated Model_V9 paper	#44 C	MALWARE ADJUSTMENT RATE KNOWN MALWARE (Dmnl/Month ) = 0.01 Description: Various security blogs on malware family development of approx 1% of adjusting excisting malware that evolves into new malware. Examples are financial malware development and ransomware development Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#45 L	Malware Attack reached Organization (Attacks) = ∫(starting malware attacks-starting an infection)-stopping malware attack dt + INITIAL MALWARE ATTACK REACHED ORGANIZATION Description: The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Present In 1 View: security view Used By starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 28 (42,4%) (+) 17 [7,19] (-) 11 [2,21]
Aggregated Model_V9 paper	#46 C	MALWARE CREATED PER UNSUCCESFUL ATTACK (Malware/Attacks ) = 0.9 Description: ttps://www.av-test.org/en/statistics/malware/ 2016 malware analysis provide malware behaviour over time. In order to follow these insights with the model a value of approx 0.9 is needed Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#47 C	MALWARE CREATION DELAY (Month ) = 4 Description: Calleja (2016) indicate that the average malware development time is between 16 months to 114 months depending on the type of software being used (basic model value was 6) Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#48 DE,F,A	malware creation due to adversary learning (Malware/Month) = DELAY3( total unsuccessful attackMALWARE CREATED PER UNSUCCESFUL ATTACK , MALWARE CREATION DELAY)+Known MalwareMALWARE ADJUSTMENT RATE KNOWN MALWARE/12 Description: The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Present In 1 View: security view Used By Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 34 (51,5%) (+) 22 [4,22] (-) 12 [13,21]
Aggregated Model_V9 paper	#49 F,A	malware discovery (Malware/Month) = discovery of new malware+(Unknown Malware/TIME TO DISCOVER MALWARE) Description: Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware Present In 1 View: security view Used By Known Malware Known Malware will increase over time because more malware (families) will be discovered Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 34 (51,5%) (+) 19 [4,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#50 A	malware listing (Dmnl) = ZIDZ( known malware campaign trend , (known malware campaign trend+unknown malware campaign trend) ) Description: Malware listing is the fraction of malware that is known to the defences of the defender and that is based on the ratio between known malware (campaign) trends and the total malware (campaign) trends. The Total malware (campaign) trend is the sum of the unknown and the known malware (campaign) trend. Present In 1 View: security view Used By malware listing effectiveness Certain malware have specific functionality to mislead defender defenses and detection mechnasims. This functionality is called obfuction and loweres the effectiveness of the defender (= lowering malware listing) Feedback Loops: 23 (34,8%) (+) 12 [8,22] (-) 11 [11,20]
Aggregated Model_V9 paper	#51 A	malware listing effectiveness (Dmnl) = malware listing-ADVERSARY OBFUCATION EFFECT Description: Certain malware have specific functionality to mislead defender defenses and detection mechnasims. This functionality is called obfuction and loweres the effectiveness of the defender (= lowering malware listing) Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Feedback Loops: 23 (34,8%) (+) 12 [8,22] (-) 11 [11,20]
Aggregated Model_V9 paper	#52 C	MALWARE PER ASSET (Malware/Asset ) = 1 Description: This is a number default set on 1 and might be altered for specific scenarios Present In 1 View: security view Used By discovery of new malware The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#53 C	month adj (1/Month ) = 1 Description: we have used MIN or MAX functions to ensure that stocks do not become negative. However to avoid unit errors we had to correct certain functions by 1/Month Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#55 C	NUMBER OF DEFENSIVE LAYERS (Dmnl ) = 1 Description: The number of defense layers depends on the measures taken in the organisation. The model assumes endpoint and server anti-,malware and anti-virus software as a defense so this software solution does not count as a layer. Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#56 C	PERCENTAGE OF WORMS (Dmnl ) = 0.03 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/) indicate that on average 7% contains work functionality with a minimum of 2% and a maximum of 17% Present In 1 View: security view Used By total daily contacts by infecteds Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#57 C	PROBABILITY OF ATTACKING THE DEFENDER ORGANISATION (Dmnl/Month ) = 0.15 Description: Fraction is based on the source: https://www.microsoft.com/security/sir/threat/Chance of Malware in a Windows computer in NL. Average value is approx 13%. Minimum value is 4% and maximum is 24.9% Present In 1 View: security view Used By starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#58 A	RANDOMIZER (Dmnl ) = 0 Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. known malware campaign trend Known malware campaign trend is the number of known malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#59 L	Resolved Assets (Asset) = ∫clean up rate-becoming susceptible rate dt + INITIAL RESOLVED ASSETS Description: The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Present In 1 View: security view Used By becoming susceptible rate become susceptible rate is the recolved assets devided by the time to become susceptible Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
.Control	#60 A	SAVEPER (Month ) = TIME STEP Description: The frequency with which output is stored. Present In 0 Views: Used By Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#61 C	SINGLE DEVICE CLEAN UP CAPACITY (Asset/Month ) = 1000 Description: This is the maximum capacity at the defender's organisation by which they can clean-up infected assets Present In 1 View: security view Used By clean up rate The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#62 C	SP FRACTION BACKDOOR & STEALERS (Dmnl ) = 0.03 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/) indicate the fraction of backdoors and stealers is on average 3% with a minimum of 1% and maximum of 14% Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#63 C	SP IMPACT (Dmnl ) = 0.65 Description: This variable indicate the strength of the pike in the spear phishinb campaign. Various security suppliers and security blogs suggests trends in malware attacks. Liginlal et al (2009) indicate humar error in data breaches is about 65% Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#64 C	SP SEQUENCE (Month ) = 1 Description: Various security suppliers and security blogs suggests trends in malware attacks. This variable indicate average time between the following spear phishing campaign Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#65 F,A	starting an infection (Attacks/Month) = MIN( insecure behavior of employees(1-defense before infection)Malware Attack reached Organization/TIME FOR ATTACKS,Malware Attack reached Organizationmonth adj) Description:* Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 39 (59,1%) (+) 19 [10,22] (-) 20 [2,21]
Aggregated Model_V9 paper	#66 F,A	starting malware attacks (Attacks/Month) = (known malware campaign trend+unknown malware campaign trend)INFECTION RATE IN EUROPEPROBABILITY OF ATTACKING THE DEFENDER ORGANISATIONTARGET ATTRACTIVENESS Description:* The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Feedback Loops: 17 (25,8%) (+) 12 [7,19] (-) 5 [10,21]
Aggregated Model_V9 paper	#67 F,A	stopping malware attack (Attacks/Month) = MAX(((1-insecure behavior of employees)defense before infectionMalware Attack reached Organization)/TIME FOR ATTACKS,0) Description: The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. total unsuccessful attack All stopped malware attacks are not succesful Feedback Loops: 36 (54,5%) (+) 21 [7,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#68 L	Susceptible Assets (Asset) = ∫becoming susceptible rate-infection rate dt + INITIAL SUSCEPTIBLE ASSETS Description: The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Present In 1 View: security view Used By fraction of contacts with susceptibles fration of contacts with susceptibles depends on the contacts between unknown infected assets and the assets that can be infected by malware (susceptible assets). infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 4 (6,1%) (+) 2 [4,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#69 C	SW anomaly detection (Dmnl ) = 0 Description: This swith indicate to what extend this model should consider anomaly detection as a defense (1) or not (0) Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#70 C	SW campain trend (Dmnl ) = 1 Description: This Switch indicate trend and non-liniear behaviour of malware campaigns is included (1) or not (0).Various security suppliers and security blogs suggests such trends. Present In 1 View: security view Used By known malware campaign trend Known malware campaign trend is the number of known malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#71 C	SW spearphishing (Dmnl ) = 1 Description: This Switch indicate to what extend the model considers the impact of spearphishing campaigns (1) or not (0) Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#72 C	TARGET ATTRACTIVENESS (Dmnl ) = 0.15 Description: This is a parameter for model calibration and is needed to estimate the size and the attractiveness of the target for malware attacks. Values towards 0 are appropriate for very small or unattractive targets. While large companies might have a value of 2.75 to 3 Present In 1 View: security view Used By starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#74 C	TIME FOR ATTACKS (Month ) = 1 Description: model set on 1 by default Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
.Control	#75 C	TIME STEP (Month ) = 1 Description: The time step for the simulation. Present In 0 Views: Used By SAVEPER The frequency with which output is stored. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#76 C	TIME TO BECOME SUSCEPTIBLE (Month ) = 1 Description: In the model the time to become subsetible is set on 1 by default. Present In 1 View: security view Used By becoming susceptible rate become susceptible rate is the recolved assets devided by the time to become susceptible Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#77 C	TIME TO DISCOVER MALWARE (Month ) = 3 Description: based on http://www.trendmicro.com we have analysed a 2014 - 2017 dataset and included average detection time Present In 1 View: security view Used By malware discovery Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#78 A	total daily contacts by infecteds (Asset/Month) = CONTACT FREQUENCYPERCENTAGE OF WORMSUnknown Infected Assets Description: Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Present In 1 View: security view Used By total infectious contact total infections contacts are the total contracts created via shared environments (daily contracts by infecteds) multiplied by the total fraction of contacts with susceptibles Feedback Loops: 1 (1,5%) (+) 1 [4,4] (-) 0 [0,0]
Aggregated Model_V9 paper	#79 A	total infectious contact (Asset/Month) = fraction of contacts with susceptiblestotal daily contacts by infecteds Description:* total infections contacts are the total contracts created via shared environments (daily contracts by infecteds) multiplied by the total fraction of contacts with susceptibles Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 4 (6,1%) (+) 3 [4,4] (-) 1 [10,10]
Aggregated Model_V9 paper	#80 C	TOTAL INITAL EMPLOYEES (Staff ) = 2500 Description: This is the inital value of the total staff of the defender Present In 1 View: security view Used By INITIAL UNAWARE EMPLOYEES Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#81 A	total unsuccessful attack (Attacks/Month) = stopping malware attack Description: All stopped malware attacks are not succesful Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 29 (43,9%) (+) 19 [7,22] (-) 10 [16,21]
Aggregated Model_V9 paper	#82 C	UM INTENSITY (Dmnl ) = 7 Description: This variable indicate the strength of the pike as a result of the start of a new malware campaign with unknown malware. Various security suppliers and security blogs suggests such trends. Based on these insights intensity should be around 7 Present In 1 View: security view Used By unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#83 C	UM SEQUENCE (Month ) = 5 Description: This variable is used to indicate the length of the time delay in months between malware campaigns. Various security suppliers and security blogs suggests such trends.Between every 2 and 9 months a campaign pike can be expected Present In 1 View: security view Used By unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#84 L	Unaware Employees (Staff) = ∫Awareness Decay-increase awareness dt + INITIAL UNAWARE EMPLOYEES Description: Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Present In 1 View: security view Used By creating awareness culture Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. insecure behavior of employees The impact of insecure behaviour is based on the ratio between unaware and aware employees Feedback Loops: 20 (30,3%) (+) 10 [4,22] (-) 10 [2,21]
Aggregated Model_V9 paper	#85 L	Unknown Infected Assets (Asset) = ∫infection rate-detection rate dt + INITIAL UNKNOWN INFECTED ASSETS Description: The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection fraction of contacts with susceptibles fration of contacts with susceptibles depends on the contacts between unknown infected assets and the assets that can be infected by malware (susceptible assets). total daily contacts by infecteds Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Feedback Loops: 40 (60,6%) (+) 19 [4,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#86 L	Unknown Malware (Malware) = ∫malware creation due to adversary learning-malware discovery dt + INITIAL UNKNOWN MALWARE Description: The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Present In 1 View: security view Used By malware discovery Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time unknown malware ratio The unknown malware ratio is the unknown malware devided by the total malware. The total malware is the known malware plus the unknown malware. Feedback Loops: 39 (59,1%) (+) 24 [4,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#87 A	unknown malware campaign trend (Malware) = Unknown Malware(1-SW campain trend)+SW campain trendUnknown MalwarePULSE TRAIN(0,1, UM SEQUENCERANDOM UNIFORM(0, 1, RANDOMIZER+1) , FINAL TIME )UM INTENSITYRANDOM UNIFORM(0, 1, RANDOMIZER+2 ) Description: Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Present In 1 View: security view Used By malware listing Malware listing is the fraction of malware that is known to the defences of the defender and that is based on the ratio between known malware (campaign) trends and the total malware (campaign) trends. The Total malware (campaign) trend is the sum of the unknown and the known malware (campaign) trend. starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 17 (25,8%) (+) 10 [7,18] (-) 7 [10,18]
Aggregated Model_V9 paper	#88 A	unknown malware ratio (Dmnl) = Unknown Malware/(Known Malware+Unknown Malware) Description: The unknown malware ratio is the unknown malware devided by the total malware. The total malware is the known malware plus the unknown malware. Present In 1 View: security view Used By discovery of new malware The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Feedback Loops: 12 (18,2%) (+) 7 [6,22] (-) 5 [4,21]
Aggregated Model_V9 paper	#89 C	VICTIMS PER ATTACK (Staff/Asset ) = 1 Description: Default value is set on one asset and one staff member are involved in an infection. Present In 1 View: security view Used By being a victim of a malware attack If a malware infection on an assets has been detected the owner and user of this assets will be a victim with the attack and has to cope with the impact of malware removal actions Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]

(View) security view (83 Variables)

Top	(View) security view (83 Variables)
Group	Type	*Variable Name And Description*	Thumbnail
Aggregated Model_V9 paper	#1 A	ad effectiveness (Dmnl) = +"AD FRACTION OF DROPPERS AND C&C"AD RISK SCORE LEVEL DETECTION Description:* the effectiveness of anomaly detection is based on the fraction of malware that can generate abnormal behaviour and the sensitivity of the anomaly detection capability. Usually that abnormal behaviour can be found in communication of the assets that are infected with malware. Certain malware functionality evoke communication between the threat actor and infected assets (C&C) or try to get more malisious software on the assets (droppers). The communication activites are abnormal compared to the situation before infection. The higher the sensitivity of anomaly detection capability determines the number of events that are reported for further investigation. Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#2 C	AD FRACTION OF DROPPERS AND C&C (Dmnl ) = 0.23 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/) indicate that 12% to 33% of the malware is related to droppers and other functionality (incl C&C communications) with an average of 23% Present In 1 View: security view Used By ad effectiveness the effectiveness of anomaly detection is based on the fraction of malware that can generate abnormal behaviour and the sensitivity of the anomaly detection capability. Usually that abnormal behaviour can be found in communication of the assets that are infected with malware. Certain malware functionality evoke communication between the threat actor and infected assets (C&C) or try to get more malisious software on the assets (droppers). The communication activites are abnormal compared to the situation before infection. The higher the sensitivity of anomaly detection capability determines the number of events that are reported for further investigation. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#3 C	AD RISK SCORE LEVEL DETECTION (Dmnl ) = 0.6 Description: This fraction indicate the hight of the risk score detection level. A 1 indicate every event will be reportend and evoke incident respond and 0 indicate nothing is reported unless there is 100% certainty about the occurance of an incident. Default value in the model is set on 0.6 Present In 1 View: security view Used By ad effectiveness the effectiveness of anomaly detection is based on the fraction of malware that can generate abnormal behaviour and the sensitivity of the anomaly detection capability. Usually that abnormal behaviour can be found in communication of the assets that are infected with malware. Certain malware functionality evoke communication between the threat actor and infected assets (C&C) or try to get more malisious software on the assets (droppers). The communication activites are abnormal compared to the situation before infection. The higher the sensitivity of anomaly detection capability determines the number of events that are reported for further investigation. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#4 C	ADVERSARY OBFUCATION EFFECT (Dmnl ) = 0.04 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/)indicate that malware with obfucation functionality is on average 4% with a minimum of 2% and a maximum of 8% Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection malware listing effectiveness Certain malware have specific functionality to mislead defender defenses and detection mechnasims. This functionality is called obfuction and loweres the effectiveness of the defender (= lowering malware listing) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#5 C	AVERAGE TIME TO CLEAN UP (Month ) = 1 Description: In the model the time to become subsetible is set on 1 by default. Present In 1 View: security view Used By clean up rate The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#6 C	AVG TIME TO LOSE ATTENTION (Month ) = 12 Description: This is the average time the awareness will be lost due to decay of knowledge based on SME interviews Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#7 L	Aware Employees (Staff) = ∫increase awareness-Awareness Decay dt + INITIAL AWARE EMPLOYEES Description: Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. creating awareness culture Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections insecure behavior of employees The impact of insecure behaviour is based on the ratio between unaware and aware employees Feedback Loops: 20 (30,3%) (+) 11 [3,22] (-) 9 [2,21]
Aggregated Model_V9 paper	#8 F,A	Awareness Decay (Staff/Month) = (Aware Employees/AVG TIME TO LOSE ATTENTION)(1-SW spearphishing)+(Aware Employees/AVG TIME TO LOSE ATTENTION)SW spearphishing(1+PULSE TRAIN(0, 1 , SP SEQUENCE , FINAL TIME )SP IMPACTRANDOM UNIFORM(0, 1 , 3+RANDOMIZER )"SP FRACTION BACKDOOR & STEALERS") Description: The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 11 (16,7%) (+) 7 [4,22] (-) 4 [2,21]
Aggregated Model_V9 paper	#9 F,A	becoming susceptible rate (Asset/Month) = Resolved Assets/TIME TO BECOME SUSCEPTIBLE Description: become susceptible rate is the recolved assets devided by the time to become susceptible Present In 1 View: security view Used By Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#10 A	being a victim of a malware attack (Staff/Month) = detection rateVICTIMS PER ATTACK Description:* If a malware infection on an assets has been detected the owner and user of this assets will be a victim with the attack and has to cope with the impact of malware removal actions Present In 1 View: security view Used By increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Feedback Loops: 24 (36,4%) (+) 11 [10,22] (-) 13 [8,21]
Aggregated Model_V9 paper	#11 F,A	clean up rate (Asset/Month) = MIN(SINGLE DEVICE CLEAN UP CAPACITY,Known Infected Assets/AVERAGE TIME TO CLEAN UP) Description: The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#12 C	CONTACT FREQUENCY ((Asset/Month)/Asset ) = 15 Description: based on average size on shared environments of the defender Present In 1 View: security view Used By total daily contacts by infecteds Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#13 C	CONTACT FREQUENCY BETWEEN EMPLOYEES ((Staff/Month)/Staff ) = 0.2 Description: This number is based on SME interviews Present In 1 View: security view Used By creating awareness culture Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#14 DE,A	creating awareness culture (Staff/Month) = DELAY1((Unaware Employees/(Aware Employees+Unaware Employees))(Aware EmployeesCONTACT FREQUENCY BETWEEN EMPLOYEES), 3) Description: Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections Present In 1 View: security view Used By increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Feedback Loops: 3 (4,5%) (+) 2 [3,5] (-) 1 [3,3]
Aggregated Model_V9 paper	#15 A	defense before infection (Dmnl) = (1-(1-(DEFENSE PERFORMANCEmalware listing effectiveness-FRACTION OF SENSORS NOT FUNCTIONING))^NUMBER OF DEFENSIVE LAYERS) Description:* The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Present In 1 View: security view Used By starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 23 (34,8%) (+) 12 [8,22] (-) 11 [11,20]
Aggregated Model_V9 paper	#16 C	DEFENSE PERFORMANCE (Dmnl ) = 0.95 Description: Defense performance is a value of the average effectiveness of the defenses in place. https://www.av-comparatives.org/ provide various test results to be used. Model is set on 0.95% Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#17 C	DETECTION DELAY (Month ) = 4.8 Description: FireEye (2016) Mandiant M-Trends EMEA report. This report considers that the global average time to detect security breaches is 146 days (4.8 months) Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#18 F,A	detection rate (Asset/Month) = (1-SW anomaly detection)((Unknown Infected Assets(DETECTON EFFECTIVENESS-ADVERSARY OBFUCATION EFFECT-0.025))/DETECTION DELAY)+SW anomaly detection((Unknown Infected Assets(DETECTON EFFECTIVENESS-ADVERSARY OBFUCATION EFFECT-FRACTION OF SENSORS NOT FUNCTIONING))/(DETECTION DELAY(1-ad effectiveness)))+SW anomaly detectionUnknown Infected Assetsad effectivenessmonth adj Description: The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) being a victim of a malware attack If a malware infection on an assets has been detected the owner and user of this assets will be a victim with the attack and has to cope with the impact of malware removal actions discovery of new malware The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Feedback Loops: 38 (57,6%) (+) 17 [8,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#19 C	DETECTON EFFECTIVENESS (Dmnl ) = 0.95 Description: Defense performance is a value of the average effectiveness of the defenses in place. https://www.av-comparatives.org/ provide various test results to be used. Model is set on 0.95% Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#20 A	discovery of new malware (Malware/Month) = detection rateMALWARE PER ASSETunknown malware ratio Description: The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Present In 1 View: security view Used By malware discovery Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware Feedback Loops: 23 (34,8%) (+) 12 [6,22] (-) 11 [4,21]
Aggregated Model_V9 paper	#22 A	fraction of contacts with susceptibles (Dmnl) = Unknown Infected Assets/Susceptible Assets Description: fration of contacts with susceptibles depends on the contacts between unknown infected assets and the assets that can be infected by malware (susceptible assets). Present In 1 View: security view Used By total infectious contact total infections contacts are the total contracts created via shared environments (daily contracts by infecteds) multiplied by the total fraction of contacts with susceptibles Feedback Loops: 3 (4,5%) (+) 2 [4,4] (-) 1 [10,10]
Aggregated Model_V9 paper	#23 C	FRACTION OF EMPLOYEES TRAINED FOR AWARENESS (Dmnl/Month ) = 0.05 Description: This is the average fraction of employees of the defender effectively in scope of security awareness sessions Present In 1 View: security view Used By increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#24 C	FRACTION OF SENSORS NOT FUNCTIONING (Dmnl) = 0.025 Description: fraction of sensors not functioning is based on SME Interview Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#25 F,A	increase awareness (Staff/Month) = MIN(being a victim of a malware attack+creating awareness culture+Unaware EmployeesFRACTION OF EMPLOYEES TRAINED FOR AWARENESS,Unaware Employeesmonth adj) Description: Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 29 (43,9%) (+) 14 [3,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#26 C	INFECTION PER ATTACK (Asset/Attacks ) = 1 Description: This variable can be used to increase the severity of malware attacks. Default model behaviour is set one asset per attack is considered. Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#27 F,A	infection rate (Asset/Month) = MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Description: An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Present In 1 View: security view Used By Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Feedback Loops: 41 (62,1%) (+) 20 [4,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#28 C	INFECTION RATE IN EUROPE (Attacks/Malware ) = 0.06 Description: Fraction is based on the source: https://www.microsoft.com/security/sir/threat/ Present In 1 View: security view Used By starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#29 C	INFECTIVITY (Dmnl ) = 0.13 Description: Microsoft Security Intelligence Report Volume 21 January through June 2016. States that the encounter rate for infections in The Netherlands was for the 1Q16 15% and for the 2Q16 13% Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#30 LI,C	INITIAL AWARE EMPLOYEES (Staff ) = 875 Description: This is the total number of staff that is aware of the danger of malware. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. INITIAL UNAWARE EMPLOYEES Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#31 LI,C	INITIAL KNOWN INFECTED ASSETS (Asset ) = 1 Description: This is the initial number of known infected assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#32 LI,C	INITIAL KNOWN MALWARE (Malware) = 466666 Description: https://www.av-test.org/en/statistics/malware/ 2016 malware analysis indicate value per 1/1/2016 Present In 1 View: security view Used By Known Malware Known Malware will increase over time because more malware (families) will be discovered Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#33 LI,C	INITIAL MALWARE ATTACK REACHED ORGANIZATION (Attacks ) = 0 Description: Default model value is 0 Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#34 LI,C	INITIAL RESOLVED ASSETS (Asset ) = 0 Description: This is the initial number of the resolved assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#35 LI,C	INITIAL SUSCEPTIBLE ASSETS (Asset ) = 10000 Description: this is the initial number of susceptible assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#37 LI,A	INITIAL UNAWARE EMPLOYEES (Staff ) = TOTAL INITAL EMPLOYEES-INITIAL AWARE EMPLOYEES Present In 1 View: security view Used By Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#38 LI,C	INITIAL UNKNOWN INFECTED ASSETS (Asset ) = 1 Description: This is the total number of unknown infected devices(the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#39 LI,C	INITIAL UNKNOWN MALWARE (Malware) = 40411 Description: https://www.av-test.org/en/statistics/malware/ 2016 malware analysis indicate value per 1/1/2016 Present In 1 View: security view Used By Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#40 A	insecure behavior of employees (Dmnl) = Unaware Employees/Aware Employees Description: The impact of insecure behaviour is based on the ratio between unaware and aware employees Present In 1 View: security view Used By starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 24 (36,4%) (+) 11 [10,22] (-) 13 [8,21]
Aggregated Model_V9 paper	#41 L	Known Infected Assets (Asset) = ∫detection rate-clean up rate dt + INITIAL KNOWN INFECTED ASSETS Description: The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Present In 1 View: security view Used By clean up rate The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#42 L	Known Malware (Malware) = ∫malware discovery dt + INITIAL KNOWN MALWARE Description: Known Malware will increase over time because more malware (families) will be discovered Present In 1 View: security view Used By known malware campaign trend Known malware campaign trend is the number of known malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware unknown malware ratio The unknown malware ratio is the unknown malware devided by the total malware. The total malware is the known malware plus the unknown malware. Feedback Loops: 29 (43,9%) (+) 17 [4,22] (-) 12 [4,21]
Aggregated Model_V9 paper	#44 C	MALWARE ADJUSTMENT RATE KNOWN MALWARE (Dmnl/Month ) = 0.01 Description: Various security blogs on malware family development of approx 1% of adjusting excisting malware that evolves into new malware. Examples are financial malware development and ransomware development Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#45 L	Malware Attack reached Organization (Attacks) = ∫(starting malware attacks-starting an infection)-stopping malware attack dt + INITIAL MALWARE ATTACK REACHED ORGANIZATION Description: The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Present In 1 View: security view Used By starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 28 (42,4%) (+) 17 [7,19] (-) 11 [2,21]
Aggregated Model_V9 paper	#46 C	MALWARE CREATED PER UNSUCCESFUL ATTACK (Malware/Attacks ) = 0.9 Description: ttps://www.av-test.org/en/statistics/malware/ 2016 malware analysis provide malware behaviour over time. In order to follow these insights with the model a value of approx 0.9 is needed Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#47 C	MALWARE CREATION DELAY (Month ) = 4 Description: Calleja (2016) indicate that the average malware development time is between 16 months to 114 months depending on the type of software being used (basic model value was 6) Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#48 DE,F,A	malware creation due to adversary learning (Malware/Month) = DELAY3( total unsuccessful attackMALWARE CREATED PER UNSUCCESFUL ATTACK , MALWARE CREATION DELAY)+Known MalwareMALWARE ADJUSTMENT RATE KNOWN MALWARE/12 Description: The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Present In 1 View: security view Used By Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 34 (51,5%) (+) 22 [4,22] (-) 12 [13,21]
Aggregated Model_V9 paper	#49 F,A	malware discovery (Malware/Month) = discovery of new malware+(Unknown Malware/TIME TO DISCOVER MALWARE) Description: Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware Present In 1 View: security view Used By Known Malware Known Malware will increase over time because more malware (families) will be discovered Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 34 (51,5%) (+) 19 [4,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#50 A	malware listing (Dmnl) = ZIDZ( known malware campaign trend , (known malware campaign trend+unknown malware campaign trend) ) Description: Malware listing is the fraction of malware that is known to the defences of the defender and that is based on the ratio between known malware (campaign) trends and the total malware (campaign) trends. The Total malware (campaign) trend is the sum of the unknown and the known malware (campaign) trend. Present In 1 View: security view Used By malware listing effectiveness Certain malware have specific functionality to mislead defender defenses and detection mechnasims. This functionality is called obfuction and loweres the effectiveness of the defender (= lowering malware listing) Feedback Loops: 23 (34,8%) (+) 12 [8,22] (-) 11 [11,20]
Aggregated Model_V9 paper	#51 A	malware listing effectiveness (Dmnl) = malware listing-ADVERSARY OBFUCATION EFFECT Description: Certain malware have specific functionality to mislead defender defenses and detection mechnasims. This functionality is called obfuction and loweres the effectiveness of the defender (= lowering malware listing) Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Feedback Loops: 23 (34,8%) (+) 12 [8,22] (-) 11 [11,20]
Aggregated Model_V9 paper	#52 C	MALWARE PER ASSET (Malware/Asset ) = 1 Description: This is a number default set on 1 and might be altered for specific scenarios Present In 1 View: security view Used By discovery of new malware The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#53 C	month adj (1/Month ) = 1 Description: we have used MIN or MAX functions to ensure that stocks do not become negative. However to avoid unit errors we had to correct certain functions by 1/Month Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#55 C	NUMBER OF DEFENSIVE LAYERS (Dmnl ) = 1 Description: The number of defense layers depends on the measures taken in the organisation. The model assumes endpoint and server anti-,malware and anti-virus software as a defense so this software solution does not count as a layer. Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#56 C	PERCENTAGE OF WORMS (Dmnl ) = 0.03 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/) indicate that on average 7% contains work functionality with a minimum of 2% and a maximum of 17% Present In 1 View: security view Used By total daily contacts by infecteds Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#57 C	PROBABILITY OF ATTACKING THE DEFENDER ORGANISATION (Dmnl/Month ) = 0.15 Description: Fraction is based on the source: https://www.microsoft.com/security/sir/threat/Chance of Malware in a Windows computer in NL. Average value is approx 13%. Minimum value is 4% and maximum is 24.9% Present In 1 View: security view Used By starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#58 A	RANDOMIZER (Dmnl ) = 0 Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. known malware campaign trend Known malware campaign trend is the number of known malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#59 L	Resolved Assets (Asset) = ∫clean up rate-becoming susceptible rate dt + INITIAL RESOLVED ASSETS Description: The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Present In 1 View: security view Used By becoming susceptible rate become susceptible rate is the recolved assets devided by the time to become susceptible Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#61 C	SINGLE DEVICE CLEAN UP CAPACITY (Asset/Month ) = 1000 Description: This is the maximum capacity at the defender's organisation by which they can clean-up infected assets Present In 1 View: security view Used By clean up rate The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#62 C	SP FRACTION BACKDOOR & STEALERS (Dmnl ) = 0.03 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/) indicate the fraction of backdoors and stealers is on average 3% with a minimum of 1% and maximum of 14% Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#63 C	SP IMPACT (Dmnl ) = 0.65 Description: This variable indicate the strength of the pike in the spear phishinb campaign. Various security suppliers and security blogs suggests trends in malware attacks. Liginlal et al (2009) indicate humar error in data breaches is about 65% Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#64 C	SP SEQUENCE (Month ) = 1 Description: Various security suppliers and security blogs suggests trends in malware attacks. This variable indicate average time between the following spear phishing campaign Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#65 F,A	starting an infection (Attacks/Month) = MIN( insecure behavior of employees(1-defense before infection)Malware Attack reached Organization/TIME FOR ATTACKS,Malware Attack reached Organizationmonth adj) Description:* Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 39 (59,1%) (+) 19 [10,22] (-) 20 [2,21]
Aggregated Model_V9 paper	#66 F,A	starting malware attacks (Attacks/Month) = (known malware campaign trend+unknown malware campaign trend)INFECTION RATE IN EUROPEPROBABILITY OF ATTACKING THE DEFENDER ORGANISATIONTARGET ATTRACTIVENESS Description:* The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Feedback Loops: 17 (25,8%) (+) 12 [7,19] (-) 5 [10,21]
Aggregated Model_V9 paper	#67 F,A	stopping malware attack (Attacks/Month) = MAX(((1-insecure behavior of employees)defense before infectionMalware Attack reached Organization)/TIME FOR ATTACKS,0) Description: The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. total unsuccessful attack All stopped malware attacks are not succesful Feedback Loops: 36 (54,5%) (+) 21 [7,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#68 L	Susceptible Assets (Asset) = ∫becoming susceptible rate-infection rate dt + INITIAL SUSCEPTIBLE ASSETS Description: The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Present In 1 View: security view Used By fraction of contacts with susceptibles fration of contacts with susceptibles depends on the contacts between unknown infected assets and the assets that can be infected by malware (susceptible assets). infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 4 (6,1%) (+) 2 [4,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#69 C	SW anomaly detection (Dmnl ) = 0 Description: This swith indicate to what extend this model should consider anomaly detection as a defense (1) or not (0) Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#70 C	SW campain trend (Dmnl ) = 1 Description: This Switch indicate trend and non-liniear behaviour of malware campaigns is included (1) or not (0).Various security suppliers and security blogs suggests such trends. Present In 1 View: security view Used By known malware campaign trend Known malware campaign trend is the number of known malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#71 C	SW spearphishing (Dmnl ) = 1 Description: This Switch indicate to what extend the model considers the impact of spearphishing campaigns (1) or not (0) Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#72 C	TARGET ATTRACTIVENESS (Dmnl ) = 0.15 Description: This is a parameter for model calibration and is needed to estimate the size and the attractiveness of the target for malware attacks. Values towards 0 are appropriate for very small or unattractive targets. While large companies might have a value of 2.75 to 3 Present In 1 View: security view Used By starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#74 C	TIME FOR ATTACKS (Month ) = 1 Description: model set on 1 by default Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#76 C	TIME TO BECOME SUSCEPTIBLE (Month ) = 1 Description: In the model the time to become subsetible is set on 1 by default. Present In 1 View: security view Used By becoming susceptible rate become susceptible rate is the recolved assets devided by the time to become susceptible Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#77 C	TIME TO DISCOVER MALWARE (Month ) = 3 Description: based on http://www.trendmicro.com we have analysed a 2014 - 2017 dataset and included average detection time Present In 1 View: security view Used By malware discovery Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#78 A	total daily contacts by infecteds (Asset/Month) = CONTACT FREQUENCYPERCENTAGE OF WORMSUnknown Infected Assets Description: Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Present In 1 View: security view Used By total infectious contact total infections contacts are the total contracts created via shared environments (daily contracts by infecteds) multiplied by the total fraction of contacts with susceptibles Feedback Loops: 1 (1,5%) (+) 1 [4,4] (-) 0 [0,0]
Aggregated Model_V9 paper	#79 A	total infectious contact (Asset/Month) = fraction of contacts with susceptiblestotal daily contacts by infecteds Description:* total infections contacts are the total contracts created via shared environments (daily contracts by infecteds) multiplied by the total fraction of contacts with susceptibles Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 4 (6,1%) (+) 3 [4,4] (-) 1 [10,10]
Aggregated Model_V9 paper	#80 C	TOTAL INITAL EMPLOYEES (Staff ) = 2500 Description: This is the inital value of the total staff of the defender Present In 1 View: security view Used By INITIAL UNAWARE EMPLOYEES Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#81 A	total unsuccessful attack (Attacks/Month) = stopping malware attack Description: All stopped malware attacks are not succesful Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 29 (43,9%) (+) 19 [7,22] (-) 10 [16,21]
Aggregated Model_V9 paper	#82 C	UM INTENSITY (Dmnl ) = 7 Description: This variable indicate the strength of the pike as a result of the start of a new malware campaign with unknown malware. Various security suppliers and security blogs suggests such trends. Based on these insights intensity should be around 7 Present In 1 View: security view Used By unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#83 C	UM SEQUENCE (Month ) = 5 Description: This variable is used to indicate the length of the time delay in months between malware campaigns. Various security suppliers and security blogs suggests such trends.Between every 2 and 9 months a campaign pike can be expected Present In 1 View: security view Used By unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#84 L	Unaware Employees (Staff) = ∫Awareness Decay-increase awareness dt + INITIAL UNAWARE EMPLOYEES Description: Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Present In 1 View: security view Used By creating awareness culture Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. insecure behavior of employees The impact of insecure behaviour is based on the ratio between unaware and aware employees Feedback Loops: 20 (30,3%) (+) 10 [4,22] (-) 10 [2,21]
Aggregated Model_V9 paper	#85 L	Unknown Infected Assets (Asset) = ∫infection rate-detection rate dt + INITIAL UNKNOWN INFECTED ASSETS Description: The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection fraction of contacts with susceptibles fration of contacts with susceptibles depends on the contacts between unknown infected assets and the assets that can be infected by malware (susceptible assets). total daily contacts by infecteds Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Feedback Loops: 40 (60,6%) (+) 19 [4,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#86 L	Unknown Malware (Malware) = ∫malware creation due to adversary learning-malware discovery dt + INITIAL UNKNOWN MALWARE Description: The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Present In 1 View: security view Used By malware discovery Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time unknown malware ratio The unknown malware ratio is the unknown malware devided by the total malware. The total malware is the known malware plus the unknown malware. Feedback Loops: 39 (59,1%) (+) 24 [4,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#87 A	unknown malware campaign trend (Malware) = Unknown Malware(1-SW campain trend)+SW campain trendUnknown MalwarePULSE TRAIN(0,1, UM SEQUENCERANDOM UNIFORM(0, 1, RANDOMIZER+1) , FINAL TIME )UM INTENSITYRANDOM UNIFORM(0, 1, RANDOMIZER+2 ) Description: Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Present In 1 View: security view Used By malware listing Malware listing is the fraction of malware that is known to the defences of the defender and that is based on the ratio between known malware (campaign) trends and the total malware (campaign) trends. The Total malware (campaign) trend is the sum of the unknown and the known malware (campaign) trend. starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 17 (25,8%) (+) 10 [7,18] (-) 7 [10,18]
Aggregated Model_V9 paper	#88 A	unknown malware ratio (Dmnl) = Unknown Malware/(Known Malware+Unknown Malware) Description: The unknown malware ratio is the unknown malware devided by the total malware. The total malware is the known malware plus the unknown malware. Present In 1 View: security view Used By discovery of new malware The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Feedback Loops: 12 (18,2%) (+) 7 [6,22] (-) 5 [4,21]
Aggregated Model_V9 paper	#89 C	VICTIMS PER ATTACK (Staff/Asset ) = 1 Description: Default value is set on one asset and one staff member are involved in an infection. Present In 1 View: security view Used By being a victim of a malware attack If a malware infection on an assets has been detected the owner and user of this assets will be a victim with the attack and has to cope with the impact of malware removal actions Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]

Top	(Group) Aggregated Model_V9 paper (83 Variables)
Group	Type	*Variable Name And Description*	Thumbnail
Aggregated Model_V9 paper	#1 A	ad effectiveness (Dmnl) = +"AD FRACTION OF DROPPERS AND C&C"AD RISK SCORE LEVEL DETECTION Description:* the effectiveness of anomaly detection is based on the fraction of malware that can generate abnormal behaviour and the sensitivity of the anomaly detection capability. Usually that abnormal behaviour can be found in communication of the assets that are infected with malware. Certain malware functionality evoke communication between the threat actor and infected assets (C&C) or try to get more malisious software on the assets (droppers). The communication activites are abnormal compared to the situation before infection. The higher the sensitivity of anomaly detection capability determines the number of events that are reported for further investigation. Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#2 C	AD FRACTION OF DROPPERS AND C&C (Dmnl ) = 0.23 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/) indicate that 12% to 33% of the malware is related to droppers and other functionality (incl C&C communications) with an average of 23% Present In 1 View: security view Used By ad effectiveness the effectiveness of anomaly detection is based on the fraction of malware that can generate abnormal behaviour and the sensitivity of the anomaly detection capability. Usually that abnormal behaviour can be found in communication of the assets that are infected with malware. Certain malware functionality evoke communication between the threat actor and infected assets (C&C) or try to get more malisious software on the assets (droppers). The communication activites are abnormal compared to the situation before infection. The higher the sensitivity of anomaly detection capability determines the number of events that are reported for further investigation. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#3 C	AD RISK SCORE LEVEL DETECTION (Dmnl ) = 0.6 Description: This fraction indicate the hight of the risk score detection level. A 1 indicate every event will be reportend and evoke incident respond and 0 indicate nothing is reported unless there is 100% certainty about the occurance of an incident. Default value in the model is set on 0.6 Present In 1 View: security view Used By ad effectiveness the effectiveness of anomaly detection is based on the fraction of malware that can generate abnormal behaviour and the sensitivity of the anomaly detection capability. Usually that abnormal behaviour can be found in communication of the assets that are infected with malware. Certain malware functionality evoke communication between the threat actor and infected assets (C&C) or try to get more malisious software on the assets (droppers). The communication activites are abnormal compared to the situation before infection. The higher the sensitivity of anomaly detection capability determines the number of events that are reported for further investigation. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#4 C	ADVERSARY OBFUCATION EFFECT (Dmnl ) = 0.04 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/)indicate that malware with obfucation functionality is on average 4% with a minimum of 2% and a maximum of 8% Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection malware listing effectiveness Certain malware have specific functionality to mislead defender defenses and detection mechnasims. This functionality is called obfuction and loweres the effectiveness of the defender (= lowering malware listing) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#5 C	AVERAGE TIME TO CLEAN UP (Month ) = 1 Description: In the model the time to become subsetible is set on 1 by default. Present In 1 View: security view Used By clean up rate The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#6 C	AVG TIME TO LOSE ATTENTION (Month ) = 12 Description: This is the average time the awareness will be lost due to decay of knowledge based on SME interviews Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#7 L	Aware Employees (Staff) = ∫increase awareness-Awareness Decay dt + INITIAL AWARE EMPLOYEES Description: Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. creating awareness culture Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections insecure behavior of employees The impact of insecure behaviour is based on the ratio between unaware and aware employees Feedback Loops: 20 (30,3%) (+) 11 [3,22] (-) 9 [2,21]
Aggregated Model_V9 paper	#8 F,A	Awareness Decay (Staff/Month) = (Aware Employees/AVG TIME TO LOSE ATTENTION)(1-SW spearphishing)+(Aware Employees/AVG TIME TO LOSE ATTENTION)SW spearphishing(1+PULSE TRAIN(0, 1 , SP SEQUENCE , FINAL TIME )SP IMPACTRANDOM UNIFORM(0, 1 , 3+RANDOMIZER )"SP FRACTION BACKDOOR & STEALERS") Description: The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 11 (16,7%) (+) 7 [4,22] (-) 4 [2,21]
Aggregated Model_V9 paper	#9 F,A	becoming susceptible rate (Asset/Month) = Resolved Assets/TIME TO BECOME SUSCEPTIBLE Description: become susceptible rate is the recolved assets devided by the time to become susceptible Present In 1 View: security view Used By Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#10 A	being a victim of a malware attack (Staff/Month) = detection rateVICTIMS PER ATTACK Description:* If a malware infection on an assets has been detected the owner and user of this assets will be a victim with the attack and has to cope with the impact of malware removal actions Present In 1 View: security view Used By increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Feedback Loops: 24 (36,4%) (+) 11 [10,22] (-) 13 [8,21]
Aggregated Model_V9 paper	#11 F,A	clean up rate (Asset/Month) = MIN(SINGLE DEVICE CLEAN UP CAPACITY,Known Infected Assets/AVERAGE TIME TO CLEAN UP) Description: The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#12 C	CONTACT FREQUENCY ((Asset/Month)/Asset ) = 15 Description: based on average size on shared environments of the defender Present In 1 View: security view Used By total daily contacts by infecteds Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#13 C	CONTACT FREQUENCY BETWEEN EMPLOYEES ((Staff/Month)/Staff ) = 0.2 Description: This number is based on SME interviews Present In 1 View: security view Used By creating awareness culture Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#14 DE,A	creating awareness culture (Staff/Month) = DELAY1((Unaware Employees/(Aware Employees+Unaware Employees))(Aware EmployeesCONTACT FREQUENCY BETWEEN EMPLOYEES), 3) Description: Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections Present In 1 View: security view Used By increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Feedback Loops: 3 (4,5%) (+) 2 [3,5] (-) 1 [3,3]
Aggregated Model_V9 paper	#15 A	defense before infection (Dmnl) = (1-(1-(DEFENSE PERFORMANCEmalware listing effectiveness-FRACTION OF SENSORS NOT FUNCTIONING))^NUMBER OF DEFENSIVE LAYERS) Description:* The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Present In 1 View: security view Used By starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 23 (34,8%) (+) 12 [8,22] (-) 11 [11,20]
Aggregated Model_V9 paper	#16 C	DEFENSE PERFORMANCE (Dmnl ) = 0.95 Description: Defense performance is a value of the average effectiveness of the defenses in place. https://www.av-comparatives.org/ provide various test results to be used. Model is set on 0.95% Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#17 C	DETECTION DELAY (Month ) = 4.8 Description: FireEye (2016) Mandiant M-Trends EMEA report. This report considers that the global average time to detect security breaches is 146 days (4.8 months) Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#18 F,A	detection rate (Asset/Month) = (1-SW anomaly detection)((Unknown Infected Assets(DETECTON EFFECTIVENESS-ADVERSARY OBFUCATION EFFECT-0.025))/DETECTION DELAY)+SW anomaly detection((Unknown Infected Assets(DETECTON EFFECTIVENESS-ADVERSARY OBFUCATION EFFECT-FRACTION OF SENSORS NOT FUNCTIONING))/(DETECTION DELAY(1-ad effectiveness)))+SW anomaly detectionUnknown Infected Assetsad effectivenessmonth adj Description: The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) being a victim of a malware attack If a malware infection on an assets has been detected the owner and user of this assets will be a victim with the attack and has to cope with the impact of malware removal actions discovery of new malware The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Feedback Loops: 38 (57,6%) (+) 17 [8,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#19 C	DETECTON EFFECTIVENESS (Dmnl ) = 0.95 Description: Defense performance is a value of the average effectiveness of the defenses in place. https://www.av-comparatives.org/ provide various test results to be used. Model is set on 0.95% Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#20 A	discovery of new malware (Malware/Month) = detection rateMALWARE PER ASSETunknown malware ratio Description: The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Present In 1 View: security view Used By malware discovery Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware Feedback Loops: 23 (34,8%) (+) 12 [6,22] (-) 11 [4,21]
Aggregated Model_V9 paper	#22 A	fraction of contacts with susceptibles (Dmnl) = Unknown Infected Assets/Susceptible Assets Description: fration of contacts with susceptibles depends on the contacts between unknown infected assets and the assets that can be infected by malware (susceptible assets). Present In 1 View: security view Used By total infectious contact total infections contacts are the total contracts created via shared environments (daily contracts by infecteds) multiplied by the total fraction of contacts with susceptibles Feedback Loops: 3 (4,5%) (+) 2 [4,4] (-) 1 [10,10]
Aggregated Model_V9 paper	#23 C	FRACTION OF EMPLOYEES TRAINED FOR AWARENESS (Dmnl/Month ) = 0.05 Description: This is the average fraction of employees of the defender effectively in scope of security awareness sessions Present In 1 View: security view Used By increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#24 C	FRACTION OF SENSORS NOT FUNCTIONING (Dmnl) = 0.025 Description: fraction of sensors not functioning is based on SME Interview Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#25 F,A	increase awareness (Staff/Month) = MIN(being a victim of a malware attack+creating awareness culture+Unaware EmployeesFRACTION OF EMPLOYEES TRAINED FOR AWARENESS,Unaware Employeesmonth adj) Description: Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 29 (43,9%) (+) 14 [3,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#26 C	INFECTION PER ATTACK (Asset/Attacks ) = 1 Description: This variable can be used to increase the severity of malware attacks. Default model behaviour is set one asset per attack is considered. Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#27 F,A	infection rate (Asset/Month) = MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Description: An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Present In 1 View: security view Used By Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Feedback Loops: 41 (62,1%) (+) 20 [4,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#28 C	INFECTION RATE IN EUROPE (Attacks/Malware ) = 0.06 Description: Fraction is based on the source: https://www.microsoft.com/security/sir/threat/ Present In 1 View: security view Used By starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#29 C	INFECTIVITY (Dmnl ) = 0.13 Description: Microsoft Security Intelligence Report Volume 21 January through June 2016. States that the encounter rate for infections in The Netherlands was for the 1Q16 15% and for the 2Q16 13% Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#30 LI,C	INITIAL AWARE EMPLOYEES (Staff ) = 875 Description: This is the total number of staff that is aware of the danger of malware. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. INITIAL UNAWARE EMPLOYEES Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#31 LI,C	INITIAL KNOWN INFECTED ASSETS (Asset ) = 1 Description: This is the initial number of known infected assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#32 LI,C	INITIAL KNOWN MALWARE (Malware) = 466666 Description: https://www.av-test.org/en/statistics/malware/ 2016 malware analysis indicate value per 1/1/2016 Present In 1 View: security view Used By Known Malware Known Malware will increase over time because more malware (families) will be discovered Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#33 LI,C	INITIAL MALWARE ATTACK REACHED ORGANIZATION (Attacks ) = 0 Description: Default model value is 0 Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#34 LI,C	INITIAL RESOLVED ASSETS (Asset ) = 0 Description: This is the initial number of the resolved assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#35 LI,C	INITIAL SUSCEPTIBLE ASSETS (Asset ) = 10000 Description: this is the initial number of susceptible assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#37 LI,A	INITIAL UNAWARE EMPLOYEES (Staff ) = TOTAL INITAL EMPLOYEES-INITIAL AWARE EMPLOYEES Present In 1 View: security view Used By Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#38 LI,C	INITIAL UNKNOWN INFECTED ASSETS (Asset ) = 1 Description: This is the total number of unknown infected devices(the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#39 LI,C	INITIAL UNKNOWN MALWARE (Malware) = 40411 Description: https://www.av-test.org/en/statistics/malware/ 2016 malware analysis indicate value per 1/1/2016 Present In 1 View: security view Used By Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#40 A	insecure behavior of employees (Dmnl) = Unaware Employees/Aware Employees Description: The impact of insecure behaviour is based on the ratio between unaware and aware employees Present In 1 View: security view Used By starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 24 (36,4%) (+) 11 [10,22] (-) 13 [8,21]
Aggregated Model_V9 paper	#41 L	Known Infected Assets (Asset) = ∫detection rate-clean up rate dt + INITIAL KNOWN INFECTED ASSETS Description: The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Present In 1 View: security view Used By clean up rate The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#42 L	Known Malware (Malware) = ∫malware discovery dt + INITIAL KNOWN MALWARE Description: Known Malware will increase over time because more malware (families) will be discovered Present In 1 View: security view Used By known malware campaign trend Known malware campaign trend is the number of known malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware unknown malware ratio The unknown malware ratio is the unknown malware devided by the total malware. The total malware is the known malware plus the unknown malware. Feedback Loops: 29 (43,9%) (+) 17 [4,22] (-) 12 [4,21]
Aggregated Model_V9 paper	#44 C	MALWARE ADJUSTMENT RATE KNOWN MALWARE (Dmnl/Month ) = 0.01 Description: Various security blogs on malware family development of approx 1% of adjusting excisting malware that evolves into new malware. Examples are financial malware development and ransomware development Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#45 L	Malware Attack reached Organization (Attacks) = ∫(starting malware attacks-starting an infection)-stopping malware attack dt + INITIAL MALWARE ATTACK REACHED ORGANIZATION Description: The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Present In 1 View: security view Used By starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 28 (42,4%) (+) 17 [7,19] (-) 11 [2,21]
Aggregated Model_V9 paper	#46 C	MALWARE CREATED PER UNSUCCESFUL ATTACK (Malware/Attacks ) = 0.9 Description: ttps://www.av-test.org/en/statistics/malware/ 2016 malware analysis provide malware behaviour over time. In order to follow these insights with the model a value of approx 0.9 is needed Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#47 C	MALWARE CREATION DELAY (Month ) = 4 Description: Calleja (2016) indicate that the average malware development time is between 16 months to 114 months depending on the type of software being used (basic model value was 6) Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#48 DE,F,A	malware creation due to adversary learning (Malware/Month) = DELAY3( total unsuccessful attackMALWARE CREATED PER UNSUCCESFUL ATTACK , MALWARE CREATION DELAY)+Known MalwareMALWARE ADJUSTMENT RATE KNOWN MALWARE/12 Description: The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Present In 1 View: security view Used By Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 34 (51,5%) (+) 22 [4,22] (-) 12 [13,21]
Aggregated Model_V9 paper	#49 F,A	malware discovery (Malware/Month) = discovery of new malware+(Unknown Malware/TIME TO DISCOVER MALWARE) Description: Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware Present In 1 View: security view Used By Known Malware Known Malware will increase over time because more malware (families) will be discovered Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 34 (51,5%) (+) 19 [4,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#50 A	malware listing (Dmnl) = ZIDZ( known malware campaign trend , (known malware campaign trend+unknown malware campaign trend) ) Description: Malware listing is the fraction of malware that is known to the defences of the defender and that is based on the ratio between known malware (campaign) trends and the total malware (campaign) trends. The Total malware (campaign) trend is the sum of the unknown and the known malware (campaign) trend. Present In 1 View: security view Used By malware listing effectiveness Certain malware have specific functionality to mislead defender defenses and detection mechnasims. This functionality is called obfuction and loweres the effectiveness of the defender (= lowering malware listing) Feedback Loops: 23 (34,8%) (+) 12 [8,22] (-) 11 [11,20]
Aggregated Model_V9 paper	#51 A	malware listing effectiveness (Dmnl) = malware listing-ADVERSARY OBFUCATION EFFECT Description: Certain malware have specific functionality to mislead defender defenses and detection mechnasims. This functionality is called obfuction and loweres the effectiveness of the defender (= lowering malware listing) Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Feedback Loops: 23 (34,8%) (+) 12 [8,22] (-) 11 [11,20]
Aggregated Model_V9 paper	#52 C	MALWARE PER ASSET (Malware/Asset ) = 1 Description: This is a number default set on 1 and might be altered for specific scenarios Present In 1 View: security view Used By discovery of new malware The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#53 C	month adj (1/Month ) = 1 Description: we have used MIN or MAX functions to ensure that stocks do not become negative. However to avoid unit errors we had to correct certain functions by 1/Month Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#55 C	NUMBER OF DEFENSIVE LAYERS (Dmnl ) = 1 Description: The number of defense layers depends on the measures taken in the organisation. The model assumes endpoint and server anti-,malware and anti-virus software as a defense so this software solution does not count as a layer. Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#56 C	PERCENTAGE OF WORMS (Dmnl ) = 0.03 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/) indicate that on average 7% contains work functionality with a minimum of 2% and a maximum of 17% Present In 1 View: security view Used By total daily contacts by infecteds Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#57 C	PROBABILITY OF ATTACKING THE DEFENDER ORGANISATION (Dmnl/Month ) = 0.15 Description: Fraction is based on the source: https://www.microsoft.com/security/sir/threat/Chance of Malware in a Windows computer in NL. Average value is approx 13%. Minimum value is 4% and maximum is 24.9% Present In 1 View: security view Used By starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#58 A	RANDOMIZER (Dmnl ) = 0 Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. known malware campaign trend Known malware campaign trend is the number of known malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#59 L	Resolved Assets (Asset) = ∫clean up rate-becoming susceptible rate dt + INITIAL RESOLVED ASSETS Description: The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Present In 1 View: security view Used By becoming susceptible rate become susceptible rate is the recolved assets devided by the time to become susceptible Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#61 C	SINGLE DEVICE CLEAN UP CAPACITY (Asset/Month ) = 1000 Description: This is the maximum capacity at the defender's organisation by which they can clean-up infected assets Present In 1 View: security view Used By clean up rate The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#62 C	SP FRACTION BACKDOOR & STEALERS (Dmnl ) = 0.03 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/) indicate the fraction of backdoors and stealers is on average 3% with a minimum of 1% and maximum of 14% Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#63 C	SP IMPACT (Dmnl ) = 0.65 Description: This variable indicate the strength of the pike in the spear phishinb campaign. Various security suppliers and security blogs suggests trends in malware attacks. Liginlal et al (2009) indicate humar error in data breaches is about 65% Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#64 C	SP SEQUENCE (Month ) = 1 Description: Various security suppliers and security blogs suggests trends in malware attacks. This variable indicate average time between the following spear phishing campaign Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#65 F,A	starting an infection (Attacks/Month) = MIN( insecure behavior of employees(1-defense before infection)Malware Attack reached Organization/TIME FOR ATTACKS,Malware Attack reached Organizationmonth adj) Description:* Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 39 (59,1%) (+) 19 [10,22] (-) 20 [2,21]
Aggregated Model_V9 paper	#66 F,A	starting malware attacks (Attacks/Month) = (known malware campaign trend+unknown malware campaign trend)INFECTION RATE IN EUROPEPROBABILITY OF ATTACKING THE DEFENDER ORGANISATIONTARGET ATTRACTIVENESS Description:* The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Feedback Loops: 17 (25,8%) (+) 12 [7,19] (-) 5 [10,21]
Aggregated Model_V9 paper	#67 F,A	stopping malware attack (Attacks/Month) = MAX(((1-insecure behavior of employees)defense before infectionMalware Attack reached Organization)/TIME FOR ATTACKS,0) Description: The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. total unsuccessful attack All stopped malware attacks are not succesful Feedback Loops: 36 (54,5%) (+) 21 [7,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#68 L	Susceptible Assets (Asset) = ∫becoming susceptible rate-infection rate dt + INITIAL SUSCEPTIBLE ASSETS Description: The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Present In 1 View: security view Used By fraction of contacts with susceptibles fration of contacts with susceptibles depends on the contacts between unknown infected assets and the assets that can be infected by malware (susceptible assets). infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 4 (6,1%) (+) 2 [4,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#69 C	SW anomaly detection (Dmnl ) = 0 Description: This swith indicate to what extend this model should consider anomaly detection as a defense (1) or not (0) Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#70 C	SW campain trend (Dmnl ) = 1 Description: This Switch indicate trend and non-liniear behaviour of malware campaigns is included (1) or not (0).Various security suppliers and security blogs suggests such trends. Present In 1 View: security view Used By known malware campaign trend Known malware campaign trend is the number of known malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#71 C	SW spearphishing (Dmnl ) = 1 Description: This Switch indicate to what extend the model considers the impact of spearphishing campaigns (1) or not (0) Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#72 C	TARGET ATTRACTIVENESS (Dmnl ) = 0.15 Description: This is a parameter for model calibration and is needed to estimate the size and the attractiveness of the target for malware attacks. Values towards 0 are appropriate for very small or unattractive targets. While large companies might have a value of 2.75 to 3 Present In 1 View: security view Used By starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#74 C	TIME FOR ATTACKS (Month ) = 1 Description: model set on 1 by default Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#76 C	TIME TO BECOME SUSCEPTIBLE (Month ) = 1 Description: In the model the time to become subsetible is set on 1 by default. Present In 1 View: security view Used By becoming susceptible rate become susceptible rate is the recolved assets devided by the time to become susceptible Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#77 C	TIME TO DISCOVER MALWARE (Month ) = 3 Description: based on http://www.trendmicro.com we have analysed a 2014 - 2017 dataset and included average detection time Present In 1 View: security view Used By malware discovery Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#78 A	total daily contacts by infecteds (Asset/Month) = CONTACT FREQUENCYPERCENTAGE OF WORMSUnknown Infected Assets Description: Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Present In 1 View: security view Used By total infectious contact total infections contacts are the total contracts created via shared environments (daily contracts by infecteds) multiplied by the total fraction of contacts with susceptibles Feedback Loops: 1 (1,5%) (+) 1 [4,4] (-) 0 [0,0]
Aggregated Model_V9 paper	#79 A	total infectious contact (Asset/Month) = fraction of contacts with susceptiblestotal daily contacts by infecteds Description:* total infections contacts are the total contracts created via shared environments (daily contracts by infecteds) multiplied by the total fraction of contacts with susceptibles Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 4 (6,1%) (+) 3 [4,4] (-) 1 [10,10]
Aggregated Model_V9 paper	#80 C	TOTAL INITAL EMPLOYEES (Staff ) = 2500 Description: This is the inital value of the total staff of the defender Present In 1 View: security view Used By INITIAL UNAWARE EMPLOYEES Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#81 A	total unsuccessful attack (Attacks/Month) = stopping malware attack Description: All stopped malware attacks are not succesful Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 29 (43,9%) (+) 19 [7,22] (-) 10 [16,21]
Aggregated Model_V9 paper	#82 C	UM INTENSITY (Dmnl ) = 7 Description: This variable indicate the strength of the pike as a result of the start of a new malware campaign with unknown malware. Various security suppliers and security blogs suggests such trends. Based on these insights intensity should be around 7 Present In 1 View: security view Used By unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#83 C	UM SEQUENCE (Month ) = 5 Description: This variable is used to indicate the length of the time delay in months between malware campaigns. Various security suppliers and security blogs suggests such trends.Between every 2 and 9 months a campaign pike can be expected Present In 1 View: security view Used By unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#84 L	Unaware Employees (Staff) = ∫Awareness Decay-increase awareness dt + INITIAL UNAWARE EMPLOYEES Description: Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Present In 1 View: security view Used By creating awareness culture Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. insecure behavior of employees The impact of insecure behaviour is based on the ratio between unaware and aware employees Feedback Loops: 20 (30,3%) (+) 10 [4,22] (-) 10 [2,21]
Aggregated Model_V9 paper	#85 L	Unknown Infected Assets (Asset) = ∫infection rate-detection rate dt + INITIAL UNKNOWN INFECTED ASSETS Description: The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection fraction of contacts with susceptibles fration of contacts with susceptibles depends on the contacts between unknown infected assets and the assets that can be infected by malware (susceptible assets). total daily contacts by infecteds Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Feedback Loops: 40 (60,6%) (+) 19 [4,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#86 L	Unknown Malware (Malware) = ∫malware creation due to adversary learning-malware discovery dt + INITIAL UNKNOWN MALWARE Description: The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Present In 1 View: security view Used By malware discovery Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time unknown malware ratio The unknown malware ratio is the unknown malware devided by the total malware. The total malware is the known malware plus the unknown malware. Feedback Loops: 39 (59,1%) (+) 24 [4,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#87 A	unknown malware campaign trend (Malware) = Unknown Malware(1-SW campain trend)+SW campain trendUnknown MalwarePULSE TRAIN(0,1, UM SEQUENCERANDOM UNIFORM(0, 1, RANDOMIZER+1) , FINAL TIME )UM INTENSITYRANDOM UNIFORM(0, 1, RANDOMIZER+2 ) Description: Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Present In 1 View: security view Used By malware listing Malware listing is the fraction of malware that is known to the defences of the defender and that is based on the ratio between known malware (campaign) trends and the total malware (campaign) trends. The Total malware (campaign) trend is the sum of the unknown and the known malware (campaign) trend. starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 17 (25,8%) (+) 10 [7,18] (-) 7 [10,18]
Aggregated Model_V9 paper	#88 A	unknown malware ratio (Dmnl) = Unknown Malware/(Known Malware+Unknown Malware) Description: The unknown malware ratio is the unknown malware devided by the total malware. The total malware is the known malware plus the unknown malware. Present In 1 View: security view Used By discovery of new malware The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Feedback Loops: 12 (18,2%) (+) 7 [6,22] (-) 5 [4,21]
Aggregated Model_V9 paper	#89 C	VICTIMS PER ATTACK (Staff/Asset ) = 1 Description: Default value is set on one asset and one staff member are involved in an infection. Present In 1 View: security view Used By being a victim of a malware attack If a malware infection on an assets has been detected the owner and user of this assets will be a victim with the attack and has to cope with the impact of malware removal actions Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]

Top	(Type) Level (9 Variables)
Group	Type	*Variable Name And Description*	Thumbnail
Aggregated Model_V9 paper	#7 L	Aware Employees (Staff) = ∫increase awareness-Awareness Decay dt + INITIAL AWARE EMPLOYEES Description: Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. creating awareness culture Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections insecure behavior of employees The impact of insecure behaviour is based on the ratio between unaware and aware employees Feedback Loops: 20 (30,3%) (+) 11 [3,22] (-) 9 [2,21]
Aggregated Model_V9 paper	#41 L	Known Infected Assets (Asset) = ∫detection rate-clean up rate dt + INITIAL KNOWN INFECTED ASSETS Description: The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Present In 1 View: security view Used By clean up rate The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#42 L	Known Malware (Malware) = ∫malware discovery dt + INITIAL KNOWN MALWARE Description: Known Malware will increase over time because more malware (families) will be discovered Present In 1 View: security view Used By known malware campaign trend Known malware campaign trend is the number of known malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware unknown malware ratio The unknown malware ratio is the unknown malware devided by the total malware. The total malware is the known malware plus the unknown malware. Feedback Loops: 29 (43,9%) (+) 17 [4,22] (-) 12 [4,21]
Aggregated Model_V9 paper	#45 L	Malware Attack reached Organization (Attacks) = ∫(starting malware attacks-starting an infection)-stopping malware attack dt + INITIAL MALWARE ATTACK REACHED ORGANIZATION Description: The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Present In 1 View: security view Used By starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 28 (42,4%) (+) 17 [7,19] (-) 11 [2,21]
Aggregated Model_V9 paper	#59 L	Resolved Assets (Asset) = ∫clean up rate-becoming susceptible rate dt + INITIAL RESOLVED ASSETS Description: The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Present In 1 View: security view Used By becoming susceptible rate become susceptible rate is the recolved assets devided by the time to become susceptible Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#68 L	Susceptible Assets (Asset) = ∫becoming susceptible rate-infection rate dt + INITIAL SUSCEPTIBLE ASSETS Description: The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Present In 1 View: security view Used By fraction of contacts with susceptibles fration of contacts with susceptibles depends on the contacts between unknown infected assets and the assets that can be infected by malware (susceptible assets). infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 4 (6,1%) (+) 2 [4,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#84 L	Unaware Employees (Staff) = ∫Awareness Decay-increase awareness dt + INITIAL UNAWARE EMPLOYEES Description: Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Present In 1 View: security view Used By creating awareness culture Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. insecure behavior of employees The impact of insecure behaviour is based on the ratio between unaware and aware employees Feedback Loops: 20 (30,3%) (+) 10 [4,22] (-) 10 [2,21]
Aggregated Model_V9 paper	#85 L	Unknown Infected Assets (Asset) = ∫infection rate-detection rate dt + INITIAL UNKNOWN INFECTED ASSETS Description: The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection fraction of contacts with susceptibles fration of contacts with susceptibles depends on the contacts between unknown infected assets and the assets that can be infected by malware (susceptible assets). total daily contacts by infecteds Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Feedback Loops: 40 (60,6%) (+) 19 [4,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#86 L	Unknown Malware (Malware) = ∫malware creation due to adversary learning-malware discovery dt + INITIAL UNKNOWN MALWARE Description: The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Present In 1 View: security view Used By malware discovery Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time unknown malware ratio The unknown malware ratio is the unknown malware devided by the total malware. The total malware is the known malware plus the unknown malware. Feedback Loops: 39 (59,1%) (+) 24 [4,22] (-) 15 [2,21]

Top	(Type) Smooth (0 Variables)
Group	Type	*Variable Name And Description*	Thumbnail

Top	(Type) Delay (2 Variables)
Group	Type	*Variable Name And Description*	Thumbnail
Aggregated Model_V9 paper	#14 DE,A	creating awareness culture (Staff/Month) = DELAY1((Unaware Employees/(Aware Employees+Unaware Employees))(Aware EmployeesCONTACT FREQUENCY BETWEEN EMPLOYEES), 3) Description: Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections Present In 1 View: security view Used By increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Feedback Loops: 3 (4,5%) (+) 2 [3,5] (-) 1 [3,3]
Aggregated Model_V9 paper	#48 DE,F,A	malware creation due to adversary learning (Malware/Month) = DELAY3( total unsuccessful attackMALWARE CREATED PER UNSUCCESFUL ATTACK , MALWARE CREATION DELAY)+Known MalwareMALWARE ADJUSTMENT RATE KNOWN MALWARE/12 Description: The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Present In 1 View: security view Used By Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 34 (51,5%) (+) 22 [4,22] (-) 12 [13,21]

Top	(Type) Level Initial (9 Variables)
Group	Type	*Variable Name And Description*	Thumbnail
Aggregated Model_V9 paper	#30 LI,C	INITIAL AWARE EMPLOYEES (Staff ) = 875 Description: This is the total number of staff that is aware of the danger of malware. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. INITIAL UNAWARE EMPLOYEES Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#31 LI,C	INITIAL KNOWN INFECTED ASSETS (Asset ) = 1 Description: This is the initial number of known infected assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#32 LI,C	INITIAL KNOWN MALWARE (Malware) = 466666 Description: https://www.av-test.org/en/statistics/malware/ 2016 malware analysis indicate value per 1/1/2016 Present In 1 View: security view Used By Known Malware Known Malware will increase over time because more malware (families) will be discovered Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#33 LI,C	INITIAL MALWARE ATTACK REACHED ORGANIZATION (Attacks ) = 0 Description: Default model value is 0 Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#34 LI,C	INITIAL RESOLVED ASSETS (Asset ) = 0 Description: This is the initial number of the resolved assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#35 LI,C	INITIAL SUSCEPTIBLE ASSETS (Asset ) = 10000 Description: this is the initial number of susceptible assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#37 LI,A	INITIAL UNAWARE EMPLOYEES (Staff ) = TOTAL INITAL EMPLOYEES-INITIAL AWARE EMPLOYEES Present In 1 View: security view Used By Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#38 LI,C	INITIAL UNKNOWN INFECTED ASSETS (Asset ) = 1 Description: This is the total number of unknown infected devices(the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#39 LI,C	INITIAL UNKNOWN MALWARE (Malware) = 40411 Description: https://www.av-test.org/en/statistics/malware/ 2016 malware analysis indicate value per 1/1/2016 Present In 1 View: security view Used By Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]

Top	(Type) Initial (0 Variables)
Group	Type	*Variable Name And Description*	Thumbnail

Top	(Type) Constant (46 Variables)
Group	Type	*Variable Name And Description*	Thumbnail
Aggregated Model_V9 paper	#2 C	AD FRACTION OF DROPPERS AND C&C (Dmnl ) = 0.23 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/) indicate that 12% to 33% of the malware is related to droppers and other functionality (incl C&C communications) with an average of 23% Present In 1 View: security view Used By ad effectiveness the effectiveness of anomaly detection is based on the fraction of malware that can generate abnormal behaviour and the sensitivity of the anomaly detection capability. Usually that abnormal behaviour can be found in communication of the assets that are infected with malware. Certain malware functionality evoke communication between the threat actor and infected assets (C&C) or try to get more malisious software on the assets (droppers). The communication activites are abnormal compared to the situation before infection. The higher the sensitivity of anomaly detection capability determines the number of events that are reported for further investigation. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#3 C	AD RISK SCORE LEVEL DETECTION (Dmnl ) = 0.6 Description: This fraction indicate the hight of the risk score detection level. A 1 indicate every event will be reportend and evoke incident respond and 0 indicate nothing is reported unless there is 100% certainty about the occurance of an incident. Default value in the model is set on 0.6 Present In 1 View: security view Used By ad effectiveness the effectiveness of anomaly detection is based on the fraction of malware that can generate abnormal behaviour and the sensitivity of the anomaly detection capability. Usually that abnormal behaviour can be found in communication of the assets that are infected with malware. Certain malware functionality evoke communication between the threat actor and infected assets (C&C) or try to get more malisious software on the assets (droppers). The communication activites are abnormal compared to the situation before infection. The higher the sensitivity of anomaly detection capability determines the number of events that are reported for further investigation. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#4 C	ADVERSARY OBFUCATION EFFECT (Dmnl ) = 0.04 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/)indicate that malware with obfucation functionality is on average 4% with a minimum of 2% and a maximum of 8% Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection malware listing effectiveness Certain malware have specific functionality to mislead defender defenses and detection mechnasims. This functionality is called obfuction and loweres the effectiveness of the defender (= lowering malware listing) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#5 C	AVERAGE TIME TO CLEAN UP (Month ) = 1 Description: In the model the time to become subsetible is set on 1 by default. Present In 1 View: security view Used By clean up rate The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#6 C	AVG TIME TO LOSE ATTENTION (Month ) = 12 Description: This is the average time the awareness will be lost due to decay of knowledge based on SME interviews Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#12 C	CONTACT FREQUENCY ((Asset/Month)/Asset ) = 15 Description: based on average size on shared environments of the defender Present In 1 View: security view Used By total daily contacts by infecteds Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#13 C	CONTACT FREQUENCY BETWEEN EMPLOYEES ((Staff/Month)/Staff ) = 0.2 Description: This number is based on SME interviews Present In 1 View: security view Used By creating awareness culture Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#16 C	DEFENSE PERFORMANCE (Dmnl ) = 0.95 Description: Defense performance is a value of the average effectiveness of the defenses in place. https://www.av-comparatives.org/ provide various test results to be used. Model is set on 0.95% Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#17 C	DETECTION DELAY (Month ) = 4.8 Description: FireEye (2016) Mandiant M-Trends EMEA report. This report considers that the global average time to detect security breaches is 146 days (4.8 months) Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#19 C	DETECTON EFFECTIVENESS (Dmnl ) = 0.95 Description: Defense performance is a value of the average effectiveness of the defenses in place. https://www.av-comparatives.org/ provide various test results to be used. Model is set on 0.95% Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#23 C	FRACTION OF EMPLOYEES TRAINED FOR AWARENESS (Dmnl/Month ) = 0.05 Description: This is the average fraction of employees of the defender effectively in scope of security awareness sessions Present In 1 View: security view Used By increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#24 C	FRACTION OF SENSORS NOT FUNCTIONING (Dmnl) = 0.025 Description: fraction of sensors not functioning is based on SME Interview Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#26 C	INFECTION PER ATTACK (Asset/Attacks ) = 1 Description: This variable can be used to increase the severity of malware attacks. Default model behaviour is set one asset per attack is considered. Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#28 C	INFECTION RATE IN EUROPE (Attacks/Malware ) = 0.06 Description: Fraction is based on the source: https://www.microsoft.com/security/sir/threat/ Present In 1 View: security view Used By starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#29 C	INFECTIVITY (Dmnl ) = 0.13 Description: Microsoft Security Intelligence Report Volume 21 January through June 2016. States that the encounter rate for infections in The Netherlands was for the 1Q16 15% and for the 2Q16 13% Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#30 LI,C	INITIAL AWARE EMPLOYEES (Staff ) = 875 Description: This is the total number of staff that is aware of the danger of malware. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. INITIAL UNAWARE EMPLOYEES Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#31 LI,C	INITIAL KNOWN INFECTED ASSETS (Asset ) = 1 Description: This is the initial number of known infected assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#32 LI,C	INITIAL KNOWN MALWARE (Malware) = 466666 Description: https://www.av-test.org/en/statistics/malware/ 2016 malware analysis indicate value per 1/1/2016 Present In 1 View: security view Used By Known Malware Known Malware will increase over time because more malware (families) will be discovered Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#33 LI,C	INITIAL MALWARE ATTACK REACHED ORGANIZATION (Attacks ) = 0 Description: Default model value is 0 Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#34 LI,C	INITIAL RESOLVED ASSETS (Asset ) = 0 Description: This is the initial number of the resolved assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#35 LI,C	INITIAL SUSCEPTIBLE ASSETS (Asset ) = 10000 Description: this is the initial number of susceptible assets (the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#38 LI,C	INITIAL UNKNOWN INFECTED ASSETS (Asset ) = 1 Description: This is the total number of unknown infected devices(the assets include end-point devices and servers but not mobile devices like phones or tablets) Present In 1 View: security view Used By Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#39 LI,C	INITIAL UNKNOWN MALWARE (Malware) = 40411 Description: https://www.av-test.org/en/statistics/malware/ 2016 malware analysis indicate value per 1/1/2016 Present In 1 View: security view Used By Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#44 C	MALWARE ADJUSTMENT RATE KNOWN MALWARE (Dmnl/Month ) = 0.01 Description: Various security blogs on malware family development of approx 1% of adjusting excisting malware that evolves into new malware. Examples are financial malware development and ransomware development Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#46 C	MALWARE CREATED PER UNSUCCESFUL ATTACK (Malware/Attacks ) = 0.9 Description: ttps://www.av-test.org/en/statistics/malware/ 2016 malware analysis provide malware behaviour over time. In order to follow these insights with the model a value of approx 0.9 is needed Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#47 C	MALWARE CREATION DELAY (Month ) = 4 Description: Calleja (2016) indicate that the average malware development time is between 16 months to 114 months depending on the type of software being used (basic model value was 6) Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#52 C	MALWARE PER ASSET (Malware/Asset ) = 1 Description: This is a number default set on 1 and might be altered for specific scenarios Present In 1 View: security view Used By discovery of new malware The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#53 C	month adj (1/Month ) = 1 Description: we have used MIN or MAX functions to ensure that stocks do not become negative. However to avoid unit errors we had to correct certain functions by 1/Month Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#55 C	NUMBER OF DEFENSIVE LAYERS (Dmnl ) = 1 Description: The number of defense layers depends on the measures taken in the organisation. The model assumes endpoint and server anti-,malware and anti-virus software as a defense so this software solution does not count as a layer. Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#56 C	PERCENTAGE OF WORMS (Dmnl ) = 0.03 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/) indicate that on average 7% contains work functionality with a minimum of 2% and a maximum of 17% Present In 1 View: security view Used By total daily contacts by infecteds Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#57 C	PROBABILITY OF ATTACKING THE DEFENDER ORGANISATION (Dmnl/Month ) = 0.15 Description: Fraction is based on the source: https://www.microsoft.com/security/sir/threat/Chance of Malware in a Windows computer in NL. Average value is approx 13%. Minimum value is 4% and maximum is 24.9% Present In 1 View: security view Used By starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#61 C	SINGLE DEVICE CLEAN UP CAPACITY (Asset/Month ) = 1000 Description: This is the maximum capacity at the defender's organisation by which they can clean-up infected assets Present In 1 View: security view Used By clean up rate The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#62 C	SP FRACTION BACKDOOR & STEALERS (Dmnl ) = 0.03 Description: Microsoft Security Intelligence Report Volume 21 January through June, 2016 (https://www.microsoft.com/security/sir/threat/) indicate the fraction of backdoors and stealers is on average 3% with a minimum of 1% and maximum of 14% Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#63 C	SP IMPACT (Dmnl ) = 0.65 Description: This variable indicate the strength of the pike in the spear phishinb campaign. Various security suppliers and security blogs suggests trends in malware attacks. Liginlal et al (2009) indicate humar error in data breaches is about 65% Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#64 C	SP SEQUENCE (Month ) = 1 Description: Various security suppliers and security blogs suggests trends in malware attacks. This variable indicate average time between the following spear phishing campaign Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#69 C	SW anomaly detection (Dmnl ) = 0 Description: This swith indicate to what extend this model should consider anomaly detection as a defense (1) or not (0) Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#70 C	SW campain trend (Dmnl ) = 1 Description: This Switch indicate trend and non-liniear behaviour of malware campaigns is included (1) or not (0).Various security suppliers and security blogs suggests such trends. Present In 1 View: security view Used By known malware campaign trend Known malware campaign trend is the number of known malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#71 C	SW spearphishing (Dmnl ) = 1 Description: This Switch indicate to what extend the model considers the impact of spearphishing campaigns (1) or not (0) Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#72 C	TARGET ATTRACTIVENESS (Dmnl ) = 0.15 Description: This is a parameter for model calibration and is needed to estimate the size and the attractiveness of the target for malware attacks. Values towards 0 are appropriate for very small or unattractive targets. While large companies might have a value of 2.75 to 3 Present In 1 View: security view Used By starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#74 C	TIME FOR ATTACKS (Month ) = 1 Description: model set on 1 by default Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#76 C	TIME TO BECOME SUSCEPTIBLE (Month ) = 1 Description: In the model the time to become subsetible is set on 1 by default. Present In 1 View: security view Used By becoming susceptible rate become susceptible rate is the recolved assets devided by the time to become susceptible Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#77 C	TIME TO DISCOVER MALWARE (Month ) = 3 Description: based on http://www.trendmicro.com we have analysed a 2014 - 2017 dataset and included average detection time Present In 1 View: security view Used By malware discovery Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#80 C	TOTAL INITAL EMPLOYEES (Staff ) = 2500 Description: This is the inital value of the total staff of the defender Present In 1 View: security view Used By INITIAL UNAWARE EMPLOYEES Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#82 C	UM INTENSITY (Dmnl ) = 7 Description: This variable indicate the strength of the pike as a result of the start of a new malware campaign with unknown malware. Various security suppliers and security blogs suggests such trends. Based on these insights intensity should be around 7 Present In 1 View: security view Used By unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#83 C	UM SEQUENCE (Month ) = 5 Description: This variable is used to indicate the length of the time delay in months between malware campaigns. Various security suppliers and security blogs suggests such trends.Between every 2 and 9 months a campaign pike can be expected Present In 1 View: security view Used By unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#89 C	VICTIMS PER ATTACK (Staff/Asset ) = 1 Description: Default value is set on one asset and one staff member are involved in an infection. Present In 1 View: security view Used By being a victim of a malware attack If a malware infection on an assets has been detected the owner and user of this assets will be a victim with the attack and has to cope with the impact of malware removal actions Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]

Top	(Type) Flow (11 Variables)
Group	Type	*Variable Name And Description*	Thumbnail
Aggregated Model_V9 paper	#8 F,A	Awareness Decay (Staff/Month) = (Aware Employees/AVG TIME TO LOSE ATTENTION)(1-SW spearphishing)+(Aware Employees/AVG TIME TO LOSE ATTENTION)SW spearphishing(1+PULSE TRAIN(0, 1 , SP SEQUENCE , FINAL TIME )SP IMPACTRANDOM UNIFORM(0, 1 , 3+RANDOMIZER )"SP FRACTION BACKDOOR & STEALERS") Description: The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 11 (16,7%) (+) 7 [4,22] (-) 4 [2,21]
Aggregated Model_V9 paper	#9 F,A	becoming susceptible rate (Asset/Month) = Resolved Assets/TIME TO BECOME SUSCEPTIBLE Description: become susceptible rate is the recolved assets devided by the time to become susceptible Present In 1 View: security view Used By Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#11 F,A	clean up rate (Asset/Month) = MIN(SINGLE DEVICE CLEAN UP CAPACITY,Known Infected Assets/AVERAGE TIME TO CLEAN UP) Description: The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#18 F,A	detection rate (Asset/Month) = (1-SW anomaly detection)((Unknown Infected Assets(DETECTON EFFECTIVENESS-ADVERSARY OBFUCATION EFFECT-0.025))/DETECTION DELAY)+SW anomaly detection((Unknown Infected Assets(DETECTON EFFECTIVENESS-ADVERSARY OBFUCATION EFFECT-FRACTION OF SENSORS NOT FUNCTIONING))/(DETECTION DELAY(1-ad effectiveness)))+SW anomaly detectionUnknown Infected Assetsad effectivenessmonth adj Description: The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) being a victim of a malware attack If a malware infection on an assets has been detected the owner and user of this assets will be a victim with the attack and has to cope with the impact of malware removal actions discovery of new malware The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Feedback Loops: 38 (57,6%) (+) 17 [8,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#25 F,A	increase awareness (Staff/Month) = MIN(being a victim of a malware attack+creating awareness culture+Unaware EmployeesFRACTION OF EMPLOYEES TRAINED FOR AWARENESS,Unaware Employeesmonth adj) Description: Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 29 (43,9%) (+) 14 [3,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#27 F,A	infection rate (Asset/Month) = MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Description: An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Present In 1 View: security view Used By Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Feedback Loops: 41 (62,1%) (+) 20 [4,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#48 DE,F,A	malware creation due to adversary learning (Malware/Month) = DELAY3( total unsuccessful attackMALWARE CREATED PER UNSUCCESFUL ATTACK , MALWARE CREATION DELAY)+Known MalwareMALWARE ADJUSTMENT RATE KNOWN MALWARE/12 Description: The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Present In 1 View: security view Used By Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 34 (51,5%) (+) 22 [4,22] (-) 12 [13,21]
Aggregated Model_V9 paper	#49 F,A	malware discovery (Malware/Month) = discovery of new malware+(Unknown Malware/TIME TO DISCOVER MALWARE) Description: Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware Present In 1 View: security view Used By Known Malware Known Malware will increase over time because more malware (families) will be discovered Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 34 (51,5%) (+) 19 [4,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#65 F,A	starting an infection (Attacks/Month) = MIN( insecure behavior of employees(1-defense before infection)Malware Attack reached Organization/TIME FOR ATTACKS,Malware Attack reached Organizationmonth adj) Description:* Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 39 (59,1%) (+) 19 [10,22] (-) 20 [2,21]
Aggregated Model_V9 paper	#66 F,A	starting malware attacks (Attacks/Month) = (known malware campaign trend+unknown malware campaign trend)INFECTION RATE IN EUROPEPROBABILITY OF ATTACKING THE DEFENDER ORGANISATIONTARGET ATTRACTIVENESS Description:* The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Feedback Loops: 17 (25,8%) (+) 12 [7,19] (-) 5 [10,21]
Aggregated Model_V9 paper	#67 F,A	stopping malware attack (Attacks/Month) = MAX(((1-insecure behavior of employees)defense before infectionMalware Attack reached Organization)/TIME FOR ATTACKS,0) Description: The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. total unsuccessful attack All stopped malware attacks are not succesful Feedback Loops: 36 (54,5%) (+) 21 [7,22] (-) 15 [2,21]

Top	(Type) Auxiliary (28 Variables)
Group	Type	*Variable Name And Description*	Thumbnail
Aggregated Model_V9 paper	#1 A	ad effectiveness (Dmnl) = +"AD FRACTION OF DROPPERS AND C&C"AD RISK SCORE LEVEL DETECTION Description:* the effectiveness of anomaly detection is based on the fraction of malware that can generate abnormal behaviour and the sensitivity of the anomaly detection capability. Usually that abnormal behaviour can be found in communication of the assets that are infected with malware. Certain malware functionality evoke communication between the threat actor and infected assets (C&C) or try to get more malisious software on the assets (droppers). The communication activites are abnormal compared to the situation before infection. The higher the sensitivity of anomaly detection capability determines the number of events that are reported for further investigation. Present In 1 View: security view Used By detection rate The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#8 F,A	Awareness Decay (Staff/Month) = (Aware Employees/AVG TIME TO LOSE ATTENTION)(1-SW spearphishing)+(Aware Employees/AVG TIME TO LOSE ATTENTION)SW spearphishing(1+PULSE TRAIN(0, 1 , SP SEQUENCE , FINAL TIME )SP IMPACTRANDOM UNIFORM(0, 1 , 3+RANDOMIZER )"SP FRACTION BACKDOOR & STEALERS") Description: The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 11 (16,7%) (+) 7 [4,22] (-) 4 [2,21]
Aggregated Model_V9 paper	#9 F,A	becoming susceptible rate (Asset/Month) = Resolved Assets/TIME TO BECOME SUSCEPTIBLE Description: become susceptible rate is the recolved assets devided by the time to become susceptible Present In 1 View: security view Used By Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#10 A	being a victim of a malware attack (Staff/Month) = detection rateVICTIMS PER ATTACK Description:* If a malware infection on an assets has been detected the owner and user of this assets will be a victim with the attack and has to cope with the impact of malware removal actions Present In 1 View: security view Used By increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Feedback Loops: 24 (36,4%) (+) 11 [10,22] (-) 13 [8,21]
Aggregated Model_V9 paper	#11 F,A	clean up rate (Asset/Month) = MIN(SINGLE DEVICE CLEAN UP CAPACITY,Known Infected Assets/AVERAGE TIME TO CLEAN UP) Description: The clean-up rate is based on the time needed for cleaning an infected assets and the capacity of the number of assets that can be cleaned up simultaniouly Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Resolved Assets The number of resolved assets are the total of the cleaned up assets minus the number of assets that become susceptible again for other malware infections Feedback Loops: 3 (4,5%) (+) 1 [8,8] (-) 2 [2,10]
Aggregated Model_V9 paper	#14 DE,A	creating awareness culture (Staff/Month) = DELAY1((Unaware Employees/(Aware Employees+Unaware Employees))(Aware EmployeesCONTACT FREQUENCY BETWEEN EMPLOYEES), 3) Description: Raising the awareness culture will be done if unaware employees and aware employees start sharing their knowledge and experiences about malware infections Present In 1 View: security view Used By increase awareness Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Feedback Loops: 3 (4,5%) (+) 2 [3,5] (-) 1 [3,3]
Aggregated Model_V9 paper	#15 A	defense before infection (Dmnl) = (1-(1-(DEFENSE PERFORMANCEmalware listing effectiveness-FRACTION OF SENSORS NOT FUNCTIONING))^NUMBER OF DEFENSIVE LAYERS) Description:* The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Present In 1 View: security view Used By starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 23 (34,8%) (+) 12 [8,22] (-) 11 [11,20]
Aggregated Model_V9 paper	#18 F,A	detection rate (Asset/Month) = (1-SW anomaly detection)((Unknown Infected Assets(DETECTON EFFECTIVENESS-ADVERSARY OBFUCATION EFFECT-0.025))/DETECTION DELAY)+SW anomaly detection((Unknown Infected Assets(DETECTON EFFECTIVENESS-ADVERSARY OBFUCATION EFFECT-FRACTION OF SENSORS NOT FUNCTIONING))/(DETECTION DELAY(1-ad effectiveness)))+SW anomaly detectionUnknown Infected Assetsad effectivenessmonth adj Description: The detection rate is the fraction of assets per month that will be detected for being infected by malware. This detection rate depends on the effectiveness of anti-malware and anti-virus software taking tino account that some sensors will not work properly and some sofisticated malware takes a long time for being detected. The implementation of anomaly detection can increase the detection rate because anomal behaviour of the assets can be another trigger for detection Present In 1 View: security view Used By Known Infected Assets The total number of known infected assets are based on the detected assets minus the number of devices for which the malware infections has been resolved (cleaned) Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) being a victim of a malware attack If a malware infection on an assets has been detected the owner and user of this assets will be a victim with the attack and has to cope with the impact of malware removal actions discovery of new malware The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Feedback Loops: 38 (57,6%) (+) 17 [8,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#20 A	discovery of new malware (Malware/Month) = detection rateMALWARE PER ASSETunknown malware ratio Description: The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Present In 1 View: security view Used By malware discovery Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware Feedback Loops: 23 (34,8%) (+) 12 [6,22] (-) 11 [4,21]
Aggregated Model_V9 paper	#22 A	fraction of contacts with susceptibles (Dmnl) = Unknown Infected Assets/Susceptible Assets Description: fration of contacts with susceptibles depends on the contacts between unknown infected assets and the assets that can be infected by malware (susceptible assets). Present In 1 View: security view Used By total infectious contact total infections contacts are the total contracts created via shared environments (daily contracts by infecteds) multiplied by the total fraction of contacts with susceptibles Feedback Loops: 3 (4,5%) (+) 2 [4,4] (-) 1 [10,10]
Aggregated Model_V9 paper	#25 F,A	increase awareness (Staff/Month) = MIN(being a victim of a malware attack+creating awareness culture+Unaware EmployeesFRACTION OF EMPLOYEES TRAINED FOR AWARENESS,Unaware Employeesmonth adj) Description: Unaware employees become aware of the danger of malware infection through education, being victim of an ineffection or talking to colleagues who did this education of was a victim. Present In 1 View: security view Used By Aware Employees Aware employees are the total employees that are aware of the dangour of malware minus the employees who's general knowledge about malware has decayed. Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 29 (43,9%) (+) 14 [3,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#27 F,A	infection rate (Asset/Month) = MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Description: An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Present In 1 View: security view Used By Susceptible Assets The number of susceptible assets are the total of the assets that can be infected minus the number of assets that are infected by malware Unknown Infected Assets The unknown infected assets are based on the infected assets (infection rate) minus the assets that are detected being infected (detection rate) Feedback Loops: 41 (62,1%) (+) 20 [4,22] (-) 21 [2,21]
Aggregated Model_V9 paper	#37 LI,A	INITIAL UNAWARE EMPLOYEES (Staff ) = TOTAL INITAL EMPLOYEES-INITIAL AWARE EMPLOYEES Present In 1 View: security view Used By Unaware Employees Unaware employees are the number of employees that are not aware of the danger of malware. This number is lowered by the effect of awareness campaigns and increased since knowledge will decay over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#40 A	insecure behavior of employees (Dmnl) = Unaware Employees/Aware Employees Description: The impact of insecure behaviour is based on the ratio between unaware and aware employees Present In 1 View: security view Used By starting an infection Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. stopping malware attack The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Feedback Loops: 24 (36,4%) (+) 11 [10,22] (-) 13 [8,21]
Aggregated Model_V9 paper	#48 DE,F,A	malware creation due to adversary learning (Malware/Month) = DELAY3( total unsuccessful attackMALWARE CREATED PER UNSUCCESFUL ATTACK , MALWARE CREATION DELAY)+Known MalwareMALWARE ADJUSTMENT RATE KNOWN MALWARE/12 Description: The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Present In 1 View: security view Used By Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 34 (51,5%) (+) 22 [4,22] (-) 12 [13,21]
Aggregated Model_V9 paper	#49 F,A	malware discovery (Malware/Month) = discovery of new malware+(Unknown Malware/TIME TO DISCOVER MALWARE) Description: Malware descovery depends on the industry new malware discovery practices evoked by succesful malware attacks as well as the average time needed to discover new malware Present In 1 View: security view Used By Known Malware Known Malware will increase over time because more malware (families) will be discovered Unknown Malware The number of unknown malware is the newly developed by threat actors (malware creation due to adversary learning) minuns the unknown malware that has been discovered by security companies, security departments and government security agencies (discovered malware) Feedback Loops: 34 (51,5%) (+) 19 [4,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#50 A	malware listing (Dmnl) = ZIDZ( known malware campaign trend , (known malware campaign trend+unknown malware campaign trend) ) Description: Malware listing is the fraction of malware that is known to the defences of the defender and that is based on the ratio between known malware (campaign) trends and the total malware (campaign) trends. The Total malware (campaign) trend is the sum of the unknown and the known malware (campaign) trend. Present In 1 View: security view Used By malware listing effectiveness Certain malware have specific functionality to mislead defender defenses and detection mechnasims. This functionality is called obfuction and loweres the effectiveness of the defender (= lowering malware listing) Feedback Loops: 23 (34,8%) (+) 12 [8,22] (-) 11 [11,20]
Aggregated Model_V9 paper	#51 A	malware listing effectiveness (Dmnl) = malware listing-ADVERSARY OBFUCATION EFFECT Description: Certain malware have specific functionality to mislead defender defenses and detection mechnasims. This functionality is called obfuction and loweres the effectiveness of the defender (= lowering malware listing) Present In 1 View: security view Used By defense before infection The defender can have mulitple defensive layers (not considering the virus and anti-malware software on the assets because these are considered seperately). Each layer will stop a certain volume of malware attacks depending on the malware that can be known (malware listing effectiveness), the performance of the defences is place (defense performance) taking into account that these defenses will sometimes fail (Fraction of sensors not functioning). Feedback Loops: 23 (34,8%) (+) 12 [8,22] (-) 11 [11,20]
Aggregated Model_V9 paper	#58 A	RANDOMIZER (Dmnl ) = 0 Present In 1 View: security view Used By Awareness Decay The decay of awareness will be caused by time. However, certained specific professional campaigns that targetted specific employees (called spear phishing) can result in the effect that even aware employees will fall for the tricks of the threat actor. known malware campaign trend Known malware campaign trend is the number of known malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time unknown malware campaign trend Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Feedback Loops: 0 (0.0%) (+) 0 [0,0] (-) 0 [0,0]
Aggregated Model_V9 paper	#65 F,A	starting an infection (Attacks/Month) = MIN( insecure behavior of employees(1-defense before infection)Malware Attack reached Organization/TIME FOR ATTACKS,Malware Attack reached Organizationmonth adj) Description:* Malware attacks can start an infection if these attacks are not stopped by the defences in place and are triggered by an unaware employee. This triggering can be done by opening an infected email, opening an unknown infected file, clicking on a infected link, etc. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 39 (59,1%) (+) 19 [10,22] (-) 20 [2,21]
Aggregated Model_V9 paper	#66 F,A	starting malware attacks (Attacks/Month) = (known malware campaign trend+unknown malware campaign trend)INFECTION RATE IN EUROPEPROBABILITY OF ATTACKING THE DEFENDER ORGANISATIONTARGET ATTRACTIVENESS Description:* The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. Feedback Loops: 17 (25,8%) (+) 12 [7,19] (-) 5 [10,21]
Aggregated Model_V9 paper	#67 F,A	stopping malware attack (Attacks/Month) = MAX(((1-insecure behavior of employees)defense before infectionMalware Attack reached Organization)/TIME FOR ATTACKS,0) Description: The number of malware attacks that reach the organisation will be stopped by either the defences in place and aware employees that do not trigger the malware (e.g. not opening unknown attachments, not clicking on unknown links, etc.) taking into account the time needed for these attacks. Present In 1 View: security view Used By Malware Attack reached Organization The malware that reach an organisation depends on the attacks that have been started and the volume that will be stopped by the defenses in place. The remaining volume can infect the assets of the organisation. total unsuccessful attack All stopped malware attacks are not succesful Feedback Loops: 36 (54,5%) (+) 21 [7,22] (-) 15 [2,21]
Aggregated Model_V9 paper	#78 A	total daily contacts by infecteds (Asset/Month) = CONTACT FREQUENCYPERCENTAGE OF WORMSUnknown Infected Assets Description: Employees share files. This sharing can be done by dropbox, cloud, groupdirectory, sharepoints, etc. This means that malware with infectivity properties (worms) can start to infect assets of other workers that are connected with the infected asset. Present In 1 View: security view Used By total infectious contact total infections contacts are the total contracts created via shared environments (daily contracts by infecteds) multiplied by the total fraction of contacts with susceptibles Feedback Loops: 1 (1,5%) (+) 1 [4,4] (-) 0 [0,0]
Aggregated Model_V9 paper	#79 A	total infectious contact (Asset/Month) = fraction of contacts with susceptiblestotal daily contacts by infecteds Description:* total infections contacts are the total contracts created via shared environments (daily contracts by infecteds) multiplied by the total fraction of contacts with susceptibles Present In 1 View: security view Used By infection rate An infection will only start if malware will reach the defender's assets (end-points or servers) and has the capability to infect the asset.MIN(starting an infectionINFECTION PER ATTACK+total infectious contactINFECTIVITY,Susceptible Assets/TIME FOR ATTACKS) Feedback Loops: 4 (6,1%) (+) 3 [4,4] (-) 1 [10,10]
Aggregated Model_V9 paper	#81 A	total unsuccessful attack (Attacks/Month) = stopping malware attack Description: All stopped malware attacks are not succesful Present In 1 View: security view Used By malware creation due to adversary learning The threat actors will start to develop new malware if the notice that past attacks were not succesful. Malware creation is based on creating new malware and adjusting already excisting malware Feedback Loops: 29 (43,9%) (+) 19 [7,22] (-) 10 [16,21]
Aggregated Model_V9 paper	#87 A	unknown malware campaign trend (Malware) = Unknown Malware(1-SW campain trend)+SW campain trendUnknown MalwarePULSE TRAIN(0,1, UM SEQUENCERANDOM UNIFORM(0, 1, RANDOMIZER+1) , FINAL TIME )UM INTENSITYRANDOM UNIFORM(0, 1, RANDOMIZER+2 ) Description: Unknown malware campaign trend is the number of unknown malware that can be used for attacking the defender. The campaign trend switch considered the effect of malware campaign trends. These trends generate different intensities of malware attacks over time Present In 1 View: security view Used By malware listing Malware listing is the fraction of malware that is known to the defences of the defender and that is based on the ratio between known malware (campaign) trends and the total malware (campaign) trends. The Total malware (campaign) trend is the sum of the unknown and the known malware (campaign) trend. starting malware attacks The total available malware (known malware (campaign) trend and unknown malware (campaign) trend) can be used for attacking the defender. The magnitude of these attacks depends on average infection rate within the region, the probability that the defender is targetted for such attack and the attractiveness of the defender as a target. Feedback Loops: 17 (25,8%) (+) 10 [7,18] (-) 7 [10,18]
Aggregated Model_V9 paper	#88 A	unknown malware ratio (Dmnl) = Unknown Malware/(Known Malware+Unknown Malware) Description: The unknown malware ratio is the unknown malware devided by the total malware. The total malware is the known malware plus the unknown malware. Present In 1 View: security view Used By discovery of new malware The discovery of malware is based on the rate of detection multiplied by the unknown malware ration taken into account the number of malware present per infected asset. Feedback Loops: 12 (18,2%) (+) 7 [6,22] (-) 5 [4,21]

Top	(Type) Subscripts (0 Variables)
Group	Type	*Variable Name And Description*	Thumbnail

Top	(Type) Data (0 Variables)
Group	Type	*Variable Name And Description*	Thumbnail

Top	(Type) Game (0 Variables)
Group	Type	*Variable Name And Description*	Thumbnail

Top	(Type) Lookup (0 Variables)
Group	Type	*Variable Name And Description*

Top

Quick Links:

All Variables (86)

Group	Type	Variable
Aggregated Model_V9 paper	A	ad effectiveness (Dmnl)
Aggregated Model_V9 paper	C	AD FRACTION OF DROPPERS AND C&C (Dmnl )
Aggregated Model_V9 paper	C	AD RISK SCORE LEVEL DETECTION (Dmnl )
Aggregated Model_V9 paper	C	ADVERSARY OBFUCATION EFFECT (Dmnl )
Aggregated Model_V9 paper	C	AVERAGE TIME TO CLEAN UP (Month )
Aggregated Model_V9 paper	C	AVG TIME TO LOSE ATTENTION (Month )
Aggregated Model_V9 paper	L	Aware Employees (Staff)
Aggregated Model_V9 paper	F,A	Awareness Decay (Staff/Month)
Aggregated Model_V9 paper	F,A	becoming susceptible rate (Asset/Month)
Aggregated Model_V9 paper	A	being a victim of a malware attack (Staff/Month)
Aggregated Model_V9 paper	F,A	clean up rate (Asset/Month)
Aggregated Model_V9 paper	C	CONTACT FREQUENCY ((Asset/Month)/Asset )
Aggregated Model_V9 paper	C	CONTACT FREQUENCY BETWEEN EMPLOYEES ((Staff/Month)/Staff )
Aggregated Model_V9 paper	DE,A	creating awareness culture (Staff/Month)
Aggregated Model_V9 paper	A	defense before infection (Dmnl)
Aggregated Model_V9 paper	C	DEFENSE PERFORMANCE (Dmnl )
Aggregated Model_V9 paper	C	DETECTION DELAY (Month )
Aggregated Model_V9 paper	F,A	detection rate (Asset/Month)
Aggregated Model_V9 paper	C	DETECTON EFFECTIVENESS (Dmnl )
Aggregated Model_V9 paper	A	discovery of new malware (Malware/Month)
.Control	C	FINAL TIME (Month )
Aggregated Model_V9 paper	A	fraction of contacts with susceptibles (Dmnl)
Aggregated Model_V9 paper	C	FRACTION OF EMPLOYEES TRAINED FOR AWARENESS (Dmnl/Month )
Aggregated Model_V9 paper	C	FRACTION OF SENSORS NOT FUNCTIONING (Dmnl)
Aggregated Model_V9 paper	F,A	increase awareness (Staff/Month)
Aggregated Model_V9 paper	C	INFECTION PER ATTACK (Asset/Attacks )
Aggregated Model_V9 paper	F,A	infection rate (Asset/Month)
Aggregated Model_V9 paper	C	INFECTION RATE IN EUROPE (Attacks/Malware )
Aggregated Model_V9 paper	C	INFECTIVITY (Dmnl )
Aggregated Model_V9 paper	LI,C	INITIAL AWARE EMPLOYEES (Staff )
Aggregated Model_V9 paper	LI,C	INITIAL KNOWN INFECTED ASSETS (Asset )
Aggregated Model_V9 paper	LI,C	INITIAL KNOWN MALWARE (Malware)
Aggregated Model_V9 paper	LI,C	INITIAL MALWARE ATTACK REACHED ORGANIZATION (Attacks )
Aggregated Model_V9 paper	LI,C	INITIAL RESOLVED ASSETS (Asset )
Aggregated Model_V9 paper	LI,C	INITIAL SUSCEPTIBLE ASSETS (Asset )
.Control	C	INITIAL TIME (Month)
Aggregated Model_V9 paper	LI,A	INITIAL UNAWARE EMPLOYEES (Staff )
Aggregated Model_V9 paper	LI,C	INITIAL UNKNOWN INFECTED ASSETS (Asset )
Aggregated Model_V9 paper	LI,C	INITIAL UNKNOWN MALWARE (Malware)
Aggregated Model_V9 paper	A	insecure behavior of employees (Dmnl)
Aggregated Model_V9 paper	L	Known Infected Assets (Asset)
Aggregated Model_V9 paper	L	Known Malware (Malware)
Aggregated Model_V9 paper	C	MALWARE ADJUSTMENT RATE KNOWN MALWARE (Dmnl/Month )
Aggregated Model_V9 paper	L	Malware Attack reached Organization (Attacks)
Aggregated Model_V9 paper	C	MALWARE CREATED PER UNSUCCESFUL ATTACK (Malware/Attacks )
Aggregated Model_V9 paper	C	MALWARE CREATION DELAY (Month )
Aggregated Model_V9 paper	DE,F,A	malware creation due to adversary learning (Malware/Month)
Aggregated Model_V9 paper	F,A	malware discovery (Malware/Month)
Aggregated Model_V9 paper	A	malware listing (Dmnl)
Aggregated Model_V9 paper	A	malware listing effectiveness (Dmnl)
Aggregated Model_V9 paper	C	MALWARE PER ASSET (Malware/Asset )
Aggregated Model_V9 paper	C	month adj (1/Month )
Aggregated Model_V9 paper	C	NUMBER OF DEFENSIVE LAYERS (Dmnl )
Aggregated Model_V9 paper	C	PERCENTAGE OF WORMS (Dmnl )
Aggregated Model_V9 paper	C	PROBABILITY OF ATTACKING THE DEFENDER ORGANISATION (Dmnl/Month )
Aggregated Model_V9 paper	A	RANDOMIZER (Dmnl )
Aggregated Model_V9 paper	L	Resolved Assets (Asset)
.Control	A	SAVEPER (Month )
Aggregated Model_V9 paper	C	SINGLE DEVICE CLEAN UP CAPACITY (Asset/Month )
Aggregated Model_V9 paper	C	SP FRACTION BACKDOOR & STEALERS (Dmnl )
Aggregated Model_V9 paper	C	SP IMPACT (Dmnl )
Aggregated Model_V9 paper	C	SP SEQUENCE (Month )
Aggregated Model_V9 paper	F,A	starting an infection (Attacks/Month)
Aggregated Model_V9 paper	F,A	starting malware attacks (Attacks/Month)
Aggregated Model_V9 paper	F,A	stopping malware attack (Attacks/Month)
Aggregated Model_V9 paper	L	Susceptible Assets (Asset)
Aggregated Model_V9 paper	C	SW anomaly detection (Dmnl )
Aggregated Model_V9 paper	C	SW campain trend (Dmnl )
Aggregated Model_V9 paper	C	SW spearphishing (Dmnl )
Aggregated Model_V9 paper	C	TARGET ATTRACTIVENESS (Dmnl )
Aggregated Model_V9 paper	C	TIME FOR ATTACKS (Month )
.Control	C	TIME STEP (Month )
Aggregated Model_V9 paper	C	TIME TO BECOME SUSCEPTIBLE (Month )
Aggregated Model_V9 paper	C	TIME TO DISCOVER MALWARE (Month )
Aggregated Model_V9 paper	A	total daily contacts by infecteds (Asset/Month)
Aggregated Model_V9 paper	A	total infectious contact (Asset/Month)
Aggregated Model_V9 paper	C	TOTAL INITAL EMPLOYEES (Staff )
Aggregated Model_V9 paper	A	total unsuccessful attack (Attacks/Month)
Aggregated Model_V9 paper	C	UM INTENSITY (Dmnl )
Aggregated Model_V9 paper	C	UM SEQUENCE (Month )
Aggregated Model_V9 paper	L	Unaware Employees (Staff)
Aggregated Model_V9 paper	L	Unknown Infected Assets (Asset)
Aggregated Model_V9 paper	L	Unknown Malware (Malware)
Aggregated Model_V9 paper	A	unknown malware campaign trend (Malware)
Aggregated Model_V9 paper	A	unknown malware ratio (Dmnl)
Aggregated Model_V9 paper	C	VICTIMS PER ATTACK (Staff/Asset )

Top

Variable Link Detail (86)

Group	Type	Variable	In/Out Counts	In/Out Ratio	In Links by Polarity	Out Links by Polarity
Aggregated Model_V9 paper	F,A	detection rate (Asset/Month)	8 \| 4	2,00	5\| 3\| 0	3\| 1\| 0
Aggregated Model_V9 paper	F,A	Awareness Decay (Staff/Month)	8 \| 2	4,00	0\| 0\| 8	1\| 1\| 0
Aggregated Model_V9 paper	A	unknown malware campaign trend (Malware)	6 \| 2	3,00	0\| 0\| 6	2\| 0\| 0
Aggregated Model_V9 paper	F,A	infection rate (Asset/Month)	6 \| 2	3,00	5\| 1\| 0	1\| 1\| 0
Aggregated Model_V9 paper	F,A	starting an infection (Attacks/Month)	5 \| 2	2,50	3\| 2\| 0	1\| 1\| 0
Aggregated Model_V9 paper	F,A	increase awareness (Staff/Month)	5 \| 2	2,50	5\| 0\| 0	1\| 1\| 0
Aggregated Model_V9 paper	L	Unknown Malware (Malware)	3 \| 3	1,00	2\| 1\| 0	2\| 0\| 1
Aggregated Model_V9 paper	L	Unknown Infected Assets (Asset)	3 \| 3	1,00	2\| 1\| 0	3\| 0\| 0
Aggregated Model_V9 paper	L	Unaware Employees (Staff)	3 \| 3	1,00	2\| 1\| 0	3\| 0\| 0
Aggregated Model_V9 paper	F,A	stopping malware attack (Attacks/Month)	4 \| 2	2,00	2\| 2\| 0	1\| 1\| 0
Aggregated Model_V9 paper	F,A	starting malware attacks (Attacks/Month)	5 \| 1	5,00	5\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	DE,F,A	malware creation due to adversary learning (Malware/Month)	5 \| 1	5,00	5\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	L	Malware Attack reached Organization (Attacks)	4 \| 2	2,00	2\| 2\| 0	2\| 0\| 0
Aggregated Model_V9 paper	A	defense before infection (Dmnl)	4 \| 2	2,00	3\| 1\| 0	1\| 1\| 0
Aggregated Model_V9 paper	L	Aware Employees (Staff)	3 \| 3	1,00	2\| 1\| 0	1\| 1\| 1
Aggregated Model_V9 paper	L	Susceptible Assets (Asset)	3 \| 2	1,50	2\| 1\| 0	1\| 1\| 0
Aggregated Model_V9 paper	F,A	malware discovery (Malware/Month)	3 \| 2	1,50	2\| 1\| 0	1\| 1\| 0
Aggregated Model_V9 paper	L	Known Malware (Malware)	2 \| 3	0,67	2\| 0\| 0	1\| 1\| 1
Aggregated Model_V9 paper	F,A	clean up rate (Asset/Month)	3 \| 2	1,50	2\| 1\| 0	1\| 1\| 0
Aggregated Model_V9 paper	A	total daily contacts by infecteds (Asset/Month)	3 \| 1	3,00	3\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	L	Resolved Assets (Asset)	3 \| 1	3,00	2\| 1\| 0	1\| 0\| 0
Aggregated Model_V9 paper	L	Known Infected Assets (Asset)	3 \| 1	3,00	2\| 1\| 0	1\| 0\| 0
Aggregated Model_V9 paper	A	insecure behavior of employees (Dmnl)	2 \| 2	1,00	1\| 1\| 0	1\| 1\| 0
Aggregated Model_V9 paper	A	discovery of new malware (Malware/Month)	3 \| 1	3,00	3\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	DE,A	creating awareness culture (Staff/Month)	3 \| 1	3,00	3\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	F,A	becoming susceptible rate (Asset/Month)	2 \| 2	1,00	1\| 1\| 0	1\| 1\| 0
Aggregated Model_V9 paper	A	unknown malware ratio (Dmnl)	2 \| 1	2,00	1\| 1\| 0	1\| 0\| 0
Aggregated Model_V9 paper	A	total infectious contact (Asset/Month)	2 \| 1	2,00	2\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	TIME FOR ATTACKS (Month )	0 \| 3	0,00	0\| 0\| 0	0\| 3\| 0
Aggregated Model_V9 paper	A	RANDOMIZER (Dmnl )	0 \| 3	0,00	0\| 0\| 0	0\| 0\| 3
Aggregated Model_V9 paper	C	month adj (1/Month )	0 \| 3	0,00	0\| 0\| 0	3\| 0\| 0
Aggregated Model_V9 paper	A	malware listing effectiveness (Dmnl)	2 \| 1	2,00	1\| 1\| 0	1\| 0\| 0
Aggregated Model_V9 paper	A	malware listing (Dmnl)	2 \| 1	2,00	2\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	LI,A	INITIAL UNAWARE EMPLOYEES (Staff )	2 \| 1	2,00	1\| 1\| 0	1\| 0\| 0
Aggregated Model_V9 paper	A	fraction of contacts with susceptibles (Dmnl)	2 \| 1	2,00	1\| 1\| 0	1\| 0\| 0
Aggregated Model_V9 paper	A	being a victim of a malware attack (Staff/Month)	2 \| 1	2,00	2\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	A	ad effectiveness (Dmnl)	2 \| 1	2,00	2\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	A	total unsuccessful attack (Attacks/Month)	1 \| 1	1,00	1\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	SW campain trend (Dmnl )	0 \| 2	0,00	0\| 0\| 0	0\| 0\| 2
Aggregated Model_V9 paper	LI,C	INITIAL AWARE EMPLOYEES (Staff )	0 \| 2	0,00	0\| 0\| 0	1\| 1\| 0
Aggregated Model_V9 paper	C	FRACTION OF SENSORS NOT FUNCTIONING (Dmnl)	0 \| 2	0,00	0\| 0\| 0	0\| 2\| 0
.Control	C	FINAL TIME (Month )	0 \| 2	0,00	0\| 0\| 0	0\| 0\| 2
Aggregated Model_V9 paper	C	ADVERSARY OBFUCATION EFFECT (Dmnl )	0 \| 2	0,00	0\| 0\| 0	0\| 2\| 0
Aggregated Model_V9 paper	C	VICTIMS PER ATTACK (Staff/Asset )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	UM SEQUENCE (Month )	0 \| 1	0,00	0\| 0\| 0	0\| 0\| 1
Aggregated Model_V9 paper	C	UM INTENSITY (Dmnl )	0 \| 1	0,00	0\| 0\| 0	0\| 0\| 1
Aggregated Model_V9 paper	C	TOTAL INITAL EMPLOYEES (Staff )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	TIME TO DISCOVER MALWARE (Month )	0 \| 1	0,00	0\| 0\| 0	0\| 1\| 0
Aggregated Model_V9 paper	C	TIME TO BECOME SUSCEPTIBLE (Month )	0 \| 1	0,00	0\| 0\| 0	0\| 1\| 0
.Control	C	TIME STEP (Month )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	TARGET ATTRACTIVENESS (Dmnl )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	SW spearphishing (Dmnl )	0 \| 1	0,00	0\| 0\| 0	0\| 0\| 1
Aggregated Model_V9 paper	C	SW anomaly detection (Dmnl )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	SP SEQUENCE (Month )	0 \| 1	0,00	0\| 0\| 0	0\| 0\| 1
Aggregated Model_V9 paper	C	SP IMPACT (Dmnl )	0 \| 1	0,00	0\| 0\| 0	0\| 0\| 1
Aggregated Model_V9 paper	C	SP FRACTION BACKDOOR & STEALERS (Dmnl )	0 \| 1	0,00	0\| 0\| 0	0\| 0\| 1
Aggregated Model_V9 paper	C	SINGLE DEVICE CLEAN UP CAPACITY (Asset/Month )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
.Control	A	SAVEPER (Month )	1 \| 0	∞	1\| 0\| 0	0\| 0\| 0
Aggregated Model_V9 paper	C	PROBABILITY OF ATTACKING THE DEFENDER ORGANISATION (Dmnl/Month )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	PERCENTAGE OF WORMS (Dmnl )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	NUMBER OF DEFENSIVE LAYERS (Dmnl )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	MALWARE PER ASSET (Malware/Asset )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	MALWARE CREATION DELAY (Month )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	MALWARE CREATED PER UNSUCCESFUL ATTACK (Malware/Attacks )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	MALWARE ADJUSTMENT RATE KNOWN MALWARE (Dmnl/Month )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	LI,C	INITIAL UNKNOWN MALWARE (Malware)	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	LI,C	INITIAL UNKNOWN INFECTED ASSETS (Asset )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	LI,C	INITIAL SUSCEPTIBLE ASSETS (Asset )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	LI,C	INITIAL RESOLVED ASSETS (Asset )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	LI,C	INITIAL MALWARE ATTACK REACHED ORGANIZATION (Attacks )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	LI,C	INITIAL KNOWN MALWARE (Malware)	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	LI,C	INITIAL KNOWN INFECTED ASSETS (Asset )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	INFECTIVITY (Dmnl )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	INFECTION RATE IN EUROPE (Attacks/Malware )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	INFECTION PER ATTACK (Asset/Attacks )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	FRACTION OF EMPLOYEES TRAINED FOR AWARENESS (Dmnl/Month )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	DETECTON EFFECTIVENESS (Dmnl )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	DETECTION DELAY (Month )	0 \| 1	0,00	0\| 0\| 0	0\| 1\| 0
Aggregated Model_V9 paper	C	DEFENSE PERFORMANCE (Dmnl )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	CONTACT FREQUENCY BETWEEN EMPLOYEES ((Staff/Month)/Staff )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	CONTACT FREQUENCY ((Asset/Month)/Asset )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	AVG TIME TO LOSE ATTENTION (Month )	0 \| 1	0,00	0\| 0\| 0	0\| 0\| 1
Aggregated Model_V9 paper	C	AVERAGE TIME TO CLEAN UP (Month )	0 \| 1	0,00	0\| 0\| 0	0\| 1\| 0
Aggregated Model_V9 paper	C	AD RISK SCORE LEVEL DETECTION (Dmnl )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
Aggregated Model_V9 paper	C	AD FRACTION OF DROPPERS AND C&C (Dmnl )	0 \| 1	0,00	0\| 0\| 0	1\| 0\| 0
.Control	C	INITIAL TIME (Month)	( 0\| 0)	∞	0\| 0\| 0	0\| 0\| 0

Top

Supplementary Variables (0)

Group

Type

Variable

Top

Supplementary Variables Being Used (0)

Group

Type

Variable

Top

Quick Links:

Unused Variables (1)

Group	Type	Variable
Aggregated Model_V9 paper	Unavailable	known malware campaign trend (Malware)

Top

Quick Links:

Equations With Embedded Data (6)

Group	Type	Variable
Aggregated Model_V9 paper	F,A	Awareness Decay (Staff/Month)
Aggregated Model_V9 paper	DE,A	creating awareness culture (Staff/Month)
Aggregated Model_V9 paper	F,A	detection rate (Asset/Month)
Aggregated Model_V9 paper	Unavailable	known malware campaign trend (Malware)
Aggregated Model_V9 paper	DE,F,A	malware creation due to adversary learning (Malware/Month)
Aggregated Model_V9 paper	A	unknown malware campaign trend (Malware)

Top

Nonmonotonic Lookup Functions (0)

Group

Type

Variable

Top

Non-Zero End Sloped Lookup Functions (0)

Group

Type

Variable

Non-Zero

Top

Cascading Lookup Functions (0)

Group

Type

Variable

Top

Equations With Step Pulse Or Related Functions (0)

Group

Type

Variable

Top

Equations With If Then Else Functions (0)

Group

Type

Variable

Top

Quick Links:

Equations With Min Or Max Functions (5)

Group	Type	Variable
Aggregated Model_V9 paper	F,A	clean up rate (Asset/Month)
Aggregated Model_V9 paper	F,A	increase awareness (Staff/Month)
Aggregated Model_V9 paper	F,A	infection rate (Asset/Month)
Aggregated Model_V9 paper	F,A	starting an infection (Attacks/Month)
Aggregated Model_V9 paper	F,A	stopping malware attack (Attacks/Month)

Top

Complex Variable (Richardson's Rule Threshold = 3) (11)

Group	Type	Variable	Complexity
Aggregated Model_V9 paper	A	defense before infection (Dmnl)	4
Aggregated Model_V9 paper	L	Malware Attack reached Organization (Attacks)	4
Aggregated Model_V9 paper	F,A	stopping malware attack (Attacks/Month)	4
Aggregated Model_V9 paper	F,A	increase awareness (Staff/Month)	5
Aggregated Model_V9 paper	DE,F,A	malware creation due to adversary learning (Malware/Month)	5
Aggregated Model_V9 paper	F,A	starting an infection (Attacks/Month)	5
Aggregated Model_V9 paper	F,A	starting malware attacks (Attacks/Month)	5
Aggregated Model_V9 paper	F,A	infection rate (Asset/Month)	6
Aggregated Model_V9 paper	A	unknown malware campaign trend (Malware)	6
Aggregated Model_V9 paper	F,A	Awareness Decay (Staff/Month)	8
Aggregated Model_V9 paper	F,A	detection rate (Asset/Month)	8

Top

Complex Stock (0)

Group

Type

Variable

Top

Variables With Source Information (0)

Group

Type

Variable

Top

Quick Links:

Variables With Dimensionless Units (24)

Group	Type	Variable
Aggregated Model_V9 paper	A	ad effectiveness (Dmnl)
Aggregated Model_V9 paper	C	AD FRACTION OF DROPPERS AND C&C (Dmnl )
Aggregated Model_V9 paper	C	AD RISK SCORE LEVEL DETECTION (Dmnl )
Aggregated Model_V9 paper	C	ADVERSARY OBFUCATION EFFECT (Dmnl )
Aggregated Model_V9 paper	A	defense before infection (Dmnl)
Aggregated Model_V9 paper	C	DEFENSE PERFORMANCE (Dmnl )
Aggregated Model_V9 paper	C	DETECTON EFFECTIVENESS (Dmnl )
Aggregated Model_V9 paper	A	fraction of contacts with susceptibles (Dmnl)
Aggregated Model_V9 paper	C	FRACTION OF SENSORS NOT FUNCTIONING (Dmnl)
Aggregated Model_V9 paper	C	INFECTIVITY (Dmnl )
Aggregated Model_V9 paper	A	insecure behavior of employees (Dmnl)
Aggregated Model_V9 paper	A	malware listing (Dmnl)
Aggregated Model_V9 paper	A	malware listing effectiveness (Dmnl)
Aggregated Model_V9 paper	C	NUMBER OF DEFENSIVE LAYERS (Dmnl )
Aggregated Model_V9 paper	C	PERCENTAGE OF WORMS (Dmnl )
Aggregated Model_V9 paper	A	RANDOMIZER (Dmnl )
Aggregated Model_V9 paper	C	SP FRACTION BACKDOOR & STEALERS (Dmnl )
Aggregated Model_V9 paper	C	SP IMPACT (Dmnl )
Aggregated Model_V9 paper	C	SW anomaly detection (Dmnl )
Aggregated Model_V9 paper	C	SW campain trend (Dmnl )
Aggregated Model_V9 paper	C	SW spearphishing (Dmnl )
Aggregated Model_V9 paper	C	TARGET ATTRACTIVENESS (Dmnl )
Aggregated Model_V9 paper	C	UM INTENSITY (Dmnl )
Aggregated Model_V9 paper	A	unknown malware ratio (Dmnl)

Top

Quick Links:

Variables without Predefined Min or Max Values (83)

Group	Type	Variable
Aggregated Model_V9 paper	A	ad effectiveness (Dmnl)
Aggregated Model_V9 paper	C	AD FRACTION OF DROPPERS AND C&C (Dmnl )
Aggregated Model_V9 paper	C	AD RISK SCORE LEVEL DETECTION (Dmnl )
Aggregated Model_V9 paper	C	ADVERSARY OBFUCATION EFFECT (Dmnl )
Aggregated Model_V9 paper	C	AVERAGE TIME TO CLEAN UP (Month )
Aggregated Model_V9 paper	C	AVG TIME TO LOSE ATTENTION (Month )
Aggregated Model_V9 paper	L	Aware Employees (Staff)
Aggregated Model_V9 paper	F,A	Awareness Decay (Staff/Month)
Aggregated Model_V9 paper	F,A	becoming susceptible rate (Asset/Month)
Aggregated Model_V9 paper	A	being a victim of a malware attack (Staff/Month)
Aggregated Model_V9 paper	F,A	clean up rate (Asset/Month)
Aggregated Model_V9 paper	C	CONTACT FREQUENCY ((Asset/Month)/Asset )
Aggregated Model_V9 paper	C	CONTACT FREQUENCY BETWEEN EMPLOYEES ((Staff/Month)/Staff )
Aggregated Model_V9 paper	DE,A	creating awareness culture (Staff/Month)
Aggregated Model_V9 paper	A	defense before infection (Dmnl)
Aggregated Model_V9 paper	C	DEFENSE PERFORMANCE (Dmnl )
Aggregated Model_V9 paper	C	DETECTION DELAY (Month )
Aggregated Model_V9 paper	F,A	detection rate (Asset/Month)
Aggregated Model_V9 paper	C	DETECTON EFFECTIVENESS (Dmnl )
Aggregated Model_V9 paper	A	discovery of new malware (Malware/Month)
Aggregated Model_V9 paper	A	fraction of contacts with susceptibles (Dmnl)
Aggregated Model_V9 paper	C	FRACTION OF EMPLOYEES TRAINED FOR AWARENESS (Dmnl/Month )
Aggregated Model_V9 paper	C	FRACTION OF SENSORS NOT FUNCTIONING (Dmnl)
Aggregated Model_V9 paper	F,A	increase awareness (Staff/Month)
Aggregated Model_V9 paper	C	INFECTION PER ATTACK (Asset/Attacks )
Aggregated Model_V9 paper	F,A	infection rate (Asset/Month)
Aggregated Model_V9 paper	C	INFECTION RATE IN EUROPE (Attacks/Malware )
Aggregated Model_V9 paper	C	INFECTIVITY (Dmnl )
Aggregated Model_V9 paper	LI,C	INITIAL AWARE EMPLOYEES (Staff )
Aggregated Model_V9 paper	LI,C	INITIAL KNOWN INFECTED ASSETS (Asset )
Aggregated Model_V9 paper	LI,C	INITIAL KNOWN MALWARE (Malware)
Aggregated Model_V9 paper	LI,C	INITIAL MALWARE ATTACK REACHED ORGANIZATION (Attacks )
Aggregated Model_V9 paper	LI,C	INITIAL RESOLVED ASSETS (Asset )
Aggregated Model_V9 paper	LI,C	INITIAL SUSCEPTIBLE ASSETS (Asset )
Aggregated Model_V9 paper	LI,A	INITIAL UNAWARE EMPLOYEES (Staff )
Aggregated Model_V9 paper	LI,C	INITIAL UNKNOWN INFECTED ASSETS (Asset )
Aggregated Model_V9 paper	LI,C	INITIAL UNKNOWN MALWARE (Malware)
Aggregated Model_V9 paper	A	insecure behavior of employees (Dmnl)
Aggregated Model_V9 paper	L	Known Infected Assets (Asset)
Aggregated Model_V9 paper	L	Known Malware (Malware)
Aggregated Model_V9 paper	Unavailable	known malware campaign trend (Malware)
Aggregated Model_V9 paper	C	MALWARE ADJUSTMENT RATE KNOWN MALWARE (Dmnl/Month )
Aggregated Model_V9 paper	L	Malware Attack reached Organization (Attacks)
Aggregated Model_V9 paper	C	MALWARE CREATED PER UNSUCCESFUL ATTACK (Malware/Attacks )
Aggregated Model_V9 paper	C	MALWARE CREATION DELAY (Month )
Aggregated Model_V9 paper	DE,F,A	malware creation due to adversary learning (Malware/Month)
Aggregated Model_V9 paper	F,A	malware discovery (Malware/Month)
Aggregated Model_V9 paper	A	malware listing (Dmnl)
Aggregated Model_V9 paper	A	malware listing effectiveness (Dmnl)
Aggregated Model_V9 paper	C	MALWARE PER ASSET (Malware/Asset )
Aggregated Model_V9 paper	C	month adj (1/Month )
Aggregated Model_V9 paper	C	NUMBER OF DEFENSIVE LAYERS (Dmnl )
Aggregated Model_V9 paper	C	PERCENTAGE OF WORMS (Dmnl )
Aggregated Model_V9 paper	C	PROBABILITY OF ATTACKING THE DEFENDER ORGANISATION (Dmnl/Month )
Aggregated Model_V9 paper	A	RANDOMIZER (Dmnl )
Aggregated Model_V9 paper	L	Resolved Assets (Asset)
Aggregated Model_V9 paper	C	SINGLE DEVICE CLEAN UP CAPACITY (Asset/Month )
Aggregated Model_V9 paper	C	SP FRACTION BACKDOOR & STEALERS (Dmnl )
Aggregated Model_V9 paper	C	SP IMPACT (Dmnl )
Aggregated Model_V9 paper	C	SP SEQUENCE (Month )
Aggregated Model_V9 paper	F,A	starting an infection (Attacks/Month)
Aggregated Model_V9 paper	F,A	starting malware attacks (Attacks/Month)
Aggregated Model_V9 paper	F,A	stopping malware attack (Attacks/Month)
Aggregated Model_V9 paper	L	Susceptible Assets (Asset)
Aggregated Model_V9 paper	C	SW anomaly detection (Dmnl )
Aggregated Model_V9 paper	C	SW campain trend (Dmnl )
Aggregated Model_V9 paper	C	SW spearphishing (Dmnl )
Aggregated Model_V9 paper	C	TARGET ATTRACTIVENESS (Dmnl )
Aggregated Model_V9 paper	C	TIME FOR ATTACKS (Month )
Aggregated Model_V9 paper	C	TIME TO BECOME SUSCEPTIBLE (Month )
Aggregated Model_V9 paper	C	TIME TO DISCOVER MALWARE (Month )
Aggregated Model_V9 paper	A	total daily contacts by infecteds (Asset/Month)
Aggregated Model_V9 paper	A	total infectious contact (Asset/Month)
Aggregated Model_V9 paper	C	TOTAL INITAL EMPLOYEES (Staff )
Aggregated Model_V9 paper	A	total unsuccessful attack (Attacks/Month)
Aggregated Model_V9 paper	C	UM INTENSITY (Dmnl )
Aggregated Model_V9 paper	C	UM SEQUENCE (Month )
Aggregated Model_V9 paper	L	Unaware Employees (Staff)
Aggregated Model_V9 paper	L	Unknown Infected Assets (Asset)
Aggregated Model_V9 paper	L	Unknown Malware (Malware)
Aggregated Model_V9 paper	A	unknown malware campaign trend (Malware)
Aggregated Model_V9 paper	A	unknown malware ratio (Dmnl)
Aggregated Model_V9 paper	C	VICTIMS PER ATTACK (Staff/Asset )

Top

Function Sensitivity Parameters (0)

Group

Type

Variable

Top

Data Lookup Tables (0)

Group

Type

Variable

Top

Variables Not In Any View (0)

Group

Type

Variable

Top

Equations With Unit Errors Or Warnings (0)

Group

Type

Variable

Units

Top

Units (7/9)

Units	Type	Alternates
1/Month	Basic	[(Asset/Month)/Asset, (Staff/Month)/Staff, Dmnl/Month]
Asset	Basic
Attacks	Basic
Dmnl	Basic
Malware	Basic
Month	Basic
Staff	Basic
Asset/Attacks	Combined
Asset/Month	Combined
Attacks/Malware	Combined
Attacks/Month	Combined
Malware/Asset	Combined
Malware/Attacks	Combined
Malware/Month	Combined
Staff/Asset	Combined
Staff/Month	Combined

Top

Feedback Loops (66|0 Maximum Length: 30 [2,22] | [0,0])

Group

Type

Variable

Loops

+/- Ratio

Loops (IVV)

+/- Ratio

Aggregated Model_V9 paper

F,A

infection rate (Asset/Month)

41 (62,1%)

20 [ 4,22]

21 [ 2,21]

0,95

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

Unknown Infected Assets (Asset)

40 (60,6%)

19 [ 4,22]

21 [ 2,21]

0,90

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

F,A

starting an infection (Attacks/Month)

39 (59,1%)

19 [10,22]

20 [ 2,21]

0,95

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

Unknown Malware (Malware)

39 (59,1%)

24 [ 4,22]

15 [ 2,21]

1,60

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

F,A

detection rate (Asset/Month)

38 (57,6%)

17 [ 8,22]

21 [ 2,21]

0,81

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

F,A

stopping malware attack (Attacks/Month)

36 (54,5%)

21 [ 7,22]

15 [ 2,21]

1,40

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

DE,F,A

malware creation due to adversary learning (Malware/Month)

34 (51,5%)

22 [ 4,22]

12 [13,21]

1,83

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

F,A

malware discovery (Malware/Month)

34 (51,5%)

19 [ 4,22]

15 [ 2,21]

1,27

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

F,A

increase awareness (Staff/Month)

29 (43,9%)

14 [ 3,22]

15 [ 2,21]

0,93

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

Known Malware (Malware)

29 (43,9%)

17 [ 4,22]

12 [ 4,21]

1,42

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

total unsuccessful attack (Attacks/Month)

29 (43,9%)

19 [ 7,22]

10 [16,21]

1,90

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

Malware Attack reached Organization (Attacks)

28 (42,4%)

17 [ 7,19]

11 [ 2,21]

1,55

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

being a victim of a malware attack (Staff/Month)

24 (36,4%)

11 [10,22]

13 [ 8,21]

0,85

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

insecure behavior of employees (Dmnl)

24 (36,4%)

11 [10,22]

13 [ 8,21]

0,85

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

defense before infection (Dmnl)

23 (34,8%)

12 [ 8,22]

11 [11,20]

1,09

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

discovery of new malware (Malware/Month)

23 (34,8%)

12 [ 6,22]

11 [ 4,21]

1,09

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

malware listing (Dmnl)

23 (34,8%)

12 [ 8,22]

11 [11,20]

1,09

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

malware listing effectiveness (Dmnl)

23 (34,8%)

12 [ 8,22]

11 [11,20]

1,09

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

Aware Employees (Staff)

20 (30,3%)

11 [ 3,22]

9 [ 2,21]

1,22

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

Unaware Employees (Staff)

20 (30,3%)

10 [ 4,22]

10 [ 2,21]

1,00

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

F,A

starting malware attacks (Attacks/Month)

17 (25,8%)

12 [ 7,19]

5 [10,21]

2,40

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

unknown malware campaign trend (Malware)

17 (25,8%)

10 [ 7,18]

7 [10,18]

1,43

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

unknown malware ratio (Dmnl)

12 (18,2%)

7 [ 6,22]

5 [ 4,21]

1,40

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

F,A

Awareness Decay (Staff/Month)

11 (16,7%)

7 [ 4,22]

4 [ 2,21]

1,75

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

Susceptible Assets (Asset)

4 (6,1%)

2 [ 4, 8]

2 [ 2,10]

1,00

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

total infectious contact (Asset/Month)

4 (6,1%)

3 [ 4, 4]

1 [10,10]

3,00

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

F,A

becoming susceptible rate (Asset/Month)

3 (4,5%)

1 [ 8, 8]

2 [ 2,10]

0,50

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

F,A

clean up rate (Asset/Month)

3 (4,5%)

1 [ 8, 8]

2 [ 2,10]

0,50

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

DE,A

creating awareness culture (Staff/Month)

3 (4,5%)

2 [ 3, 5]

1 [ 3, 3]

2,00

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

fraction of contacts with susceptibles (Dmnl)

3 (4,5%)

2 [ 4, 4]

1 [10,10]

2,00

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

Known Infected Assets (Asset)

3 (4,5%)

1 [ 8, 8]

2 [ 2,10]

0,50

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

Resolved Assets (Asset)

3 (4,5%)

1 [ 8, 8]

2 [ 2,10]

0,50

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

total daily contacts by infecteds (Asset/Month)

1 (1,5%)

1 [ 4, 4]

0 [ 0, 0]

Infinite

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

ad effectiveness (Dmnl)

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

AD FRACTION OF DROPPERS AND C&C (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

AD RISK SCORE LEVEL DETECTION (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

ADVERSARY OBFUCATION EFFECT (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

AVERAGE TIME TO CLEAN UP (Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

AVG TIME TO LOSE ATTENTION (Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

CONTACT FREQUENCY ((Asset/Month)/Asset )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

CONTACT FREQUENCY BETWEEN EMPLOYEES ((Staff/Month)/Staff )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

DEFENSE PERFORMANCE (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

DETECTION DELAY (Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

DETECTON EFFECTIVENESS (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

.Control

FINAL TIME (Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

FRACTION OF EMPLOYEES TRAINED FOR AWARENESS (Dmnl/Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

FRACTION OF SENSORS NOT FUNCTIONING (Dmnl)

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

INFECTION PER ATTACK (Asset/Attacks )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

INFECTION RATE IN EUROPE (Attacks/Malware )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

INFECTIVITY (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

LI,C

INITIAL AWARE EMPLOYEES (Staff )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

LI,C

INITIAL KNOWN INFECTED ASSETS (Asset )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

LI,C

INITIAL KNOWN MALWARE (Malware)

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

LI,C

INITIAL MALWARE ATTACK REACHED ORGANIZATION (Attacks )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

LI,C

INITIAL RESOLVED ASSETS (Asset )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

LI,C

INITIAL SUSCEPTIBLE ASSETS (Asset )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

.Control

INITIAL TIME (Month)

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

LI,A

INITIAL UNAWARE EMPLOYEES (Staff )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

LI,C

INITIAL UNKNOWN INFECTED ASSETS (Asset )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

LI,C

INITIAL UNKNOWN MALWARE (Malware)

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

MALWARE ADJUSTMENT RATE KNOWN MALWARE (Dmnl/Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

MALWARE CREATED PER UNSUCCESFUL ATTACK (Malware/Attacks )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

MALWARE CREATION DELAY (Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

MALWARE PER ASSET (Malware/Asset )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

month adj (1/Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

NUMBER OF DEFENSIVE LAYERS (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

PERCENTAGE OF WORMS (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

PROBABILITY OF ATTACKING THE DEFENDER ORGANISATION (Dmnl/Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

RANDOMIZER (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

.Control

SAVEPER (Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

SINGLE DEVICE CLEAN UP CAPACITY (Asset/Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

SP FRACTION BACKDOOR & STEALERS (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

SP IMPACT (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

SP SEQUENCE (Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

SW anomaly detection (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

SW campain trend (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

SW spearphishing (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

TARGET ATTRACTIVENESS (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

TIME FOR ATTACKS (Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

.Control

TIME STEP (Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

TIME TO BECOME SUSCEPTIBLE (Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

TIME TO DISCOVER MALWARE (Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

TOTAL INITAL EMPLOYEES (Staff )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

UM INTENSITY (Dmnl )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

UM SEQUENCE (Month )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Aggregated Model_V9 paper

VICTIMS PER ATTACK (Staff/Asset )

0 ( 0%)

0 [ 0, 0]

0 ( 0%)

0 [ 0, 0]

Top

Macros (0)

Name

Macro Definition

Expanded Macro Definition

Top

Quick Links:

Positive Polarity Causal Links (80)

Cause	Effect	Polarity
ad effectiveness	detection rate	+
AD FRACTION OF DROPPERS AND C&C	ad effectiveness	+
AD RISK SCORE LEVEL DETECTION	ad effectiveness	+
Aware Employees	creating awareness culture	+
Awareness Decay	Unaware Employees	+
becoming susceptible rate	Susceptible Assets	+
being a victim of a malware attack	increase awareness	+
clean up rate	Resolved Assets	+
CONTACT FREQUENCY	total daily contacts by infecteds	+
CONTACT FREQUENCY BETWEEN EMPLOYEES	creating awareness culture	+
creating awareness culture	increase awareness	+
defense before infection	stopping malware attack	+
DEFENSE PERFORMANCE	defense before infection	+
detection rate	being a victim of a malware attack	+
detection rate	discovery of new malware	+
detection rate	Known Infected Assets	+
DETECTON EFFECTIVENESS	detection rate	+
discovery of new malware	malware discovery	+
fraction of contacts with susceptibles	total infectious contact	+
FRACTION OF EMPLOYEES TRAINED FOR AWARENESS	increase awareness	+
increase awareness	Aware Employees	+
INFECTION PER ATTACK	infection rate	+
infection rate	Unknown Infected Assets	+
INFECTION RATE IN EUROPE	starting malware attacks	+
INFECTIVITY	infection rate	+
INITIAL AWARE EMPLOYEES	Aware Employees	+
INITIAL KNOWN INFECTED ASSETS	Known Infected Assets	+
INITIAL KNOWN MALWARE	Known Malware	+
INITIAL MALWARE ATTACK REACHED ORGANIZATION	Malware Attack reached Organization	+
INITIAL RESOLVED ASSETS	Resolved Assets	+
INITIAL SUSCEPTIBLE ASSETS	Susceptible Assets	+
INITIAL UNAWARE EMPLOYEES	Unaware Employees	+
INITIAL UNKNOWN INFECTED ASSETS	Unknown Infected Assets	+
INITIAL UNKNOWN MALWARE	Unknown Malware	+
insecure behavior of employees	starting an infection	+
Known Infected Assets	clean up rate	+
Known Malware	malware creation due to adversary learning	+
known malware campaign trend	malware listing	+
known malware campaign trend	starting malware attacks	+
MALWARE ADJUSTMENT RATE KNOWN MALWARE	malware creation due to adversary learning	+
Malware Attack reached Organization	starting an infection	+
Malware Attack reached Organization	stopping malware attack	+
MALWARE CREATED PER UNSUCCESFUL ATTACK	malware creation due to adversary learning	+
MALWARE CREATION DELAY	malware creation due to adversary learning	+
malware creation due to adversary learning	Unknown Malware	+
malware discovery	Known Malware	+
malware listing	malware listing effectiveness	+
malware listing effectiveness	defense before infection	+
MALWARE PER ASSET	discovery of new malware	+
month adj	detection rate	+
month adj	increase awareness	+
month adj	starting an infection	+
NUMBER OF DEFENSIVE LAYERS	defense before infection	+
PERCENTAGE OF WORMS	total daily contacts by infecteds	+
PROBABILITY OF ATTACKING THE DEFENDER ORGANISATION	starting malware attacks	+
Resolved Assets	becoming susceptible rate	+
SINGLE DEVICE CLEAN UP CAPACITY	clean up rate	+
starting an infection	infection rate	+
starting malware attacks	Malware Attack reached Organization	+
stopping malware attack	total unsuccessful attack	+
Susceptible Assets	infection rate	+
SW anomaly detection	detection rate	+
TARGET ATTRACTIVENESS	starting malware attacks	+
TIME STEP	SAVEPER	+
total daily contacts by infecteds	total infectious contact	+
total infectious contact	infection rate	+
TOTAL INITAL EMPLOYEES	INITIAL UNAWARE EMPLOYEES	+
total unsuccessful attack	malware creation due to adversary learning	+
Unaware Employees	creating awareness culture	+
Unaware Employees	increase awareness	+
Unaware Employees	insecure behavior of employees	+
Unknown Infected Assets	detection rate	+
Unknown Infected Assets	fraction of contacts with susceptibles	+
Unknown Infected Assets	total daily contacts by infecteds	+
Unknown Malware	malware discovery	+
Unknown Malware	unknown malware ratio	+
unknown malware campaign trend	malware listing	+
unknown malware campaign trend	starting malware attacks	+
unknown malware ratio	discovery of new malware	+
VICTIMS PER ATTACK	being a victim of a malware attack	+

Top

Quick Links:

Negative Polarity Causal Links (26)

Cause	Effect	Polarity
ADVERSARY OBFUCATION EFFECT	detection rate	-
ADVERSARY OBFUCATION EFFECT	malware listing effectiveness	-
AVERAGE TIME TO CLEAN UP	clean up rate	-
Aware Employees	insecure behavior of employees	-
Awareness Decay	Aware Employees	-
becoming susceptible rate	Resolved Assets	-
clean up rate	Known Infected Assets	-
defense before infection	starting an infection	-
DETECTION DELAY	detection rate	-
detection rate	Unknown Infected Assets	-
FRACTION OF SENSORS NOT FUNCTIONING	defense before infection	-
FRACTION OF SENSORS NOT FUNCTIONING	detection rate	-
increase awareness	Unaware Employees	-
infection rate	Susceptible Assets	-
INITIAL AWARE EMPLOYEES	INITIAL UNAWARE EMPLOYEES	-
insecure behavior of employees	stopping malware attack	-
Known Malware	unknown malware ratio	-
malware discovery	Unknown Malware	-
starting an infection	Malware Attack reached Organization	-
stopping malware attack	Malware Attack reached Organization	-
Susceptible Assets	fraction of contacts with susceptibles	-
TIME FOR ATTACKS	infection rate	-
TIME FOR ATTACKS	starting an infection	-
TIME FOR ATTACKS	stopping malware attack	-
TIME TO BECOME SUSCEPTIBLE	becoming susceptible rate	-
TIME TO DISCOVER MALWARE	malware discovery	-

Top

Quick Links:

Function-based Polarity Causal Links (17)

Cause	Effect	Polarity
AVG TIME TO LOSE ATTENTION	Awareness Decay	Function[PULSETRAIN,RANDOMUNIFORM]
Aware Employees	Awareness Decay	Function[PULSETRAIN,RANDOMUNIFORM]
FINAL TIME	Awareness Decay	Function[PULSETRAIN,RANDOMUNIFORM]
FINAL TIME	unknown malware campaign trend	Function[PULSETRAIN,RANDOMUNIFORM]
Known Malware	known malware campaign trend	Function[RANDOMNORMAL,SIN]
RANDOMIZER	Awareness Decay	Function[PULSETRAIN,RANDOMUNIFORM]
RANDOMIZER	known malware campaign trend	Function[RANDOMNORMAL,SIN]
RANDOMIZER	unknown malware campaign trend	Function[PULSETRAIN,RANDOMUNIFORM]
SP FRACTION BACKDOOR & STEALERS	Awareness Decay	Function[PULSETRAIN,RANDOMUNIFORM]
SP IMPACT	Awareness Decay	Function[PULSETRAIN,RANDOMUNIFORM]
SP SEQUENCE	Awareness Decay	Function[PULSETRAIN,RANDOMUNIFORM]
SW campain trend	known malware campaign trend	Function[RANDOMNORMAL,SIN]
SW campain trend	unknown malware campaign trend	Function[PULSETRAIN,RANDOMUNIFORM]
SW spearphishing	Awareness Decay	Function[PULSETRAIN,RANDOMUNIFORM]
UM INTENSITY	unknown malware campaign trend	Function[PULSETRAIN,RANDOMUNIFORM]
UM SEQUENCE	unknown malware campaign trend	Function[PULSETRAIN,RANDOMUNIFORM]
Unknown Malware	unknown malware campaign trend	Function[PULSETRAIN,RANDOMUNIFORM]

Top

Rate-to-rate Links (1)

Cause	Effect
starting an infection	infection rate

Top

View-Variable Profile

View	View-Variable Profile
security view	83 vars (93,3%)

Top

List Of 1 views and their 83 Variables

Source File: H:\Attentie My Documents sinds 12-04-2011\___PhD\Malware paper\Malware model paper\Aggregated Model_V9 paper.mdl (Wed Feb 28 19:38:43 CET 2018)
Report Created On Wed Feb 28 20:12:26 CET 2018
SDM-Doc Tool Version 1.2.89
Global Security Sciences Division
Argonne National Laboratory

	security view
Total:	83	Total:
starting malware attacks (In 1 View)		starting malware attacks (In 1 View)
infection rate (In 1 View)		infection rate (In 1 View)
AD FRACTION OF DROPPERS AND C&C (In 1 View)		AD FRACTION OF DROPPERS AND C&C (In 1 View)
fraction of contacts with susceptibles (In 1 View)		fraction of contacts with susceptibles (In 1 View)
MALWARE ADJUSTMENT RATE KNOWN MALWARE (In 1 View)		MALWARE ADJUSTMENT RATE KNOWN MALWARE (In 1 View)
INFECTIVITY (In 1 View)		INFECTIVITY (In 1 View)
MALWARE PER ASSET (In 1 View)		MALWARE PER ASSET (In 1 View)
defense before infection (In 1 View)		defense before infection (In 1 View)
ADVERSARY OBFUCATION EFFECT (In 1 View)		ADVERSARY OBFUCATION EFFECT (In 1 View)
discovery of new malware (In 1 View)		discovery of new malware (In 1 View)
TOTAL INITAL EMPLOYEES (In 1 View)		TOTAL INITAL EMPLOYEES (In 1 View)
SW anomaly detection (In 1 View)		SW anomaly detection (In 1 View)
ad effectiveness (In 1 View)		ad effectiveness (In 1 View)
malware listing (In 1 View)		malware listing (In 1 View)
INFECTION PER ATTACK (In 1 View)		INFECTION PER ATTACK (In 1 View)
starting an infection (In 1 View)		starting an infection (In 1 View)
INITIAL MALWARE ATTACK REACHED ORGANIZATION (In 1 View)		INITIAL MALWARE ATTACK REACHED ORGANIZATION (In 1 View)
malware discovery (In 1 View)		malware discovery (In 1 View)
SP SEQUENCE (In 1 View)		SP SEQUENCE (In 1 View)
Resolved Assets (In 1 View)		Resolved Assets (In 1 View)
INITIAL UNKNOWN INFECTED ASSETS (In 1 View)		INITIAL UNKNOWN INFECTED ASSETS (In 1 View)
total infectious contact (In 1 View)		total infectious contact (In 1 View)
CONTACT FREQUENCY (In 1 View)		CONTACT FREQUENCY (In 1 View)
SP IMPACT (In 1 View)		SP IMPACT (In 1 View)
INITIAL UNKNOWN MALWARE (In 1 View)		INITIAL UNKNOWN MALWARE (In 1 View)
DETECTON EFFECTIVENESS (In 1 View)		DETECTON EFFECTIVENESS (In 1 View)
DEFENSE PERFORMANCE (In 1 View)		DEFENSE PERFORMANCE (In 1 View)
Aware Employees (In 1 View)		Aware Employees (In 1 View)
INITIAL SUSCEPTIBLE ASSETS (In 1 View)		INITIAL SUSCEPTIBLE ASSETS (In 1 View)
AVG TIME TO LOSE ATTENTION (In 1 View)		AVG TIME TO LOSE ATTENTION (In 1 View)
INITIAL RESOLVED ASSETS (In 1 View)		INITIAL RESOLVED ASSETS (In 1 View)
INFECTION RATE IN EUROPE (In 1 View)		INFECTION RATE IN EUROPE (In 1 View)
unknown malware campaign trend (In 1 View)		unknown malware campaign trend (In 1 View)
VICTIMS PER ATTACK (In 1 View)		VICTIMS PER ATTACK (In 1 View)
unknown malware ratio (In 1 View)		unknown malware ratio (In 1 View)
Unknown Malware (In 1 View)		Unknown Malware (In 1 View)
TIME FOR ATTACKS (In 1 View)		TIME FOR ATTACKS (In 1 View)
TIME TO DISCOVER MALWARE (In 1 View)		TIME TO DISCOVER MALWARE (In 1 View)
creating awareness culture (In 1 View)		creating awareness culture (In 1 View)
increase awareness (In 1 View)		increase awareness (In 1 View)
RANDOMIZER (In 1 View)		RANDOMIZER (In 1 View)
Known Malware (In 1 View)		Known Malware (In 1 View)
AD RISK SCORE LEVEL DETECTION (In 1 View)		AD RISK SCORE LEVEL DETECTION (In 1 View)
Awareness Decay (In 1 View)		Awareness Decay (In 1 View)
insecure behavior of employees (In 1 View)		insecure behavior of employees (In 1 View)
total daily contacts by infecteds (In 1 View)		total daily contacts by infecteds (In 1 View)
PROBABILITY OF ATTACKING THE DEFENDER ORGANISATION (In 1 View)		PROBABILITY OF ATTACKING THE DEFENDER ORGANISATION (In 1 View)
Susceptible Assets (In 1 View)		Susceptible Assets (In 1 View)
stopping malware attack (In 1 View)		stopping malware attack (In 1 View)
UM INTENSITY (In 1 View)		UM INTENSITY (In 1 View)
SP FRACTION BACKDOOR & STEALERS (In 1 View)		SP FRACTION BACKDOOR & STEALERS (In 1 View)
INITIAL UNAWARE EMPLOYEES (In 1 View)		INITIAL UNAWARE EMPLOYEES (In 1 View)
detection rate (In 1 View)		detection rate (In 1 View)
MALWARE CREATION DELAY (In 1 View)		MALWARE CREATION DELAY (In 1 View)
INITIAL AWARE EMPLOYEES (In 1 View)		INITIAL AWARE EMPLOYEES (In 1 View)
TIME TO BECOME SUSCEPTIBLE (In 1 View)		TIME TO BECOME SUSCEPTIBLE (In 1 View)
FRACTION OF SENSORS NOT FUNCTIONING (In 1 View)		FRACTION OF SENSORS NOT FUNCTIONING (In 1 View)
AVERAGE TIME TO CLEAN UP (In 1 View)		AVERAGE TIME TO CLEAN UP (In 1 View)
MALWARE CREATED PER UNSUCCESFUL ATTACK (In 1 View)		MALWARE CREATED PER UNSUCCESFUL ATTACK (In 1 View)
SW spearphishing (In 1 View)		SW spearphishing (In 1 View)
SINGLE DEVICE CLEAN UP CAPACITY (In 1 View)		SINGLE DEVICE CLEAN UP CAPACITY (In 1 View)
SW campain trend (In 1 View)		SW campain trend (In 1 View)
Unknown Infected Assets (In 1 View)		Unknown Infected Assets (In 1 View)
becoming susceptible rate (In 1 View)		becoming susceptible rate (In 1 View)
UM SEQUENCE (In 1 View)		UM SEQUENCE (In 1 View)
Malware Attack reached Organization (In 1 View)		Malware Attack reached Organization (In 1 View)
Known Infected Assets (In 1 View)		Known Infected Assets (In 1 View)
PERCENTAGE OF WORMS (In 1 View)		PERCENTAGE OF WORMS (In 1 View)
clean up rate (In 1 View)		clean up rate (In 1 View)
month adj (In 1 View)		month adj (In 1 View)
malware listing effectiveness (In 1 View)		malware listing effectiveness (In 1 View)
DETECTION DELAY (In 1 View)		DETECTION DELAY (In 1 View)
NUMBER OF DEFENSIVE LAYERS (In 1 View)		NUMBER OF DEFENSIVE LAYERS (In 1 View)
Unaware Employees (In 1 View)		Unaware Employees (In 1 View)
FRACTION OF EMPLOYEES TRAINED FOR AWARENESS (In 1 View)		FRACTION OF EMPLOYEES TRAINED FOR AWARENESS (In 1 View)
malware creation due to adversary learning (In 1 View)		malware creation due to adversary learning (In 1 View)
known malware campaign trend (In 1 View)		known malware campaign trend (In 1 View)
INITIAL KNOWN INFECTED ASSETS (In 1 View)		INITIAL KNOWN INFECTED ASSETS (In 1 View)
being a victim of a malware attack (In 1 View)		being a victim of a malware attack (In 1 View)
INITIAL KNOWN MALWARE (In 1 View)		INITIAL KNOWN MALWARE (In 1 View)
TARGET ATTRACTIVENESS (In 1 View)		TARGET ATTRACTIVENESS (In 1 View)
CONTACT FREQUENCY BETWEEN EMPLOYEES (In 1 View)		CONTACT FREQUENCY BETWEEN EMPLOYEES (In 1 View)
total unsuccessful attack (In 1 View)		total unsuccessful attack (In 1 View)
Total:	83	Total:
	security view