Window of Vulnerability for a Single Botnet

The average overall detection time of this botnet virus may be computed as the weighted average 60% × 20 days + 40% × 60 days = 36 days. So on average we are vulnerable to a single botnet for 36 days. The discipline of probability management¹ provides additional insights by explicitly representing the entire distribution as a set of historical or simulated realizations called SIPs.² Figure B.10 displays the SIPs (in this example, 10,000 simulated outcomes) of both distributions in Figure B.9. Performing calculations with SIPs (SIPmath) can be done in numerous software environments, including the native spreadsheet.

Recently Microsoft Excel has become powerful enough to process SIPs of thousands of trials using its Data Table function.³ Figure B.11 displays such a SIPmath model that combines the two distributions of Figure B.9 to create a distribution of overall time to detection across both security layers.

This workbook takes the two SIPs of Figure B.10 as input and then performs 10,000 calculations of cell C6 that randomly chooses the layer 1 distribution 60% of the time and the layer 2 SIP 40% of the time. The resulting distribution clearly displays the two modes of detection. Press the calculate key (F9 in Windows, ⌘ = on Mac) to perform a new simulation of 10,000 trials. Note that the simulated average is very close to the theoretical value of 36 days, yet 36 is a very unlikely outcome of the distribution. Also note that because the distribution is asymmetric, the chance of vulnerability of less than the average of 36 days is not 50% but 63%. Experiment with the chance of discovery at layer 1 in cell D3 and the number of days in B11 to see how the distribution, average, and chance change.

The formula used for calculating the average detection time over both layers was technically correct in that it yielded 36 days, but it provides no clue about the distribution. This is what I call the weak form of the flaw of averages. The strong form is considerably worse, in that you don't even get the right average. The model of Figure B.7 created a SIP of its own, which we can now use to explore the impact of multiple simultaneous botnet attacks.

Window of Vulnerability for Multiple Botnets

Suppose we put a new system online, which is immediately attacked by multiple viruses that all have the same distribution of detection times. Since each virus is detected in an average of 36 days, you might think that the average vulnerability is again 36 days, as it was for the single virus. But it is not, because your system remains vulnerable until the last of the botnets is detected.

Figure B.12 displays the SIPs of 10 botnet detection times generated by the simulation of Figure B.11. They all have the same numbers, but the order has been scrambled in each to make them statistically independent.

These SIPs are used in the model in Figure B.13, which calculates the distribution of the maximum of the detection times of all botnets in cell C14. Note that you can adjust the number of botnets from between 1 and 10 with the spinner control in column E. Before experimenting with this model, close the model of Figure B.11, as it contains a Rand() formula, which can slow down the calculation.

Note that the average days of vulnerability increase as the number of simultaneous attacks goes up, and that the chance of coming in at less than 36 days diminishes. This is an example of the strong form of the flaw of averages, and for 10 botnets, the average is 78 days, with a 1% chance of being less than 36.

Such modeling could easily be generalized to reflect different variants of viruses attacking at random times instead of all at once. Such insights into the proportion of time when you would expect your system to be vulnerable are vital to making investment decisions involving mitigation strategies.