Modeling the occurrence of computer security incidents within a defined population of computers can be used to help understand some of factors contributing to risk and transmission of these incidents among the population. A better understanding of these factors can be used to determine appropriate intervention actions that can be applied to the population, which may also be evaluated through the application of models. Explanatory models attempt to include and account for various primary factors that affect the occurrence of computer security incidents.

Models based on observed security incidents may also be used to evaluate interventions even when explanatory models may not exist or may be difficult to formulate or express for a particular incident type. Forecasting models can be used to project the occurrence of incidents in the future and these projections can be compared to actual observations before and after interventions are applied.

The following aspects of modeling computer security incidents are explored: (1) the presentation and discussion of adapting some commonly used infectious disease models for modeling the spread of some types of computer security incidents along with applicable intervention actions; (2) an illustration of how these types of models could be applied to making resource allocation decisions regarding intervention efforts; (3) the presentation and comparison of models that can be used for tracking/forecasting security incidents and monitoring the impact of interventions; (4) the presentation of a method for estimating model features and parameter distributions from observed data; and (5) the exploration of some population characteristics and models for evaluating where to focus or target intervention actions.

When resources for responding to or preventing computer security incidents are limited or constrained, the ability to accurately model and evaluate intervention actions can be a useful tool for making the most of these resources.