A Case-Control Study to Measure Behavioral Risks of Malware Encounters in Organizations

The behavior of enterprise users (e.g. browsing at night or visiting gambling sites) is a potential factor that might increase the chances of malware encounters (e.g. coinminers vs ransomware) on the field. We report a case-control study on telemetry data collected by Trend Micro, a global cybersecurity vendor, to identify users' behavioral characteristics that can be used to differentiate cybersecurity risks profiles. Our results show that different types of 'patients zero' are vulnerable to different types of epidemics. The odds ratio of encountering malware such as PUAs, trojans, and hacktools is higher for a variety of network and system behavior (e.g. number, types, and diversity of visited web sites, visit of gambling sites, etc.) but it is not significant for other factors such as browsing at night. Other type of malware such as coinminers have an increase in the odds ratio only for few type of factors (e.g. gambling web sites). We also present a specific methodology tailored for investigating self-propagating malware such as ransomware in which one is infected by one's neighbor. With this approach, we observed a more accurate characterization of the odds of encountering ransomware based on system-based behaviors than with a standard case-control study setup. Experiments with different vendors may be needed to generalize the results and offset potential bias due to differences in market share.