Cyber Power Through Propagation Control
DOI:
https://doi.org/10.34190/eccws.25.1.4680
Keywords:
Cyber epidemiology, Cyber resilience, Security telemetry, Propagation thresholds, Attack graph modelling, Reproduction number (R₀)
Abstract
Enterprise cyber defense operates in telemetry-saturated environments, yet major incidents continue to escalate through rapid, large-scale propagation. Failure rarely stems from lack of visibility; it reflects inability to suppress spread across interconnected systems before compromise becomes self-sustaining. Contemporary cyber operations exploit trust relationships and identity infrastructure to convert initial access into distributed control, overwhelming response capacity despite extensive sensing. This exposes a measurement gap: defenders lack a defensible method for assessing whether an environment can contain propagation once intrusion begins. We propose a cyber-epidemiological model of intrusion propagation that treats the enterprise as a population distributed across a directed graph of trust, privilege, and service relationships. Compromise is modeled as a dynamic process rather than a binary outcome, and defensive cyber operations are treated as endogenous counterforces that directly compete with attacker-driven spread. We formalize a compartmental S-E-I-Q-R model in which susceptible, exposed, infectious, quarantined, and recovered states correspond to operational phases of cyber campaigns, including foothold establishment, activation, lateral movement, isolation, and remediation. This formulation extends prior cyber-epidemic models by explicitly incorporating enterprise identity architecture and active defensive response dynamics central to modern cyber conflict. Building on this model, we derive a cyber reproduction number, R₀, using a next-generation matrix approach. R₀ represents the expected number of secondary infectious compromises generated by a single infectious node in an otherwise susceptible environment. Interpreted as an environmental threshold, R₀ distinguishes escalation from containment: when R₀ exceeds unity, propagation outpaces defensive action; when R₀ falls below unity, containment dominates and campaigns tend to collapse. 
R₀ characterizes environmental susceptibility to sustained cyber operations, independent of attacker identity or tooling. To operationalize the framework without experiments, the paper proposes a telemetry-driven method for estimating model parameters from standard security operations center and incident response artifacts. The result is a defensible analytic lens linking security architecture, defensive operations, and campaign outcomes, supporting prioritization decisions that constrain adversary freedom of action, reduce coercive cyber power, and strengthen deterrence by denial at both enterprise and national scales.
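The threshold behaviour described in the abstract, as an added example that is not taken from the paper: a mean-field next-generation calculation of R₀ on a small directed trust graph, showing how a faster isolation rate or one removed trust edge moves R₀ across 1. Assumptions: the four-node graph, the uniform per-day rates (`beta` spread per edge, `sigma` activation, `q_e` and `q_i` quarantine of exposed and infectious nodes, `gamma` remediation) and all function names are constructed for illustration; under uniform rates R₀ reduces to the activation probability times `beta` times the spectral radius of the graph, divided by `q_i + gamma`.

```python
# Added illustration; graph and rates are constructed assumptions, not the paper's.

def spectral_radius(adj, iters=500):
    """Perron root of a non-negative matrix by power iteration on (A + I).

    The identity shift keeps the iteration convergent on cyclic graphs;
    for non-negative A, rho(A) = rho(A + I) - 1.
    """
    n = len(adj)
    x = [1.0] * n
    lam = 1.0
    for _ in range(iters):
        y = [x[j] + sum(adj[j][i] * x[i] for i in range(n)) for j in range(n)]
        lam = max(y)
        x = [v / lam for v in y]
    return lam - 1.0

def r0(adj, beta, sigma, q_e, q_i, gamma):
    """Expected secondary infectious nodes per infectious node (mean-field)."""
    p_activate = sigma / (sigma + q_e)     # foothold activates before quarantine
    infectious_time = 1.0 / (q_i + gamma)  # mean time spent moving laterally
    return p_activate * beta * spectral_radius(adj) * infectious_time

def min_isolation_rate(adj, beta, sigma, q_e, gamma):
    """Smallest quarantine rate q_i that keeps R0 at or below 1."""
    return max(0.0, sigma / (sigma + q_e) * beta * spectral_radius(adj) - gamma)

def without_edge(adj, src, dst):
    """Copy of the trust graph with one edge removed (e.g. segmentation)."""
    out = [row[:] for row in adj]
    out[src][dst] = 0
    return out

# Constructed trust graph: TRUST[j][i] = 1 when a compromised j can reach i.
# Order: workstation, jump host, domain controller, file server.
TRUST = [
    [0, 1, 0, 1],
    [0, 0, 1, 0],
    [1, 1, 0, 1],
    [0, 0, 0, 0],
]
RATES = dict(beta=0.6, sigma=2.0, q_e=0.5, gamma=0.25)  # per day, assumed

if __name__ == "__main__":
    print("baseline R0       %.3f" % r0(TRUST, q_i=0.25, **RATES))
    print("isolate in 1 day  %.3f" % r0(TRUST, q_i=1.0, **RATES))
    print("drop ws->jump     %.3f" % r0(without_edge(TRUST, 0, 1), q_i=0.25, **RATES))
    print("q_i for R0 = 1    %.3f" % min_isolation_rate(TRUST, **RATES))
```

With these constructed values the baseline sits above the threshold, while either isolating infectious nodes within about a day or removing the workstation-to-jump-host edge brings R₀ below 1.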
License
Copyright (c) 2026 European Conference on Cyber Warfare and Security

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.