{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,3]],"date-time":"2026-02-03T18:01:29Z","timestamp":1770141689445,"version":"3.49.0"},"reference-count":42,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2023,4,12]],"date-time":"2023-04-12T00:00:00Z","timestamp":1681257600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"European Research Council"},{"name":"European Unions Horizon 2020 research and innovation programme","award":["771844"],"award-info":[{"award-number":["771844"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2023,5,31]]},"abstract":"<jats:p>Malware is still a widespread problem, and it is used by malicious actors to routinely compromise the security of computer systems. Consumers typically rely on a single AV product to detect and block possible malware infections, while corporations often install multiple security products, activate several layers of defenses, and establish security policies among employees. However, if a better security posture should lower the risk of malware infections, then the actual extent to which this happens is still under debate by risk analysis experts. Moreover, the difference in risks encountered by consumers and enterprises has never been empirically studied by using real-world data.<\/jats:p>\n          <jats:p>In fact, the mere use of third-party software, network services, and the interconnected nature of our society necessarily exposes both classes of users to undiversifiable risks: Independently from how careful users are and how well they manage their cyber hygiene, a portion of that risk would simply exist because of the fact of using a computer, sharing the same networks, and running the same software.<\/jats:p>\n          <jats:p>In this work, we shed light on both systemic (i.e., diversifiable and dependent on the security posture) and systematic (i.e., undiversifiable and independent of the cyber hygiene) risk classes. Leveraging the telemetry data of a popular security company, we compare, in the first part of our study, the effects that different security measures have on malware encounter risks in consumer and enterprise environments. In the second part, we conduct exploratory research on systematic risk, investigate the quality of nine different indicators we were able to extract from our telemetry, and provide, for the first time, quantitative indicators of their predictive power.<\/jats:p>\n          <jats:p>Our results show that even if consumers have a slightly lower encounter rate than enterprises (9.8% vs. 12.0%), the latter do considerably better when selecting machines with an increasingly higher uptime (89% vs. 53%). The two segments also diverge when we separately consider the presence of Adware and Potentially Unwanted Applications (PUA) and the generic samples detected through behavioral signatures: While consumers have an encounter rate for Adware and PUA that is 6 times higher than enterprise machines, those on average match behavioral signatures 2 times more frequently than the counterpart. We find, instead, similar trends when analyzing the age of encountered signatures, and the prevalence of different classes of traditional malware (such as Ransomware and Cryptominers). Finally, our findings show that the amount of time a host is active, the volume of files generated on the machine, the number and reputation of vendors of the installed applications, the host geographical location, and its recurrent infected state carry useful information as indicators of systematic risk of malware encounters. Activity days and hours have a higher influence in the risk of consumers, increasing the odds of encountering malware of 4.51 and 2.65 times. In addition, we measure that the volume of files generated on the host represents a reliable indicator, especially when considering Adware. We further report that the likelihood of encountering Worms and Adware is much higher (on average 8 times in consumers and enterprises) for those machines that already reported this kind of signature in the past.<\/jats:p>","DOI":"10.1145\/3565362","type":"journal-article","created":{"date-parts":[[2022,10,3]],"date-time":"2022-10-03T12:26:51Z","timestamp":1664800011000},"page":"1-30","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":4,"title":["A Comparison of Systemic and Systematic Risks of Malware Encounters in Consumer and Enterprise Environments"],"prefix":"10.1145","volume":"26","author":[{"given":"Savino","family":"Dambra","sequence":"first","affiliation":[{"name":"Eurecom, Biot, France"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Leyla","family":"Bilge","sequence":"additional","affiliation":[{"name":"Norton Research Group, France"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[{"name":"Eurecom, Biot, France"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,4,12]]},"reference":[{"key":"e_1_3_3_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134022"},{"key":"e_1_3_3_3_2","volume-title":"Proceedings of the USENIX Security Symposium","author":"Caballero Juan","year":"2011","unstructured":"Juan Caballero, Chris Grier, Christian Kreibich, and Vern Paxson. 2011. Measuring pay-per-install: The commoditization of malware distribution. In Proceedings of the USENIX Security Symposium. The Advanced Computing Systems Association."},{"key":"e_1_3_3_4_2","doi-asserted-by":"publisher","DOI":"10.1017\/CBO9781139013567"},{"key":"e_1_3_3_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/2590296.2590347"},{"key":"e_1_3_3_6_2","unstructured":"Cisco. 2019. Cisco Annual Cybersecurity Report. Retrieved from https:\/\/www.cisco.com\/c\/dam\/m\/hu_hu\/campaigns\/security-hub\/pdf\/acr-2018.pdf."},{"key":"e_1_3_3_7_2","unstructured":"John Cloonan. 2017. Advanced Malware Detection\u2014Signatures vs. Behavior Analysis. Retrieved from https:\/\/www.infosecurity-magazine.com\/opinions\/malware-detection-signatures\/."},{"key":"e_1_3_3_8_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.irfa.2019.101386"},{"key":"e_1_3_3_9_2","unstructured":"Retrieved from https:\/\/ www.eastwest.ngo\/sites\/default\/files\/ideas-files\/cyber-insurance-and-systemic-market-risk.pdf 2018 Cyber Insurance and Systemic Market Risk"},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00019"},{"key":"e_1_3_3_11_2","first-page":"2189","volume-title":"Proceedings of the 31st USENIX Security Symposium (USENIX Security\u201922)","author":"Dambra Savino","year":"2022","unstructured":"Savino Dambra, Iskander Sanchez-Rola, Leyla Bilge, and Davide Balzarotti. 2022. When Sally met trackers: Web tracking from the users\u2019 perspective. In Proceedings of the 31st USENIX Security Symposium (USENIX Security\u201922). 2189\u20132206."},{"key":"e_1_3_3_12_2","unstructured":"Retrieved from https:\/\/www.aig.ie\/latest-insights\/is-cyber-risk-systemic 2017 Is Cyber Risk Systemic?"},{"key":"e_1_3_3_13_2","unstructured":"Retrieved from https:\/\/en.wikipedia.org\/wiki\/ISO_3166-1 1997 ISO 3166-1"},{"key":"e_1_3_3_14_2","article-title":"Kaspersky Security Bulletin 2018. Threat Predictions for 2019","year":"2018","unstructured":"Kaspersky. 2018. Kaspersky Security Bulletin 2018. Threat Predictions for 2019. Retrieved from https:\/\/bit.ly\/2Wq5eIw.","journal-title":"Retrieved from https:\/\/bit.ly\/2Wq5eIw"},{"key":"e_1_3_3_15_2","article-title":"Microsoft Security Intelligence Report","author":"Kelley Diana","year":"2019","unstructured":"Diana Kelley. 2019. Microsoft Security Intelligence Report. Retrieved from https:\/\/www.microsoft.com\/security\/blog\/2019\/02\/28\/microsoft-security-intelligence-report-volume-24-is-now-available.","journal-title":"Retrieved from https:\/\/www.microsoft.com\/security\/blog\/2019\/02\/28\/microsoft-security-intelligence-report-volume-24-is-now-available"},{"key":"e_1_3_3_16_2","doi-asserted-by":"publisher","DOI":"10.5555\/3241094.3241152"},{"key":"e_1_3_3_17_2","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23522"},{"key":"e_1_3_3_18_2","article-title":"McAfee Labs Threats Report","author":"Labs McAfee","year":"2018","unstructured":"McAfee Labs. 2018. McAfee Labs Threats Report. Retrieved from https:\/\/www.mcafee.com\/enterprise\/en-us\/assets\/reports\/rp-quarterly-threats-dec-2018.pdf.","journal-title":"Retrieved from https:\/\/www.mcafee.com\/enterprise\/en-us\/assets\/reports\/rp-quarterly-threats-dec-2018.pdf"},{"key":"e_1_3_3_19_2","article-title":"2019 State of Malware","author":"labs MalwareBytes","year":"2019","unstructured":"MalwareBytes labs. 2019. 2019 State of Malware. Retrieved from https:\/\/resources.malwarebytes.com\/files\/2019\/01\/Malwarebytes-Labs-2019-State-of-Malware-Report-2.pdf.","journal-title":"Retrieved from https:\/\/resources.malwarebytes.com\/files\/2019\/01\/Malwarebytes-Labs-2019-State-of-Malware-Report-2.pdf"},{"key":"e_1_3_3_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2017.59"},{"key":"e_1_3_3_21_2","doi-asserted-by":"publisher","DOI":"10.1109\/MALWARE.2014.6999412"},{"key":"e_1_3_3_22_2","first-page":"1009","volume-title":"Proceedings of the 24th USENIX Security Symposium","author":"Liu Yang","year":"2015","unstructured":"Yang Liu, Armin Sarabi, Jing Zhang, Parinaz Naghizadeh, Manish Karir, Michael Bailey, and Mingyan Liu. 2015. Cloudy with a chance of breach: Forecasting cyber security incidents. In Proceedings of the 24th USENIX Security Symposium. 1009\u20131024."},{"key":"e_1_3_3_23_2","doi-asserted-by":"publisher","DOI":"10.1145\/2713579.2713582"},{"key":"e_1_3_3_24_2","article-title":"Visualization with Python","year":"2022","unstructured":"Matplotlib. 2022. Visualization with Python. Retrieved from https:\/\/matplotlib.org\/.","journal-title":"Retrieved from https:\/\/matplotlib.org\/"},{"key":"e_1_3_3_25_2","first-page":"1","volume-title":"Proceedings of the Symposium and Bootcamp on the Science of Security","author":"Mezzour Ghita","year":"2015","unstructured":"Ghita Mezzour, Kathleen M. Carley, and L. Richard Carley. 2015. An empirical study of global malware encounters. In Proceedings of the Symposium and Bootcamp on the Science of Security. 1\u201311."},{"key":"e_1_3_3_26_2","article-title":"Global mapping of cyber attacks","author":"Mezzour Ghita","year":"2014","unstructured":"Ghita Mezzour, L. Carley, and Kathleen M. Carley. 2014. Global mapping of cyber attacks. Retrieved from SSRN 2729302 (2014).","journal-title":"Retrieved from SSRN 2729302"},{"key":"e_1_3_3_27_2","doi-asserted-by":"publisher","DOI":"10.1093\/esr\/jcp006"},{"key":"e_1_3_3_28_2","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS)","author":"Moshchuk Alexander","year":"2006","unstructured":"Alexander Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy. 2006. A crawler-based study of spyware in the web. In Proceedings of the Network and Distributed System Security Symposium (NDSS)."},{"key":"e_1_3_3_29_2","article-title":"The fundamental package for scientific computing with Python","year":"2022","unstructured":"Numpy. 2022. The fundamental package for scientific computing with Python. Retrieved from https:\/\/numpy.org\/.","journal-title":"Retrieved from https:\/\/numpy.org\/"},{"key":"e_1_3_3_30_2","article-title":"Python data analysis library","year":"2022","unstructured":"Pandas. 2022. Python data analysis library. Retrieved from https:\/\/pandas.pydata.org\/.","journal-title":"Retrieved from https:\/\/pandas.pydata.org\/"},{"key":"e_1_3_3_31_2","article-title":"The Ultimate List of Cyber Security Statistics for 2019","year":"2019","unstructured":"PurpleSec. 2019. The Ultimate List of Cyber Security Statistics for 2019. Retrieved from https:\/\/purplesec.us\/resources\/cyber-security-statistics\/.","journal-title":"Retrieved from https:\/\/purplesec.us\/resources\/cyber-security-statistics\/"},{"key":"e_1_3_3_32_2","unstructured":"Retrieved from http:\/\/web.stanford.edu\/csimoiu\/doc\/Global_CRQ_Network_Report.pdf 2018 Quantifying Systemic Cyber Risk"},{"key":"e_1_3_3_33_2","article-title":"Content analysis of cyber insurance policies: How do carriers write policies and price cyber risk?","author":"Romanosky Sasha","year":"2017","unstructured":"Sasha Romanosky, Lilian Ablon, Andreas Kuehn, and Therese Jones. 2017. Content analysis of cyber insurance policies: How do carriers write policies and price cyber risk? Retrieved from SSRN 2929137 (2017).","journal-title":"Retrieved from SSRN 2929137"},{"key":"e_1_3_3_34_2","volume-title":"Proceedings of the Workshop on the Economics of Information Security","author":"Sarabi Armin","year":"2015","unstructured":"Armin Sarabi, Parinaz Naghizadeh, Yang Liu, and Mingyan Liu. 2015. Prioritizing security spending: A quantitative analysis of risk distributions for different business profiles. In Proceedings of the Workshop on the Economics of Information Security."},{"key":"e_1_3_3_35_2","article-title":"Machine Learning in Python","year":"2022","unstructured":"Scikit-learn. 2022. Machine Learning in Python. Retrieved from https:\/\/scikit-learn.org\/stable\/.","journal-title":"Retrieved from https:\/\/scikit-learn.org\/stable\/"},{"key":"e_1_3_3_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243779"},{"key":"e_1_3_3_37_2","article-title":"Desktop Operating System Market Share Worldwide","year":"2022","unstructured":"StatCounter. 2022. Desktop Operating System Market Share Worldwide. Retrieved from https:\/\/gs.statcounter.com\/os-market-share\/desktop\/worldwide.","journal-title":"Retrieved from https:\/\/gs.statcounter.com\/os-market-share\/desktop\/worldwide"},{"key":"e_1_3_3_38_2","article-title":"Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019","author":"Moore Susan","year":"2018","unstructured":"Susan Moore and Emma Keen. 2018. Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019. Retrieved from https:\/\/gtnr.it\/2zQUueM.","journal-title":"Retrieved from https:\/\/gtnr.it\/2zQUueM"},{"key":"e_1_3_3_39_2","article-title":"Internet Security Threat Report","year":"2019","unstructured":"Symantec. 2019. Internet Security Threat Report. Retrieved from https:\/\/docs.broadcom.com\/doc\/istr-24-executive-summary-en.","journal-title":"Retrieved from https:\/\/docs.broadcom.com\/doc\/istr-24-executive-summary-en"},{"key":"e_1_3_3_40_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-662-47854-7_2"},{"key":"e_1_3_3_41_2","article-title":"Cybersecurity: Industry Overview, Market Map, Global Investments","author":"Ventures OMERS","year":"2019","unstructured":"OMERS Ventures. 2019. Cybersecurity: Industry Overview, Market Map, Global Investments. Retrieved from https:\/\/ bit.ly\/2L52hbn.","journal-title":"Retrieved from https:\/\/ bit.ly\/2L52hbn"},{"key":"e_1_3_3_42_2","article-title":"Usage statistics of operating systems for websites","year":"2022","unstructured":"W3techs. 2022. Usage statistics of operating systems for websites. Retrieved from https:\/\/w3techs.com\/technologies\/overview\/operating_system.","journal-title":"Retrieved from https:\/\/w3techs.com\/technologies\/overview\/operating_system"},{"key":"e_1_3_3_43_2","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660330"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3565362","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3565362","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:12Z","timestamp":1750178232000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3565362"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,4,12]]},"references-count":42,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2023,5,31]]}},"alternative-id":["10.1145\/3565362"],"URL":"https:\/\/doi.org\/10.1145\/3565362","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,4,12]]},"assertion":[{"value":"2021-08-09","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-09-26","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-04-12","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}