; ============================================================= ; ISO 27001 DMDU Agent-Based Model v2 — Production ; Cluster 0 (18 controls) ; Sector: data-regulated ; Hub: A.8.12 ; Max coupling weight: 5.50 ; Generated: 2026-04-01T20:23:42.632Z ; ============================================================= ; All dynamics derive from slider parameters and coupling weights. ; No hardcoded thresholds or rates in the go procedure. ; Category-specific behaviour controlled via base-decay-multiplier ; and org-maturity sliders, not baked-in constants. ; ============================================================= globals [ system-effectiveness ; weighted mean across all agents min-agent-effectiveness ; weakest single agent cascade-count ; cumulative cascade events cascade-this-tick ; cascades in current tick recovery-ticks ; ticks to recover after shock shock-active? ; is a shock event in progress? shock-tick ; tick when shock occurred total-investment ; cumulative investment units spent threat-level ; current adaptive threat pressure (0-1) audit-due? ; flag for audit cycle max-coupling-weight ; for normalising coupling effects ] turtles-own [ ctrl-id ; ISO control ID ctrl-name ; human-readable name ctrl-category ; org | ppl | phy | tech effectiveness ; 0.0 to 1.0 base-effectiveness ; initial effectiveness is-hub? ; cluster hub flag sector-weight ; Tier 2 sector weight last-investment-tick ; tick of last refresh/patch/review workaround-level ; 0-1, bypass adoption (all categories) drift-accumulator ; accumulated config/procedural drift category-decay-base ; base decay rate for this category active? ; whether this agent participates in simulation is-optional? ; whether this is a bridge control (toggleable) ] links-own [ coupling-type ; "info-flow" | "resource" | "temporal" | "failure" coupling-weight ; from cluster analysis normalised-weight ; coupling-weight / max-coupling-weight coupling-mechanism ; description ] to setup clear-all set cascade-count 0 set cascade-this-tick 0 set shock-active? false set recovery-ticks 0 set total-investment 0 set threat-level initial-threat-level set audit-due? false set max-coupling-weight 5.50 create-turtles 1 [ set ctrl-id "5.7" set ctrl-name "Threat intelligence" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? false set active? true set color 105 set size 2 setxy 10 0 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "5.9" set ctrl-name "Inventory of information and other associated assets" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? false set active? true set color 105 set size 2 setxy 10 2 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "5.12" set ctrl-name "Classification of information" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.80 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? false set active? true set color 105 set size 2 setxy 9 5 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "5.13" set ctrl-name "Labelling of information" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.60 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? false set active? true set color 105 set size 2 setxy 7 7 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "5.14" set ctrl-name "Information transfer" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? false set active? true set color 105 set size 2 setxy 6 8 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "5.19" set ctrl-name "Information security in supplier relationships" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.80 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? false set active? true set color 105 set size 2 setxy 4 9 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "5.21" set ctrl-name "Managing information security in the ICT supply chain" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? false set active? true set color 105 set size 2 setxy 1 10 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "5.22" set ctrl-name "Monitoring, review and change management of supplier services" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? false set active? true set color 105 set size 2 setxy -1 10 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "5.34" set ctrl-name "Privacy and protection of PII" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 2.50 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? false set active? true set color 105 set size 2 setxy -4 9 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "6.6" set ctrl-name "Confidentiality or non-disclosure agreements" set ctrl-category "ppl" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 1.50 set is-optional? false set active? true set color 55 set size 2 setxy -6 8 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "7.10" set ctrl-name "Storage media" set ctrl-category "phy" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.70 set is-optional? false set active? true set color 25 set size 2 setxy -7 7 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "7.14" set ctrl-name "Secure disposal or re-use of equipment" set ctrl-category "phy" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.70 set is-optional? false set active? true set color 25 set size 2 setxy -9 5 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "8.10" set ctrl-name "Information deletion" set ctrl-category "tech" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.80 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 1.00 set is-optional? false set active? true set color 125 set size 2 setxy -10 2 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "8.11" set ctrl-name "Data masking" set ctrl-category "tech" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 2.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 1.00 set is-optional? false set active? true set color 125 set size 2 setxy -10 0 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "8.12" set ctrl-name "Data leakage prevention" set ctrl-category "tech" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? true set sector-weight 2.20 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 1.00 set is-optional? false set active? true set color 125 set size 3 setxy -10 -2 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "8.16" set ctrl-name "Monitoring activities" set ctrl-category "tech" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 2.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 1.00 set is-optional? false set active? true set color 125 set size 2 setxy -9 -5 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "8.30" set ctrl-name "Outsourced development" set ctrl-category "tech" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 1.00 set is-optional? false set active? true set color 125 set size 2 setxy -7 -7 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "8.33" set ctrl-name "Test information" set ctrl-category "tech" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 1.00 set is-optional? false set active? true set color 125 set size 2 setxy -6 -8 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "8.8" set ctrl-name "Management of technical vulnerabilities" set ctrl-category "tech" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 1.00 set is-optional? true set active? include-A.8-8 ifelse active? [ show-turtle ] [ hide-turtle ] set color 125 set size 1.5 setxy -5 -13 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "5.20" set ctrl-name "Addressing information security within supplier agreements" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? true set active? include-A.5-20 ifelse active? [ show-turtle ] [ hide-turtle ] set color 105 set size 1.5 setxy -2 -14 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "5.23" set ctrl-name "Information security for use of cloud services" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? true set active? include-A.5-23 ifelse active? [ show-turtle ] [ hide-turtle ] set color 105 set size 1.5 setxy 2 -14 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "5.24" set ctrl-name "Information security incident management planning and preparation" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.60 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? true set active? include-A.5-24 ifelse active? [ show-turtle ] [ hide-turtle ] set color 105 set size 1.5 setxy 5 -13 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "8.25" set ctrl-name "Secure development lifecycle" set ctrl-category "tech" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 1.00 set is-optional? true set active? include-A.8-25 ifelse active? [ show-turtle ] [ hide-turtle ] set color 125 set size 1.5 setxy 8 -12 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "5.10" set ctrl-name "Acceptable use of information and other associated assets" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.00 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? true set active? include-A.5-10 ifelse active? [ show-turtle ] [ hide-turtle ] set color 105 set size 1.5 setxy 10 -9 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "5.33" set ctrl-name "Protection of records" set ctrl-category "org" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.80 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 0.50 set is-optional? true set active? include-A.5-33 ifelse active? [ show-turtle ] [ hide-turtle ] set color 105 set size 1.5 setxy 12 -7 set label ctrl-id set label-color white - 3 ] create-turtles 1 [ set ctrl-id "6.3" set ctrl-name "Information security awareness, education and training" set ctrl-category "ppl" set effectiveness org-maturity set base-effectiveness effectiveness set is-hub? false set sector-weight 1.40 set last-investment-tick 0 set workaround-level 0 set drift-accumulator 0 set category-decay-base 1.50 set is-optional? true set active? include-A.6-3 ifelse active? [ show-turtle ] [ hide-turtle ] set color 55 set size 1.5 setxy 14 -3 set label ctrl-id set label-color white - 3 ] ask turtle 0 [ create-link-to turtle 14 [ set coupling-type "info-flow" set coupling-weight 2.20 set normalised-weight 0.400 set coupling-mechanism "Threat data informs data leakage prevention rule tuning" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 0 [ create-link-to turtle 15 [ set coupling-type "info-flow" set coupling-weight 2.00 set normalised-weight 0.364 set coupling-mechanism "Threat intelligence drives monitoring rule adjustments" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 1 [ create-link-to turtle 2 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Inventory provides the set of assets requiring classification" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 1 [ create-link-to turtle 3 [ set coupling-type "info-flow" set coupling-weight 1.60 set normalised-weight 0.291 set coupling-mechanism "Asset labelling requires knowing what assets exist" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 2 [ create-link-to turtle 1 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Classification applies to inventoried information assets" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 2 [ create-link-to turtle 3 [ set coupling-type "temporal" set coupling-weight 1.60 set normalised-weight 0.291 set coupling-mechanism "Classification must precede labelling implementation" set color 56 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 2 [ create-link-to turtle 4 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Transfer rules depend on classification level" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 2 [ create-link-to turtle 12 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Data deletion requirements depend on classification level" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 2 [ create-link-to turtle 13 [ set coupling-type "info-flow" set coupling-weight 2.00 set normalised-weight 0.364 set coupling-mechanism "Data masking requirements driven by classification" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 2 [ create-link-to turtle 14 [ set coupling-type "info-flow" set coupling-weight 2.20 set normalised-weight 0.400 set coupling-mechanism "DLP rules calibrated to information classification levels" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 3 [ create-link-to turtle 2 [ set coupling-type "temporal" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Labels must reflect classification decisions" set color 56 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 3 [ create-link-to turtle 4 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Transfer controls reference labels to enforce handling rules" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 3 [ create-link-to turtle 14 [ set coupling-type "info-flow" set coupling-weight 2.20 set normalised-weight 0.400 set coupling-mechanism "DLP systems use labels to trigger blocking/alerting" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 4 [ create-link-to turtle 2 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Transfer rules calibrated to classification level" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 4 [ create-link-to turtle 3 [ set coupling-type "info-flow" set coupling-weight 1.60 set normalised-weight 0.291 set coupling-mechanism "Labels guide automated transfer controls" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 4 [ create-link-to turtle 5 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Supplier information transfer requires contractual controls" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 4 [ create-link-to turtle 14 [ set coupling-type "info-flow" set coupling-weight 2.20 set normalised-weight 0.400 set coupling-mechanism "DLP enforces transfer restrictions technically" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 5 [ create-link-to turtle 4 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Data transfer to suppliers governed by transfer policies" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 5 [ create-link-to turtle 6 [ set coupling-type "temporal" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Supplier ICT risk assessment informs relationship controls" set color 56 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 5 [ create-link-to turtle 7 [ set coupling-type "temporal" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Supplier performance monitoring against security requirements" set color 56 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 6 [ create-link-to turtle 5 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "ICT supply chain is critical subset of supplier risk" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 6 [ create-link-to turtle 7 [ set coupling-type "temporal" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "ICT supplier monitoring requires specialized assessment" set color 56 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 7 [ create-link-to turtle 5 [ set coupling-type "temporal" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Monitoring validates ongoing supplier compliance" set color 56 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 7 [ create-link-to turtle 6 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "ICT supply changes trigger reassessment" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 7 [ create-link-to turtle 15 [ set coupling-type "info-flow" set coupling-weight 2.00 set normalised-weight 0.364 set coupling-mechanism "Supplier activity monitoring feeds security event detection" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 8 [ create-link-to turtle 2 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "PII requires specific classification and handling" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 8 [ create-link-to turtle 5 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Supplier handling of PII requires contractual controls" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 8 [ create-link-to turtle 12 [ set coupling-type "info-flow" set coupling-weight 3.60 set normalised-weight 0.655 set coupling-mechanism "PII deletion rights drive data deletion procedures" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 8 [ create-link-to turtle 13 [ set coupling-type "info-flow" set coupling-weight 4.00 set normalised-weight 0.727 set coupling-mechanism "Data masking applied to PII in non-production environments" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 8 [ create-link-to turtle 14 [ set coupling-type "info-flow" set coupling-weight 5.50 set normalised-weight 1.000 set coupling-mechanism "DLP rules specifically target PII leakage" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 9 [ create-link-to turtle 2 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "NDA scope calibrated to information classification" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 9 [ create-link-to turtle 5 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Supplier NDAs part of supplier relationship management" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 10 [ create-link-to turtle 1 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Media inventory as subset of asset management" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 10 [ create-link-to turtle 2 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Media handling rules calibrated to data classification" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 10 [ create-link-to turtle 4 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Media transport is information transfer requiring controls" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 10 [ create-link-to turtle 12 [ set coupling-type "temporal" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Media sanitization aligned with data deletion requirements" set color 56 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 11 [ create-link-to turtle 1 [ set coupling-type "temporal" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Disposed equipment removed from asset inventory" set color 56 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 11 [ create-link-to turtle 2 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Disposal procedures calibrated to data classification" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 11 [ create-link-to turtle 10 [ set coupling-type "temporal" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Equipment disposal includes media sanitization" set color 56 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 11 [ create-link-to turtle 12 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Data deletion verification before equipment disposal" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 12 [ create-link-to turtle 2 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Deletion policies calibrated to classification" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 12 [ create-link-to turtle 8 [ set coupling-type "info-flow" set coupling-weight 2.50 set normalised-weight 0.455 set coupling-mechanism "PII deletion rights (right to erasure)" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 12 [ create-link-to turtle 10 [ set coupling-type "temporal" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Media sanitization includes data deletion" set color 56 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 12 [ create-link-to turtle 11 [ set coupling-type "temporal" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Equipment disposal requires data deletion verification" set color 56 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 13 [ create-link-to turtle 2 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Masking requirements driven by data classification" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 13 [ create-link-to turtle 8 [ set coupling-type "info-flow" set coupling-weight 2.50 set normalised-weight 0.455 set coupling-mechanism "PII masking for privacy protection" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 14 [ create-link-to turtle 0 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Threat intel informs DLP rule tuning" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 14 [ create-link-to turtle 2 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "DLP rules calibrated to classification levels" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 14 [ create-link-to turtle 3 [ set coupling-type "info-flow" set coupling-weight 1.60 set normalised-weight 0.291 set coupling-mechanism "DLP uses labels to identify sensitive data" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 14 [ create-link-to turtle 4 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "DLP enforces transfer restrictions" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 14 [ create-link-to turtle 8 [ set coupling-type "info-flow" set coupling-weight 2.50 set normalised-weight 0.455 set coupling-mechanism "DLP targets PII leakage specifically" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 14 [ create-link-to turtle 15 [ set coupling-type "info-flow" set coupling-weight 4.00 set normalised-weight 0.727 set coupling-mechanism "DLP alerts feed security monitoring" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 15 [ create-link-to turtle 0 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Threat intel drives monitoring rule updates" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 15 [ create-link-to turtle 14 [ set coupling-type "info-flow" set coupling-weight 2.20 set normalised-weight 0.400 set coupling-mechanism "DLP alerts feed monitoring" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 16 [ create-link-to turtle 5 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Development outsourcing is supplier relationship" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 16 [ create-link-to turtle 6 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Outsourced development introduces ICT supply chain risk" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 17 [ create-link-to turtle 8 [ set coupling-type "info-flow" set coupling-weight 2.50 set normalised-weight 0.455 set coupling-mechanism "PII in test data requires privacy protection" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ask turtle 17 [ create-link-to turtle 13 [ set coupling-type "info-flow" set coupling-weight 2.00 set normalised-weight 0.364 set coupling-mechanism "Production data for testing requires masking" set color 96 set thickness 0.05 + normalised-weight * 0.3 ] ] ; Bridge couplings — activate/deactivate with optional agents ask turtle 18 [ create-link-to turtle 0 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Threat intel prioritizes vulnerability remediation" set color 96 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 18 [ create-link-to turtle 1 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Asset inventory defines vulnerability scanning scope" set color 96 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 18 [ create-link-to turtle 6 [ set coupling-type "failure" set coupling-weight 2.00 set normalised-weight 0.364 set coupling-mechanism "Supply chain vulnerabilities propagate into managed systems" set color 16 set thickness 0.05 + 0.364 * 0.3 ] ] ask turtle 0 [ create-link-to turtle 18 [ set coupling-type "temporal" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Threat intel prioritizes which vulnerabilities to patch first" set color 56 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 1 [ create-link-to turtle 18 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Asset inventory defines vulnerability scanning scope — unknown assets are unscanned" set color 96 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 6 [ create-link-to turtle 18 [ set coupling-type "failure" set coupling-weight 2.00 set normalised-weight 0.364 set coupling-mechanism "Supply chain compromise introduces vulnerabilities into managed systems" set color 16 set thickness 0.05 + 0.364 * 0.3 ] ] ask turtle 19 [ create-link-to turtle 5 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Agreement terms implement supplier security policy" set color 96 set thickness 0.05 + 0.327 * 0.3 ] ] ask turtle 19 [ create-link-to turtle 7 [ set coupling-type "temporal" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Agreements define measurable criteria for monitoring" set color 56 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 5 [ create-link-to turtle 19 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Supplier requirements embedded in contractual agreements" set color 96 set thickness 0.05 + 0.327 * 0.3 ] ] ask turtle 7 [ create-link-to turtle 19 [ set coupling-type "temporal" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Review against contractual security criteria" set color 56 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 20 [ create-link-to turtle 5 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Cloud providers are suppliers requiring relationship management" set color 96 set thickness 0.05 + 0.327 * 0.3 ] ] ask turtle 20 [ create-link-to turtle 6 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Cloud supply chain introduces vendor-specific risks" set color 96 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 0 [ create-link-to turtle 20 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Threat intel informs cloud security risk assessment" set color 96 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 5 [ create-link-to turtle 20 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Cloud suppliers are a major subset of supplier relationships" set color 96 set thickness 0.05 + 0.327 * 0.3 ] ] ask turtle 21 [ create-link-to turtle 0 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Threat intel shapes incident response playbooks" set color 96 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 21 [ create-link-to turtle 15 [ set coupling-type "info-flow" set coupling-weight 2.00 set normalised-weight 0.364 set coupling-mechanism "Monitoring capabilities determine what incidents are detectable" set color 96 set thickness 0.05 + 0.364 * 0.3 ] ] ask turtle 0 [ create-link-to turtle 21 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Threat context shapes incident response playbooks" set color 96 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 15 [ create-link-to turtle 21 [ set coupling-type "info-flow" set coupling-weight 2.00 set normalised-weight 0.364 set coupling-mechanism "Monitoring capabilities define detectable incident types" set color 96 set thickness 0.05 + 0.364 * 0.3 ] ] ask turtle 22 [ create-link-to turtle 6 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Third-party component vetting in development" set color 96 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 6 [ create-link-to turtle 22 [ set coupling-type "temporal" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Third-party components in development pipeline need vetting" set color 56 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 13 [ create-link-to turtle 22 [ set coupling-type "info-flow" set coupling-weight 2.00 set normalised-weight 0.364 set coupling-mechanism "Development environments use masked production data" set color 96 set thickness 0.05 + 0.364 * 0.3 ] ] ask turtle 16 [ create-link-to turtle 22 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Outsourced development must follow SDLC" set color 96 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 23 [ create-link-to turtle 1 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Rules must cover all inventoried assets" set color 96 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 1 [ create-link-to turtle 23 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Asset inventory defines scope for acceptable use policies" set color 96 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 2 [ create-link-to turtle 23 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Acceptable use rules vary by classification" set color 96 set thickness 0.05 + 0.327 * 0.3 ] ] ask turtle 24 [ create-link-to turtle 2 [ set coupling-type "info-flow" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Records classified according to sensitivity" set color 96 set thickness 0.05 + 0.327 * 0.3 ] ] ask turtle 24 [ create-link-to turtle 12 [ set coupling-type "temporal" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Record deletion must follow retention policies" set color 56 set thickness 0.05 + 0.327 * 0.3 ] ] ask turtle 12 [ create-link-to turtle 24 [ set coupling-type "temporal" set coupling-weight 1.80 set normalised-weight 0.327 set coupling-mechanism "Deletion must respect retention requirements" set color 56 set thickness 0.05 + 0.327 * 0.3 ] ] ask turtle 25 [ create-link-to turtle 0 [ set coupling-type "info-flow" set coupling-weight 1.00 set normalised-weight 0.182 set coupling-mechanism "Emerging threats inform training updates" set color 96 set thickness 0.05 + 0.182 * 0.3 ] ] ask turtle 25 [ create-link-to turtle 3 [ set coupling-type "info-flow" set coupling-weight 1.60 set normalised-weight 0.291 set coupling-mechanism "Training covers information labelling procedures" set color 96 set thickness 0.05 + 0.291 * 0.3 ] ] ask turtle 3 [ create-link-to turtle 25 [ set coupling-type "info-flow" set coupling-weight 1.60 set normalised-weight 0.291 set coupling-mechanism "Users must be trained to apply labels correctly" set color 96 set thickness 0.05 + 0.291 * 0.3 ] ] ; Hide links to inactive optional agents ask links [ if (not [active?] of end1) or (not [active?] of end2) [ hide-link ] ] update-metrics reset-ticks end to go set cascade-this-tick 0 ; === 1. NATURAL DECAY === ; Rate = base-decay-rate × category-decay-base × (1 + budget-pressure) ; No hardcoded rates — all from sliders and agent properties ask turtles with [active?] [ let effective-decay base-decay-rate * category-decay-base * (1 + budget-pressure) set effectiveness effectiveness - effective-decay ; Drift accumulates proportionally to decay set drift-accumulator drift-accumulator + effective-decay * 0.5 ] ; === 2. INVESTMENT / REFRESH CYCLES === ; Every category gets refreshed on its own cycle ; ppl: training cycle, tech: patch cycle, org: review cycle, phy: inspection cycle ask turtles with [active?] [ let cycle-length investment-cycle-length ; Tech controls have shorter cycles (patching is more frequent than policy review) if ctrl-category = "tech" [ set cycle-length cycle-length * 0.5 ] ; Physical controls have longer cycles (inspections less frequent) if ctrl-category = "phy" [ set cycle-length cycle-length * 1.5 ] if ticks > 0 and ticks - last-investment-tick >= cycle-length [ ; Investment boost depends on: investment-effectiveness slider, ; reduced by workaround level (entrenched bypasses resist improvement), ; and management attention let boost investment-effectiveness * (1 - workaround-level * 0.7) * (0.5 + management-attention * 0.5) set effectiveness min list 1.0 (effectiveness + boost) ; Reset drift partially (investment addresses drift but doesn't eliminate it) set drift-accumulator drift-accumulator * (1 - investment-effectiveness) set last-investment-tick ticks set total-investment total-investment + 1 ] ] ; === 3. WORKAROUND / BYPASS DYNAMICS === ; All control types develop workarounds when effectiveness is low ; Contagion rate from workaround-contagion-rate slider ask turtles with [active?] [ ; Self-adoption: when effectiveness drops below failure threshold, ; workarounds develop at rate proportional to gap if effectiveness < failure-threshold [ let gap failure-threshold - effectiveness set workaround-level min list 1.0 (workaround-level + gap * workaround-contagion-rate) ] ; Social/systemic contagion from neighbours if any? link-neighbors with [active?] [ let neighbor-wa mean [workaround-level] of link-neighbors with [active?] if neighbor-wa > workaround-level [ set workaround-level workaround-level + workaround-contagion-rate * (neighbor-wa - workaround-level) ] ] ; Workarounds decay slowly when effectiveness is high (good practices crowd out bypasses) if effectiveness > failure-threshold + 0.2 [ set workaround-level max list 0 (workaround-level - workaround-contagion-rate * 0.3) ] ] ; === 4. COUPLING PROPAGATION === ; Impact magnitude = normalised-weight × coupling-strength slider × gap ; No hardcoded impact values — everything from weights and parameters ask links with [[active?] of end1 and [active?] of end2] [ let source-eff [effectiveness] of end1 let target-eff [effectiveness] of end2 let impact-base normalised-weight * coupling-strength ; FAILURE PROPAGATION: source below threshold degrades target if coupling-type = "failure" and source-eff < failure-threshold [ let gap failure-threshold - source-eff let impact gap * impact-base ask end2 [ set effectiveness effectiveness - impact ] if impact > cascade-detection-threshold [ set cascade-this-tick cascade-this-tick + 1 ] ] ; INFO FLOW: degraded source reduces quality of information to target ; Increases target's drift rate (stale information leads to drift) if coupling-type = "info-flow" and source-eff < failure-threshold [ let gap failure-threshold - source-eff ask end2 [ set drift-accumulator drift-accumulator + gap * impact-base * 0.5 ] ] ; RESOURCE COMPETITION: when both are below threshold, they compete ; The one with lower effectiveness loses more (weak get weaker) if coupling-type = "resource" and source-eff < failure-threshold and target-eff < failure-threshold [ let competition-loss impact-base * budget-pressure ask end2 [ set effectiveness effectiveness - competition-loss ] ] ; TEMPORAL DEPENDENCY: source must be functional for target to maintain ; If source is deeply degraded, target cannot be maintained at all if coupling-type = "temporal" and source-eff < failure-threshold * 0.8 [ let block-factor impact-base * (failure-threshold * 0.8 - source-eff) ask end2 [ set effectiveness effectiveness - block-factor ] ] ] ; === 5. DRIFT EFFECT === ; Accumulated drift (from natural decay + info flow degradation) ; erodes effectiveness. This is the "normalization of deviance" mechanism. ask turtles with [active?] [ if drift-accumulator > 0.1 [ set effectiveness effectiveness - drift-accumulator * base-decay-rate ] ] ; === 6. ADAPTIVE THREAT PRESSURE === ; Threat level increases when system effectiveness drops (attackers probe weakness) ; and decreases when system is strong (attackers look elsewhere) let sys-eff-gap failure-threshold - system-effectiveness if sys-eff-gap > 0 [ set threat-level min list 1.0 (threat-level + sys-eff-gap * threat-adaptation-rate) ] if sys-eff-gap < -0.2 [ set threat-level max list initial-threat-level (threat-level - threat-adaptation-rate * 0.5) ] ; Threat level erodes org and tech controls ask turtles with [active? and (ctrl-category = "org" or ctrl-category = "tech")] [ set effectiveness effectiveness - threat-level * base-decay-rate * threat-novelty ] ; === 7. EXTERNAL SHOCK === if random-float 1 < external-shock-probability and not shock-active? [ set shock-active? true set shock-tick ticks ; Shock severity from slider — multiplied by random factor for variance ask turtles with [active?] [ let survival-factor (1 - shock-severity) + random-float shock-severity set effectiveness effectiveness * survival-factor ; Shock may displace workarounds (crisis can reset or worsen behaviour) set workaround-level workaround-level * (0.5 + random-float 0.5) ] set threat-level min list 1.0 (threat-level + 0.2) ] ; === 8. STAFF TURNOVER === ; Affects people controls directly, org controls indirectly ask turtles with [active? and ctrl-category = "ppl"] [ if random-float 1 < (staff-turnover-rate / 365) [ set effectiveness org-maturity * 0.6 ; New hire at fraction of org baseline set workaround-level 0 ; Fresh start set drift-accumulator 0 set last-investment-tick ticks ] ] ; Org controls also affected (institutional knowledge loss) ask turtles with [active? and ctrl-category = "org"] [ if random-float 1 < (staff-turnover-rate / 365) * 0.3 [ set effectiveness effectiveness * 0.95 set drift-accumulator drift-accumulator + 0.05 ] ] ; === 9. AUDIT CYCLE === ; Periodic audit detects drift and forces correction set audit-due? (ticks > 0 and ticks mod audit-cycle-length = 0) if audit-due? [ ask turtles with [active?] [ ; Audit detects drift proportional to drift-accumulator ; Correction proportional to management attention let correction drift-accumulator * management-attention * investment-effectiveness set effectiveness min list 1.0 (effectiveness + correction) set drift-accumulator drift-accumulator * (1 - management-attention) ; Audit reduces workarounds (visibility effect) set workaround-level workaround-level * (1 - management-attention * 0.5) ] ] ; === 10. CLAMP AND UPDATE === ask turtles with [active?] [ set effectiveness max list 0 (min list 1 effectiveness) set workaround-level max list 0 (min list 1 workaround-level) ] set cascade-count cascade-count + cascade-this-tick update-metrics ; Recovery detection if shock-active? and system-effectiveness > failure-threshold + 0.1 [ set recovery-ticks ticks - shock-tick set shock-active? false ] ; Visualisation ask turtles with [active?] [ let base-hue ifelse-value (ctrl-category = "org") [105] [ ifelse-value (ctrl-category = "ppl") [55] [ ifelse-value (ctrl-category = "phy") [25] [125]]] set color scale-color base-hue effectiveness 0 1.2 ; Show workaround level as shape ifelse workaround-level > 0.3 [ set shape "triangle" ] [ set shape "circle" ] ] ask links with [[active?] of end1 and [active?] of end2] [ ; Highlight active failure propagation ifelse coupling-type = "failure" and [effectiveness] of end1 < failure-threshold [ set color red set thickness 0.3 ] [ set color (item (position coupling-type ["info-flow" "resource" "temporal" "failure"]) [96 26 56 16]) set thickness 0.05 + normalised-weight * 0.3 ] ] tick if ticks >= simulation-length [ stop ] end to update-metrics ; Only count active agents in metrics let active-agents turtles with [active?] ifelse any? active-agents [ let total-w sum [sector-weight] of active-agents set system-effectiveness sum [effectiveness * sector-weight] of active-agents / total-w set min-agent-effectiveness min [effectiveness] of active-agents ] [ set system-effectiveness 0 set min-agent-effectiveness 0 ] end @#$#@#$#@ GRAPHICS-WINDOW 220 10 657 448 -1 -1 13.0 1 10 1 1 1 0 0 0 1 -16 16 -16 16 1 1 1 ticks 30.0 SLIDER 10 10 210 43 org-maturity org-maturity 0.3 1 0.75 0.05 1 0-1 HORIZONTAL SLIDER 10 46 210 79 initial-threat-level initial-threat-level 0 1 0.2 0.05 1 0-1 HORIZONTAL SLIDER 10 82 210 115 budget-pressure budget-pressure 0 1 0.3 0.05 1 0-1 HORIZONTAL SLIDER 10 118 210 151 staff-turnover-rate staff-turnover-rate 0 0.5 0.15 0.01 1 per year HORIZONTAL SLIDER 10 154 210 187 base-decay-rate base-decay-rate 0.0005 0.01 0.002 0.0005 1 per tick HORIZONTAL SLIDER 10 190 210 223 investment-cycle-length investment-cycle-length 14 365 90 7 1 ticks HORIZONTAL SLIDER 10 226 210 259 investment-effectiveness investment-effectiveness 0.05 0.5 0.2 0.05 1 0-1 HORIZONTAL SLIDER 10 262 210 295 management-attention management-attention 0 1 0.5 0.05 1 0-1 HORIZONTAL SLIDER 10 298 210 331 coupling-strength coupling-strength 0.01 0.3 0.1 0.01 1 multiplier HORIZONTAL SLIDER 10 334 210 367 failure-threshold failure-threshold 0.2 0.7 0.5 0.05 1 0-1 HORIZONTAL SLIDER 10 370 210 403 cascade-detection-threshold cascade-detection-threshold 0.005 0.1 0.02 0.005 1 impact HORIZONTAL SLIDER 10 406 210 439 workaround-contagion-rate workaround-contagion-rate 0.001 0.05 0.01 0.001 1 per tick HORIZONTAL SLIDER 10 442 210 475 threat-novelty threat-novelty 0 1 0.2 0.05 1 0-1 HORIZONTAL SLIDER 10 478 210 511 threat-adaptation-rate threat-adaptation-rate 0 0.05 0.01 0.005 1 per tick HORIZONTAL SLIDER 10 514 210 547 external-shock-probability external-shock-probability 0 0.02 0.002 0.001 1 per tick HORIZONTAL SLIDER 10 550 210 583 shock-severity shock-severity 0.1 0.9 0.5 0.05 1 0-1 HORIZONTAL SLIDER 10 586 210 619 audit-cycle-length audit-cycle-length 30 365 180 30 1 ticks HORIZONTAL SLIDER 10 622 210 655 simulation-length simulation-length 365 3650 730 365 1 ticks HORIZONTAL BUTTON 10 658 110 691 setup setup NIL 1 T OBSERVER NIL NIL NIL NIL 1 BUTTON 115 658 210 691 go go T 1 T OBSERVER NIL NIL NIL NIL 1 SWITCH 10 698 210 731 include-A.8-8 include-A.8-8 0 1 -1000 SWITCH 10 734 210 767 include-A.5-20 include-A.5-20 0 1 -1000 SWITCH 10 770 210 803 include-A.5-23 include-A.5-23 0 1 -1000 SWITCH 10 806 210 839 include-A.5-24 include-A.5-24 0 1 -1000 SWITCH 10 842 210 875 include-A.8-25 include-A.8-25 0 1 -1000 SWITCH 10 878 210 911 include-A.5-10 include-A.5-10 0 1 -1000 SWITCH 10 914 210 947 include-A.5-33 include-A.5-33 0 1 -1000 SWITCH 10 950 210 983 include-A.6-3 include-A.6-3 0 1 -1000 PLOT 670 10 980 180 System effectiveness ticks effectiveness 0.0 10.0 0.0 1.0 true true "" "" PENS "system" 1.0 0 -13345367 true "" "plot system-effectiveness" "min" 1.0 0 -2674135 true "" "plot min-agent-effectiveness" "threshold" 1.0 0 -7500403 true "" "plot failure-threshold" PLOT 670 190 980 340 Cascade events ticks cascades/tick 0.0 10.0 0.0 5.0 true true "" "" PENS "per-tick" 1.0 0 -2674135 true "" "plot cascade-this-tick" "cumulative" 1.0 0 -955883 true "" "plot cascade-count / 10" PLOT 670 350 980 490 Threat & workaround ticks level 0.0 10.0 0.0 1.0 true true "" "" PENS "threat" 1.0 0 -8630108 true "" "plot threat-level" "workaround" 1.0 0 -1184463 true "" "plot mean [workaround-level] of turtles with [active?]" "drift" 1.0 0 -7500403 true "" "plot mean [drift-accumulator] of turtles with [active?]" PLOT 670 500 980 650 Agent effectiveness ticks effectiveness 0.0 10.0 0.0 1.0 true true "" "" PENS "A.5.7" 1.0 0 -13345367 true "" "if 0 < count turtles and [active?] of turtle 0 [ plot [effectiveness] of turtle 0 ]" "A.5.9" 1.0 0 -2674135 true "" "if 1 < count turtles and [active?] of turtle 1 [ plot [effectiveness] of turtle 1 ]" "A.5.12" 1.0 0 -955883 true "" "if 2 < count turtles and [active?] of turtle 2 [ plot [effectiveness] of turtle 2 ]" "A.5.13" 1.0 0 -1184463 true "" "if 3 < count turtles and [active?] of turtle 3 [ plot [effectiveness] of turtle 3 ]" "A.5.14" 1.0 0 -8630108 true "" "if 4 < count turtles and [active?] of turtle 4 [ plot [effectiveness] of turtle 4 ]" "A.5.19" 1.0 0 -10899396 true "" "if 5 < count turtles and [active?] of turtle 5 [ plot [effectiveness] of turtle 5 ]" "A.5.21" 1.0 0 -13840069 true "" "if 6 < count turtles and [active?] of turtle 6 [ plot [effectiveness] of turtle 6 ]" "A.5.22" 1.0 0 -5825686 true "" "if 7 < count turtles and [active?] of turtle 7 [ plot [effectiveness] of turtle 7 ]" "A.5.34" 1.0 0 -6459832 true "" "if 8 < count turtles and [active?] of turtle 8 [ plot [effectiveness] of turtle 8 ]" "A.6.6" 1.0 0 -1664597 true "" "if 9 < count turtles and [active?] of turtle 9 [ plot [effectiveness] of turtle 9 ]" "A.7.10" 1.0 0 -2064490 true "" "if 10 < count turtles and [active?] of turtle 10 [ plot [effectiveness] of turtle 10 ]" "A.7.14" 1.0 0 -7500403 true "" "if 11 < count turtles and [active?] of turtle 11 [ plot [effectiveness] of turtle 11 ]" "A.8.10" 1.0 0 -4079321 true "" "if 12 < count turtles and [active?] of turtle 12 [ plot [effectiveness] of turtle 12 ]" "A.8.11" 1.0 0 -612749 true "" "if 13 < count turtles and [active?] of turtle 13 [ plot [effectiveness] of turtle 13 ]" "A.8.12" 1.0 0 -723837 true "" "if 14 < count turtles and [active?] of turtle 14 [ plot [effectiveness] of turtle 14 ]" "A.8.16" 1.0 0 -11221820 true "" "if 15 < count turtles and [active?] of turtle 15 [ plot [effectiveness] of turtle 15 ]" "A.8.30" 1.0 0 -2139308 true "" "if 16 < count turtles and [active?] of turtle 16 [ plot [effectiveness] of turtle 16 ]" "A.8.33" 1.0 0 -8990512 true "" "if 17 < count turtles and [active?] of turtle 17 [ plot [effectiveness] of turtle 17 ]" "A.8.8*" 1.0 0 -3508570 true "" "if 18 < count turtles and [active?] of turtle 18 [ plot [effectiveness] of turtle 18 ]" "A.5.20*" 1.0 0 -13345367 true "" "if 19 < count turtles and [active?] of turtle 19 [ plot [effectiveness] of turtle 19 ]" "A.5.23*" 1.0 0 -2674135 true "" "if 20 < count turtles and [active?] of turtle 20 [ plot [effectiveness] of turtle 20 ]" "A.5.24*" 1.0 0 -955883 true "" "if 21 < count turtles and [active?] of turtle 21 [ plot [effectiveness] of turtle 21 ]" "A.8.25*" 1.0 0 -1184463 true "" "if 22 < count turtles and [active?] of turtle 22 [ plot [effectiveness] of turtle 22 ]" "A.5.10*" 1.0 0 -8630108 true "" "if 23 < count turtles and [active?] of turtle 23 [ plot [effectiveness] of turtle 23 ]" "A.5.33*" 1.0 0 -10899396 true "" "if 24 < count turtles and [active?] of turtle 24 [ plot [effectiveness] of turtle 24 ]" "A.6.3*" 1.0 0 -13840069 true "" "if 25 < count turtles and [active?] of turtle 25 [ plot [effectiveness] of turtle 25 ]" MONITOR 670 660 760 705 Sys eff system-effectiveness 3 1 11 MONITOR 770 660 860 705 Min eff min-agent-effectiveness 3 1 11 MONITOR 870 660 960 705 Cascades cascade-count 0 1 11 MONITOR 670 710 760 755 Threat threat-level 3 1 11 MONITOR 770 710 860 755 Workaround mean [workaround-level] of turtles with [active?] 3 1 11 MONITOR 870 710 960 755 Investment total-investment 0 1 11 @#$#@#$#@ @#$#@#$#@ ## WHAT IS IT? Agent-based model of ISO 27001 Annex A control cluster 0. **Sector:** data-regulated **Controls:** A.5.7 (Threat intelligence), A.5.9 (Inventory of information and other associated assets), A.5.12 (Classification of information), A.5.13 (Labelling of information), A.5.14 (Information transfer), A.5.19 (Information security in supplier relationships), A.5.21 (Managing information security in the ICT supply chain), A.5.22 (Monitoring, review and change management of supplier services), A.5.34 (Privacy and protection of PII), A.6.6 (Confidentiality or non-disclosure agreements), A.7.10 (Storage media), A.7.14 (Secure disposal or re-use of equipment), A.8.10 (Information deletion), A.8.11 (Data masking), A.8.12 (Data leakage prevention), A.8.16 (Monitoring activities), A.8.30 (Outsourced development), A.8.33 (Test information) ## HOW IT WORKS Each ISO 27001 control is an agent with an effectiveness state (0-1). Controls interact through four coupling types derived from structural analysis: information flow, shared resources, temporal dependencies, and failure propagation. **No values are hardcoded.** All dynamics derive from slider parameters: - **org-maturity**: Starting effectiveness of all controls (organisational baseline) - **base-decay-rate**: How fast controls naturally degrade per tick (day) - **investment-cycle-length**: How often controls receive investment (training, patching, review, inspection) - **investment-effectiveness**: How much each investment cycle restores effectiveness - **coupling-strength**: How strongly coupled controls affect each other - **failure-threshold**: Below this effectiveness, a control is considered failing and triggers coupling effects - **workaround-contagion-rate**: How fast workarounds spread when controls are weak - **threat-adaptation-rate**: How fast attackers adapt to exploit weak systems - **audit-cycle-length**: How often audits occur (detecting drift and forcing correction) ## DMDU USAGE Use BehaviorSpace to sweep the parameter space. Apply PRIM/CART to the results to discover which **combinations of parameter values** produce system failure. These combinations are your scenario discovery results — the conditions under which your ISMS breaks down. ## OPTIONAL BRIDGE CONTROLS The following controls were excluded from the core cluster by the community detection algorithm but have significant couplings to cluster members. Toggle them on via the switches in the interface to explore how adding these controls changes system dynamics. Re-run setup after toggling. - **A.8.8** (tech) Management of technical vulnerabilities — 3 links to cluster, 3 from cluster - **A.5.20** (org) Addressing information security within supplier agreements — 2 links to cluster, 2 from cluster - **A.5.23** (org) Information security for use of cloud services — 2 links to cluster, 2 from cluster - **A.5.24** (org) Information security incident management planning and preparation — 2 links to cluster, 2 from cluster - **A.8.25** (tech) Secure development lifecycle — 1 links to cluster, 3 from cluster - **A.5.10** (org) Acceptable use of information and other associated assets — 1 links to cluster, 2 from cluster - **A.5.33** (org) Protection of records — 2 links to cluster, 1 from cluster - **A.6.3** (ppl) Information security awareness, education and training — 2 links to cluster, 1 from cluster Controls marked with * in the agent plot are optional. @#$#@#$#@ @#$#@#$#@ setup go system-effectiveness min-agent-effectiveness cascade-count recovery-ticks threat-level mean [workaround-level] of turtles with [active?] mean [drift-accumulator] of turtles with [active?] @#$#@#$#@ @#$#@#$#@ @#$#@#$#@ @#$#@#$#@ @#$#@#$#@