"I'd be interested in knowing how linking aggregated attack information to country of origin is actually valuable relative to our ability to respond to it."
The simulations we have been running are at the AS level, but country-level information is useful for running some of the scenarios we are interested in. Currently we have been starting attacks on the AS graph from randomly selected networks, but thought it would be interesting to start attacks from frequent bad actors. The country-level part comes in since we are doing this from an economic/policy perspective. If you are going to invest money in cybersecurity, what are the most important networks to protect? If there needs to be cross-country cooperation, which countries are the most important to get to sign on? Still not sure how effective a way this is to look at the problem, but it is one of the scenarios we are running through, along with market forces, best practices, insurance, liability, etc.
If anyone is interested, we'll be posting the general approach and models on the xxx.lanl.gov site in the next day or so. I can post the link if folks are interested; any feedback would be greatly appreciated.