In dynamic and regulated critical environments, continuously assessing cyber risks is essential for efective situational awareness and decision-making. While methodologies like Security Risk Analysis (SRA) and Threat Assessment and Remediation Analysis (TARA) provide structured approaches, they often lack dynamic updates, real-time threat modeling, and advanced visualization capabilities. This paper introduces Cyber-DRIVE, a novel framework for dynamic risk analysis, incident response, and situational awareness. By separating technological and business-critical asset models, Cyber-DRIVE enables cyber analysts to evaluate likelihoods and incidents, while business decision-makers assess the impact of Confidentiality, Integrity, and Availability (CIA) degradations. The framework integrates real-time Cyber Threat Intelligence (CTI), supports dynamic ”what-if” scenarios using MITRE D3FEND techniques, and provides advanced visualizations of complex infrastructures. Cyber-DRIVE addresses limitations in existing SRA and TARA tools by improving risk estimation accuracy, enabling faster response to changing threat landscapes, and supporting interoperability with Security Operations Centers (SOC) and orchestration platforms (SOAR). A case study demonstrates its applicability in modeling realistic infrastructures and evaluating cyber-attack scenarios.
(E. Russo)
CEUR
ceur-ws.org
Cyber-DRIVE framework Public ATT&CK Framework Public D3FEND Framework Scored Public D3FEND Framework concepts from ITSRM, most notably the separation between the technological (focused on systems and infrastructure) and “primary” assets (focused on business-critical resources) models. This separation enables a clear abstraction and segregation of roles and competencies between two user categories: () cyber technology analysts, who estimate likelihoods and validate or reject hypotheses based on detected indicators of compromise and attacks (and investigation when cyber incidents occur), and () business or process operations analysts, who understand the value of assets and estimate the impact of Confidentiality, Integrity, and Availability (CIA) degradation on those assets.
Our approach aims to advance the capabilities of current SRA and TARA tools by enhancing risk estimation accuracy, response times in case of model changes, and information updates on cyber threat behaviors and used tactics and techniques. As a result, it enables the realization of risk management, situational awareness, and decision support tools for a cyber response against security incidents by interoperating with Security Operations Centers (SOC) and orchestration platforms (SOAR), and by being fed with Cyber Threat Intelligence (CTI). Moreover, it supports dynamic “what-if” evaluations of active countermeasures based on techniques described in the MITRE D3FEND framework [7]. Finally, it provides comprehensive visual representations of complex cyberspaces, including software-defined networking, virtualization, and containerization.
The main contribution of the paper can be summarized as follows.
• We present the Cyber-DRIVE framework, designed for dynamic cyber risk identification, analysis, and assessment. • We define a flexible cybersecurity ontology and propagation rules, enabling the customization of the framework as the core engine for a wide range of domain-specific Dynamic Risk Management tools. • We propose an asset modeling methodology that surpasses traditional dependency trees or graphs used in classical SRA. It employs Markov Decision Process (MDP) modeling and optimization, with transition probabilities automatically estimated using scores derived from the widely recognized MITRE D3FEND framework.
Paper Structure. The paper is structured as follows. Section 2 presents related work. Section 3 details our methodology. Section 4 describes our reference case study. Section 5 discusses our solution, and Section 6 draws the conclusions.
Table 1 compares the Cyber-DRIVE framework against three mainstream RSA methods (i.e., MAGERIT/PILAR, FAIR, ITSRM) and features defined by the TARA metamodel.
TARA methodologies use catalogs of Attack Vectors (AVs) to ensure consistent threat identification and risk scenario definition. However, RSA tools often rely on fixed taxonomies, limiting adaptability to evolving threats. Cyber-DRIVE addresses this by integrating the dynamic ATT&CK Framework, providing up-to-date representation of Tactics, Techniques, and Procedures (TTPs) for emerging threats.
TARA methodologies use predefined Countermeasures (CMs) mapped to threats via consistent catalogs. RSA tools rely on static taxonomies, limiting adaptability to specific contexts or new vulnerabilities. Cyber-DRIVE improves this with the D3FEND Framework, ofering detailed and flexible countermeasure mapping for better response planning .
TARA methodologies rank AVs and CMs using scoring models based on risk and cost-efectiveness, aiding decision-making. RSA tools rely on rigid lookup tables, limiting adaptability. Cyber-DRIVE uses dynamic, context-aware scoring from the D3FEND Framework for flexible risk evaluation and mitigation prioritization.
RSA tools use static threat matrices, limiting efectiveness in dynamic cyber environments. CyberDRIVE addresses this with real-time kill chain generation, modeling adversarial strategies to identify likely attack paths and impacts for adaptive threat analysis.
TARA methodologies and RSA tools use asset taxonomies to map TTPs to countermeasures, but these mappings are often predefined and static. This requires manual updates to adapt to changes in the threat landscape. Cyber-DRIVE automates this process by relying on a dynamic ontology based on the D3FEND framework, ensuring flexible and consistent mapping of threats to countermeasures.
RSA tools and TARA methodologies typically use static, predefined asset taxonomies that do not account for the complexity of modern infrastructures. Cyber-DRIVE introduces a customizable asset ontology, which allows for the modeling of diverse types of assets, including physical, logical, and cyber persona assets. This flexibility supports the representation of complex infrastructures, such as virtualized environments and containerized systems, while maintaining compliance with a baseline ontology.
RSA tools often rely on hierarchical or nested dependency models, which can oversimplify the relationships between assets and their dependencies. Cyber-DRIVE improves this by introducing a layered dependency model that distinguishes between technological and primary assets. This enables more accurate modeling of how risks propagate through a system.
RSA tools and TARA methodologies typically apply static risk scoring or weighted scoring models. These approaches lack adaptability and are often insuficient for dynamically evolving cyber environments. Cyber-DRIVE integrates dynamic scoring models derived from the D3FEND Framework, improving accuracy and enabling real-time updates to reflect changing risks and vulnerabilities.
The architecture of Cyber-DRIVE consists of three basic components: () Knowledge Base (KB), an ontology-based, fine-grained knowledge base containing models of user-defined ICT infrastructures (extensible to other domains), () Kill Chains Generation (KGC), an optimization algorithm based on Markov Decision Process (MDP) modeling, utilizing Reinforcement Learning (RL) techniques [8], and () Risk Extraction (REX), a risk calculation and aggregation procedure that utilizes the most likely kill chains previously generated.
Cyber-DRIVE evaluates potential cybersecurity attack paths in near real-time by leveraging the D3FEND framework (which complements the ATT&CK matrix) and extending its use through a proprietary ontology stored in its KB. The KB enables the modeling of realistic ICT processing and networking stacks, enriching the technological asset landscape with security mechanisms, measures, and CVEs. Users can freely model their infrastructures while ensuring compliance with the baseline ontology in the KB, which forms the foundation for accurate and explainable risk evaluations.
During the KCG phase, the Cyber-DRIVE engine uses the enriched KB to generate adversarial kill chains based on the most threat-rewarding paths. It propagates attack likelihoods from the technological asset layer to the primary asset layer, projecting Confidentiality, Integrity, and Availability (CIA) degradation for primary assets.
Finally, the REX phase then aggregates the results of the kill chain analysis, calculating the expected levels of degradation (likelihood) and the impact for each cybersecurity risk dimension. This process allows the system to provide actionable insights on residual risks and enable dynamic “what if” assessments for exploring the efectiveness of mitigation solutions.
The Knowledge Base (KB) contains the user-defined model of technological assets and the corresponding ontology, which guides model creation and validation. Technological assets are classified into physical (e.g., servers, switches, devices), logical (e.g., OS, software, artifacts), cyber persona (e.g., credentials, email accounts), or human world entities (e.g., administrators, end-users). The ontology is partially proprietary (covering technological asset entities and their relationships) and partially standard, based on the D3FEND Ontology Framework. Pertinence links connect D3FEND artifacts to proprietary technological asset models, weighted to estimate the efectiveness of attack tactics/techniques and the defensive resistance of D3FEND techniques. These scores feed directly into evaluating transition probabilities for the MDP problem that generates the potential kill chains (see below).
The KB also includes Security Mechanisms and Security Threats. Users can instantiate Security Mechanisms to represent preventive, mitigative, or protective technologies defending specific assets. These mechanisms establish “defends” relationships with technological assets, defining where and how security measures can be applied, adding realism to “what-if” analysis. Additionally, Security Mechanisms are modeled as implemented within technological assets, enabling the system to account for risks afecting both the protected assets and the assets hosting the protective mechanisms. This feature allows further research and potential algorithm extension to encompass cases where risk afects technological assets that also implement in some way the Security Mechanism protecting other assets.
Security threats justify the need for Security Mechanisms. These threats establish “attacks” relationships with technological assets, parametrized using ATT&CK tactics and techniques. This integration ensures that the impact of Security Threats on the asset model is incorporated into residual risk calculations, similar to the efects of cyber incidents.
Finally, the KB allows users to adjust the relative importance of CIA dimensions for each primary asset, enabling tailored risk assessments.
The generation of adversary kill chains for risk evaluation is a key research area in cyber risk management [9]. Our approach relies on a probabilistic attack path generation [10] obtained by preparing, running, and solving an MDP model. The above kill chains are the results of optimal decision strategies in a carefully crafted MDP space of states/actions.
Using an MDP framework ensures eficient handling of the combinatorial complexity in large attack path search spaces, provides a robust foundation for simulating cyber threat actions, and captures the probabilistic and unpredictable nature of advanced threats like APTs. Its state/action abstraction aligns with the logical movements of cyber threats in constrained environments. At the same time, its reinforcement learning basis supports future research leveraging advanced AI techniques for improved scalability and accuracy.
Below, we introduce the overall procedure in terms of defining the input of the MDP problem, representing states and actions in the MDP model, estimating probabilities in MDP transitions, and defining the rewarding mechanism.
Problem input. The MDP problem input is dynamically adjusted/updated according to the risk evaluation setting. From the risk management perspective, it can reflect the need to evaluate CIA-based risk values without any countermeasure (initial/baseline risk), with only default active countermeasures (steady state risk), or otherwise triggered with additional countermeasures to assess Cyber Response Options during Cyber Incident Response (residual risk).
States. A state represents the levels and types of cyber threat advantage, i.e., the obtained foothold over any technological asset of the target system landscape together with information flags . Flags keep track of the status of the privilege escalation, persistency, and/or command and control capability obtained from the technological asset. As realistic target infrastructures can have hundreds or even thousands of technological elements, the Cyber-DRIVE framework avoids a possible combinatorial explosion due to the state cardinality by properly segmenting the state representations encoding during the optimization problem preparation.
Actions. Actions in the MDP model represent adversary choices to transition between states, expanding their attack path and/or increasing their threatening posture. These actions are encoded as threat propagation rules, which define how adversaries explore and exploit realistic attack paths. Actions originating from a specific state, such as a technological asset with a predefined compromise status like Elevation of Privilege (EoP) or Command and Control (C2), can semantically correspond to TTPs, CVE exploits, or malicious but system-legitimate activities (e.g., using stolen credentials to access otherwise restricted services or data).
Transition probabilities estimation. Each state/action transition probability is estimated via an evaluation function that depends on the type of action.
For action associated with an ATT&CK Tactic or Technique, the approach is inspired by MITRE recommendations for TARA methods [2, 4.2 Assessing Countermeasure Efects]. Briefly, these recommendations surpass the characterization of countermeasures with a binary state (efective or it is not) and classify their efects by type, i.e., detect, neutralize, limit, and recover, and by magnitude, i.e., low, medium, and high.
Building on this perspective, our approach develops and applies a more sophisticated cyber efects model, fully leveraging the D3FEND ontology artifacts and, particularly, the existing relationship among techniques and artifacts.
For each technological asset in the model, quantifying this interaction requires calculating the Threat, Defense, and Mitigated Intensity Scores. To enable these calculations, we consider ( ) , the set of artifacts pertaining to each asset. The integer-valued function ( , artifact ∈ ( )) assigns weights to artifacts based on their pertinence to the asset.
To calculate the Threat Intensity Score ( , ) for any attack technique whose actions act on the set of artifacts ( ) , the following formula is applied: ( , ) =
[ ( , , ) ⋅ ( , where ( , , ) represents the contribution of each action of technique on the specific artifact , within the context of the technological asset , namely the Threat Action Score. This score is a framework-defined parameter estimated by experts, reflecting the relative severity of diferent attack actions.
To calculate the Defense Intensity Score ( , ) for any defense technique whose actions act on the set of artifacts ( ) , the following formula is applied: ( , ) = where ( , , ) represents the contribution of each action of defense technique on the specific artifact , within the context of the technological asset , namely the Defense Action Score. Like TAS, it is a framework-defined parameter estimated by experts, reflecting the relative efectiveness of defense actions.
Finally, to calculate the Mitigated Threat Intensity Score ( , , ( )) for any attack technique applicable to the asset , and any set of given defense techniques ( ) acting on ( ) , the following formula is applied: ( , , ( )) = [( ( , ) − ( , ) ) ⋅ ( , ) where ( , ) is the Threat Intensity Score for technique and ( , ) is the Defense Intensity Score for technique , both evaluated for the specific artifact within the context of the technological asset .
The scheme of MDP transition probabilities is derived by normalizing the Mitigated Threat Intensity Score at the graph level, which serves as the overall scoring function. This function estimates the efectiveness of the given ATT&CK Technique over the target Technological Asset , while accounting for the defensive resistance provided by the selected mitigations (( ) ) in the form of D3FEND techniques.
The MDP transition probability scheme is derived by normalizing the Mitigated Threat Intensity Score at the graph level. This score serves as the overall function to estimate the efectiveness of a given ATT&CK technique on a target technological asset, while also considering the defensive resistance provided by user-selected D3FEND techniques during the risk evaluation process. The numerical balance is safeguarded through saturation functions (MAX, MIN) and standard normalization operations. This ultimately contributes to estimating the transition probability distribution over MDP states reachable from a given initial state, when a cyber threat action aligns with a specific ATT&CK tactic or technique. Although transition probabilities in the MDP problem are generated automatically, the framework allows users to override these parameters for fine-tuning specific propagation rules.
For actions associated with a CVE exploit, each MDP state/action transition probability is estimated using an evaluation function based partially on the CVSS score system [11] and partially on expertprovided data for new CVEs applicable to the technological asset landscape. Cyber-DRIVE mitigates such exploits through CVE removal (e.g., patching or procedures linked to the CVE description), fully counterbalancing the associated threat intensity score.
For actions representing malicious but system-legitimate use, the transition probability is set to a constant value between 90% and 100%, as these actions are inherently hard to detect and prevent due to their legitimacy.
Rewarding. The rewarding strategy of the MDP problem is designed to prioritize states where the threat gains an advantage over technological assets that are linked to the user-defined primary assets (see the Dependency model layer in Section 3.3). This approach ensures that the generated threat strategies focus on degrading the CIA of technological assets, ultimately impacting the CIA dimensions of the primary assets.
This phase starts by post-processing the outcome of the optimization problem, which is an optimal strategy in the threat advantage state space, to project it into a viable attack path in the technological cyber terrain. During the risk extraction process, the paths originating from the assets declared in the cyber incidents and terminating at the technological assets on which primary assets depend are considered. These paths are derived from the optimal strategy generated as the solution to the MDP problem, which is triggered by the active cyber incident information and the hypothesized set of mitigation measures to be activated as input. During extraction, path probabilities are calculated starting from the transition probabilities used for the MDP problem input.
Other KPIs are gathered during the extraction process based on the attributes stored in each threat action propagation rule, such as the stealthiness/detectability level and the CIA degradation likelihoods for all the assets involved in the threat paths. In particular, the CIA degradation likelihoods are considered for the technological asset at the end of the path, on which primary assets depend. These likelihoods are multiplied by the overall path probability to compute the total CIA degradation likelihood for each technological asset.
The last steps of the processing are: () the projection and calculation to the primary asset CIA degradation likelihoods through the dependency model layer, and () the application of risk formula taking into account the primary assets CIA degradation likelihoods and the corresponding loss values. Dependency model layer. We propose a dependency model that enables users to define logical gates representing reasonable projections for the CIA dimensions. This solution applies not only to Availability—–where AND and OR logic is straightforwardly interpreted and utilized to model redundancy, recovery, and primary versus alternative dependencies–—but also to Confidentiality and Integrity.
The dependency model layer relies on three logical gates: AND, OR, and MAX. AND gates are helpful for modeling single points of failure, where a direct degradation of one technological asset fully propagates to the dependent primary asset. OR gates are suitable for redundancy modeling, where the presence of alternative assets can mitigate the degradation of a single technological asset. MAX gates are applied in scenarios where the maximum degradation among multiple technological assets defines the impact on the primary asset.
Risk formula. The key parameters required for risk calculation, which are assigned to each primary asset, as well as the calculations for likelihood, impact, and risk evaluation, can vary depending on the most suitable value modeling approach for the specific application. In Cyber-DRIVE, we chose not to treat the value as an additive and potentially unbounded measure (as might be the case if a value represents monetary amounts). Instead, Cyber-DRIVE adopts the concept of a consumable, finite value measure, which is more suitable for addressing risks associated with assets such as technical performance or operational capabilities. This approach benefits applications where additional domainspecific impact models are applied downstream to Cyber-DRIVE. Examples include evaluating security risks in embedded systems for cyber-physical systems or assessing mission risks and impact indicators in the context of military operations planning.
The Cyber-DRIVE framework evaluates primary asset risk through three components: input parameters provided by the user, intermediate results bridging input to output, and final output parameters summarizing overall risk.
Input parameters are provided by the business-level user and ensure that the evaluation process reflects organizational priorities and dependencies. Considering ∈ {, , } , the parameters include: • • - • •
_
, intrinsic total value assigned to the primary asset ( ). _
, value loss in case of total loss for the primary asset ( ). ,
, CIA relative weight (relevance) for the primary asset ( ).
, likelihoods associated with technical assets. • _ ( 1, … , of degradation for technical assets ( 1 , … , through user-defined or gates with , giving ), processing of Cyber-DRIVE generated likelihoods ) involved in the cyber incident as output.
The intermediate results are derived from the dependency model and input parameters to quantify the likelihood and impact of degradation for each security dimension ∈ {, , } .
, is the relative consequence (or impact) for any security dimension . It represents the proportion of the potential value loss for the primary asset due to the degradation of , normalized by the total value of the asset: = - _ _ asset ( _ _ , for the primary asset ( ):
is the likelihood of degradation for the security dimension . Computed using the dependency model, it aggregates the degradation likelihoods of all related technical assets ( based on user-defined gates (AND or OR): is the overall risk for the primary asset ( ). It is calculated by combining the relative consequence and degradation likelihood for each security dimension , weighted by their relative importance. It can also be expressed as: , , , , ⋅ ( ⋅ =
_ combines the consequence ( , ( for the security dimension , quantifying the expected degradation impact: _ = ⋅ The output parameters represent the aggregated consequences, likelihoods, and risks for each primary ) after processing the intermediate results. These are defined as follows: aggregates across all security
dimensions , weighted by their = ∑ = ∑ = is the overall likelihood of degradation for the primary asset ( ). It is derived as the ratio of the overall loss risk to the aggregated consequence:
To test and generate benchmark output data for Cyber-DRIVE, we modeled a ICT infrastructure using the Cyber-DRIVE ontology, as shown in Figure 1, and simulated a realistic company network for evaluation. Briefly, at the top of the diagram, a simulated Internet connection includes routers and infrastructure services such as DNS servers. In the middle, the company backbone network connects the DMZ, core infrastructure, and client areas. Each element in the diagram represents a technological asset, which provides the functionality of primary assets, such as data or services that are targets of risk calculation. These assets correspond to physical workstations or network devices. On top of these physical elements, we modeled software components like operating systems, application software, services, network interfaces, user accounts, and credentials. The Cyber-DRIVE ontology defines all possible relationships between components and their attributes. For instance, attributes include trafic type (e.g., user sessions, email, web), encryption level, storage information (e.g., local, cloud), and authentication types (e.g., local, domain, two-factor).
Kill chain of the modeled attack.
We modeled an attacker sending an email containing malware to an engineering user, who opens a malicious macro that downloads and persists a file from the attacker’s
Cyber-DRIVE encodes these steps as follow: (
Table 2 represents the translation of the modeled kill chain into Cyber-DRIVE propagation rules. The Propagation Rule and Description columns specify the rule and its concise description governing how the attack progresses based on the interaction between the asset’s properties and the threat advantage. The Tech Asset Type categorizes the afected assets (e.g., servers, clients, or specific software). It can specify both the source and the destination assets. The Properties of the Technological Asset column lists relevant characteristics of the asset involved in each action, such as trafic profiles, software attributes, or storage types. Finally, the Threat Advantage State specifies the attacker’s pre-existing threat advantages necessary to execute the step and the resulting advantage gained. In particular, we specify a multi-attribute advantage state in terms of gained privilege level, obtained persistence, obtained external communication (and command reception) capability, and obtained availability/readiness to execute a payload.
For example, step (
Moreover, Figure 1 illustrates the visualization capabilities of the framework. In particular, CyberDRIVE highlights the expected attack path in red, identifying the client machine where the email is received, the assets involved in lateral movements, and the final target system.
The Cyber-DRIVE framework achieves dynamic cyber risk management by integrating advanced probabilistic modeling, ontology-based knowledge representation, and real-time adaptability. The adoption of MDPs enables the dynamic generation of optimal kill chains by analyzing threat propagation paths and incorporating evolving cyber incident data, hypothesized countermeasures, and KB inputs. Furthermore, the dependency model layer facilitates the seamless propagation of risk impacts from technological assets to primary assets, supporting real-time updates of risk metrics as new information becomes available. This dynamic capability ensures that Cyber-DRIVE remains efective in scenarios where rapid decision-making and adaptation are crucial.
For risk analysis, Cyber-DRIVE leverages threat and defense intensity scores derived from the stat-ofthe-art MITRE ATT&CK and D3FEND frameworks. These scores are dynamically applied to evaluate the likelihood and impact of attack techniques on technological assets. Resulting evaluations are projected onto primary assets through the dependency model layer, mapping technical risks to business impacts using logical gates (AND, OR, MAX). This feature ensures that the analysis bridges both technical and operational perspectives.
In terms of risk assessment, Cyber-DRIVE combines likelihoods and impact metrics through a structured risk formula, producing clear and actionable insights for each primary asset. By supporting “what-if” analysis, the framework enables users to evaluate the efects of mitigation measures and adjust risk estimates in realtime. This capability ensures informed decision-making for efective and costeficient incident response strategies. Moreover, it is worth noting that the framework fits the cognitive needs of business process experts and decision-makers who focus on asset value and potential value loss while abstracting the technological details of cyber threat propagation. These details are managed by cyber protection service providers, ensuring that risk assessments bridge technical evaluations with actionable business insights.
This paper presents the development of the Cyber-DRIVE framework, guided by key requirements and insights from RSA and TARA methodologies. The proposed methodology, with its potential applications and functional components, demonstrates a robust approach to cyber risk management. A realistic case study of a complex cyber-attack benchmarks the efectiveness of the kill chain generation approach. These contributions position Cyber-DRIVE as a promising tool for advancing cyber risk management by addressing the evolving challenges of cybersecurity in dynamic and critical environments.
This work was partially funded by the European Defence Industrial Development Programme (EDIDP) project “European Cyber Situational Awareness Platform” (ECYSAP) and the NextGenerationEU project “Security and Rights in CyberSpace” (SERICS).
The author(s) have not employed any Generative AI tools. [11] X. Ou, S. Govindavajhala, A. W. Appel, MulVAL: A logic-based network security analyzer, in: 14th USENIX Security Symposium (USENIX Security 05), USENIX Association, Baltimore, MD, 2005. URL: https://www.usenix.org/conference/14th-usenix-security-symposium/ mulval-logic-based-network-security-analyzer. [12] MITRE ATT&CK, Spearphishing attachment, https://attack.mitre.org/techniques/T1566/001/, 2023.
URL: https://attack.mitre.org/techniques/T1566/001/, accessed on December 2024. [13] MITRE ATT&CK, User execution: Malicious file, https://attack.mitre.org/techniques/T1204/002/, 2023. URL: https://attack.mitre.org/techniques/T1204/002/, accessed on December 2024.
n b a ~ ~ ~ ~ 1 ~ y : y y y y n n n y y y y y n n n n n
a o s u r s
P e c O ra t .
M a ic I f f T e d f li n f o o r P
o s u r s
P e c b i n ff il a r o e d t
S i n s
u l f
a ro o h P b .
a t a
D M a ic In f f . i L P TD gn e i g m a a E tr t . a D c i if : 2 e l q n q n b e a e a O R ~ R ~
m h h p c C 0 & .0 T 6 y n ~ : o
e m T i ~ : o
e T i l ~ : o T i l C e : il n F s u i
o U cxe il
c E a
M t C a ro c 2C ilp r
P p e A ya o
L B s go tr : r
o no itn o to c o uA xEe troM t
P
H S x S x t x K C & 7 T 0 T 1
T R 1 5 w t f o S
m em te t s y S s y S t l C r e t
C r e C , m e y S t n C o C : r F y S r e S t n e
o H b 7 S n 8 S I 3 6 = = 2 7 8 D u R y S m m o o C C , , S r
m m o o C :
m To ro
F p o
9 & 8 T 4 T 1 A T E :c R s y S m o
C e , e w t s y S
T To li
C r e n o i ta tc a ru D t