Here's what I'm thinking about currently... comments are welcome!

I liked the Security Tally trigger threshold lists in the previous edition, where the system increases its countermeasures depending on how many hits it accumulates over time. That's a nice and simple system that works well and isn't all-or-nothing. I tried to make something similar, which is fast-playing (once it's done) and also fun and exciting.
I was thinking about something along these lines (still work in progress):
There are six general Security Ratings to categorize nodes and systems. 1 is only rudimentary security, while 6 means state of the art high-level security (only for the most important nodes in corporate systems and such; high-level security measures are expensive). Depending on the Security Rating, responses will trigger faster and be more drastic.
Hackers always make opposed tests in the system, just as normal in SR4.
Whenever the system wins on an opposed test, the total hits (not just net hits) are noted and tallied together into an Alarm Total.
When hacking in (on the fly or probing the target first) the system's hits (not net hits) are tallied together to determine the state of the system at the point the hacker made it inside. There is no immediate response yet (see below).
Once inside, any opposed tests against IC or other defenses also add to the total, and immediate responses happen whenever the system wins on an opposed test.
Two things happen whenever the system (or one of its security measures) wins on an opposed test:
1) Immediate Response (Node): Depending on the net hits scored and the Node Security Rating, as well as the current Alarm Level (see below), the system will trigger some immediate responses in the node in question; usually these will be investigative in nature (i.e. validate the user ID (Hacking+Exploit vs Analyze+Firewall; the system triggers immediate responses and raises the Alarm Total as normal), or send some IC to guard the node in question), but when the system is on Active Alert (see below) the responses will change and combat measures are executed against the intruder.
2) Accumulated Response (System): Total hits (not just net hits) are tallied together over all opposed tests where the system wins during a hacking attempt (similar to an extended test); this is called the Alarm Total. For every multiple by which the Alarm Total beats the hacker's Stealth Rating (i.e. Rating 4 means at 4, 8, 12, 16, etc hits) the system's Alarm Level is raised by one step (starting from 0). In other words, the Alarm Level equals Alarm Total / Stealth Rating (round down).
(If there are multiple hackers in the same system, even if they are independent of each other, all hits are tallied together nonetheless; only the immediate response is individual; the compared Stealth Rating should be the lowest one present in the system in that case.)
Whenever a new Alarm Level is reached, the system will trigger system-wide responses (depending on the System Security Rating), releasing IC to patrol or guard specified nodes (depending on each node's Node Security Rating), requesting security hackers for investigation and so on, even system shutdown is possible.
Low Alarm Levels (usually up to 3) mean the system is on Passive Alert (i.e. a possible intrusion, but not verified yet), while higher Alarm Levels (usually 4+) mean that the system is on Active Alert (verification that the system is compromised). Once the system is on Active Alert, combat measures are executed (or even some nodes or the whole system are shut down); this is also the point where Black IC typically appears on the stage. Investigating IC or security hackers can set a system on Active Alert immediately, if they identify an intruder, likewise system-wide Active Alert could happen as an immediate response in a node (typically only for nodes with a higher Node Security Rating, and triggered with a high number of net hits). If an Active Alert is triggered directly like this, the system is set to the lowest Alarm Level with Active Alert (unless it already has a higher Alarm Level, of course, in which case nothing additional happens), and the Alarm Total is set to the new Alarm Level x Stealth Rating (the minimum to reach that Alarm Level, also only if it isn't higher already). Glitches automatically raise the Alarm Level by one (the Alarm Total is set to the minimum for that Alarm Level as above).
The Alarm Level is added to the system's Firewall for all further opposed tests in every node. There's no additional +4 bonus to the Firewall on an Active Alert.
The Alarm Level is also added to the net hits scored in order to check for immediate response in the current node (see above), which means that when the system is on alarm, responses are generally more drastic.
With appropriate access level (security or admin) and when in the appropriate node, it might be possible to lower the Alarm Level, but otherwise it only goes up.
Immediate Response
Each node has a Node Security Rating and a list with immediate responses listed by net hits + Alarm Level (these are added together before determining the response). There should be standard lists (though specific systems could vary here) to make things easy and to help judge proper countermeasures (one for each of the six Security Ratings).
Specifics still need to be ironed out here, but a list could look like this:
QUOTE
Node Security Rating 4:
No Alert (Alarm Level 0) or Passive Alert (Alarm Level 1-3)
net hits + Alarm Level =
1 : none
2 : validate user ID
3 : validate user ID and send Rating 3 White IC (Analyze) to guard the node
4 : validate user ID and send Rating 4 Grey IC (Analyze) to guard the node
5+ : Active Alert and send Rating 4 Grey IC (Attack) to the node
Active Alert (Alarm Level 4+)
net hits + Alarm Level =
1-4 : N/A
5 : send Rating 3 Grey IC (Attack) to the node
6 : send Rating 4 Grey IC (Attack) to the node
7+ : send Rating 3 Black IC (Blackout) to the node
Accumulated Response
There also needs to be a standard list for what happens at what Alarm Level in the system (depending on the System Security Rating) and in each node (with a certain Node Security Rating).
An entry in this list could look like this:
QUOTE
System Security Rating 4:
Alarm Level 3 (Passive Alert)
Request Security Hacker for immediate investigation. Notify Users of a possible security breach. Send Rating 3 Grey IC (watchdog profile) on guard in every node with a Node Security Rating of 5+. Send Rating 4 Grey IC (tracker profile) on patrol through all nodes with Node Security Rating 3-4.
Terminology:
Node Security Rating is the security level of a specific node. More important nodes typically have a higher Security Rating. It ranges from 1 to 6.
System Security Rating is the system's overall level of security; the System Security Rating is not directly related to the Node Security Rating (though higher Node Security Ratings are typically found in systems with a high System Security Rating). It, likewise, ranges from 1 to 6.
Alarm Total is the total number of accumulated hits the system gained during the hacking attempt, where all hits (not just net hits) scored in opposed tests where the system has won are tallied together.
Alarm Level is the state of alarm in the system and equal to Alarm Total / Stealth Rating (round down). As it grows higher, the system becomes gradually more difficult to hack.
Passive Alert means the system has noticed anomalies and investigates further (typically for Alarm Levels up to 3).
Active Alert means the system has verified that it is compromised and an intruder is present; combat measures are executed (typically for Alarm Levels of 4 or higher).
Validate user ID is a Hacking+Exploit vs Analyze+Firewall opposed test; the system triggers immediate responses and raises the Alarm Total as normal.
Black IC is IC employing Blackout or Black Hammer attack programs, while Grey IC only uses standard attack routines. White IC has no attack programs and is purely investigative in nature.
Guarding IC remains at the specified node and analyzes all users in the node once per combat round or attacks/tracks intruders, while patrolling IC randomly switches from node to node (remaining in each node for one combat round, analyzing all users it encounters, unless it finds an intruder to attack/track, in which case it stops patrolling and continues to harass the intruder).
The program listed with each IC determines its main purpose; most IC will have additional programs that are necessary to fulfill its role.
When things should be kept fast and simple, a system could easily be modeled with just a single node with Node Security Rating = System Security Rating. But it also allows designing more complex systems that way as well.
So, what do you think about this so far?
UPDATE! Here are some generic lists, which could be used to try this system out. They are a bit more condensed and instead of having separate lists for the various Ratings, they incorporate the Ratings into the various responses to allow them to be used in all sorts of systems.
The table for immediate responses just lists generic Node Responses with a Rating. These Node Response Ratings are looked up in the table below by consulting the entry corresponding to the NRR (Node Response Rating) and occasionally also the SSR (System Security Rating); e.g. for a Rating 3 Node Response in a System with System Security Rating 4 you look at the entry for NRR 3 (SSR 4), which says "Rating (NSR) Grey IC (Track)", i.e. send a Grey IC (with Track program) with a Rating equal to the Node Security Rating into the node.
Abbreviations:
NSR - Node Security Rating
NRR - Node Response Rating
SSR - System Security Rating
QUOTE
IMMEDIATE RESPONSE
No Alert (Alarm Level 0)
net hits =
1 : no response
2-3 : validate user ID
4+ : set Passive Alert, validate user ID and Rating 1 Node Response
Passive Alert (Alarm Level 1-3)
net hits + Alarm Level =
1 : N/A
2 : validate user ID
3 : validate user ID and Rating 1 Node Response
4 : validate user ID and Rating 2 Node Response
5 : validate user ID and Rating 3 Node Response
6+ : set Active Alert, attempt to terminate connection and Rating 4 Node Response
Active Alert (Alarm Level 4+)
net hits + Alarm Level =
1-4 : N/A
5 : Rating 4 Node Response
6 : Rating 5 Node Response
7+ : Rating 6 Node Response
QUOTE
NODE RESPONSE
NRR 1 (SSR 1-6) : Rating (NSR) White IC (Analyze)
NRR 2 (SSR 1-6) : Rating (NSR+1) White IC (Analyze)
NRR 3 (SSR 1-6) : Rating (NSR) Grey IC (Track)
NRR 4 (SSR 1-6) : Rating (NSR) Grey IC (Attack)
NRR 5 (SSR 1-4) : Rating (NSR+1) Grey IC (Attack)
NRR 5 (SSR 5-6) : Rating (NSR-1) Black Ice (Blackout)
NRR 6 (SSR 1-3) : Rating (NSR+2) Grey IC (Attack)
NRR 6 (SSR 4) : Rating (NSR) Black Ice (Blackout)
NRR 6 (SSR 5-6) : Rating (NSR) Black Ice (Black Hammer)
----------
If the IC Rating would be 0, no IC is sent.
If the IC Rating would be 7 or higher, the IC Rating is 6 instead, and the number of IC sent is the calculated Rating - 6.
QUOTE
ACCUMULATED RESPONSE
Alarm Level 0 (No Alert)
Nothing happens.
Alarm Level 1 (Passive Alert)
SSR 4-6: Send Rating (SSR-1) White IC (Analyze) on patrol through all nodes with NSR 4+.
SSR 6: Notify System Owner of a possible security breach.
Alarm Level 2 (Passive Alert)
Send Rating (SSR-1) White IC (Analyze) on patrol through all nodes with NSR 3-4.
Send Rating (SSR) White IC (Analyze) on patrol through all nodes with NSR 5+.
SSR 5-6: Notify System Owner of a possible security breach.
SSR 6: Request Security Hacker for immediate investigation.
Alarm Level 3 (Passive Alert)
Send Rating (SSR) White IC (Analyze) on guard in every node with NSR 4+.
Send Rating (SSR-1) Grey IC (Track) on patrol through all nodes with NSR 4+.
SSR 4-6: Notify System Owner of a possible security breach.
SSR 5: Request Security Hacker for immediate investigation.
Alarm Level 4 (Active Alert)
Notify Users and System Owner of a confirmed security breach.
Remove all patrolling White IC.
Send Rating (SSR) Grey IC (Attack) on guard in every node with NSR 5+.
Send Rating (SSR) Grey IC (Track) on patrol through all nodes.
SSR 4: Request Security Hacker for immediate investigation.
Alarm Level 5 (Active Alert)
Notify Users and System Owner of a confirmed security breach.
Terminate all User Connections without valid Security or Admin access level.
Shut down all nodes with NSR 6.
Send Rating (SSR+1) Grey IC (Attack) on patrol through all nodes.
SSR 3: Request Security Hacker for immediate investigation.
Alarm Level 6 (Active Alert)
Notify Users and System Owner of a confirmed security breach.
Terminate all User Connections without valid Security or Admin access level.
Shut down all nodes with NSR 5.
Send Rating (SSR+2) Grey IC (Attack) on patrol through all nodes.
Alarm Level 7+ (Active Alert)
Notify Users and System Owner of System Shutdown.
Complete System Shutdown.
----------
If the IC Rating would be 0, no IC is sent.
If the IC Rating would be 7 or higher, the IC Rating is 6 instead, and the number of IC sent is the calculated Rating - 6.
Bye
Thanee
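
Added example, not part of the original post: a small Python sketch of the Alarm Total / Alarm Level bookkeeping and the NODE RESPONSE lookup described above, including the IC Rating 0 and 7+ rules. The names `AlarmTracker` and `node_response` are hypothetical, the Active Alert threshold is fixed at the post's "usually 4+", and the table's "Black Ice" entries are stored as type "Black".

```python
from dataclasses import dataclass

ACTIVE_ALERT_LEVEL = 4  # assumption: the post's "usually 4+" taken as fixed


@dataclass
class AlarmTracker:
    stealth: int    # lowest Stealth Rating among the hackers in the system
    total: int = 0  # Alarm Total

    @property
    def level(self):
        # Alarm Level = Alarm Total / Stealth Rating (round down)
        return self.total // self.stealth

    def system_wins(self, system_hits):
        # Total hits (not net hits) are tallied whenever the system wins.
        self.total += system_hits
        return self.level

    def raise_to(self, level):
        # Set the total to the minimum for that level; never lower it.
        self.total = max(self.total, level * self.stealth)
        return self.level

    def glitch(self):
        return self.raise_to(self.level + 1)

    def active_alert(self):
        # Directly triggered Active Alert (e.g. IC identifies the intruder).
        return self.raise_to(ACTIVE_ALERT_LEVEL)


# (NRR, lowest SSR, highest SSR, modifier to NSR, IC type, program)
NODE_RESPONSE = [
    (1, 1, 6, 0, "White", "Analyze"), (2, 1, 6, 1, "White", "Analyze"),
    (3, 1, 6, 0, "Grey", "Track"), (4, 1, 6, 0, "Grey", "Attack"),
    (5, 1, 4, 1, "Grey", "Attack"), (5, 5, 6, -1, "Black", "Blackout"),
    (6, 1, 3, 2, "Grey", "Attack"), (6, 4, 4, 0, "Black", "Blackout"),
    (6, 5, 6, 0, "Black", "Black Hammer"),
]


def node_response(nrr, ssr, nsr):
    """Return (count, rating, type, program), or None if no IC is sent."""
    for r, lo, hi, mod, kind, prog in NODE_RESPONSE:
        if r == nrr and lo <= ssr <= hi:
            rating = nsr + mod
            if rating <= 0:
                return None  # IC Rating would be 0: no IC is sent
            # Rating 7+: cap at 6 and send (calculated Rating - 6) IC
            count = rating - 6 if rating >= 7 else 1
            return (count, min(rating, 6), kind, prog)
    raise ValueError("no NODE RESPONSE entry for that NRR/SSR")
```
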