TITLE:
The “Iterated Weakest Link” Model of Adaptive Security Investment
AUTHORS:
Rainer Böhme, Tyler Moore
KEYWORDS:
Optimal Security Investment under Uncertainty, Return on Security Investment
JOURNAL NAME:
Journal of Information Security, Vol. 7 No. 2, March 31, 2016
ABSTRACT: We devise a model for security investment that reflects dynamic
interaction between a defender, who faces uncertainty, and an attacker, who
repeatedly targets the weakest link. Using the model, we derive and compare
optimal security investment over multiple periods, exploring the delicate
balance between proactive and reactive security investment. We show how the
best strategy depends on the defender’s knowledge about prospective attacks and
the recoverability of costs when upgrading defenses reactively. Our model
explains why security under-investment is sometimes rational even when
effective defenses are available and can be deployed independently of other
parties’ choices. Finally, we connect the model to real-world security problems
by examining two case studies where empirical data are available: computers
compromised for use in online crime and payment card security.