The Iterated Weakest Link - A Model of Adaptive Security Investment

We devise a model for security investment that reflects dynamic interaction between a defender, who faces uncertainty, and an attacker, who repeatedly targets the weakest link. Using the model, we derive and compare optimal security investment over multiple periods, exploring the delicate balance between proactive and reactive security investment. We show how the best strategy depends on the defender’s knowledge about prospective attacks and the recoverability of costs when upgrading defenses reactively. Our model explains why security under-investment is sometimes rational even when effective defenses are available and can be deployed independently of other parties’ choices. Finally, we connect the model to real-world security problems by examining two case studies where empirical data are available: computers compromised for use in online crime and payment card security.

• Publication year

  2016

• Venue

  Workshop on the Economics of Information Security

• Publication date

  2016-03-16

• Fields of study

  Computer Science, Economics

• Identifiers
  DOI 10.4236/JIS.2016.72006
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• On the Effects of Registrar-level Intervention

  2011cited by this paper
• Using Real Option Thinking to Improve Decision Making in Security Investment

  2010cited by this paper
• The iterated weakest link

  2010cited by this paper
• Decision and Game Theory for Security

  2010cited by this paper
• Optimal Information Security Investment with Penetration Testing

  2010cited by this paper
• Modeling Cyber-Insurance: Towards a Unifying Framework

  2010cited by this paper
• Cybersecurity: Stakeholder incentives, externalities, and policy options

  2009cited by this paper
• Optimised to Fail: Card Readers for Online Banking

  2009cited by this paper
• A walk on the dark side

  2008cited by this paper
• Investments in Information Security: A Real Options Perspective with Bayesian Postaudit

  2008cited by this paper
• Secure or insure?: a game-theoretic analysis of information security games

  2008cited by this paper
• Intrusion-Detection Policies for IT Security Breaches

  2008cited by this paper
• Economics of Malware: Security Decisions, Incentives and Externalities

  2008cited by this paper
• Thinking Inside the Box: System-Level Failures of Tamper Proofing

  2008influential reference
• Reinterpreting the Disclosure Debate for Web Infections

  2008cited by this paper
• Examining the impact of website take-down on phishing

  2007influential reference
• Choosing What to Protect: Strategic Defensive Allocation Against an Unknown Attacker

  2007cited by this paper
• Intrusion Prevention in Information Systems: Reactive and Proactive Responses

  2007cited by this paper
• Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks

  2007cited by this paper
• The Economics of Information Security

  2006cited by this paper
• Models and Measures for Correlation in Cyber-Insurance

  2006cited by this paper
• Understanding and Influencing Attackers' Decisions: Implications for Security Investment Strategies

  2006cited by this paper
• A Model for Opportunistic Network Exploits: The Case of P2P Worms

  2006cited by this paper
• The Economic Incentives for Sharing Security Information

  2005cited by this paper
• Vulnerability Markets What is the economic value of a zero-day exploit ?

  2005cited by this paper
• Toward econometric models of the security risk from remote attacks

  2005cited by this paper
• Improving the ROI of the security management process

  2004cited by this paper
• Basic concepts and taxonomy of dependable and secure computing

  2004cited by this paper
• System Reliability and Free Riding

  2004influential reference
• Information Security Expenditures and Real Options: A Wait-and-See Approach

  2003influential reference
• Interdependent Security

  2003cited by this paper
• Advanced Techniques for Modeling Terrorism Risk

  2002cited by this paper
• The economics of information security investment

  2002cited by this paper
• Why information security is hard - an economic perspective

  2001cited by this paper
• How much is enough? A risk management approach to computer security

  2000cited by this paper
• A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior

  1997cited by this paper
• On the quantitative assessment of behavioural security

  1996cited by this paper
• Why cryptosystems fail

  1994cited by this paper
• A walk on the dark side

  1993cited by this paper
• Towards Operational Measures of Computer Security

  1993cited by this paper
• 2010 IEEE Symposium on Security and Privacy Chip and PIN is Broken

  year unknowncited by this paper

• Voluntary Investment, Mandatory Minimums, or Cyber Insurance: What Minimizes Losses?

  2025cites this paper
• How Does AI Transform Cyber Risk Management?

  2025cites this paper
• Optimal Information System Security Investment: A Control-Theoretic Approach to Balancing Continuous Maintenance and Periodic Upgrades

  2025cites this paper
• A Security Assessment tool for Quantum Threat Analysis

  2024cites this paper
• Evolution and governance of online public opinion during COVID-19: a hybrid approach using communication visualization, SIR modeling, and simulation validation

  2024cites this paper
• Scalable and Feasible Honeypot Solution for SMEs in Cloud Environments

  2024cites this paper
• Capturing the Dynamic Nature of Cyber Risk: Evidence from an Explorative Case Study

  2023cites this paper
• Cybersecurity For Defense Economists

  2022cites this paper
• Decision-Makers' Understanding of Cyber-Security's Systemic and Dynamic Complexity: Insights from a Board Game for Bank Managers

  2022cites this paper
• Hacking for good: Leveraging HackerOne data to develop an economic model of Bug Bounties

  2021cites this paper
• Ten years of attacks on companies using visual impersonation of domain names

  2020cites this paper
• Internet Security

  2020influential citation
• Modeling the Effect of Spending on Cyber Security by Using Surplus Process

  2020cites this paper
• Cyber Insurance and Risk Management: A Normative Analysis

  2019cites this paper
• Development of scenario modeling of conflict tools in a security system based on formal grammars

  2019cites this paper
• Cybersecurity Information Sharing Ecosystems: From the Perspective of Value Creation and Security Investments

  2019cites this paper
• Development of the interacting agents behavior scenario in the cyber security system

  2019cites this paper
• Dynamic Games in Cyber-Physical Security: An Overview

  2019cites this paper
• Monte Carlo methods to investigate how aggregated cyber insurance claims data impacts security investments

  2018influential citation
• Cyber-Warranties as a Quality Signal for Information Security Products

  2018cites this paper
• Challenges to Cybersecurity: Current State of Affairs

  2018cites this paper
• Understanding the dynamics of Information Security Investments: A Simulation-Based Approach

  2017cites this paper
• Enterprise security investment through time when facing different types of vulnerabilities

  2017cites this paper
• Economically Optimal Variable Tag Length Message Authentication

  2017cites this paper
• The practice of information security: An analysis of government employees in Tanzania using the Health Belief Model (HBM)

  2017cites this paper
• Survey on economics of information security

  2016cites this paper
• Software Security Investment: The Right Amount of a Good Thing

  2016cites this paper
• A case for the economics of secure software development

  2016cites this paper
• Misuse, Abuse and Reuse: Economic Utility Functions for Characterising Security Requirements

  2016cites this paper
• Modeling costly learning and counter-learning in a defender-attacker game with private defender information

  2016cites this paper
• The Days Before Zero Day: Investment Models for Secure Software Engineering

  2016influential citation
• A differential game approach to security investment and information sharing in a competitive environment

  2016cites this paper
• Target selection regarding financial malware attacks within the Single Euro Payments Area: Mixed methods research: The expectations of experts versus the patterns shown by the Zeus dataset

  2016cites this paper
• The impact of information sharing on cybersecurity underinvestment: A real options perspective

  2015cites this paper
• From Physical Security to Cyber Security ?

  2015cites this paper
• Applications of game theory in information security

  2015cites this paper
• From physical security to cybersecurity

  2015cites this paper
• The effect of cybercrime on a Bank's finances

  2014cites this paper
• Reinforcement Learning Algorithms for Adaptive Cyber Defense against Heartbleed

  2014cites this paper
• Economic Incentives in the HTTPS Authentication Process

  2014cites this paper
• How Bad is it? – A Branching Activity Model to Estimate the Impact of Information Security Breaches

  2013influential citation
• Small World: Collisions Among Attackers in a Finite Population

  2013cites this paper
• Game theory meets network security and privacy

  2013cites this paper
• Pools, clubs and security: designing for a party not a person

  2012cites this paper
• Financial Cryptography and Data Security

  2012influential citation
• The Theory of Optimal Investment in Information Security and Adjustment Costs: An Impulse Control Approach

  2012cites this paper
• To Invest or Not to Invest? Assessing the Economic Viability of a Policy and Security Configuration Management Tool

  2012cites this paper
• Chapter 21 1 Internet Security

  2012influential citation
• Using Signaling Games to Model the Multi-step Attack-Defense Scenarios on Confidentiality

  2012cites this paper
• Security Audits Revisited

  2012cites this paper
• Why do Nigerian Scammers Say They are From Nigeria?

  2012cites this paper
• Are We Compromised? Modelling Security Assessment Games

  2012cites this paper
• Оптимізація розподілу ресурсів захисту інформації в динамічному режимі

  2012cites this paper
• Economics and Internet Security: A Survey of Recent Analytical, Empirical, and Behavioral Research

  2011cites this paper
• The Interdependent Nature of National Cyber Security: Motivating Private Action for a Public Good

  2011cites this paper
• Where Do All the Attacks Go?

  2011cites this paper
• Optimal Information Security Investment with Penetration Testing

  2010influential citation
• The iterated weakest link

  2010cites this paper
• Modeling Cyber-Insurance: Towards a Unifying Framework

  2010cites this paper
• Security Decision Support Challenges in Data Collection and Use

  2010cites this paper
• Security Metrics and Security Investment Models

  2010influential citation
• Security Decision Support Challenges in Data Collection and Use

  2010cites this paper
• The Plight of the Targeted Attacker in a World of Scale

  2010influential citation
• Challenges in Data Collection and Use

  2010cites this paper
• Dynamic policy-based IDS configuration

  2009cites this paper
• Identifying Subdomain Doppelg¨anger Attacks against Companies

  year unknowncites this paper