The “Iterated Weakest Link” Model of Adaptive Security Investment

作     者：Rainer Böhme Tyler Moore Rainer Böhme;Tyler Moore

作者机构：Department of Computer Science Universitat Innsbruck Innsbruck Austria Tandy School of Computer Science University of Tulsa Oklahoma USA 

出 版 物：《Journal of Information Security》 (信息安全（英文）)

年 卷 期：2016年第7卷第2期

页      面：81-102页

学科分类：08[工学] 0812[工学-计算机科学与技术（可授工学、理学学位）] 

主　　题：Optimal Security Investment under Uncertainty Return on Security Investment 

摘      要：We devise a model for security investment that reflects dynamic interaction between a defender, who faces uncertainty, and an attacker, who repeatedly targets the weakest link. Using the model, we derive and compare optimal security investment over multiple periods, exploring the delicate balance between proactive and reactive security investment. We show how the best strategy depends on the defender’s knowledge about prospective attacks and the recoverability of costs when upgrading defenses reactively. Our model explains why security under-investment is sometimes rational even when effective defenses are available and can be deployed independently of other parties’ choices. Finally, we connect the model to real-world security problems by examining two case studies where empirical data are available: computers compromised for use in online crime and payment card security.