The Iterated Weakest Link - A Model of Adaptive Security Investment

We devise a model for security investment that reflects dynamic interaction between a defender, who faces uncertainty, and an attacker, who repeatedly targets the weakest link. Using the model, we derive and compare optimal security investment over multiple periods, exploring the delicate balance between proactive and reactive security investment. We show how the best strategy depends on the defender’s knowledge about prospective attacks and the recoverability of costs when upgrading defenses reactively. Our model explains why security under-investment is sometimes rational even when effective defenses are available and can be deployed independently of other parties’ choices. Finally, we connect the model to real-world security problems by examining two case studies where empirical data are available: computers compromised for use in online crime and payment card security.
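The dynamic sketched in the abstract (an attacker who always hits the cheapest unprotected link, a defender who must choose how much to protect up front versus after observing attacks) can be made concrete with a small simulation. The code below is an added illustration, not the paper's own model or numbers: the attack rule, the cost parameters (`gain`, `loss`, `defense_cost`, `reactive_premium`), the link costs and the defender's noisy beliefs are all constructed here to show how imperfect knowledge and the recoverability of reactive spending shift the optimal level of proactive investment.

```python
"""Toy iterated weakest-link simulation (constructed illustration, not the paper's model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    gain: float              # attacker's payoff from one successful attack
    loss: float              # defender's loss per successful attack
    defense_cost: float      # cost of protecting one link proactively
    reactive_premium: float  # share of defense_cost that is lost (unrecoverable)
                             # when the same defense is deployed reactively
    rounds: int              # number of attacker moves to simulate


def attacker_target(true_costs, defended, gain):
    """Weakest-link rule (assumed): attack the cheapest undefended link,
    but only if its attack cost is below the attacker's gain; else stay idle."""
    candidates = [(c, i) for i, c in enumerate(true_costs)
                  if i not in defended and c < gain]
    if not candidates:
        return None
    return min(candidates)[1]


def simulate(true_costs, believed_costs, k, p):
    """Defender proactively protects the k links it *believes* are weakest,
    then upgrades reactively after every observed attack.
    Returns (total defender cost, number of successful attacks)."""
    order = sorted(range(len(true_costs)), key=lambda i: believed_costs[i])
    defended = set(order[:k])
    cost = k * p.defense_cost
    breaches = 0
    for _ in range(p.rounds):
        target = attacker_target(true_costs, defended, p.gain)
        if target is None:          # nothing left worth attacking
            break
        breaches += 1
        cost += p.loss              # damage from the successful attack
        defended.add(target)        # reactive upgrade of the link just hit
        cost += p.defense_cost * (1 + p.reactive_premium)
    return cost, breaches


def best_proactive_level(true_costs, believed_costs, p):
    """Compare every proactive level k = 0..n; return (best k, {k: total cost})."""
    n = len(true_costs)
    results = {k: simulate(true_costs, believed_costs, k, p)[0] for k in range(n + 1)}
    return min(results, key=results.get), results


# Constructed sample data: seven links, attacker gain 10, so links 4 and 6 are
# never worth attacking. The defender's beliefs misrank links 3, 4 and 6.
TRUE_COSTS = [2, 9, 4, 8, 15, 1, 20]
BELIEVED_COSTS = [3, 5, 4, 12, 9, 1, 11]

CHEAP_REACTIVE = Params(gain=10, loss=3, defense_cost=5, reactive_premium=0.2, rounds=20)
SUNK_REACTIVE = Params(gain=10, loss=3, defense_cost=5, reactive_premium=2.0, rounds=20)


if __name__ == "__main__":
    for label, beliefs, p in [
        ("uncertain defender, recoverable reactive cost", BELIEVED_COSTS, CHEAP_REACTIVE),
        ("perfect knowledge, recoverable reactive cost", TRUE_COSTS, CHEAP_REACTIVE),
        ("uncertain defender, mostly sunk reactive cost", BELIEVED_COSTS, SUNK_REACTIVE),
    ]:
        k, table = best_proactive_level(TRUE_COSTS, beliefs, p)
        print(f"{label}: best k = {k}, costs by k = {table}")
```

With these constructed numbers the uncertain defender does best protecting only four of seven links and absorbing one attack, because the fifth proactive defense would be wasted on a link the attacker never targets; with perfect knowledge it protects exactly the five attackable links and suffers no breach; and when reactive upgrades are mostly sunk cost, full proactive coverage becomes the cheapest option. That is the abstract's point that under-investment can be rational and that the answer depends on both knowledge and cost recoverability.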
