JIS Vol.7 No.2, March 2016
The “Iterated Weakest Link” Model of Adaptive Security Investment
Abstract: We devise a model for security investment that reflects dynamic interaction between a defender, who faces uncertainty, and an attacker, who repeatedly targets the weakest link. Using the model, we derive and compare optimal security investment over multiple periods, exploring the delicate balance between proactive and reactive security investment. We show how the best strategy depends on the defender’s knowledge about prospective attacks and the recoverability of costs when upgrading defenses reactively. Our model explains why security under-investment is sometimes rational even when effective defenses are available and can be deployed independently of other parties’ choices. Finally, we connect the model to real-world security problems by examining two case studies where empirical data are available: computers compromised for use in online crime and payment card security.
Cite this paper: Böhme, R. and Moore, T. (2016) The “Iterated Weakest Link” Model of Adaptive Security Investment. Journal of Information Security, 7, 81-102. doi: 10.4236/jis.2016.72006.
