<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article  PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd"><article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article"><front><journal-meta><journal-id journal-id-type="publisher-id">JIS</journal-id><journal-title-group><journal-title>Journal of Information Security</journal-title></journal-title-group><issn pub-type="epub">2153-1234</issn><publisher><publisher-name>Scientific Research Publishing</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.4236/jis.2016.72006</article-id><article-id pub-id-type="publisher-id">JIS-65271</article-id><article-categories><subj-group subj-group-type="heading"><subject>Articles</subject></subj-group><subj-group subj-group-type="Discipline-v2"><subject>Computer Science&amp;Communications</subject></subj-group></article-categories><title-group><article-title>
 
 
  The “Iterated Weakest Link” Model of Adaptive Security Investment
 
</article-title></title-group><contrib-group><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>ainer</surname><given-names>Böhme</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Tyler</surname><given-names>Moore</given-names></name><xref ref-type="aff" rid="aff2"><sup>2</sup></xref></contrib></contrib-group><aff id="aff2"><addr-line>Tandy School of Computer Science, University of Tulsa, Oklahoma, USA</addr-line></aff><aff id="aff1"><addr-line>Department of Computer Science, Universitat Innsbruck, Innsbruck, Austria</addr-line></aff><pub-date pub-type="epub"><day>16</day><month>03</month><year>2016</year></pub-date><volume>07</volume><issue>02</issue><fpage>81</fpage><lpage>102</lpage><history><date date-type="received"><day>24</day>	<month>February</month>	<year>2016</year></date><date date-type="rev-recd"><day>accepted</day>	<month>28</month>	<year>March</year>	</date><date date-type="accepted"><day>31</day>	<month>March</month>	<year>2016</year></date></history><permissions><copyright-statement>&#169; Copyright  2014 by authors and Scientific Research Publishing Inc. </copyright-statement><copyright-year>2014</copyright-year><license><license-p>This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/</license-p></license></permissions><abstract><p>
 
 
  We devise a model for security investment that reflects dynamic interaction between a defender, who faces uncertainty, and an attacker, who repeatedly targets the weakest link. Using the model, we derive and compare optimal security investment over multiple periods, exploring the delicate balance between proactive and reactive security investment. We show how the best strategy depends on the defender’s knowledge about prospective attacks and the recoverability of costs when upgrading defenses reactively. Our model explains why security under-investment is sometimes rational even when effective defenses are available and can be deployed independently of other parties’ choices. Finally, we connect the model to real-world security problems by examining two case studies where empirical data are available: computers compromised for use in online crime and payment card security.
 
</p></abstract><kwd-group><kwd>Optimal Security Investment under Uncertainty</kwd><kwd> Return on Security Investment</kwd></kwd-group></article-meta></front><body><sec id="s1"><title>1. Security Investment in an Uncertain World</title><p>We hear about security breaches in the news almost daily, each bigger and more costly than the last. Does this reflect flawed technology, policy, or simply ineptitude? What if, instead, allowing some attacks to succeed is entirely rational for businesses? Rather than over-invest proactively, firms could wait to observe which attacks work and use this knowledge to better allocate security spending. In this article, we describe a model that weighs the merits of such an approach.</p><p>One key insight from the economics of information security literature is that attackers bent on undermining a system’s security operate strategically [<xref ref-type="bibr" rid="scirp.65271-ref1">1</xref>] . Moreover, information systems are often structured so that a system’s overall security depends on its weakest link [<xref ref-type="bibr" rid="scirp.65271-ref2">2</xref>] . A careless programmer in a software firm can intro- duce a critical vulnerability. The Internet’s global, distributed architecture leads to security being dominated by the weakest link―attackers compromise machines hosted at Internet service providers (ISPs) with lax enforce- ment policies or located in uncooperative countries. Attackers have repeatedly exhibited a knack for identifying the easiest way to bypass a system’s security, even when the system’s designer remains unaware of the parti- cular weakness.</p><p>However, systems do not exist in a vacuum; rather, defenders respond to attacks by plugging known holes. And yet, as soon as one weakest link is fixed, another weak point is often identified and exploited. Therefore, a strong dynamic component is at play: attackers find the weakest link; defenders fix the problem; attackers find new holes which are then plugged, and so on. We see that this pattern emerges repeatedly. For instance, attackers construct networks of compromised machines (so-called botnets) to pester legitimate users by emitting spam, distributing malware and hosting phishing websites. Attackers concentrate their efforts at the most irresponsible ISPs, moving on to others only after the ISP cleans up its act or is shut down. Likewise, technical countermeasures to payment card fraud have evolved over time, causing fraudsters to adopt new strategies as old weaknesses are fixed. For example, when UK banks migrated to PIN verification of transactions rather than signatures, in-person retail fraud declined while overseas ATM fraud and card-not-present fraud skyrocketed.</p><p>In this article, we devise a model that reflects this dynamic interaction between attackers and defenders. Our model captures the iterative aspect of attack and defense; we exclusively study the case where security depends on the weakest link; consequently, we model the iterated weakest link.</p><p>Plugging known holes come at a cost for the defender. And as often experienced in real systems, this cost is not always proportional to the number of controls in place. For example, organization science suggests that complexity adds super-linear administrative costs, for instance to pay a manager who directs several employees where each is an expert for a particular control. Conflicting defenses also emerge from incompatible systems, e.g., running two virus scanners on the same machine to increase coverage slows down the machine and causes errors. Lastly, human behavior fundamentally limits the composability of defenses: a password policy that re- quires both special characters (defense 1) and frequent password changes (defense 2) encourages people to stick their password on their monitor. Our model can account for interdependent defensive countermeasures.</p><p>Practical security engineers will note that it is already difficult to obtain detailed information on cost struc- tures, but what is even more unrealistic is attempts to determine the attackers’ cost and plug them into decision tables. In the real world, defenders almost always operate with incomplete information, and oftentimes a rough gauge on the relative magnitude of known threats is all the information available to a decision maker.</p><p>So another key characteristic of our model is to reflect uncertainty about which components are weakest, and therefore, which components are most susceptible to attack. All chief information security officers (CISOs) know that the security of their computer systems is imperfect at best; the better ones have catalogued the many ways an attacker might penetrate their systems, mitigating risks where possible and accepting the rest. What they remain uncertain about is which, if any, of the vulnerable components an attacker will choose to exploit. We capture this uncertainty into our model and use it to analyze how defense strategies change as knowledge about the attacker varies.</p><p>We reach several interesting conclusions upon examining the model. By comparing the static case (a single round of attack and defense) to the dynamic one (multiple rounds), we find that different defender strategies may prevail. When the defender only gets one chance to protect a system, increasing uncertainty about which link is weakest causes the defender to protect more assets, but only up to a point. When uncertainty is too high, the defender does not know which asset to protect and so chooses to protect none. If instead we allow for repeated defensive investments, an uncertain defender will initially protect fewer assets and wait for the attacker to “identify” the weakest links to be fixed in later rounds. Hence, it can be quite rational to under-invest in security until threats are realized. Unlike in other theories, this type of under-investment is not driven by the interrelation with other market participants and resulting incentive systems. Of course, security countermeasures may require significant capital investment from the outset. When we consider unrecoverable costs in our model, we find that for moderate levels of uncertainty, high unrecoverable update costs can raise the proactive protec- tion investment.</p><p>We then translate these findings about optimal defensive strategies into accepted security indicators such as annual loss expectancy (ALE) and return on security investment (ROSI). Return on investment drops as uncer- tainty about known attacks rises, even as the defender grows increasingly reactive when countering realized threats.</p><p>We do not deal with the problem of distributing costs if the defender is in fact a coalition of multiple parties (such as in the case of protecting global infrastructure) and the resulting incentive systems, which we regard as a separate problem to be studied independently. We refer the reader to the literature on externalities, such as [<xref ref-type="bibr" rid="scirp.65271-ref2">2</xref>] - [<xref ref-type="bibr" rid="scirp.65271-ref4">4</xref>] .</p><p>The remainder of this article is organized as follows: Section 2 specifies the model, which is solved later on in Section 3. We apply the model to real problems in two case studies on current topics of information security, namely online crime (Section 5.1) and payment card security (Section 5.2). Section 6 puts our contribution into perspective with prior art, and Section 7 concludes the article.</p><p>Readers who want to glance over the article without getting into the formal details may find the model summary in Section 2.6 along with the interpretation of example results in Section 4 most useful. Also the case studies (Section 5) and the general conclusion (Section 7) do not require deep understanding of the model. A non-technical summary of the model’s key ideas has also appeared in a magazine format [<xref ref-type="bibr" rid="scirp.65271-ref5">5</xref>] .</p></sec><sec id="s2"><title>2. Model</title><p>Imagine a simplistic world, in which a defender protects an asset of value a against a dispersed set of possibly heterogeneous attackers. There exist n possible threats, which can be regarded as distinct attack vectors against a single system.<sup>1</sup> Each threat can be warded off by investing in its corresponding defense (or control). In other words, we assume a one-to-one mapping between threats and defenses, and defenses are always effective.</p><sec id="s2_1"><title>2.1. Defender’s Options</title><p>The model is “run” in an iterated player-versus-nature game with discrete time<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x6.png" xlink:type="simple"/></inline-formula>. In each round, the defender makes a security investment decision to define his configuration of defenses <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x7.png" xlink:type="simple"/></inline-formula> and extracts a net return <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x8.png" xlink:type="simple"/></inline-formula> from his asset before the attacker penetrates the system and, if successful, loots a fraction z of the asset. Gross returns are consumed or distributed so that the asset value does not accumulate over time. The defender seeks to maximize his expected return per round, where expectations are taken over the realizations of random variables and averages calculated over time.</p><p>Let elements <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x9.png" xlink:type="simple"/></inline-formula> of the binary column vector <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x10.png" xlink:type="simple"/></inline-formula> indicate whether a defense against the i-th threat is</p><p>implemented (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x11.png" xlink:type="simple"/></inline-formula>) or not<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x12.png" xlink:type="simple"/></inline-formula>, and let <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x13.png" xlink:type="simple"/></inline-formula> be the number of defenses in place.</p><p>The cost of defense <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x14.png" xlink:type="simple"/></inline-formula> in round t can be calculated from an <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x15.png" xlink:type="simple"/></inline-formula> upper triangular cost matrix <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x16.png" xlink:type="simple"/></inline-formula> to reflect possible interdependent defenses,</p><disp-formula id="scirp.65271-formula1448"><label>(1)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x17.png"  xlink:type="simple"/></disp-formula><p>Diagonal elements <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x18.png" xlink:type="simple"/></inline-formula> hold the cost to implement a defense against the i-th threat, and off-diagonal elements <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x19.png" xlink:type="simple"/></inline-formula> indicate the extra costs if the i-th defense is implemented together with the j-th defense. If all off- diagonal elements are zero, then the defenses are independent:<sup>2</sup></p><p>A nice property of the cost matrix is that for positive off-diagonal elements, decreasing marginal utility of defenses has become endogenous to our model. This compares favorably to, say, the Gordon-Loeb framework, in which this property appears as an assumption (A3 of [<xref ref-type="bibr" rid="scirp.65271-ref6">6</xref>] , p. 443).</p></sec><sec id="s2_2"><title>2.2. Defender’s Knowledge</title><p>While the defender may possess some intuition about the relative difficulty of carrying out the n threats, such knowledge may very well be blurred. To model this uncertainty, we order the threats <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x23.png" xlink:type="simple"/></inline-formula> by increasing expected cost of attack, where the expectation is taken from the point of view of the defender. This constitutes our notion of an attack profile. This rank order is also convenient because it allows us to ignore the threats deemed too unlikely when deciding what to defend. This way, one can think of the n threats as those anti- cipated by the defender.</p><p>We define a simple functional form for the expected attack costs <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x24.png" xlink:type="simple"/></inline-formula> of the i-th threat as follows,</p><disp-formula id="scirp.65271-formula1449"><label>(2)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x25.png"  xlink:type="simple"/></disp-formula><p>The unknown true cost<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x26.png" xlink:type="simple"/></inline-formula>, however, is modeled as a Gaussian random variable with mean <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x26.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x27.png" xlink:type="simple"/></inline-formula> and standard deviation <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x26.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x27.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x28.png" xlink:type="simple"/></inline-formula> (truncated to values<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x26.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x27.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x28.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x29.png" xlink:type="simple"/></inline-formula>),</p><disp-formula id="scirp.65271-formula1450"><label>(3)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x30.png"  xlink:type="simple"/></disp-formula><p>The realizations <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x31.png" xlink:type="simple"/></inline-formula> are drawn only once and kept constant over time. We can vary the level of uncertainty by adjusting parameter<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x31.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x32.png" xlink:type="simple"/></inline-formula>. Modeling uncertainty in this way is crucial to the model, since it captures the diffi- culty defenders face in anticipating which of the undefended threats turns out to be the weakest link exploited by the attacker. <xref ref-type="fig" rid="fig1">Figure 1</xref> illustrates the role of uncertainty when ordering threats. The left graph plots a perfect matching between expected and realized costs of attack under certainty; under uncertainty, by contrast, the right graph shows that threat 4, not threat 3 as expected, is the weakest link if defenses 1 and 2 are in place.</p><p>The defender’s knowledge about the attack profile will naturally increase over time once attacks occur, and so her uncertainty decreases as the observed attacks reveal which threat is in fact the weakest link with respect to a given configuration<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x33.png" xlink:type="simple"/></inline-formula>.</p></sec><sec id="s2_3"><title>2.3. Unrecoverable Costs</title><p>So far we have assumed that the defender can upgrade his configuration <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x34.png" xlink:type="simple"/></inline-formula> at any time. This may be necessary in order to adjust to new information on the threat level or to changing risk appetite. For example, a start-up company is exposed to so many risks that is might tolerate a moderate level of information security risk. As the venture grows and develops a brand name, its risk aversion will increase to reflect the higher damage caused by potential reputation losses. Conversely, market competition (alongside herd behavior and short-sighted incen- tives to management) may drive firms to decrease their risk aversion for the sake of higher expected profits.</p><p>As is argued in [<xref ref-type="bibr" rid="scirp.65271-ref6">6</xref>] , security disinvestment is often possible to a certain degree, since personnel can be fired or equipment sold (though sometimes at high transaction costs). However, for many businesses, updating <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x35.png" xlink:type="simple"/></inline-formula> may be very expensive and the costs are spent irrevocably. For instance, the vast majority of the cost to incorporate new security features into bank notes or payment cards are borne when the changes are first made. Producing and distributing tailored tokens or devices to a large and dispersed community is expensive, and unlikely to be repeated often. As unrecoverable costs considerably affect the strategy of security investment in an iterated setting, we include them in our model as follows:</p><fig-group id="fig1"><label><xref ref-type="fig" rid="fig1">Figure 1</xref></label><caption><title> Attack profile. The defender forms expectations about the rank order of attack costs, but does not know the true costs until attacks are actually observed. (a) [certainty:<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x37.png" xlink:type="simple"/></inline-formula>]; (b) [uncertainty:<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x37.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x38.png" xlink:type="simple"/></inline-formula>].</title></caption><fig id ="fig1_1"><label> (b)</label><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/5-7800361x36.png"/></fig></fig-group><disp-formula id="scirp.65271-formula1451"><label>(4)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x39.png"  xlink:type="simple"/></disp-formula><p>Hence, parameter <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x40.png" xlink:type="simple"/></inline-formula> controls the amount of unrecoverable costs, on an ex post basis sometimes referred to as sunk costs.</p></sec><sec id="s2_4"><title>2.4. Attacker’s Options and Knowledge</title><p>Our attacker model is very simple: the attacker identifies and exploits the weakest link, i.e., the threat least costly to the attacker. We do not require the attacker to make a trade-off between cost and potential gains by assuming the same utility is received for exploiting all threats. If the attacker succeeds, regardless of how, he profits<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x41.png" xlink:type="simple"/></inline-formula>, which is added to the defender’s cost. Unlike the defender, the attacker is certain of the cost for each realization of<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x41.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x42.png" xlink:type="simple"/></inline-formula>. The attacker does not operate indiscriminately; rather, he only attacks when it is pro- fitable to do so; that is, if the term <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x41.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x42.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x43.png" xlink:type="simple"/></inline-formula> is not negative.</p><p>These attacker assumptions are quite strong and probably unrealistic in some cases. For targeted attackers in particular, searching for the weakest link could be very expensive. So a more appropriate conception is the presence of many opportunistic attackers [<xref ref-type="bibr" rid="scirp.65271-ref7">7</xref>] who operate independently. Like in swarm intelligence, the chance that one of them finds the hole is quite high.</p><p>Moreover, the attacker’s gain from successful attacks may only represent a small fraction of the defender’s losses. But this is not crucial here since we do not consider attackers’ profits; we simply need an asset-dependent quantity to relate to the cost<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x44.png" xlink:type="simple"/></inline-formula>. A level shift of <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x44.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x45.png" xlink:type="simple"/></inline-formula> could easily account for the negative balance (destruction of wealth) after successful attacks. This assumption is also common in the literature (e.g., [<xref ref-type="bibr" rid="scirp.65271-ref8">8</xref>] ), and justified there by attackers who mainly care about inflicting harm on the defender. In summary, we consider it prudent to err in the direction of a more powerful attacker than an unrealistically weak one.</p></sec><sec id="s2_5"><title>2.5. Simplifying Assumptions</title><p>To make the analysis more tractable, we restrict the space of possible cost matrices <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x46.png" xlink:type="simple"/></inline-formula> by fixing all diagonal elements <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x46.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x47.png" xlink:type="simple"/></inline-formula> to a unit cost of value one and all off-diagonal elements<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x46.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x47.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x48.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x46.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x47.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x48.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x49.png" xlink:type="simple"/></inline-formula>to the same constant<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x46.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x47.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x48.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x49.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x50.png" xlink:type="simple"/></inline-formula>. Hence, we can now derive from Equation (1) a simple expression for the cost per round to maintain k defenses,</p><disp-formula id="scirp.65271-formula1452"><label>(5)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x51.png"  xlink:type="simple"/></disp-formula><p>Observe that <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x52.png" xlink:type="simple"/></inline-formula> if <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x52.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x53.png" xlink:type="simple"/></inline-formula> and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x52.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x53.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x54.png" xlink:type="simple"/></inline-formula> if<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x52.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x53.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x54.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x55.png" xlink:type="simple"/></inline-formula>. Of course, if better knowledge on the cost of defenses is available in practical applications of the model, this assumption can be relaxed and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x52.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x53.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x54.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x55.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x56.png" xlink:type="simple"/></inline-formula> populated with real data.</p><p>We further assume a risk neutral defender, that is, one who maximizes inter-temporal utility as a linear function of (expected) revenues and costs. We defer consideration of other attitudes towards risk or different time preferences to future work in order to keep the core model lean.</p></sec><sec id="s2_6"><title>2.6. Model Summary and Example Parameters</title><p>Our model can be applied to many scenarios. For now, we demonstrate its parameters in action by considering an imaginary online music store to demonstrate its parameters in action (we describe other scenarios in Section 5). The music store’s asset is the library of audio files and the associated property rights. Let the total value of the asset be one million dollars. To avoid large numbers, we count in thousands of dollars, so asset value a = 1 000. Every year, indexed by t, the net return from online sales amounts to <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x57.png" xlink:type="simple"/></inline-formula> of the asset value.</p><p>Surrounded by malicious competitors, professional cybercriminals and “curious customers”, the store is ex- posed to various threats (say,<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x58.png" xlink:type="simple"/></inline-formula>). In case of a successful attack, the store loses <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x58.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x59.png" xlink:type="simple"/></inline-formula> of the asset value, or $25,000, due to forgone sales and incurred damage. It is known (from industry sources) that, on average over all similar businesses, the cost of a successful attack is at least 15,000 dollars (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x58.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x59.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x60.png" xlink:type="simple"/></inline-formula>). This could be the price for an attack kit against standard software on the underground market for cybercrime supplies [<xref ref-type="bibr" rid="scirp.65271-ref9">9</xref>] . Attack costs also rise with novelty and difficulty of implementation, on average by 1000 dollars for each level of sophistication. Hence, the gradient of the attack cost is<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x58.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x59.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x60.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x61.png" xlink:type="simple"/></inline-formula>. However, these are only average values and it is unknown how much the actual costs are to attack the particular business. This uncertainty can be expressed by the deviation <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x58.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x59.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x60.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x61.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x62.png" xlink:type="simple"/></inline-formula> of the attack costs around the average. To put this parameter in perspective, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x58.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x59.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x60.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x61.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x63.png" xlink:type="simple"/></inline-formula>means that all attacks can be predicted perfectly, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x58.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x59.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x60.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x61.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x64.png" xlink:type="simple"/></inline-formula>means 96% of the attacks can be predicted correctly,<sup>3</sup> and for<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x58.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x59.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x60.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x61.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x62.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x63.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x64.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x65.png" xlink:type="simple"/></inline-formula>, predicting attacks is only 65% successful. This is still somewhat better than random guessing.</p><p>The store owner is not entirely helpless: he may spend on security measures to defend against each of the <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x66.png" xlink:type="simple"/></inline-formula> threats. Each defense costs 1000 dollars per round (this is a constant that defines the unit, so no symbol is required). On top of that, defense interdependence with parameter <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x66.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x67.png" xlink:type="simple"/></inline-formula> accounts for additional cost for every pair of installed defenses. As a consequence, every investment in security must be carefully considered, since countermeasures added later cost more due to increased complexity and interoperability challenges. Finally, parameter <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x66.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x67.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x68.png" xlink:type="simple"/></inline-formula> controls (optional) unrecoverable costs. It describes the cost to update the defense con- figuration as a fraction of the asset value a. In the example of a music store, unrecoverable costs are negligible (i.e.,<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x66.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x67.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x68.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x69.png" xlink:type="simple"/></inline-formula>) since security upgrades do usually not render existing investment useless. However, if the music store served a proprietary audio format targeted to specific playback devices, an exchange of all customers’ physical playback devices to upgrade the defense configuration could be modeled as unrecoverable cost (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x66.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x67.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x68.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x69.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x70.png" xlink:type="simple"/></inline-formula>).</p><p><xref ref-type="table" rid="table1">Table 1</xref> summarizes the parameters of our model and their values used in the subsequent examples. The following section will show how defenders can optimize their security spending in this model. We are primarily interested in exploring how the optimal strategy changes based on the level of uncertainty<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x72.png" xlink:type="simple"/></inline-formula>; we also elaborate on the role of unrecoverable costs<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x72.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x73.png" xlink:type="simple"/></inline-formula>.</p></sec></sec><sec id="s3"><title>3. Analysis</title><p>We distinguish between static analysis, where the defender chooses the configuration in the first round (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x74.png" xlink:type="simple"/></inline-formula>) and keeps it constant further on, and dynamic analysis, where the configuration can be updated in every round. In case of certainty (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x74.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x75.png" xlink:type="simple"/></inline-formula>), a static solution exists that is at least as good as any dynamic strategy. Unrecover- able costs are relevant in the dynamic setting only.</p><table-wrap id="table1" ><label><xref ref-type="table" rid="table1">Table 1</xref></label><caption><title> Overview of model parameters</title></caption><table><tbody><thead><tr><th align="center" valign="middle" >Parameter</th><th align="center" valign="middle" >Symbol</th><th align="center" valign="middle" >Example values</th></tr></thead><tr><td align="center" valign="middle" >Business model</td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Asset value</td><td align="center" valign="middle" >a</td><td align="center" valign="middle" >1 000</td></tr><tr><td align="center" valign="middle" >Time in years</td><td align="center" valign="middle" >t</td><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x76.png" xlink:type="simple"/></inline-formula></td></tr><tr><td align="center" valign="middle" >Return</td><td align="center" valign="middle" >r</td><td align="center" valign="middle" >5.0%</td></tr><tr><td align="center" valign="middle" >Attacker</td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Number of threats</td><td align="center" valign="middle" >n</td><td align="center" valign="middle" >25</td></tr><tr><td align="center" valign="middle" >Loss given attack</td><td align="center" valign="middle" >z</td><td align="center" valign="middle" >2.5%</td></tr><tr><td align="center" valign="middle" >Expected minimum attack cost</td><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x77.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" >15</td></tr><tr><td align="center" valign="middle" >Gradient of attack cost</td><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x78.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" >1</td></tr><tr><td align="center" valign="middle" >Level of uncertainty</td><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x79.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x80.png" xlink:type="simple"/></inline-formula></td></tr><tr><td align="center" valign="middle" >Defense</td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Cost of each individual defense</td><td align="center" valign="middle" >1</td><td align="center" valign="middle" >1 (unit definition)</td></tr><tr><td align="center" valign="middle" >Defense interdependence</td><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x81.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" >0.1</td></tr><tr><td align="center" valign="middle" >Unrecoverable costs</td><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x82.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" >0</td></tr></tbody></table></table-wrap><sec id="s3_1"><title>3.1. Static Solution</title><p>We consider a defender with defense vector <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x83.png" xlink:type="simple"/></inline-formula> where the <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x83.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x84.png" xlink:type="simple"/></inline-formula> lowest cost threats are defended, leaving the remaining <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x83.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x85.png" xlink:type="simple"/></inline-formula> threats unprotected: <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x83.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x85.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x86.png" xlink:type="simple"/></inline-formula>and<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x83.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x85.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x86.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x87.png" xlink:type="simple"/></inline-formula>. Let <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x83.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x84.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x85.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x86.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x87.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x88.png" xlink:type="simple"/></inline-formula> be the return function for this defender,</p><disp-formula id="scirp.65271-formula1453"><label>(6)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x89.png"  xlink:type="simple"/></disp-formula><disp-formula id="scirp.65271-formula1454"><label>(7)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x90.png"  xlink:type="simple"/></disp-formula><p>where q is an indicator variable that takes value one if the attacker is successful and zero otherwise. In the case of certainty, q is fixed for all rounds, so that two outcomes are possible:</p><disp-formula id="scirp.65271-formula1455"><label>(8)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x91.png"  xlink:type="simple"/></disp-formula><disp-formula id="scirp.65271-formula1456"><label>(9)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x92.png"  xlink:type="simple"/></disp-formula><p>The cost term disappears in Equation (8) because if we accept attacks anyway, then there is no need to spend money to make it more difficult for the attacker (i.e., k = 0). Otherwise, the minimal number of defenses <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x93.png" xlink:type="simple"/></inline-formula> to defeat all attacks can be calculated by rearranging Equation (2) and comparing it to the attacker’s gain<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x93.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x94.png" xlink:type="simple"/></inline-formula>,</p><disp-formula id="scirp.65271-formula1457"><label>(10)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x95.png"  xlink:type="simple"/></disp-formula><p>Typically, the best strategy for the defender is to follow whatever is higher, Equation (8) or (9), with<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x96.png" xlink:type="simple"/></inline-formula>. When Equation (9) is lower than Equation (8), the defender finds it profitable to operate without investing in any security measures. We call this situation indefensible, which does not necessarily imply that the business is unsustainable. Rather like in self-insurance, the defender extracts positive gross return after deducting the losses due to successful attacks. Only when both equations are negative, the cost of attacks and the cost of defending them are both so high that the defender’s business becomes unviable.</p><p>In the case of uncertainty (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x97.png" xlink:type="simple"/></inline-formula>), q becomes a random variable and a risk neutral defender maximizes<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x97.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x98.png" xlink:type="simple"/></inline-formula>, where expectations are taken over the realizations of q. For a static solution, it is still rational to use configurations in which lower-order threats are defended first. So we can calculate <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x97.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x98.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x99.png" xlink:type="simple"/></inline-formula> as a function of k as the probability that the cost of at least one of the unprotected threats falls below the threshold<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x97.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x98.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x99.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x100.png" xlink:type="simple"/></inline-formula>,</p><disp-formula id="scirp.65271-formula1458"><label>(11)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x101.png"  xlink:type="simple"/></disp-formula><p>where <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x102.png" xlink:type="simple"/></inline-formula> is the cumulative distribution function of the Gaussian normal distribution. The product term is the probability that none of the <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x102.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x103.png" xlink:type="simple"/></inline-formula> undefended threats materializes, so one minus this term is the probability of at least one successful attack. Inserting into Equation (7), we obtain</p><disp-formula id="scirp.65271-formula1459"><label>(12)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x104.png"  xlink:type="simple"/></disp-formula><p><xref ref-type="fig" rid="fig2">Figure 2</xref> depicts expected returns of the static solution as a function of k for parameters as specified in <xref ref-type="table" rid="table1">Table 1</xref>. Each curve corresponds to different levels of uncertainty; the utility-maximizing selection of <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x105.png" xlink:type="simple"/></inline-formula> for each uncertainty level is circled. In the case of certainty (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x105.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x106.png" xlink:type="simple"/></inline-formula>), the optimal security investment amounts to <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x105.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x106.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x107.png" xlink:type="simple"/></inline-formula> defenses (Equation (10)). Increasing uncertainty affects the optimal strategy in a non-linear manner: while some noise in the predicted attack costs lets the defender take more proactive counter-measures (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x105.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x106.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x107.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x108.png" xlink:type="simple"/></inline-formula>), the cost of this over-investment start to outweigh the protected revenues when uncertainty is too high (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x105.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x106.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x107.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x108.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x109.png" xlink:type="simple"/></inline-formula>). Eventually, it becomes rational for more uninformed defenders to refrain from any defense and instead accept moderate losses in each round. In other words, knowing your enemy is a prerequisite for taking tailored countermeasures, and tailored defense is the only option if comprehensive defense (i.e.,<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x105.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x106.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x107.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x108.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x109.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x110.png" xlink:type="simple"/></inline-formula>) is prohibitively expensive.</p></sec><sec id="s3_2"><title>3.2. Dynamic (Iterated) Solution</title><p>When <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x111.png" xlink:type="simple"/></inline-formula> (uncertainty), the static solution is often sub-optimal because observed attacks reveal additional</p><fig id="fig2"  position="float"><label><xref ref-type="fig" rid="fig2">Figure 2</xref></label><caption><title> Static solutions for the parameters asset value a = 1000, return r = 5%, loss given attack<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x113.png" xlink:type="simple"/></inline-formula>, minimum expected cost of attack<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x113.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x114.png" xlink:type="simple"/></inline-formula>, gradient of attack cost<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x113.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x114.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x115.png" xlink:type="simple"/></inline-formula>, defense interdependence<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x113.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x114.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x115.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x116.png" xlink:type="simple"/></inline-formula>, and<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x113.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x114.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x115.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x116.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x117.png" xlink:type="simple"/></inline-formula>. The optimal number of defenses <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x113.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x114.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x115.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x116.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x117.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x118.png" xlink:type="simple"/></inline-formula> is circled for each curve</title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/5-7800361x112.png"/></fig><p>information about the true cost of attack. This information could be used to reconfigure the defenses adaptively. In the dynamic case, uncertainty is repeatedly eliminated for targets revealed to be the weakest link. Con- sequently, this reduction in uncertainty for later rounds can lead to a better outcome for the defender than in the static case. In general, the inter-temporal outcome is the sum of all returns over a period of time<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x119.png" xlink:type="simple"/></inline-formula>,</p><disp-formula id="scirp.65271-formula1460"><label>(13)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x120.png"  xlink:type="simple"/></disp-formula><p>and can be maximized by adjusting <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x121.png" xlink:type="simple"/></inline-formula> adaptively. At each point in time t, the defender learns about the materialized threat (if any) of period<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x121.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x122.png" xlink:type="simple"/></inline-formula>. In Equation (13), <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x121.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x122.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x123.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x121.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x122.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x123.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x124.png" xlink:type="simple"/></inline-formula>and<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x121.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x122.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x123.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x124.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x125.png" xlink:type="simple"/></inline-formula>, are functions of the sequence of configurations <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x121.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x122.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x123.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x124.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x125.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x126.png" xlink:type="simple"/></inline-formula> and the random realization of<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x121.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x122.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x123.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x124.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x125.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x126.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x127.png" xlink:type="simple"/></inline-formula>. Due to this stochastic component and its subsequent path dependencies through adaptation, the analysis must be based on expectations over all possible realizations. We will first discuss the simpler case without fully recoverable costs (i.e.,<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x121.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x122.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x123.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x124.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x125.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x126.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x127.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x128.png" xlink:type="simple"/></inline-formula>) before moving on to the general case.</p><sec id="s3_2_1"><title>3.2.1. Special Case: All Costs Recoverable</title><p>The defender has to choose a proactive defense <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x129.png" xlink:type="simple"/></inline-formula> against the <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x129.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x130.png" xlink:type="simple"/></inline-formula> most probable threats, so that <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x129.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x130.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x131.png" xlink:type="simple"/></inline-formula> = 1 and<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x129.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x130.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x131.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x132.png" xlink:type="simple"/></inline-formula>. Unless this configuration is already secure, the defender would iteratively add another defense in each round as the attacker targets new weak links. The order of these reactive defenses is determined by the order of<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x129.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x130.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x131.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x132.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x133.png" xlink:type="simple"/></inline-formula>, and thus by the realization of the random vector<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x129.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x130.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x131.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x132.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x133.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x134.png" xlink:type="simple"/></inline-formula>. This way, one weakest link is fixed after another. It follows from the path dependencies that once a secure configuration is found, the defender would not touch <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x129.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x130.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x131.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x132.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x133.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x134.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x135.png" xlink:type="simple"/></inline-formula> anymore: in this model, it is always better to start with a lower proactive defense <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x129.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x130.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x131.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x132.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x133.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x134.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x135.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x136.png" xlink:type="simple"/></inline-formula> than tinkering with existing defenses after a couple of rounds. This is so because the uncertainty about the realization of <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x129.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x130.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x131.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x132.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x133.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x134.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x135.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x136.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x137.png" xlink:type="simple"/></inline-formula> is not reduced, while the direct and indirect (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x129.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x130.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x131.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x132.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x133.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x134.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x135.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x136.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x137.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x138.png" xlink:type="simple"/></inline-formula>) cost of the <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x129.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x130.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x131.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x132.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x133.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x134.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x135.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x136.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x137.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x138.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x139.png" xlink:type="simple"/></inline-formula>-th defense has to be born for all intermediate rounds.</p><p>Let <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x140.png" xlink:type="simple"/></inline-formula> (with<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x140.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x141.png" xlink:type="simple"/></inline-formula>) be the number of rounds with successful attacks, then <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x140.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x141.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x142.png" xlink:type="simple"/></inline-formula> is the final secure configuration that is eventually reached if<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x140.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x141.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x142.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x143.png" xlink:type="simple"/></inline-formula>. If all costs are recoverable, then Equation (13) can be rewritten as</p><disp-formula id="scirp.65271-formula1461"><label>(14)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x144.png"  xlink:type="simple"/></disp-formula><disp-formula id="scirp.65271-formula1462"><label>(15)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x145.png"  xlink:type="simple"/></disp-formula><p>after inserting Equation (5) we obtain:</p><disp-formula id="scirp.65271-formula1463"><label>(16)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x146.png"  xlink:type="simple"/></disp-formula><p>Equation (15) holds because <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x147.png" xlink:type="simple"/></inline-formula> is constant when <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x147.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x148.png" xlink:type="simple"/></inline-formula> is constant. A closed-form expression for Equation (16) can be obtained by replacing the remaining sums by first and second order arithmetic progression formulas. This expression gives the output y as a function of the proactive defense <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x147.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x148.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x149.png" xlink:type="simple"/></inline-formula> and the number of rounds under attack<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x147.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x148.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x149.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x150.png" xlink:type="simple"/></inline-formula>. The latter parameter in fact depends on the random realization of<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x147.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x148.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x149.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x150.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x151.png" xlink:type="simple"/></inline-formula>. The expectation of the term in Equation (16) can be calculated by the sum of all possible values for<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x147.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x148.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x149.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x150.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x151.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x152.png" xlink:type="simple"/></inline-formula>, weighted by the respective probability of occurrence<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x147.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x148.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x149.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x150.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x151.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x152.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x153.png" xlink:type="simple"/></inline-formula>.</p><p>To calculate<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x154.png" xlink:type="simple"/></inline-formula>, we interpret the condition for a successful attack <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x154.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x155.png" xlink:type="simple"/></inline-formula> as Bernoulli random variable with probability of attack</p><disp-formula id="scirp.65271-formula1464"><label>(17)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x156.png"  xlink:type="simple"/></disp-formula><p>Hence, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x157.png" xlink:type="simple"/></inline-formula>is the parameter vector of non-homogeneous independent Bernoulli variables. For reasonable para- meter choices, the sum of these random vectors can be approximated by the Gaussian distribution with location</p><p><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x158.png" xlink:type="simple"/></inline-formula>and variance<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x158.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x159.png" xlink:type="simple"/></inline-formula>. This completes the analysis. Next, we compute the optimal</p><p>choices for the proactive defense <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x160.png" xlink:type="simple"/></inline-formula> (that maximize the expected inter-temporal outcome) numerically by searching for the supremum of <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x160.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x161.png" xlink:type="simple"/></inline-formula> in the integer range<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x160.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x161.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x162.png" xlink:type="simple"/></inline-formula>.</p><p><xref ref-type="fig" rid="fig3">Figure 3</xref> shows expected returns per round of the dynamic solution for the same parameters as in <xref ref-type="fig" rid="fig2">Figure 2</xref>, now as a function of the proactive defense<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x163.png" xlink:type="simple"/></inline-formula>. Similar to <xref ref-type="fig" rid="fig2">Figure 2</xref>, the optimal proactive defense for each value of <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x163.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x164.png" xlink:type="simple"/></inline-formula> is circled. Obviously, in the case of certainty (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x163.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x164.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x165.png" xlink:type="simple"/></inline-formula>), the optimal proactive defense <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x163.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x164.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x165.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x166.png" xlink:type="simple"/></inline-formula> equals the result of the static analysis. If there is no uncertainty, a defender does not gain any information from observed attacks and can define the optimal configuration entirely proactively. However, as soon as uncertainty arises, the optimal strategies in the static and dynamic case diverge. While some uncertainty (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x163.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x164.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x165.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x166.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x167.png" xlink:type="simple"/></inline-formula>, but small) makes a static defender more cautious (to reduce the probability of being vulnerable) and leads him to spend more, a dynamic defender knows that he will be able to adjust later and can thus take on more risk in the first place. The higher the uncertainty, the more valuable the information gleaned from observed attacks becomes and the lower the optimal share of proactive defense.</p><p>Moreover, observe that an indefensible state is already reached for <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x168.png" xlink:type="simple"/></inline-formula> in <xref ref-type="fig" rid="fig2">Figure 2</xref> for the static case, whereas much higher uncertainty is needed to let a defender refrain from all proactive investment in the dynamic case (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x168.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x169.png" xlink:type="simple"/></inline-formula>in <xref ref-type="fig" rid="fig3">Figure 3</xref>). So we gain the insight that the sheer possibility of adjusting defenses reactively can stimulate proactive security investment when the uncertainty is high.</p></sec><sec id="s3_2_2"><title>3.2.2. General Case</title><p>To consider unrecoverable costs in the analysis, Equation (13) is rearranged to the form of Equation (14) as</p><fig id="fig3"  position="float"><label><xref ref-type="fig" rid="fig3">Figure 3</xref></label><caption><title> Dynamic solutions for the same parameters as in <xref ref-type="fig" rid="fig2">Figure 2</xref> (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x171.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x171.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x172.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x171.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x172.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x173.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x171.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x172.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x173.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x174.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x171.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x172.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x173.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x174.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x175.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x171.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x172.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x173.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x174.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x175.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x176.png" xlink:type="simple"/></inline-formula>, and<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x171.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x172.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x173.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x174.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x175.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x176.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x177.png" xlink:type="simple"/></inline-formula>). The opti- mal number of proactive defenses is circled for each curve</title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/5-7800361x170.png"/></fig><p>follows:</p><disp-formula id="scirp.65271-formula1465"><label>(18)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x178.png"  xlink:type="simple"/></disp-formula><p>The second sum does not include s<sub>t</sub> because d<sub>t</sub> remains constant for t &gt; t<sub>att</sub>. Rearranging and inserting Equation (4) yields</p><disp-formula id="scirp.65271-formula1466"><label>(19)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x179.png"  xlink:type="simple"/></disp-formula><p>We proceed as with Equation (16) in the special case with all costs recoverable. It is possible to keep the same strategy of iterated investment because the elements of the random vector <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x180.png" xlink:type="simple"/></inline-formula> are independent and observing one attack does not inform the defender on what the next weakest link will be. Also with unrecoverable costs at every update, it would be irrational to invest in bundles of reactive defenses if one had not done so proactively. However, if unrecoverable costs are not negligible, the effort spent on proactive measures changes substantially. For a finite horizons<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x180.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x181.png" xlink:type="simple"/></inline-formula>, however, it is rational for the defender to reflect on the strategy after having observed an attack in<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x180.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x181.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x182.png" xlink:type="simple"/></inline-formula>: for very high<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x180.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x181.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x182.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x183.png" xlink:type="simple"/></inline-formula>, he might prefer not to defend at all and accept losses in the remaining <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x180.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x181.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x182.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x183.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x184.png" xlink:type="simple"/></inline-formula> rounds. This is like a reduction to Equation (8) of the static case. This lends to another interpretation of introduc- ing unrecoverable costs in our model: they cause an increase in z for <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x180.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x181.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x182.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x183.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x184.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x185.png" xlink:type="simple"/></inline-formula> rounds (if the iterated patching starts) combined with the option to fall back to the static case (without the increase in z).</p><p><xref ref-type="fig" rid="fig4">Figure 4</xref> illustrates the structure of the general decision problem and <xref ref-type="table" rid="table2">Table 2</xref> displays the corresponding expressions for calculating the costs at the different types of terminal nodes T<sub>1</sub>, T<sub>4</sub>. With unrecoverable costs, ignore becomes a valid choice as it may be cheaper than disinvest.</p><p>In <xref ref-type="fig" rid="fig5">Figure 5</xref>, we fix two settings for the level uncertainty, low (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x186.png" xlink:type="simple"/></inline-formula>) and high (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x186.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x187.png" xlink:type="simple"/></inline-formula>), and plot expected</p><fig id="fig4"  position="float"><label><xref ref-type="fig" rid="fig4">Figure 4</xref></label><caption><title> Decision tree of iterated weakest link model with unrecoverable costs. S is the start node, T<sub>1</sub>, T<sub>4</sub> refer to terminal nodes, P denotes player (i.e., defender) and N denotes nature (i.e., attackers)</title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/5-7800361x188.png"/></fig><table-wrap id="table2" ><label><xref ref-type="table" rid="table2">Table 2</xref></label><caption><title> Cost at terminal nodes as function of k<sub>1</sub> and t (if applicable)</title></caption><table><tbody><thead><tr><th align="center" valign="middle" >T<sub>1</sub></th><th align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x189.png" xlink:type="simple"/></inline-formula></th></tr></thead><tr><td align="center" valign="middle" >T<sub>2</sub></td><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x190.png" xlink:type="simple"/></inline-formula></td></tr><tr><td align="center" valign="middle" >T<sub>3</sub></td><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x191.png" xlink:type="simple"/></inline-formula></td></tr><tr><td align="center" valign="middle" >T<sub>4</sub></td><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x192.png" xlink:type="simple"/></inline-formula></td></tr></tbody></table></table-wrap><fig-group id="fig5"><label><xref ref-type="fig" rid="fig5">Figure 5</xref></label><caption><title> Dynamic solutions with unrecoverable costs for low (left) and high (right) uncertainty. All other parameters as in <xref ref-type="fig" rid="fig2">Figure 2</xref> (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x194.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x194.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x195.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x194.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x195.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x196.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x194.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x195.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x196.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x197.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x194.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x195.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x196.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x197.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x198.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x194.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x195.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x196.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x197.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x198.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x199.png" xlink:type="simple"/></inline-formula>, and<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x194.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x195.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x196.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x197.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x198.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x199.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x200.png" xlink:type="simple"/></inline-formula>). <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x194.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x195.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x196.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x197.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x198.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x199.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x200.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x201.png" xlink:type="simple"/></inline-formula>controls the amount of unrecoverable update costs (as fraction of a), <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x194.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x195.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x196.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x197.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x198.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x199.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x200.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x201.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x202.png" xlink:type="simple"/></inline-formula>is a measure of uncertainty. The optimal number of proactive defenses is circled for each curve. (a) Low uncertainty: σ = 2; (b) High uncertainty: σ = 4.</title></caption><fig id ="fig5_1"><label> (b)</label><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/5-7800361x193.png"/></fig></fig-group><p>returns per period as a function of the proactive defense <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x204.png" xlink:type="simple"/></inline-formula> for various settings of<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x204.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x205.png" xlink:type="simple"/></inline-formula>. Observe in <xref ref-type="fig" rid="fig5">Figure 5</xref>(a) that higher unrecoverable update costs triggers greater precaution and forces the defender to invest more in proactive security. This is consistent with common sense. However, if the uncertainty is high, then there exists a threshold for the unrecoverable costs above which a defender “surrenders” and prefers to cope with the attacks, as visible in <xref ref-type="fig" rid="fig5">Figure 5</xref>(a) for values of <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x204.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x205.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x206.png" xlink:type="simple"/></inline-formula> of the asset. The similarity to the static case can also be seen by comparing the similar shape of the curves. Note that these results should be interpreted with caution as they depend on a finite horizon<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x204.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x205.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x206.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x207.png" xlink:type="simple"/></inline-formula>, which might not apply to all business cases.</p></sec></sec></sec><sec id="s4"><title>4. Security Investment Based on the Iterated Weakest Link Model</title><p>As we have analyzed the optimal strategies of the defender in the previous sections, we can now use the model to calculate some key indicators that relate to practical experience. <xref ref-type="table" rid="table3">Table 3</xref> compares typical security indicators derived from the model for different degrees of uncertainty (in columns) and different defense strategies (row sections―static/dynamic/dynamic with unrecoverable costs). The list of indicators includes:</p><p>・ Optimal defense is a memo item that describes the optimal defense strategy<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x208.png" xlink:type="simple"/></inline-formula>. All other indicators are computed on the assumption that a rational defender follows this strategy.</p><p>・ Attack intensity measures the probability of a successful attack per round, averaged over all <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x209.png" xlink:type="simple"/></inline-formula> rounds.</p><p>・ Average gross return is the objective function of the optimization problem, scaled to a percentage of the asset value a. The average is computed over all <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x210.png" xlink:type="simple"/></inline-formula> periods and expectations are taken over all realizations of the stochastic component<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x210.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x211.png" xlink:type="simple"/></inline-formula>, weighted by their respective probability of occurrence. Higher values are better.</p><p>・ Average security spending is the average effort spent on defenses, comprising direct, indirect and un- recoverable costs (if applicable). Averages and expectations are computed as for gross returns. Lower values are not necessarily better; what matters is the efficiency of the security spending, i.e., how security spending compares against prevented losses. This depends on how targeted the defense configuration is to the reali- zation of the attack profile.</p><p>・ Annual loss expectation (ALE) measures expected foregone profits per period [<xref ref-type="bibr" rid="scirp.65271-ref10">10</xref>] .<sup>4</sup> ALE can be computed for two scenarios: <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x212.png" xlink:type="simple"/></inline-formula>is the (hypothetical) ALE if no defenses were deployed, and <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x212.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x213.png" xlink:type="simple"/></inline-formula> is the ALE of the respective defense strategy. Expectations are taken over realizations of the random vector<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x212.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x213.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x214.png" xlink:type="simple"/></inline-formula>.</p><p>・ Return on information security investment (ROSI) is a summary measure to quantify the effectiveness of security investment. We follow the approach in [<xref ref-type="bibr" rid="scirp.65271-ref11">11</xref>] and normalize the indicators by the security spending, i.e.,</p><table-wrap id="table3" ><label><xref ref-type="table" rid="table3">Table 3</xref></label><caption><title> Key security investment indicators derived from the model</title></caption><table><tbody><thead><tr><th align="center" valign="middle" ></th><th align="center" valign="middle"  colspan="5"  >Level of uncertainty</th><th align="center" valign="middle" ></th></tr></thead><tr><td align="center" valign="middle" >Indicator</td><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x215.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x216.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x217.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle"  colspan="2"  ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x218.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Static defense</td><td align="center" valign="middle"  colspan="6"  ></td></tr><tr><td align="center" valign="middle" >Optimal defense <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x219.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" >11</td><td align="center" valign="middle" >12</td><td align="center" valign="middle"  colspan="2"  >0</td><td align="center" valign="middle" >0</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Attack intensity (% rounds)</td><td align="center" valign="middle" >0.0</td><td align="center" valign="middle" >2.4</td><td align="center" valign="middle"  colspan="2"  >100.0</td><td align="center" valign="middle" >100.0</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Avg. gross return (% asset)</td><td align="center" valign="middle" >3.4</td><td align="center" valign="middle" >3.1</td><td align="center" valign="middle"  colspan="2"  >2.5</td><td align="center" valign="middle" >2.5</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Avg. security spending (% asset)</td><td align="center" valign="middle" >1.6</td><td align="center" valign="middle" >1.9</td><td align="center" valign="middle"  colspan="2"  >0.0</td><td align="center" valign="middle" >0.0</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x220.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" >0.0</td><td align="center" valign="middle" >0.6</td><td align="center" valign="middle"  colspan="2"  >25.0</td><td align="center" valign="middle" >25.0</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >ROSI (% security spending)</td><td align="center" valign="middle" >51.5</td><td align="center" valign="middle" >31.2</td><td align="center" valign="middle"  colspan="2"  >-</td><td align="center" valign="middle" >-</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Dynamic defense w/o sunk costs</td><td align="center" valign="middle"  colspan="6"  ></td></tr><tr><td align="center" valign="middle" >Optimal proactive defense <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x221.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" >11</td><td align="center" valign="middle" >9</td><td align="center" valign="middle"  colspan="2"  >7</td><td align="center" valign="middle" >3</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Attack intensity (% rounds)</td><td align="center" valign="middle" >0.0</td><td align="center" valign="middle" >6.1</td><td align="center" valign="middle"  colspan="2"  >15.7</td><td align="center" valign="middle" >32.7</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Avg. gross return (% asset)</td><td align="center" valign="middle" >3.4</td><td align="center" valign="middle" >3.2</td><td align="center" valign="middle"  colspan="2"  >3.0</td><td align="center" valign="middle" >2.7</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Avg. security spending (% asset)</td><td align="center" valign="middle" >1.6</td><td align="center" valign="middle" >1.5</td><td align="center" valign="middle"  colspan="2"  >1.6</td><td align="center" valign="middle" >1.4</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x222.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" >0.0</td><td align="center" valign="middle" >1.5</td><td align="center" valign="middle"  colspan="2"  >3.9</td><td align="center" valign="middle" >8.2</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >ROSI (% security spending)</td><td align="center" valign="middle" >51.5</td><td align="center" valign="middle" >52.8</td><td align="center" valign="middle"  colspan="2"  >35.2</td><td align="center" valign="middle" >18.9</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Dynamic defense w/ sunk costs</td><td align="center" valign="middle"  colspan="6"  ></td></tr><tr><td align="center" valign="middle" >Optimal proactive defense <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x223.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" >11</td><td align="center" valign="middle" >10</td><td align="center" valign="middle"  colspan="2"  >9</td><td align="center" valign="middle" >0</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Attack intensity (% rounds)</td><td align="center" valign="middle" >0.0</td><td align="center" valign="middle" >2.9</td><td align="center" valign="middle"  colspan="2"  >9.8</td><td align="center" valign="middle" >100.0</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Avg. gross return (% asset)</td><td align="center" valign="middle" >3.4</td><td align="center" valign="middle" >3.1</td><td align="center" valign="middle"  colspan="2"  >2.7</td><td align="center" valign="middle" >2.5</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Avg. security spending (% asset)</td><td align="center" valign="middle" >1.6</td><td align="center" valign="middle" >1.6</td><td align="center" valign="middle"  colspan="2"  >1.9</td><td align="center" valign="middle" >0.0</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x224.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" >0.0</td><td align="center" valign="middle" >0.7</td><td align="center" valign="middle"  colspan="2"  >2.5</td><td align="center" valign="middle" >25.0</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >ROSI (% security spending)</td><td align="center" valign="middle" >51.5</td><td align="center" valign="middle" >50.6</td><td align="center" valign="middle"  colspan="2"  >15.7</td><td align="center" valign="middle" >-</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" >Memo items: no defense</td><td align="center" valign="middle"  colspan="6"  ></td></tr><tr><td align="center" valign="middle" >Avg. gross return (% asset)</td><td align="center" valign="middle" >2.5</td><td align="center" valign="middle" >2.5</td><td align="center" valign="middle"  colspan="2"  >2.5</td><td align="center" valign="middle" >2.5</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x225.png" xlink:type="simple"/></inline-formula></td><td align="center" valign="middle" >25.0</td><td align="center" valign="middle" >25.0</td><td align="center" valign="middle"  colspan="2"  >25.0</td><td align="center" valign="middle" >25.0</td><td align="center" valign="middle" ></td></tr><tr><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td><td align="center" valign="middle" ></td></tr></tbody></table></table-wrap><p>Parameters: asset value<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x226.png" xlink:type="simple"/></inline-formula>, return<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x226.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x227.png" xlink:type="simple"/></inline-formula>, loss given attack<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x226.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x227.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x228.png" xlink:type="simple"/></inline-formula>, min. expected cost of attack<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x226.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x227.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x228.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x229.png" xlink:type="simple"/></inline-formula>, gradient of attack cost<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x226.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x227.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x228.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x229.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x230.png" xlink:type="simple"/></inline-formula>, defense interdependence<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x226.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x227.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x228.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x229.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x230.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x231.png" xlink:type="simple"/></inline-formula>, sunk costs<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x226.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x227.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x228.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x229.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x230.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x231.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x232.png" xlink:type="simple"/></inline-formula>, <inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x226.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x227.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x228.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x229.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x230.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x231.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x232.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x233.png" xlink:type="simple"/></inline-formula>,<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x226.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x227.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x228.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x229.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x230.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x231.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x232.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x233.png" xlink:type="simple"/></inline-formula><inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x234.png" xlink:type="simple"/></inline-formula>. All figures rounded to one decimal digit.</p><disp-formula id="scirp.65271-formula1467"><label>(20)</label><graphic position="anchor" xlink:href="http://html.scirp.org/file/5-7800361x235.png"  xlink:type="simple"/></disp-formula><p>Higher values denote more efficient security investment. The indicator is not defined for cases where no defenses are optimal.</p><p>Unsurprisingly, the three modes of adaptivity concur in the case of certainty (leftmost column in <xref ref-type="table" rid="table3">Table 3</xref>). However, uncertainty creates some remarkable results, which we now discuss.</p><p>For low levels of uncertainty (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x236.png" xlink:type="simple"/></inline-formula>), replacing a static with a dynamic defense strategy primarily reduces security spending, which leads to more observed attacks. However, gross returns increase as well. In fact, se- curity spending is better targeted, over-investment is reduced, and the overall efficiency of security investment (as measured by the ROSI indicator) improves. From this result, we can draw an alternative interpretation to the omnipresent reports of security breaches in the media: rather than rashly framing them as engineering failures, one can also view them as unavoidable side-effects of smart defense strategies that balance the amount of proactive and reactive security investment.</p><p>Regarding attack intensity, a converse effect is observable when uncertainty is higher (<inline-formula><inline-graphic xlink:href="http://html.scirp.org/file/5-7800361x237.png" xlink:type="simple"/></inline-formula>). Here, the attack intensity drops substantially from (almost) 100% in the static case to a very low rate in the dynamic case. At the same time, average returns increase. The reason for this is that high uncertainty lets some defenders refrain from deploying any defenses (and thereby absorbing losses). Only a staged approach gives these in- vestors an incentive to defend against the most aggressive threats. Note that the model identifies the rational response to the private costs faced by defenders. We ignore the public costs created by insecurity. While not addressed by this article, negative externalities of poor security practices are widely considered to be a signifi- cant public problem [<xref ref-type="bibr" rid="scirp.65271-ref2">2</xref>] - [<xref ref-type="bibr" rid="scirp.65271-ref4">4</xref>] . Hence, while it may be narrowly better for some defenders to skimp on security when they are unsure whether they will be targeted, a public policy response may be necessary to compensate for the negative externalities of insecurity caused by such under-investment.</p><p>Unrecoverable costs muddy this picture somewhat. They raise incentives towards more proactive security investment. This leads to higher proactive defenses and thereby lower attack intensity. However, unrecoverable costs also eat up margins, so gross returns tend to decline. Even more importantly, the overall efficiency of the security investment drops, and the differential grows as uncertainty rises. So, some uncertainty combined with expensive infrastructure upgrades can stimulate over-investment―but only to a certain point. Eventually, high uncertainty can demotivate any security investment, similar to what happens in the static case. In the real world, we would expect to see relatively more weight on proactive security when updates case high unrecoverable costs (e.g., payment cards) and the uncertainty is low or moderate, compared to businesses where almost all costs are recoverable (e.g., websites). This prediction could be tested against cross-sectional empirical data in future work. In any case, the above-mentioned excuse of breaches as smart defense strategy does not apply to defenders with high unrecoverable costs. The related policy dimension here is to reduce the uncertainty when it is so high that it discourages security investment. This can be done, for instance, by encouraging information sharing so that the cost of reducing the uncertainty can be borne between several defenders [<xref ref-type="bibr" rid="scirp.65271-ref12">12</xref>] [<xref ref-type="bibr" rid="scirp.65271-ref13">13</xref>] .</p><p>Note that all these conclusions remain fairly robust for other parameters than the example set in <xref ref-type="table" rid="table1">Table 1</xref>. For brevity, we refrain from discussing the influence of all other parameters. Instead, we demonstrate the validity of our model by applying it to two case studies where real data is available.</p></sec><sec id="s5"><title>5. Empirical Evidence for Iterated Weakest Links</title><p>In the following, we will point the reader to past “iterated arms races” in the realm of information security. We argue that such dynamics, against the backdrop of our model, may in fact be rational and should not simply be framed as “failures”. We have selected two cases, one where almost all costs are recoverable (Section 5.1) and another one where unrecoverable costs should not be ignored (Section 5.2).</p><sec id="s5_1"><title>5.1. Case 1: Phishing and Online Crime</title><p>Our first argument focuses on the security of computers comprising the Internet follow an iterated weakest link model. Fundamental to the Internet’s design is the notion that any connected computer can communicate with every other computer. Attackers have relentlessly exploited this structure, constructing networks of compromised machines (so-called botnets) to pester legitimate users by emitting spam, distributing malware and hosting phishing websites. Internet service providers (ISPs) are usually well-placed to detect infection, because evidence of a user’s infection flows over an ISP’s communication systems. Moreover, large companies that act as Internet service providers have technical staff who can detect and clean up infected machines, while domestic users and small businesses are mostly helpless to even recognize when they are compromised; let alone to take appropriate remedial action. However, for every responsible ISP that keeps a clean network, there are countless others who find it more cost-effective to ignore the problem and let infections flourish.</p><p>There is substantial evidence that attackers concentrate their efforts at the most irresponsible ISPs, moving on to others once the ISP cleans up its act or is shut down. For instance, until 2007, a lot of the world’s malware was hosted by the Russian Business Network (RBN), which refused to comply with requests from international law enforcement [<xref ref-type="bibr" rid="scirp.65271-ref14">14</xref>] . After Russian Business Network suddenly went offline in late 2007, malware distribution shifted to other ISPs. In November 2008, a journalist from the Washington Post persuaded upstream bandwidth providers to shut off their connection to San Francisco-based McColo, which led to a temporary fall of almost 70% in the volume of spam worldwide [<xref ref-type="bibr" rid="scirp.65271-ref15">15</xref>] . Apparently, many botnet herders had been using McColo to host their control machines. Spam volume has since recovered as the spammers found new safe havens. In 2008 EstDomains, which served as the primary domain name registrar for malicious websites hosted by Russian Business Network [<xref ref-type="bibr" rid="scirp.65271-ref16">16</xref>] , became the first domain registrar to have its accreditation terminated by the Internet Corporation for Assigned Names and Numbers [<xref ref-type="bibr" rid="scirp.65271-ref17">17</xref>] . Unfortunately, other irresponsible registrars remain.</p><p>Attackers can often move on to exploit the next weakest link in the Internet far faster than defenders can knock them out. Moore and Clayton [<xref ref-type="bibr" rid="scirp.65271-ref18">18</xref>] showed how one leading group of online fraudsters, the rock-phish gang, operated. It registered many malicious web domain names to carry out attacks. Periodically, the gang picked a firm for registering Internet domain names that it had never used before and registered hundreds of web domains, using false names and stolen credit cards. These domains did not resemble normal bank names, so a registrar may not identify foul play, and the first domains to be used for false purposes were not removed quickly.</p><p><xref ref-type="fig" rid="fig6">Figure 6</xref> presents scatter plots of phishing site lifetime based on the date reported from data of [<xref ref-type="bibr" rid="scirp.65271-ref18">18</xref>] . Both .hk (Hong Kong) domains (left) and .cn (China) domains (right) lasted much longer in their first month of use than in later months. The gang targeted Hong Kong domains first in March 2007, followed by Chinese domains in May 2007 after the Hong Kong authorities wised up.</p><p>Such iteration over previously untargeted infrastructure operators is prevalent among many forms of cybercrime. Other researchers have found that websites hosting most malware move from one registrar to the next [<xref ref-type="bibr" rid="scirp.65271-ref19">19</xref>] . Liu et al. studied patterns in the registration and take-down of spam-advertised domains [<xref ref-type="bibr" rid="scirp.65271-ref20">20</xref>] , finding that miscreants register many domains at previously untargeted registrars, repeatedly moving on to new ones following crack-downs. McCoy et al. examined the use of payment processors by unlicensed online pharmacies [<xref ref-type="bibr" rid="scirp.65271-ref21">21</xref>] . They showed that the operators of unlicensed pharmacies initially relied on a small number of payment processors. Once banks were made aware of the criminal behavior, many severed ties with the pharmacies, who quickly made arrangements with new processors.</p></sec><sec id="s5_2"><title>5.2. Case 2: Payment Card Security</title><p>Financial transactions have long been subject to fraud, and banks and payment processors have recognized that fraud has to be managed rather than eliminated. In 2000, the UK banks decided to adopt the EMV card payment system designed by Europay, Mastercard and Visa, popularly known as “Chip and PIN” EMV. The EMV roll-out provides a compelling example of taking security decisions to tackle the weakest link, only to find that the attackers react by exploiting new holes previously ignored. A May 2007 internal report prepared by APACS (since rebranded as the UK Cards Association) compared the expected benefits from EMV adoption to fraud incidence over time. While the report was intended to be kept confidential, it was accidentally leaked and is now hosted on the Cryptome website [<xref ref-type="bibr" rid="scirp.65271-ref22">22</xref>] . We use the data gleaned from this report, as well as more recent public statistics [<xref ref-type="bibr" rid="scirp.65271-ref23">23</xref>] [<xref ref-type="bibr" rid="scirp.65271-ref24">24</xref>] , to demonstrate how the banks’ fight against card fraud has essentially been a sequence of patches to plug weak links.</p><p><xref ref-type="fig" rid="fig7">Figure 7</xref> plots the annual percentage of transaction turnover found to be fraudulent from 1972 to 2014.</p><fig id="fig6"  position="float"><label><xref ref-type="fig" rid="fig6">Figure 6</xref></label><caption><title> Take-down latency for phishing attacks targeting different registrars in spring 2007; lines are five-day moving averages broken down by top-level domain (Source: own aggregation based on data of [<xref ref-type="bibr" rid="scirp.65271-ref18">18</xref>] )</title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/5-7800361x238.png"/></fig><fig id="fig7"  position="float"><label><xref ref-type="fig" rid="fig7">Figure 7</xref></label><caption><title> Long-term fraud rates as a fraction of overall turnover (Source: [<xref ref-type="bibr" rid="scirp.65271-ref22">22</xref>] [<xref ref-type="bibr" rid="scirp.65271-ref23">23</xref>] )</title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/5-7800361x239.png"/></fig><p>Notably, there are significant swings in the rate. According to the report [<xref ref-type="bibr" rid="scirp.65271-ref22">22</xref>] , “the industry has responded to crises in card fraud by making significant investment in new preventative measures,” including “terminalisation in the early 80s and, later, a major increase in levels of authorisation during the mid 90s.” Such behavior is consistent with our model of iterating through successive weakest links.</p><p>Around 2000, a fear arose that another uptick in the fraud rate was imminent. The dashed line with triangle markers in <xref ref-type="fig" rid="fig8">Figure 8</xref> plots the forecast losses due to fraud based on maintaining the status quo as of 2000. To stem this expected rise in fraud, UK banks decided to adopt the EMV standard (Chip and PIN) over the course of the next few years. The estimated cost of implementing EMV across the UK was just over &#163;1 billion, shared between the banks and retailers. We can interpret this investment to roll out EMV as unrecoverable costs. The dashed line with diamond markers in <xref ref-type="fig" rid="fig8">Figure 8</xref> plots the forecast losses following EMV adoption. The uptick to 2003 is due to the phased roll-out of the technology.</p><p>In fact, the actual losses look rather different (solid line in <xref ref-type="fig" rid="fig8">Figure 8</xref>). The anticipated explosion of fraud in the early 2000s did not materialize; strikingly, the full adoption of EMV (completed in 2005) did not significantly alter the fraud totals. Instead, a slow but steady increase was observed, both before and after EMV adoption.</p><p>Digging a little deeper, we can see that the switch to EMV did significantly alter attacker strategy, even if it did not significantly shift the aggregate fraud rates. Instead, as some types of fraud diminished, other techniques quickly filled the gap. For instance, EMV has caused a dramatic drop in face-to-face retail fraud, since forging a signature is easier than guessing the right PIN. In 2004, face-to-face fraud totaled &#163;219 million; in 2006, after EMV became mandatory, it fell to &#163;72 million (see <xref ref-type="fig" rid="fig9">Figure 9</xref>). However, card-not-present (CNP) fraud (where only the card number is used, as in online transactions) has sharply risen since the introduction of EMV, from &#163;150 million in 2004 to &#163;328 million in 2008, before falling modestly and reaching a new high of &#163;332 million in 2014. This is not surprising, since PINs are not verified for CNP transactions.</p><p>Another example of attackers moving to weaker links can be found by looking at where ATM fraud takes place. With the adoption of EMV, ATMs in the UK stopped verifying PINs using magnetic stripes, requiring the PIN be verified using the more secure chip. However, many ATMs outside the UK continued to allow the less secure verification via magnetic stripe. As UK ATMs switched over during 2006, fraudsters immediately adapted to cashing out via less secure international ATMs. <xref ref-type="fig" rid="fig1">Figure 1</xref>0 shows how this transformation happened. In December 2005, when most UK ATMs still allowed magnetic stripe PIN verification, &#163;6 million out of the total &#163;6.5 million stolen from ATMs took place within the UK. By the end of the year, after the switch to more secure verification, the total monthly fraud increased to over &#163;9 million, with nearly 75% of the losses occurring overseas. The shift to overseas fraud that is easier to carry out has continued since the EMV rollout. In <xref ref-type="fig" rid="fig1">Figure 1</xref>1, we see that the share of the total fraud occurring overseas rose from &#163;93M (18% of the total) in 2004 to a peak of &#163;230M (37% of the total) in 2008. In fact, the share of overseas-originated fraud on UK cards in 2008 exceeded the total UK-originated fraud in 2004, just prior to the EMV deployment. This is compelling evidence of how quickly attackers can shift to find the next-weakest link once the biggest hole has been plugged.</p><p>The EMV standard actually provides several options for implementation that vary in the cost and security achieved. While the UK EMV implementation was certainly not inexpensive, its designers did opt for many of the lower-cost implementations offered by the standard. For instance, PIN verification is normally done offline, be- tween the card’s chip and the PIN entry device (PED). This enables a relay attack whereby a small, legitimate transaction authorized by a compromised terminal can be used to approve a simultaneous, much larger fraudulent</p><fig id="fig8"  position="float"><label><xref ref-type="fig" rid="fig8">Figure 8</xref></label><caption><title> Ten-year fraud projections made in 2000 comparing whether EMV is adopted (marked dashed lines), plus actual fraud rates (solid line) (Source: [<xref ref-type="bibr" rid="scirp.65271-ref22">22</xref>] )</title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/5-7800361x240.png"/></fig><fig id="fig9"  position="float"><label><xref ref-type="fig" rid="fig9">Figure 9</xref></label><caption><title> Fraud losses for UK face-to-face (F2F) retail transactions protected by EMV and for card-not-present (CNP) transactions not protected by EMV (Source: [<xref ref-type="bibr" rid="scirp.65271-ref23">23</xref>] )</title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/5-7800361x241.png"/></fig><fig id="fig10"  position="float"><label><xref ref-type="fig" rid="fig1">Figure 1</xref>0</label><caption><title> Shifting attacker strategy following EMV adoption. The bar graph shows how ATM fraud has moved overseas to ATMs which have not made the switch to chip verification, but still rely on less secure magnetic stripes (Source: [<xref ref-type="bibr" rid="scirp.65271-ref22">22</xref>] , trend lines fitted with ordinary least squares)</title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/5-7800361x242.png"/></fig><p>transaction elsewhere [<xref ref-type="bibr" rid="scirp.65271-ref25">25</xref>] . Furthermore, the communications within the PED between the card’s chip and the PED’s processor are not encrypted. Combined with some shoddy tamper-proofed devices, this enables PINs to be read using a paper clip tapped inside the PED [<xref ref-type="bibr" rid="scirp.65271-ref26">26</xref>] . The same team later discovered an attack on the protocol that could enable a criminal to use a genuine card without knowing the PIN [<xref ref-type="bibr" rid="scirp.65271-ref24">24</xref>] [<xref ref-type="bibr" rid="scirp.65271-ref27">27</xref>] . While entirely practical, there is no evidence that these attacks are being used by attackers at present. Instead, they seem to be focusing on the more obvious weak links of card-not-present transactions and magnetic stripe verification at foreign</p><fig id="fig11"  position="float"><label><xref ref-type="fig" rid="fig1">Figure 1</xref>1</label><caption><title> Total fraud losses split according to whether the fraud took place in the UK or not (Source: [<xref ref-type="bibr" rid="scirp.65271-ref23">23</xref>] )</title></caption><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/5-7800361x243.png"/></fig><p>ATMs. If (and when) these holes are plugged<sup>5</sup>, one might expect these attacks to be deployed, which would trigger defensive countermeasures by the banks.</p></sec><sec id="s5_3"><title>5.3. Attack Profiles for the Case Studies</title><p><xref ref-type="fig" rid="fig1">Figure 1</xref>2 plots the expected and realized costs of different attacks for the case studies just presented. <xref ref-type="fig" rid="fig1">Figure 1</xref>2(a) plots a sequence of top-level domains that potentially targeted by the rock-phish gang. First, many Chinese domains were registered by the gang, followed by domains from Hong Kong (as shown in <xref ref-type="fig" rid="fig6">Figure 6</xref>). The next top-level domain targeted―Austria―came as a surprise. Austria has an extensive Internet security community, and its law enforcement has long cooperated with cyber investigations from other countries. None- theless, the rock-phish gang registered many .at domains, and they were not removed for a very long time. It turns out that the Austrian domain registrar nic.at balked at removing the illicit domains without more extensive evidence documenting their illegality. The domains were only removed following a public row between the e-mail-blacklist operator Spamhaus and nic.at [<xref ref-type="bibr" rid="scirp.65271-ref29">29</xref>] . Finally, after .at domains began getting removed promptly, the Turkish top-level domain .tk was targeted.</p><p>Meanwhile, many top-level domains have not been targeted by the gang. This includes domains such as Paraguay (.py), which we might have expected to be an easy target for attackers<sup>6</sup>, as well as domains such as .se, .edu, and .gov that are harder to register.</p><p>The many threats to payment card security, along with their expected and actual costs, are shown in <xref ref-type="fig" rid="fig1">Figure 1</xref>2(b). Face-to-face retail fraud might reasonably be seen as the weakest link in the payment card environment; the reduction in face-to-face retail fraud following the adoption of EMV supports this view. Similarly, the banks correctly anticipated that losses due to credit cards lost or stolen inside the UK (L&amp;S in the figure) would drop once PINs were required for use. By contrast, fraud rates due to cards stolen outside the UK were lower than the banks expected. Card fraud at UK ATMs is a bit harder than retail fraud since a PIN is required. One area where the banks’ expectations were not met is with ATM fraud on UK cards outside the UK. It turns out that fraudsters can easily clone stolen UK cards and use them in foreign ATMs; hence the true cost of attack is lower than expected.</p><p>The banks’ losses due to card-not-present fraud were much higher than forecast; unsurprisingly, many banks have now decided to deploy readers that verify PINs in order to carry out online banking. Meanwhile, uncer- tainty remains regarding the attacks on PIN entry devices uncovered in [<xref ref-type="bibr" rid="scirp.65271-ref25">25</xref>] and [<xref ref-type="bibr" rid="scirp.65271-ref26">26</xref>] , though it is apparent that the costs are higher than for card-not-present fraud and foreign ATM fraud.</p></sec></sec><sec id="s6"><title>6. Related Work</title><p>The relevance of developing quantitative models of information security has been widely recognized in account- ing [<xref ref-type="bibr" rid="scirp.65271-ref6">6</xref>] [<xref ref-type="bibr" rid="scirp.65271-ref30">30</xref>] , information security [<xref ref-type="bibr" rid="scirp.65271-ref10">10</xref>] [<xref ref-type="bibr" rid="scirp.65271-ref31">31</xref>] , and dependable computing [<xref ref-type="bibr" rid="scirp.65271-ref32">32</xref>] - [<xref ref-type="bibr" rid="scirp.65271-ref35">35</xref>] . Of this and subsequent</p><fig-group id="fig12"><label><xref ref-type="fig" rid="fig1">Figure 1</xref>2</label><caption><title> Hypothetical attack profiles (derived ex post from predictions and actual attacks). (a) Rock-phish domain costs; (b) EMV attack costs.</title></caption><fig id ="fig12_1"><label> (b)</label><graphic mimetype="image"   position="float"  xlink:type="simple"  xlink:href="http://html.scirp.org/file/5-7800361x245.png"/></fig></fig-group><p>literature, we briefly describe several works with similarities to our model.<sup>7</sup></p><p>Gordon et al.’s “wait-and-see approach” comes closest to our mode l [<xref ref-type="bibr" rid="scirp.65271-ref30">30</xref>] [<xref ref-type="bibr" rid="scirp.65271-ref39">39</xref>] . The authors explain deferred security spending in the framework of real option theory and conclude that “it is economically rational to ini- tially invest a portion of the information security budget and defer remaining investments until security breaches actually occur”. Similar to our argument, Gordon et al. [<xref ref-type="bibr" rid="scirp.65271-ref30">30</xref>] name uncertainty about the attack surface as main reason why one should “expect organizations to use security breaches as a critical determinant of their actual […] expenditures on information security.” In this sense, our model can be regarded as a substantial extension of the two-period case study they discuss. Gordon et al.’s work differs from our approach in that they treat security spending as an allocation problem of a fixed security budget rather than seeing it as capital investment to be put into relation to the assets at risk. Also, the weakest link attacker model is unique to our work. We and Gordon et al. back our claims with empirical evidence. While they draw on cross-sectional survey data collected from senior information officers, we cite time series of actual attacks in Section 5 to emphasize the iterated dimen- sion.</p><p>Herath and Herath [<xref ref-type="bibr" rid="scirp.65271-ref40">40</xref>] have transferred Gordon et al.’s [<xref ref-type="bibr" rid="scirp.65271-ref30">30</xref>] real option approach (ROA) to a case study of e-mail spam filtering. They compare net present values (NPV), which imply now-or-never investments, to ROA. Their results concur with our comparison between the static and dynamic solution: for their selected parameters, NPV suggests no security spending whereas ROA indicates positive returns for deferred partial security investment. Franqueira et al. [<xref ref-type="bibr" rid="scirp.65271-ref41">41</xref>] discuss a conceptual framework and tool support for implementing ROA in corporate security decision making.</p><p>Real options are in fact another tool to model uncertainty, learning, and sequential investment, so it is both plausible(and reassuring that models based on them come to similar conclusions. Both ROA and our iterated weakest link (IWL) have specific merits. While ROA is more general and builds on mainstream financial mathematics, IWL is more specific to information security and avoids the complexity of nested option contracts and abstract parameters, such as project volatility, which are difficult to interpret and even harder to estimate in practice. Both approaches are compatible, which allows a CISO to use IWL to make his decisions and express it in terms of ROA to convince his CFO.</p><p>Besides real options, the optimal timing of security investments has also been analyzed with other tools. [<xref ref-type="bibr" rid="scirp.65271-ref42">42</xref>] propose a graphical model for scenarios where defenders can learn from observed attacker behavior. The model shows the superiority of reactive defenses with concepts from online learning algorithms. Ogut et al. [<xref ref-type="bibr" rid="scirp.65271-ref43">43</xref>] use stochastic dynamic programming for the special case of reacting to signals from intrusion detection systems, which are notorious for false alarms. They compare a myopic strategy, which prescribes a fixed dynamic reac- tion, to the optimal adaptive response. In this setting, the difficulty of finding the optimal adaptive response does not outweigh the security benefit of a fixed dynamic response. One step closer to practice, Zhu et al. [<xref ref-type="bibr" rid="scirp.65271-ref44">44</xref>] simu- late reactive defense strategies based on reinforced learning algorithms for scenarios inspired by the discovery of the Heartbleed vulnerability in 2014. Kwon and Johnson [<xref ref-type="bibr" rid="scirp.65271-ref45">45</xref>] present the only empirical study we are aware of that specifically investigates proactive versus reactive security investment. Notably, their result contrasts the tenor of most analytical models! Proactive security investment was found to be more cost effective that reactive investment, and this effect is further amplified if indirect costs from breach disclosure are taken into account. It remains for future work to verify if these findings are due to the specific characteristics of the US healthcare sector, the subject of this study, or if they apply more broadly. In any case, it would be interesting to identify the driving factor behind this effect and tie it to the IWL model.</p><p>Recall that our model is technically not a “game”, but a decision or optimization problem. Over the past couple of years, information security has become a rich application area for game theory [<xref ref-type="bibr" rid="scirp.65271-ref46">46</xref>] . Bier et al. [<xref ref-type="bibr" rid="scirp.65271-ref47">47</xref>] use a non-cooperative game-theoretic setting to study strategic interaction between a single attacker and a defender who optimizes the allocation of defenses to multiple targets (two in their formal model). Unlike in our model, only a single period is modeled; the model is designed to capture terrorism threats. Uncertainty of the defender is a common element in both models, in which the defender has to cope with uncertainty about an assumed hidden preference of the attacker to target a particular target. If our notion of asset is interpreted as a distributed system in which each target potentially gives the attacker access to the entire system (similar to our case study in Section 5.1), then targets can be interpreted as threats and (hidden) attack costs as preferences. A topic that has no counterpart to our work is Bier et al.’s reference to signaling theory to study whether the defense configuration should be kept secret or made public. The model by Cremonini and Nizovtsev [<xref ref-type="bibr" rid="scirp.65271-ref48">48</xref>] ex- plains security investment decisions with uncertainty of the attacker. They too draw on signaling theory and conclude that a defense is good enough if, and only if, it looks strong enough to divert the attackers’ attention towards other, seemingly weaker targets. In this sense, their work can be regarded as a kind of mirror image to our work, which deals with the uncertainty on the defender’s side. Finally, Dijk et al. [<xref ref-type="bibr" rid="scirp.65271-ref49">49</xref>] have devised a con- tinuous-time dynamic game of attacker-defender interaction, which increasingly attracts the attention of security researchers interested in game theory. Unlike in our setup, the game does not capture security investment in a narrow sense, but models the timing of cleanup operations. As it is formulated as a strategic game rather than an inter-temporal optimization problem against a probabilistic attacker, it becomes very hard to find stable equi- libria for realistic strategy spaces. So far, we are only aware of partial solutions that are difficult to interpret in practice.</p><p>This article is an extended and updated version of our workshop version [<xref ref-type="bibr" rid="scirp.65271-ref50">50</xref>] . As a follow-up, [<xref ref-type="bibr" rid="scirp.65271-ref51">51</xref>] have studied a variant of this model which allows the defender to commission penetration tests that might reveal the next weakest link without risking the consequences of a successful attack.</p></sec><sec id="s7"><title>7. Summary and Possible Extensions</title><p>We have presented an economic model that explains why and under which conditions under-investment in security can be rational, even against known threats for which defenses exist. Under-investment might reasonably occur when a) reactive investment is possible, b) uncertainty exists about the attacker’s relative capability to exploit different threats, c) successful attacks are not catastrophic, and d) the costs to upgrade the defense configuration are largely recoverable.</p><p>Unlike in other work explaining security under-investment with market failures, the ingredients to our model solely draw on the relation between defender and attacker, and do not involve actions of other market participants. Our results do not contradict or invalidate the well-known explanations of market failure. It rather complements the picture and highlights that market failure is a sufficient, but not always necessary, cause for security under-investment.</p><p>We believe that an iterated weakest link model accurately captures the challenges facing many information security threats today. We discussed two timely examples in the article. First, miscreants committing high- volume online crime exploit the Internet’s global, distributed architecture by compromising insecure machines and defrauding uninformed registrars, wherever they are located. Second, the security of payment cards has evolved over time by reacting to fraudster’s actions. Empirical data on losses show how the introduction of EMV in the UK has simply diverted attacker strategy to other methods, notably card-not-present and foreign ATM fraud.</p><p>As with any stylized model, ideas for extensions are abundant and implementation should be guided by the principle of parsimony, especially in the absence of reliable data to validate model assumptions. Nevertheless, a handful of extensions appear reasonable to make the model more applicable. One is to let the cost of attacks decrease over time to reflect learning and the creation of automated tools. Another direction could be to allow more ways for reducing uncertainty. This can be done either by including information gathering as an option for security investment (e.g., penetration testing or information sharing), or by relaxing the independence assumption between the stochastic realizations of the attack profile. The latter would allow the defender to infer knowledge about the probability of other threats from observed attacks, a phenomenon exploited by some technical early warning systems. If updates cause substantial unrecoverable costs, this opens new strategies of bundled investment in new defenses to better amortize the cost. Lastly, it may be of―at least academic―interest to consider other attack strategies. For example, attackers might not choose the weakest link to confuse the defender and trigger misallocations of security spending. Anecdotal evidence for such behavior can be found in the actions of some spammers, who send waves of messages with no other apparent purpose than to wear out self- learning spam filters.</p><p>One key future challenge is to find a case study where enough information is available to calibrate the model to empirical data. More generally, it may be worthwhile to explore further the question of when to deal with a problem. When is it better to move first and take proactive measures, and when is it better to defer and respond to other’s actions?</p></sec><sec id="s8"><title>Acknowledgements</title><p>We thank Chad Heitzenrater, the anonymous reviewers and participants of the 2009 Workshop on the Economics of Information Security (WEIS), and the anonymous reviewers of this special issue on Cybersecurity Investment for valuable comments and suggestions on earlier versions of this paper. All errors and omissions are the authors’.</p></sec><sec id="s9"><title>Cite this paper</title><p>Rainer B&#246;hme,Tyler Moore, (2016) The “Iterated Weakest Link” Model of Adaptive Security Investment. Journal of Information Security,07,81-102. doi: 10.4236/jis.2016.72006</p></sec><sec id="s10"><title>NOTES</title></sec></body><back><ref-list><title>References</title><ref id="scirp.65271-ref1"><label>1</label><mixed-citation publication-type="other" xlink:type="simple">Anderson, R. and Moore, T. (2006) The Economics of Information Security. Science, 314, 610-613. http://dx.doi.org/10.1126/science.1130992</mixed-citation></ref><ref id="scirp.65271-ref2"><label>2</label><mixed-citation publication-type="book" xlink:type="simple">Varian, H.R. (2004) System Reliability and Free Riding. In: Camp, L.J. and Lewis, S., Eds., Economics of Information Security, Springer Verlag, New York, 1-15. http://dx.doi.org/10.1007/1-4020-8090-5_1</mixed-citation></ref><ref id="scirp.65271-ref3"><label>3</label><mixed-citation publication-type="other" xlink:type="simple">Kunreuther, H. and Heal, G. (2003) Interdependent Security. Journal of Risk and Uncertainty, 26, 231-249. http://dx.doi.org/10.1023/A:1024119208153</mixed-citation></ref><ref id="scirp.65271-ref4"><label>4</label><mixed-citation publication-type="other" xlink:type="simple">Bauer, J.M. and van Eeten, M. (2009) Cybersecurity: Stakeholder Incentives, Externalities, and Policy Options. Telecommunications Policy, 33, 706-719. http://dx.doi.org/10.1016/j.telpol.2009.09.001</mixed-citation></ref><ref id="scirp.65271-ref5"><label>5</label><mixed-citation publication-type="other" xlink:type="simple">Bohme, R. and Moore, T. (2010) The Iterated Weakest Link. IEEE Security &amp; Privacy, 8, 53-55. http://dx.doi.org/10.1109/MSP.2010.51</mixed-citation></ref><ref id="scirp.65271-ref6"><label>6</label><mixed-citation publication-type="other" xlink:type="simple">Gordon, L.A. and Loeb, M.P. (2002) The Economics of Information Security Investment. ACM Transactions on Information and System Security, 5, 438-457. http://dx.doi.org/10.1145/581271.581274</mixed-citation></ref><ref id="scirp.65271-ref7"><label>7</label><mixed-citation publication-type="other" xlink:type="simple">Collins, M., Gates, C. and Kataria, G. (2006) A Model for Opportunistic Network Exploits: The Case of P2P Worms. Proc. of Workshop on the Economics of Information Security (WEIS), Cambridge, 26-28 June 2006. http://weis2006.econinfosec.org/docs/30.pdf</mixed-citation></ref><ref id="scirp.65271-ref8"><label>8</label><mixed-citation publication-type="other" xlink:type="simple">Major, J.A. (2002) Advanced Techniques for Modelling Terrorism Risk. Journal of Risk Finance, 4, 15-24. http://dx.doi.org/10.1108/eb022950</mixed-citation></ref><ref id="scirp.65271-ref9"><label>9</label><mixed-citation publication-type="other" xlink:type="simple">Thomas, K., Huang, D.Y., Wang, D., Bursztein, E., Grier, C., Holt, T.J., et al. (2015) Framing Dependencies Introduced by Underground Commoditization. Workshop on the Economics of Information Security (WEIS), Delft, 22-23 June 2015.</mixed-citation></ref><ref id="scirp.65271-ref10"><label>10</label><mixed-citation publication-type="other" xlink:type="simple">Hoo, K.J.S. (2002) How Much Is Enough? A Risk-Management Approach to Computer Security. Workshop on Economics and Information Security (WEIS), Berkeley, 16-17 May 2002. http://www.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/</mixed-citation></ref><ref id="scirp.65271-ref11"><label>11</label><mixed-citation publication-type="other" xlink:type="simple">Purser, S.A. (2004) Improving the ROI of the Security Management Process. Computers &amp; Security, 23, 542-546. http://dx.doi.org/10.1016/j.cose.2004.09.004</mixed-citation></ref><ref id="scirp.65271-ref12"><label>12</label><mixed-citation publication-type="other" xlink:type="simple">Gal-Or, E. and Ghose, A. (2005) The Economic Incentives for Sharing Security Information. Information Systems Research, 16, 186-208. http://dx.doi.org/10.1287/isre.1050.0053</mixed-citation></ref><ref id="scirp.65271-ref13"><label>13</label><mixed-citation publication-type="other" xlink:type="simple">Laube, S. and Bohme, R. (2015) Mandatory Security Information Sharing with Authorities: Implications on Investments in Internal Controls. 2nd ACM Workshop on Information Sharing and Collaborative Security, Denver, 12-16 October 2015, 31-42. http://dx.doi.org/10.1145/2808128.2808132</mixed-citation></ref><ref id="scirp.65271-ref14"><label>14</label><mixed-citation publication-type="other" xlink:type="simple">The Economist (2007) A Walk on the Dark Side. http://www.economist.com/displayStory.cfm?story_id=9723768</mixed-citation></ref><ref id="scirp.65271-ref15"><label>15</label><mixed-citation publication-type="other" xlink:type="simple">Krebs, B. (2008) Major Source of Online Scams and Spams Knocked Offline. Washington Post, 11 November 2008. http://voices.washingtonpost.com/securityfix/2008/11/major_source_of_online_scams_a.html</mixed-citation></ref><ref id="scirp.65271-ref16"><label>16</label><mixed-citation publication-type="other" xlink:type="simple">Krebs, B. (2008) EstDomains: A Sordid History and a Storied CEO. Washington Post, 8 September 2008. http://voices.washingtonpost.com/securityfix/2008/09/estdomains_a_sordid_history_an.html</mixed-citation></ref><ref id="scirp.65271-ref17"><label>17</label><mixed-citation publication-type="other" xlink:type="simple">ICANN (2008) Termination of Registrar EstDomains to Go Ahead. http://www.icann.org/en/announcementsannouncement-12nov08-en.htm</mixed-citation></ref><ref id="scirp.65271-ref18"><label>18</label><mixed-citation publication-type="other" xlink:type="simple">Moore, T. and Clayton, R. (2007) Examining the Impact of Website Take-Down on Phishing. Proceedings of the Anti-Phishing Working Groups 2nd Annual eCrime Researchers Summit, Pittsburgh, 4-5 October 2007, 1-13. http://www.cl.cam.ac.uk/~rnc1/ecrime07.pdf http://dx.doi.org/10.1145/1299015.1299016</mixed-citation></ref><ref id="scirp.65271-ref19"><label>19</label><mixed-citation publication-type="book" xlink:type="simple">Day, O., Palmen, B. and Greenstadt, R. (2008) Reinterpreting the Disclosure Debate for Web Infections. In: Johnson, M.E., Ed., Managing Information Risk and the Economics of Security, Springer, New York, 179-197.</mixed-citation></ref><ref id="scirp.65271-ref20"><label>20</label><mixed-citation publication-type="other" xlink:type="simple">Liu, H., Levchenko, K., Felegyházi, M., Kreibich, C., Maier, G., Voelker, G.M. and Savage, S. (2011) On the Effects of Registrar-Level Intervention. Proceedings of the 4th USENIX Conference on Large-Scale Exploits and Emergent Threats, LEET’11, Berkeley, 5.</mixed-citation></ref><ref id="scirp.65271-ref21"><label>21</label><mixed-citation publication-type="other" xlink:type="simple">McCoy, D., Dharmdasani, H., Kreibich, C., Voelker, G.M. and Savage, S. (2012) Priceless: The Role of Payments in Abuse-Advertised Goods. Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS’12, Raleigh, 16-18 October 2012, 845-856. http://dx.doi.org/10.1145/2382196.2382285</mixed-citation></ref><ref id="scirp.65271-ref22"><label>22</label><mixed-citation publication-type="other" xlink:type="simple">APACS (2007) 2007 UK Chip and PIN Report. http://cryptome.org/UK-Chip-PIN-07.pdf</mixed-citation></ref><ref id="scirp.65271-ref23"><label>23</label><mixed-citation publication-type="other" xlink:type="simple">The UK Cards Association. Card Fraud Figures. Retrieved on 29 December 2015. http://www.theukcardsassociation.org.uk/plastic_fraud_figures/</mixed-citation></ref><ref id="scirp.65271-ref24"><label>24</label><mixed-citation publication-type="other" xlink:type="simple">LLC EMVCo. EMV 4.1, June 2004. http://www.emvco.com</mixed-citation></ref><ref id="scirp.65271-ref25"><label>25</label><mixed-citation publication-type="other" xlink:type="simple">Drimer, S. and Murdoch, S.J. (2007) Keep Your Enemies Close: Distance Bounding against Smartcard Relay Attacks. Proceedings of 16th USENIX Security Symposium, Boston, 6-10 August 2007, Article No. 7.</mixed-citation></ref><ref id="scirp.65271-ref26"><label>26</label><mixed-citation publication-type="other" xlink:type="simple">Drimer, S., Murdoch, S.J. and Anderson, R. (2008) Thinking Inside the Box: System-Level Failures of Tamper Proofing. IEEE Symposium on Security &amp; Privacy, Oakland, 18-22 May 2008, 281-295. http://dx.doi.org/10.1109/sp.2008.16</mixed-citation></ref><ref id="scirp.65271-ref27"><label>27</label><mixed-citation publication-type="other" xlink:type="simple">Murdoch, S.J., Drimer, S., Anderson, R. and Bond, M. (2010) Chip and PIN Is Broken. 2010 IEEE Symposium on Security and Privacy (SP), Oakland, 16-19 May 2010, 433-446. http://dx.doi.org/10.1109/sp.2010.33</mixed-citation></ref><ref id="scirp.65271-ref28"><label>28</label><mixed-citation publication-type="book" xlink:type="simple">Drimer, S., Murdoch, S.J. and Anderson, R. (2009) Optimised to Fail: Card Readers for Online Banking. In: Dingledine, R. and Golle, P., Eds., Financial Cryptography and Data Security, Lecture Notes in Computer Science, Vol. 5628, Springer, Berlin, 184-200. http://dx.doi.org/10.1007/978-3-642-03549-4_11</mixed-citation></ref><ref id="scirp.65271-ref29"><label>29</label><mixed-citation publication-type="other" xlink:type="simple">Spamhaus (2007) Report on the Criminal “Rock Phish” Domains Registered at Nic.at (Press Release). http://www.spamhaus.org/organization/statement.lasso?ref=7</mixed-citation></ref><ref id="scirp.65271-ref30"><label>30</label><mixed-citation publication-type="other" xlink:type="simple">Gordon, L.A., Loeb, M.P. and Lucyshyn, W. (2003) Information Security Expenditures and Real Options: A Wait-and-See Approach. Computer Security Journal, 14, 1-7.</mixed-citation></ref><ref id="scirp.65271-ref31"><label>31</label><mixed-citation publication-type="other" xlink:type="simple">Schechter, S.E. (2005) Toward Econometric Models of the Security Risk from Remote Attacks. IEEE Security and Privacy, 3, 40-44. http://dx.doi.org/10.1109/MSP.2005.30</mixed-citation></ref><ref id="scirp.65271-ref32"><label>32</label><mixed-citation publication-type="other" xlink:type="simple">Littlewood, B., Brocklehurst, S., Fenton, N., Mellor, P., Page, S., Wright, D., et al. (1994) Towards Operational Measures of Computer Security. Journal of Computer Security, 2, 211-229.</mixed-citation></ref><ref id="scirp.65271-ref33"><label>33</label><mixed-citation publication-type="book" xlink:type="simple">Jonsson, E. and Andersson, M. (1996) On the Quantitative Assessment of Behavioural Security. In: Pieprzyk, J. and Seberry, J., Eds., Information Security and Privacy, Lecture Notes in Computer Science, Vol. 1172, Springer-Verlag, Berlin, 228-241. http://dx.doi.org/10.1007/bfb0023302</mixed-citation></ref><ref id="scirp.65271-ref34"><label>34</label><mixed-citation publication-type="other" xlink:type="simple">Jonsson, E. and Olovsson, T. (1997) A Quantitative Model of the Security Intrusion Process Based on Attacker Behaviour. IEEE Transactions on Software Engineering, 23, 235-245. http://dx.doi.org/10.1109/32.588541</mixed-citation></ref><ref id="scirp.65271-ref35"><label>35</label><mixed-citation publication-type="other" xlink:type="simple">Avizienis, A., Laprie, J.-C., Randell, B. and Landwehr, C. (2004) Basic Concepts and Taxonomy of Dependable and Secure Computing. IEEE Transactions on Dependable and Secure Computing, 1, 11-33. http://dx.doi.org/10.1109/TDSC.2004.2</mixed-citation></ref><ref id="scirp.65271-ref36"><label>36</label><mixed-citation publication-type="other" xlink:type="simple">Anderson, R. (2001) Why Information Security Is Hard—An Economic Perspective. Annual Computer Security Applications Conference (ACSAC), New Orleans, 10-14 December 2001, 358-365. http://www.cl.cam.ac.uk/~rja14/econsec.html http://dx.doi.org/10.1109/acsac.2001.991552</mixed-citation></ref><ref id="scirp.65271-ref37"><label>37</label><mixed-citation publication-type="other" xlink:type="simple">Bohme, R. and Schwartz, G. (2010) Modeling Cyber-Insurance: Towards a Unifying Framework. Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, 7-8 June 2010.</mixed-citation></ref><ref id="scirp.65271-ref38"><label>38</label><mixed-citation publication-type="other" xlink:type="simple">Yue, W.T. and Cakanyildirim, M. (2007) Intrusion Prevention in Information Systems: Reactive and Proactive Responses. Journal of Management Information Systems, 24, 329-353. http://dx.doi.org/10.2753/MIS0742-1222240110</mixed-citation></ref><ref id="scirp.65271-ref39"><label>39</label><mixed-citation publication-type="other" xlink:type="simple">Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Zhou, L. (2015) The Impact of Information Sharing on Cybersecurity Underinvestment: A Real Options Perspective. Journal of Accounting and Public Policy, 34, 509-519. http://dx.doi.org/10.1016/j.jaccpubpol.2015.05.001</mixed-citation></ref><ref id="scirp.65271-ref40"><label>40</label><mixed-citation publication-type="other" xlink:type="simple">Herath, H.S.B. and Herath, T.C. (2008) Investments in Information Security: A Real Options Perspective with Bayesian Postaudit. Journal of Management Information Systems, 25, 337-375. http://dx.doi.org/10.2753/MIS0742-1222250310</mixed-citation></ref><ref id="scirp.65271-ref41"><label>41</label><mixed-citation publication-type="book" xlink:type="simple">Franqueira, V.N.L., Houmb, S.H. and Daneva, M. (2010) Using Real Option Thinking to Improve Decision Making in Security Investment. In: Meersman, R., Dillon, T.S. and Herrero, P., Eds., On the Move to Meaningful Internet Systems: OTM, Lecture Notes in Computer Science, Vol. 6426, Springer, Berlin, 619-638. http://dx.doi.org/10.1007/978-3-642-16934-2_46</mixed-citation></ref><ref id="scirp.65271-ref42"><label>42</label><mixed-citation publication-type="book" xlink:type="simple">Barth, A., Rubinstein, B.I.P., Sundararajan, M., Mitchell, J.C., Song, D. and Bartlettm, P.L. (2010) A Learning-Based Approach to Reactive Security. In: Radu, S., Ed., Financial Cryptography and Data Security, Lecture Notes in Computer Science, Vol. 6052, Springer, Berlin, 192-206. http://dx.doi.org/10.1007/978-3-642-14577-3_16</mixed-citation></ref><ref id="scirp.65271-ref43"><label>43</label><mixed-citation publication-type="other" xlink:type="simple">Ogut, H., Cavusoglu, H. and Raghunathan, S. (2008) Intrusion Detection Policies for It Security Breaches. INFORMS Journal on Computing, 20, 112-123. http://dx.doi.org/10.1287/ijoc.1070.0222</mixed-citation></ref><ref id="scirp.65271-ref44"><label>44</label><mixed-citation publication-type="other" xlink:type="simple">Zhu, M., Hu, Z. and Liu, P. (2014) Reinforcement Learning Algorithms for Adaptive Cyber Defense against Heartbleed. Proceedings of the 1st ACM Workshop on Moving Target Defense, Scottsdale, 3-7 November 2014, 51-58. http://dx.doi.org/10.1145/2663474.2663481</mixed-citation></ref><ref id="scirp.65271-ref45"><label>45</label><mixed-citation publication-type="other" xlink:type="simple">Kwon, J. and Johnson, M.E. (2014) Proactive versus Reactive Security Investments in the Healthcare Sector. MIS Quarterly, 38, 451-471.</mixed-citation></ref><ref id="scirp.65271-ref46"><label>46</label><mixed-citation publication-type="other" xlink:type="simple">Manshaei, M.H., Zhu, Q., Alpcan, T., Basar, T. and Hubeaux, J.-P. (2013) Game Theory Meets Network Security and Privacy. ACM Computing Surveys, 45, Article No. 25. http://dx.doi.org/10.1145/2480741.2480742</mixed-citation></ref><ref id="scirp.65271-ref47"><label>47</label><mixed-citation publication-type="other" xlink:type="simple">Bier, V., Oliveros, S. and Samuelson, L. (2007) Choosing What to Protect: Strategic Defensive Allocation against an Unknown Attacker. Journal of Public Economic Theory, 9, 563-587. http://dx.doi.org/10.1111/j.1467-9779.2007.00320.x</mixed-citation></ref><ref id="scirp.65271-ref48"><label>48</label><mixed-citation publication-type="other" xlink:type="simple">Cremonini, M. and Nizovtsev, D. (2006) Understanding and Influencing Attackers’ Decisions: Implications for Security Investment Strategies. Workshop on the Economics of Information Security (WEIS), Robinson College, University of Cambridge, 26-28 June 2006. http://weis2006.econinfosec.org/docs/3.pdf</mixed-citation></ref><ref id="scirp.65271-ref49"><label>49</label><mixed-citation publication-type="other" xlink:type="simple">van Dijk, M., Juels, A., Oprea, A. and Rivest, R.L. (2013) FlipIt: The Game of “Stealthy Takeover”. Journal of Cryptology, 26, 655-713. http://dx.doi.org/10.1007/s00145-012-9134-5</mixed-citation></ref><ref id="scirp.65271-ref50"><label>50</label><mixed-citation publication-type="other" xlink:type="simple">Bohme, R. and Moore, T. (2009) The Iterated Weakest Link: A Model of Adaptive Security Investment. Workshop on the Economics of Information Security (WEIS), University College London, 24-25 June 2009. http://weis09.infosecon.net/files/152/paper152.pdf</mixed-citation></ref><ref id="scirp.65271-ref51"><label>51</label><mixed-citation publication-type="book" xlink:type="simple">Bohme, R. and Felegyházi, M. (2010) Optimal Information Security Investment with Penetration Testing. In: Alpcan, T., Buttyán, L. and Baras, J.S., Eds., Decision and Game Theory for Security, Lecture Notes in Computer Science, Vol. 6442, Springer, Berlin, 21-37. http://dx.doi.org/10.1007/978-3-642-17197-0_2</mixed-citation></ref></ref-list></back></article>