The Iterated Weakest Link - A Model of Adaptive Security Investment
Authors
Abstract
We devise a model for security investment that reflects dynamic interaction between a defender, who faces uncertainty, and an attacker, who repeatedly targets the weakest link. Using the model, we derive and compare optimal security investment over multiple periods, exploring the delicate balance between proactive and reactive security investment. We show how the best strategy depends on the defender’s knowledge about prospective attacks and the sunk costs incurred when upgrading defenses reactively. Our model explains why security underinvestment is sometimes rational even when effective defenses are available and can be deployed independently of other parties’ choices. Finally, we connect the model to real-world security problems by examining two case studies where empirical data is available: computers compromised for use in online crime and payment card security.
Similar resources
The “Iterated Weakest Link” Model of Adaptive Security Investment
We devise a model for security investment that reflects dynamic interaction between a defender, who faces uncertainty, and an attacker, who repeatedly targets the weakest link. Using the model, we derive and compare optimal security investment over multiple periods, exploring the delicate balance between proactive and reactive security investment. We show how the best strategy depends on the de...
The Days Before Zero Day: Investment Models for Secure Software Engineering
While the majority of security practice — and spending — is focused on post-development products and enterprise approaches, some have sought to change the focus of security from the networks we manage to the systems we build. The burgeoning Secure Software Engineering (SSE) community has sought to identify and espouse activities, built upon traditional software engineering, that address the int...
Optimal Information Security Investment with Penetration Testing
Penetration testing, the deliberate search for potential vulnerabilities in a system by using attack techniques, is a relevant tool of information security practitioners. This paper adds penetration testing to the realm of information security investment. Penetration testing is modeled as an information gathering option to reduce uncertainty in a discrete time, finite horizon, player-versus-nat...
Airport security human factors: From the weakest to the strongest link in airport security screening
Airport security screening is a challenging task. In fact, according to several experts, the human operator is often the weakest link of the security system. In this article, the results of human factor studies conducted over the last five years involving several international airports in four European countries are summarized. It is shown how human operators can in fact become the strongest li...
Security Investment (Failures) in Five Economic Environments: A Comparison of Homogeneous and Heterogeneous User Agents
Security interactions in networked systems, and the associated user choices, due to their complexity, are notoriously difficult to predict, and sometimes even harder to rationalize. We argue that users often underestimate the strong mutual dependence between their security strategies and the economic environment (e.g., threat model) in which these choices are made and evaluated. This misunderst...
Journal title:
Volume / Issue:
Pages: -
Publication date: 2009