The Iterated Weakest Link
January/February 2010 (vol. 8 no. 1)
pp. 53-55
Rainer Böhme, International Computer Science Institute
Tyler Moore, Harvard University
We outline a model for security investment that reflects dynamic interaction between a defender, who faces uncertainty, and an attacker, who repeatedly targets the weakest link. Using the model, we derive and compare optimal security investment over multiple periods, exploring the delicate balance between proactive and reactive security investment.

Index Terms:
economics, security, optimal security investment under uncertainty, ROSI
Rainer Böhme, Tyler Moore, "The Iterated Weakest Link," IEEE Security & Privacy, vol. 8, no. 1, pp. 53-55, Jan.-Feb. 2010, doi:10.1109/MSP.2010.51