A stochastic Gordon-Loeb model for optimal cybersecurity investment under clustered attacks
Giorgia Callegaro, Claudio Fontana, Caroline Hillairet, Beatrice Ongarato

TL;DR
This paper introduces a stochastic model for cybersecurity investment that accounts for clustered cyberattacks using a Hawkes process, improving decision-making over traditional static or Poisson-based models.
Contribution
It extends the Gordon-Loeb model by incorporating attack clustering via a Hawkes process, providing a more realistic framework for optimal cybersecurity investment.
Findings
Clustering in attacks significantly impacts optimal investment strategies.
Dynamic policies outperform static and Poisson-based benchmarks.
Incorporating attack clustering leads to more effective cybersecurity investments.
Abstract
We develop a continuous-time stochastic model for optimal cybersecurity investment under the threat of cyberattacks. The arrival of attacks is modeled using a Hawkes process, capturing the empirically relevant feature of clustering in cyberattacks. Extending the Gordon-Loeb model, each attack may result in a breach, with breach probability depending on the system's vulnerability. We aim at determining the optimal cybersecurity investment to reduce vulnerability. The problem is cast as a two-dimensional Markovian stochastic optimal control problem and solved using dynamic programming methods. Numerical results illustrate how accounting for attack clustering leads to more responsive and effective investment policies, offering significant improvements over static and Poisson-based benchmark strategies. Our findings underscore the value of incorporating realistic threat dynamics into…
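To make the clustering effect in the abstract concrete, the following added example (not code from the paper or its authors) simulates attack arrivals from a Hawkes process and from a Poisson process with the same long-run rate, then thins each stream into breaches. The exponential excitation kernel, all parameter values, the fixed investment level `z`, and the use of the Gordon-Loeb class-I breach function are assumptions made here; the paper's optimal control problem is not implemented.

```python
import math
import random

def simulate_hawkes(mu, alpha, beta, horizon, rng):
    """Ogata thinning; intensity = mu + sum_i alpha * exp(-beta * (t - t_i))."""
    t, excess, events = 0.0, 0.0, []      # excess = intensity - mu
    while True:
        bound = mu + excess               # intensity only decays until the next event
        wait = rng.expovariate(bound)
        t += wait
        if t >= horizon:
            return events
        excess *= math.exp(-beta * wait)
        if rng.random() * bound <= mu + excess:
            events.append(t)              # accepted attack excites future intensity
            excess += alpha

def fano_factor(events, horizon, window):
    """Variance/mean of attack counts per window: ~1 for Poisson, >1 if clustered."""
    counts = [0] * int(horizon / window)
    for t in events:
        i = int(t / window)
        if i < len(counts):
            counts[i] += 1
    mean = sum(counts) / len(counts)
    return sum((c - mean) ** 2 for c in counts) / len(counts) / mean

def breach_probability(z, v, a=1.0, b=1.0):
    """Gordon-Loeb class-I function: vulnerability v reduced by investment z."""
    return v / (a * z + 1.0) ** b

def compare(seed=1, horizon=5000.0, window=10.0, z=1.0, v=0.6):
    rng = random.Random(seed)
    # Constructed parameters: both processes have long-run rate 1 attack per unit time.
    hawkes = simulate_hawkes(0.2, 0.8, 1.0, horizon, rng)   # branching ratio 0.8
    poisson = simulate_hawkes(1.0, 0.0, 1.0, horizon, rng)  # alpha = 0: plain Poisson
    p = breach_probability(z, v)
    return {
        "hawkes_fano": fano_factor(hawkes, horizon, window),
        "poisson_fano": fano_factor(poisson, horizon, window),
        "hawkes_breaches": sum(rng.random() < p for _ in hawkes),
        "poisson_breaches": sum(rng.random() < p for _ in poisson),
    }

if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.2f}")
```

Both streams produce a similar total number of attacks, but the Hawkes counts per window are far more dispersed, which is the burstiness a static or Poisson-calibrated budget does not see.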
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Smart Grid Security and Resilience
