A stochastic Gordon-Loeb model for optimal cybersecurity investment under clustered attacks

Imagine you own a very valuable castle (your company's data). You know that bandits (cybercriminals) are trying to break in. The old way of thinking about security was like buying a single, giant, expensive gate and hoping it holds forever. You'd calculate: "If I spend $100 on this gate, how much money will I save if a bandit tries to climb over?"

This paper says that approach is outdated. It's too static. In the real world, bandits don't just knock on the door once and leave. They work in packs. If one bandit finds a weak spot in the wall, they signal their friends, and suddenly, 50 bandits are swarming that same spot in the next hour. This is called a "clustered attack."

The authors of this paper built a new, smarter "security calculator" that accounts for these packs. Here is how they did it, explained simply:

1. The "Alarm System" That Gets Louder (The Hawkes Process)

In the old models, attacks were like raindrops falling randomly. You might get one drop, then wait an hour, then get another. It was predictable and boring.

In this new model, attacks are like a rowdy crowd at a concert.

The Old Way: People arrive one by one, randomly.
The New Way: When one person starts a mosh pit (an attack), it excites everyone else. The crowd gets louder, more energetic, and more likely to push harder. The more attacks happen, the more likely the next attack is to happen immediately after.

The authors use a mathematical tool called a Hawkes Process to describe this. Think of it as an alarm system that doesn't just ring; it gets louder every time it rings, telling you, "Hey, they are coming in waves! Brace yourself!"

2. The "Smart Security Guard" (Dynamic Investment)

The old model told you: "Buy a gate today, and that's it. Don't touch it again."
The new model tells you: "Be a smart security guard who reacts in real-time."

When things are quiet: You spend a little on maintenance. You don't need to build a fortress.
When the alarm gets loud (a cluster starts): Your guard sees the intensity of the threat spike. Instead of panicking, the guard instantly spends more money to reinforce the walls right now.
When the crowd settles: The guard stops spending so much and goes back to maintenance.

This is called an adaptive strategy. You aren't just buying a gate; you are buying a security team that knows exactly when to sprint and when to walk.

3. The "Rotten Apple" Problem (Depreciation)

The paper also notes that security tech rots fast. A firewall you bought five years ago is like a rusted lock; it doesn't work well anymore.

The Model: Every day, your security level naturally drops (like a fruit rotting).
The Solution: You have to keep "watering the plant" (investing) just to stay at the same level, and even more to get stronger. If you stop investing, your security crumbles.

4. Why This Matters: The "Mosh Pit" vs. The "Drizzle"

The authors ran simulations to see what happens if you use the old "random rain" model versus their new "mosh pit" model.

The Result: If you use the old model, you are under-prepared for the big waves. You think the bandits are just a few scattered individuals, so you don't spend enough when they actually swarm.
The Gain: By using the new model, organizations can save a massive amount of money. The paper found that using this smart, reactive strategy can reduce your total losses (and insurance costs) by about 65% compared to just doing nothing or using the old static rules.

5. The Insurance Angle

Finally, the paper looks at this from an insurance company's perspective.

Old View: Insurance is just paying for the damage after the fire.
New View: Insurance is a partnership. If you (the business) show you have a "smart guard" who reacts to clusters, the insurance company knows you are less risky.
The Benefit: Because you are actively preventing the worst damage, your insurance premiums (the price you pay) go down significantly. It's like getting a discount on car insurance because you have a great anti-theft system that alerts the police instantly.

The Big Takeaway

Cybersecurity isn't about buying a static shield and hoping for the best. It's about having a dynamic defense system that knows when the enemy is gathering in a pack and reacts instantly to that specific threat.

By understanding that attacks come in "clusters" (like a mosh pit) rather than random "drops" (like rain), companies can stop wasting money on the wrong things and start spending money exactly when and where it saves them the most.

Here is a detailed technical summary of the paper "A stochastic Gordon-Loeb model for optimal cybersecurity investment under clustered attacks."

1. Problem Statement

The paper addresses the challenge of determining the optimal cybersecurity investment policy for an organization facing cyberattacks. While the seminal Gordon-Loeb (GL) model provides a static framework for balancing investment costs against expected breach losses, it fails to account for two critical real-world dynamics:

Temporal Clustering: Cyberattacks often occur in bursts (e.g., following a vulnerability disclosure or malware propagation), a phenomenon not captured by memoryless Poisson processes.
Dynamic Adaptation: Organizations need to adjust their security posture in real-time as the threat landscape evolves, rather than relying on a single static investment decision.

The authors aim to develop a continuous-time stochastic model that incorporates attack clustering via Hawkes processes and determines an adaptive investment strategy that minimizes net losses (breach costs + investment costs) over a planning horizon.

2. Methodology

A. Modeling Framework

The authors extend the static Gordon-Loeb model into a two-dimensional stochastic optimal control problem.

Attack Arrival (Hawkes Process): Instead of a Poisson process, the arrival of cyberattacks $N_t$ $N_{t}$ is modeled as a Hawkes process. This captures the "self-exciting" nature of cyber-risk, where an attack increases the probability of subsequent attacks.
- The stochastic intensity $\lambda_t$ evolves as:
  $d\lambda_t = \xi(\alpha - \lambda_t)dt + \beta dN_t$
  where $\alpha$ is the long-term mean, $\xi$ is the decay rate, and $\beta$ determines the magnitude of self-excitation.
Vulnerability and Breach:
- The system has a baseline vulnerability $v$ .
- Cybersecurity investment $z_t$ (a rate process) builds a cybersecurity level $H_t^z$ , which decays over time due to technological obsolescence (depreciation rate $\rho$ ).
- The breach probability at an attack time $\tau_i$ is given by a function $S(H_{\tau_i}^z, v)$ , satisfying the properties of the original GL model (decreasing and convex in investment).
Losses: If a breach occurs, the entity incurs a random loss $\eta_i$ . The cumulative loss is a marked Hawkes process.

B. Optimization Problem

The objective is to maximize the Expected Net Benefit of Investment (ENBIS) over a horizon $[0, T]$ . The decision maker chooses an investment rate process $z = (z_t)$ to maximize:
$\sup_{z \in \mathcal{Z}} \mathbb{E} \left[ \int_0^T \left( \bar{\eta}(v - S(H_t^z, v))\lambda_t - z_t - \frac{\gamma}{2}z_t^2 \right) dt + U(H_T^z) \right]$

Benefit: Reduction in expected losses ( $\bar{\eta}$ is the mean loss, $\lambda_t$ is the attack intensity).
Cost: A non-linear cost function ( $z_t + \frac{\gamma}{2}z_t^2$ ) penalizes irregular or highly concentrated spending, encouraging smooth investment.
Terminal Utility: $U(H_T^z)$ accounts for the residual value of the security level at the end of the horizon.

C. Solution via Dynamic Programming

The problem is solved using Dynamic Programming techniques for Piecewise Deterministic Markov Processes (PDMP).

The Value Function $V(t, \lambda, h)$ represents the maximum expected net benefit given current time $t$ , intensity $\lambda$ , and security level $h$ .
The solution satisfies a Hamilton-Jacobi-Bellman Partial Integro-Differential Equation (HJB-PIDE):
$\frac{\partial V}{\partial t} + \xi(\alpha - \lambda)\frac{\partial V}{\partial \lambda} - \rho h \frac{\partial V}{\partial h} + \lambda(V(t, \lambda+\beta, h) - V(t, \lambda, h)) + \bar{\eta}(v - S(h, v))\lambda + \frac{(\frac{\partial V}{\partial h} - 1)_+^2}{2\gamma} = 0$
The Optimal Investment Rate is derived explicitly as:
$z_t^* = \frac{1}{\gamma} \left( \frac{\partial V}{\partial h}(t, \lambda_t, H_t^z) - 1 \right)_+$
This implies investment occurs only when the marginal benefit of increasing the security level exceeds the marginal cost.

D. Numerical Implementation

Since an analytical solution is intractable, the authors employ the Method of Lines:

Discretize the spatial domain $(\lambda, h)$ using finite differences.
Convert the PIDE into a system of Ordinary Differential Equations (ODEs).
Solve the ODE system backward in time using an implicit Runge-Kutta method (Radau IIA).
Simulate trajectories of the Hawkes process to compute the adaptive investment path.

3. Key Contributions

Stochastic Extension of Gordon-Loeb: The first continuous-time stochastic extension of the GL model that explicitly models attack clustering via Hawkes processes.
Adaptive Policy Derivation: Derivation of a real-time, state-dependent optimal investment policy $z_t^*$ that reacts to the stochastic intensity $\lambda_t$ .
Quantification of Clustering Impact: Demonstration that ignoring attack clustering (using Poisson models) leads to suboptimal investment decisions, even if the average attack frequency is correctly estimated.
Actuarial Implications: A novel link between dynamic cybersecurity investment and cyber-insurance pricing, showing how optimal prevention reduces both expected losses and loss variance, thereby lowering insurance premiums.

4. Key Results

Superiority of Dynamic Policy: The optimal dynamic strategy consistently outperforms static (constant) investment strategies. The relative gain is highest when the initial security level is low and the attack intensity is high (up to ~15% improvement in net benefit).
Impact of Clustering (Hawkes vs. Poisson):
- Compared to a Poisson model with the same baseline intensity, the Hawkes model yields significantly higher investment rates and value functions because it correctly anticipates higher future risk during clusters.
- Even compared to a Poisson model calibrated to the same expected total number of attacks, the Hawkes model yields higher investment rates during high-intensity periods. This highlights that timing matters: static models fail to ramp up investment when attacks cluster.
Parameter Sensitivity:
- Decay Rate ( $\xi$ ): Lower $\xi$ (slower decay, more clustering) leads to significantly higher optimal investment rates.
- Obsolescence ( $\rho$ ): Higher depreciation rates reduce the incentive to invest, as the security level decays rapidly.
Insurance Premium Reduction: Under the optimal dynamic prevention strategy, the study finds:
- A ~65% reduction in expected aggregate losses (pure premium).
- A ~55% reduction in loss standard deviation.
- A ~63% reduction in total insurance premiums (calculated via the standard deviation principle).

5. Significance and Implications

For Risk Managers: The paper provides a quantitative framework to justify adaptive, real-time investment strategies. It argues that cybersecurity budgets should not be static but should respond dynamically to threat intelligence (e.g., increasing spend immediately after a detected breach or vulnerability disclosure).
For Insurers: The model offers a rigorous method to calculate risk-based premiums. It demonstrates that "prevention" (investment) is a form of self-insurance that reduces both the frequency/severity of claims and the volatility of the insurer's portfolio. This supports the design of incentive-based contracts where premiums are tied to measurable security levels.
Theoretical Advancement: By integrating Hawkes processes into optimal control for cyber-risk, the paper bridges the gap between empirical observations of attack clustering and rigorous financial engineering models.

In conclusion, the paper establishes that accounting for the temporal clustering of cyberattacks is critical for effective risk management. Static or memoryless models systematically underestimate the need for rapid, responsive investment during attack bursts, leading to suboptimal financial outcomes and higher insurance costs.