A stochastic Gordon-Loeb model for optimal cybersecurity investment under clustered attacks
Giorgia Callegaro, Claudio Fontana, Caroline Hillairet, Beatrice Ongarato
TL;DR
This paper develops a dynamic, stochastic extension of the Gordon–Loeb framework by modeling cyberattack arrivals with a Hawkes process, capturing clustering effects. The authors formulate a two-dimensional stochastic control problem with state variables for attack intensity $\lambda_t$ and cybersecurity level $H_t$, deriving a Hamilton–Jacobi–Bellman equation (HJB-PIDE) and the optimal investment rule $z^*=(\partial V/\partial h-1)^+ / \gamma$. Numerical solution via the method of lines and Radau IIA yields adaptive, real-time investment policies that outperform static and Poisson-based benchmarks, especially in high-clustering regimes. The results demonstrate that accounting for threat clustering substantially improves risk management by enabling timely and scale-sensitive cybersecurity investments, with practical implications for dynamic risk budgeting and policy design.
Abstract
We develop a continuous-time stochastic model for optimal cybersecurity investment under the threat of cyberattacks. The arrival of attacks is modeled using a Hawkes process, capturing the empirically relevant feature of clustering in cyberattacks. Extending the Gordon-Loeb model, each attack may result in a breach, with breach probability depending on the system's vulnerability. We aim at determining the optimal cybersecurity investment to reduce vulnerability. The problem is cast as a two-dimensional Markovian stochastic optimal control problem and solved using dynamic programming methods. Numerical results illustrate how accounting for attack clustering leads to more responsive and effective investment policies, offering significant improvements over static and Poisson-based benchmark strategies. Our findings underscore the value of incorporating realistic threat dynamics into cybersecurity risk management.
