Games of Timing for Security in Dynamic Environments Benjamin Johnson 1 , Aron Laszka 2 , and Jens Grossklags 3 1 CyLab, Carnegie Mellon University, Pittsburgh, USA 2 Institute for Software Integrated Systems, Vanderbilt University, Nashville, USA 3 College of Information Sciences and Technology, Pennsylvania State University, University Park, USA Abstract. Increasing concern about insider threats, cyber-espionage, and other types of attacks which involve a high degree of stealthiness has renewed the desire to better understand the timing of actions to au- dit, clean, or otherwise mitigate such attacks. However, to the best of our knowledge, the modern literature on games shares a common lim- itation: the assumption that the cost and effectiveness of the players’ actions are time-independent. In practice, however, the cost and suc- cess probability of attacks typically vary with time, and adversaries may only attack when an opportunity is present (e.g., when a vulnerability has been discovered). In this paper, we propose and study a model which captures dynamic en- vironments. More specifically, we study the problem faced by a defender who has deployed a new service or resource, which must be protected against cyber-attacks. We assume that adversaries discover vulnerabili- ties according to a given vulnerability-discovery process which is modeled as an arbitrary function of time. Attackers and defenders know that each found vulnerability has a basic lifetime, i.e., the likelihood that a vul- nerability is still exploitable at a later date is subject to the efforts by ethical hackers who may rediscover the vulnerability and render it useless for attackers. At the same time, the defender may invest in mitigation efforts to lower the impact of an exploited vulnerability. Attackers there- fore face the dilemma to either exploit a vulnerability immediately, or wait for the defender to let its guard down. The latter choice leaves the risk to come away empty-handed. We develop two versions of our model, i.e., a continuous-time and a discrete-time model, and conduct an analytic and numeric analysis to take first steps towards actionable guidelines for sound security invest- ments in dynamic contested environments. Keywords: Security, Game Theory, Games of Timing, Vulnerability Discovery 1 Introduction Since at least the Cold War era there has been a considerable interest in the study of games of timing to understand when to act in security-relevant decision- making scenarios [1]. The recent rise of insider threats, cyber-espionage, and