Abstract. We devise a model for security investment that reflects dynamic interaction between a defender, who faces uncertainty, and an attacker, who repeatedly targets the weakest link. Using the model, we derive and compare optimal security investment over multiple periods, exploring the delicate balance between proactive and reactive security investment. We show how the best strategy depends on the defender’s knowledge about prospective attacks and the sunk costs incurred when upgrading defenses reactively. Our model explains why security underinvestment is sometimes rational even when effective defenses are available and can be deployed independently of other parties’ choices. Finally, we connect the model to real-world security problems by examining two case studies where empirical data is available: computers compromised for use in online crime and payment card security.