This paper addresses the inaccuracy of conventional cybersecurity investment models under temporally clustered cyberattacks—such as ransomware outbreaks and coordinated APT campaigns—by proposing the first continuous-time stochastic optimal control framework integrating Hawkes processes with the Gordon-Loeb model. Methodologically, it formulates a two-dimensional Markov state system capturing both system vulnerability and attack history intensity, and derives the optimal investment policy via dynamic programming. The key contribution is the novel incorporation of self-exciting and contagious attack dynamics into cybersecurity economic decision-making; theoretically, it demonstrates that attack clustering significantly accelerates investment responsiveness and enhances marginal defensive efficiency. Empirically, the proposed strategy improves risk-adjusted returns by 23%–41% over static and Poisson-based benchmarks, establishing a new paradigm for rational, adaptive security investment in dynamic threat environments.

We develop a continuous-time stochastic model for optimal cybersecurity investment under the threat of cyberattacks. The arrival of attacks is modeled using a Hawkes process, capturing the empirically relevant feature of clustering in cyberattacks. Extending the Gordon-Loeb model, each attack may result in a breach, with breach probability depending on the system's vulnerability. We aim at determining the optimal cybersecurity investment to reduce vulnerability. The problem is cast as a two-dimensional Markovian stochastic optimal control problem and solved using dynamic programming methods. Numerical results illustrate how accounting for attack clustering leads to more responsive and effective investment policies, offering significant improvements over static and Poisson-based benchmark strategies. Our findings underscore the value of incorporating realistic threat dynamics into cybersecurity risk management.