This dissertation studies the problem of investing in security mitigations to protect a critical infrastructure system. We consider three different ways a system could be vulnerable to threats, and for each of these cases spend a chapter developing methods to model the deployment of mitigations to optimally protect the system. There exists literature to address the problem of selecting a portfolio of mitigations subject to a budget constraint in each of these cases. However, the literature does not address how to deploy the mitigations in resource-constrained settings over time. We consider the problem of choosing a portfolio of mitigations to implement while considering the time and resources required to implement the mitigations and precedence relationships between the mitigations. The first way we model threats to the system addresses overlapping effects of mitigations on different vulnerabilities of the system, allowing each vulnerability to be covered multiple times for diminishing returns. In the next chapter we consider the possibility of sophisticated attackers, rather than general vulnerabilities. We assume a set of attackers simultaneously work to complete their own project, where the actions they must take to complete these projects can be delayed by the defender's mitigations. The final way we model threats to the system is again by considering sophisticated attackers, but instead assuming the attacker have multiple ways to achieve their goal. While similar to the previous problem, this problem presents its own unique modeling challenges. In each case we introduce integer programming models that extend a resource constrained project scheduling problem (RCPSP) to both select and schedule mitigation tasks over a time horizon with the goal of maximally protecting the system. We additionally develop heuristic methods for each of these problems. We conclude by discussing the benefit we see in this research of considering the deployment of mitigations to protect critical infrastructure systems in resource-constrained settings over time.