The connectivity enabled by modern computer networking technologies introduces vulnerabilities to adversarial attacks. Although it is ideal to be able to prevent all possible cyber attacks, this is not possible or feasible in practice and society must accept that attacks are inevitable. While many works study optimal security policies to minimize the chance of successful attacks, there are many unexplored territories. In this letter, we formulate and investigate a new problem, namely the tradeoff between the effort or resource that should be spent on preventing attacks (i.e., preventive defense) and the effort or resource that should be spent on recovering from attacks (i.e., reactive defense). We formulate the problem as a resource allocation game between the defender and the attacker, where they decide how to allocate resources to defend and attack a set nodes (e.g., computers), respectively. The game unfolds in two phases. (i) Allocate preventive resources to reduce the probabilities that the nodes are successfully compromised by the attacker. (ii) The compromised nodes undergo a recovery process, which can be sped up with the allocation of more reactive defense resources. Our results completely characterize the Nash equilibria of this game, revealing the defender’s optimal allocation of preventive versus reactive resources.