A rough cut cybersecurity investment using portfolio of security controls with maximum cybersecurity value

International Journal of Production Research · 2021
Cited by 32
ABS 3

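Summary

This paper uses a stochastic programming approach to optimise cybersecurity investment in supply chains. It introduces the concept of the cybersecurity value of a security control and solves a binary optimisation problem to obtain the portfolio of controls with maximum total value, which determines the rough cut investment amount and reduces losses from security breaches.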

Abstract

This paper deals with optimisation of cybersecurity investment in supply chains using a stochastic programming approach. A classical exponential function of breach probability and the intuitive idea of ‘the expected net benefits’, originally presented in 2002 by Gordon and Loeb, were applied to introduce the concept of cybersecurity value. The cybersecurity value of a security control is defined as the value gained by implementing a single control to secure a subset of components. The cybersecurity value of a control can be seen as a measure of its efficiency in reducing the vulnerability of a secured system or component. A mixed binary optimisation problem, next transformed into an unconstrained binary program, is developed to maximise the total cybersecurity value of a control portfolio. The optimal solution to the binary program provides a simple formula to immediately obtain the portfolio of security controls with maximum total cybersecurity value and determine a rough cut cybersecurity investment. This study also shows that a portfolio of security controls with maximum total cybersecurity value reduces the losses from security breaches and mitigates the impact of cyber risk.

Cybersecurity · Supply chain management · Investment optimisation · Stochastic programming