A rough cut cybersecurity investment using portfolio of security controls with maximum cybersecurity value
本文用随机规划方法优化供应链中的网络安全投资,提出安防控制的网络安全价值概念,通过求解二进制优化问题得到最大总价值的控制组合,从而确定粗略投资额,减少安全漏洞损失。
This paper deals with optimisation of cybersecurity investment in supply chains using stochastic programming approach. A classical exponential function of breach probability and the intuitive idea of ‘the expected net benefits’, originally presented in 2002 by Gordon and Loeb, were applied to introduce the concept of cybersecurity value. The cybersecurity value of security control is defined as the value gained by implementing a single control to secure a subset of components. The cybersecurity value of a control can be seen as a measure of its efficiency in reducing vulnerability of a secured system or component. A mixed binary optimisation problem, next transformed into an unconstrained binary program is developed to maximise total cybersecurity value of control portfolio. The optimal solution to the binary program provides a simple formula to immediately obtain the portfolio of security controls with maximum total cybersecurity value and determine a rough cut cybersecurity investment. This study also shows that portfolio of security controls with maximum total cybersecurity value reduces the losses from security breaches and mitigate the impact of cyber risk.