City Research Online - Cyber Risk Assessment and Optimization: A Small Business Case Study

Cyber Risk Assessment and Optimization: A Small Business Case Study

Tsiodra, M., Panda, S., Chronopoulos, M. ORCID: 0000-0002-3858-2021 & Panaousis, E. (2023). Cyber Risk Assessment and Optimization: A Small Business Case Study. IEEE Access, 11, pp. 44467-44481. doi: 10.1109/access.2023.3272670

Abstract

Assessing and controlling cyber risk is the cornerstone of information security management, but also a formidable challenge for organisations due to the uncertainties associated with attacks, the resulting risk exposure, and the availability of scarce resources for investment in mitigation measures. In this paper, we propose a cybersecurity decision-support framework, called CENSOR, for optimal cyber security investment. CENSOR accounts for the serial nature of a cyber attack, the uncertainty in the time required to exploit a vulnerability, and the optimisation of mitigation measures in the presence of a limited budget. First, we evaluate the cost that an organisation incurs due to a cyber security breach that progresses in stages and derive an analytical expression for the distribution of the present value of the cost. Second, we adopt a Set Covering and a Knapsack formulation to derive and compare optimal strategies for investment in mitigation measures. Third, we validate CENSOR via a case study of a small business (SB) based on: (i) the 2020 Common Weakness Enumeration (CWE) top 25 most dangerous software weaknesses; and (ii) the Center for Internet Security (CIS) Controls. Specifically, we demonstrate how the Knapsack formulation provides solutions that are both more affordable and entail lower risk compared to those of the Set Covering formulation. Interestingly, our results confirm that investing more in cybersecurity does not necessarily lead to an analogous cyber risk reduction, which indicates that the latter decelerates beyond a certain point of security investment intensity.

Publication Type:	Article
Additional Information:	This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see https://creativecommons.org/licenses/by-nc-nd/4.0/
Publisher Keywords:	Cybersecurity, operational research, set covering, knapsack, software weaknesses, control optimisation
Subjects:	H Social Sciences > HD Industries. Land use. Labor Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Departments:	Bayes Business School > Actuarial Science & Insurance
SWORD Depositor:	Symplectic Administrator

[thumbnail of Cyber_Risk_Assessment_and_Optimization_A_Small_Business_Case_Study.pdf]

Preview

Text - Published Version
Available under License Creative Commons Attribution Non-commercial No Derivatives.
Download (1MB) | Preview

Export

Downloads

Downloads per month over past year

View more statistics

Metadata

Altmetric

Funder Information

CORE (COnnecting REpositories)

Actions (login required)

Admin Login

Creators:	Tsiodra, M. Panda, S. Chronopoulos, M. ORCID: 0000-0002-3858-2021 Panaousis, E.
Status:	Published
Refereed:	Yes
Journal or Publication Title:	IEEE Access
Publisher:	Institute of Electrical and Electronics Engineers (IEEE)
ISSN:	2169-3536
e-ISSN:	2169-3536
URI:	https://openaccess.city.ac.uk/id/eprint/31225
Date available in CRO:	08 Sep 2023 08:52
Date deposited:	4 September 2023
Dates:	Date Event 25 April 2023 Accepted 3 May 2023 Published Online 3 May 2023 Published