City Research Online

Cyber Risk Assessment and Optimization: A Small Business Case Study

Tsiodra, M., Panda, S., Chronopoulos, M. ORCID: 0000-0002-3858-2021 & Panaousis, E. (2023). Cyber Risk Assessment and Optimization: A Small Business Case Study. IEEE Access, 11, pp. 44467-44481. doi: 10.1109/access.2023.3272670


Assessing and controlling cyber risk is the cornerstone of information security management, but also a formidable challenge for organisations due to the uncertainties associated with attacks, the resulting risk exposure, and the availability of scarce resources for investment in mitigation measures. In this paper, we propose a cybersecurity decision-support framework, called CENSOR, for optimal cyber security investment. CENSOR accounts for the serial nature of a cyber attack, the uncertainty in the time required to exploit a vulnerability, and the optimisation of mitigation measures in the presence of a limited budget. First, we evaluate the cost that an organisation incurs due to a cyber security breach that progresses in stages and derive an analytical expression for the distribution of the present value of the cost. Second, we adopt a Set Covering and a Knapsack formulation to derive and compare optimal strategies for investment in mitigation measures. Third, we validate CENSOR via a case study of a small business (SB) based on: (i) the 2020 Common Weakness Enumeration (CWE) top 25 most dangerous software weaknesses; and (ii) the Center for Internet Security (CIS) Controls. Specifically, we demonstrate how the Knapsack formulation provides solutions that are both more affordable and entail lower risk compared to those of the Set Covering formulation. Interestingly, our results confirm that investing more in cybersecurity does not necessarily lead to an analogous cyber risk reduction, which indicates that the latter decelerates beyond a certain point of security investment intensity.

Publication Type: Article
Additional Information: This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see
Publisher Keywords: Cybersecurity, operational research, set covering, knapsack, software weaknesses, control optimisation
Subjects: H Social Sciences > HD Industries. Land use. Labor
Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Departments: Bayes Business School > Actuarial Science & Insurance
SWORD Depositor:
[thumbnail of Cyber_Risk_Assessment_and_Optimization_A_Small_Business_Case_Study.pdf]
Text - Published Version
Available under License Creative Commons Attribution Non-commercial No Derivatives.

Download (1MB) | Preview


Add to AnyAdd to TwitterAdd to FacebookAdd to LinkedinAdd to PinterestAdd to Email


Downloads per month over past year

View more statistics

Actions (login required)

Admin Login Admin Login