Article

Cyber Risk Assessment and Optimization: A Small Business Case Study

Journal

IEEE ACCESS
Volume 11, Issue -, Pages 44467-44481

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/ACCESS.2023.3272670

Keywords

Investment; Uncertainty; Business; Optimization; Risk management; Costs; Measurement uncertainty; Computer security; Software quality; Cybersecurity; operational research; set covering; knapsack; software weaknesses; control optimisation


This paper proposes a cybersecurity decision-support framework called CENSOR for optimal cyber security investment. CENSOR takes into account the continuous nature of cyber attacks, uncertainty in vulnerability exploitation time, and optimization of mitigation measures under a limited budget. It evaluates the cost incurred by an organization due to a cyber security breach and derives an analytical expression for the distribution of present value of the cost. It also compares optimal strategies for investment using Set Covering and Knapsack formulations, validating the effectiveness of CENSOR through a case study.
Assessing and controlling cyber risk is the cornerstone of information security management, but also a formidable challenge for organisations due to the uncertainties associated with attacks, the resulting risk exposure, and the availability of scarce resources for investment in mitigation measures. In this paper, we propose a cybersecurity decision-support framework, called CENSOR, for optimal cyber security investment. CENSOR accounts for the serial nature of a cyber attack, the uncertainty in the time required to exploit a vulnerability, and the optimisation of mitigation measures in the presence of a limited budget. First, we evaluate the cost that an organisation incurs due to a cyber security breach that progresses in stages and derive an analytical expression for the distribution of the present value of the cost. Second, we adopt a Set Covering and a Knapsack formulation to derive and compare optimal strategies for investment in mitigation measures. Third, we validate CENSOR via a case study of a small business (SB) based on: (i) the 2020 Common Weakness Enumeration (CWE) top 25 most dangerous software weaknesses; and (ii) the Center for Internet Security (CIS) Controls. Specifically, we demonstrate how the Knapsack formulation provides solutions that are both more affordable and entail lower risk compared to those of the Set Covering formulation. Interestingly, our results confirm that investing more in cybersecurity does not necessarily lead to an analogous cyber risk reduction, which indicates that the latter decelerates beyond a certain point of security investment intensity.

