A rough cut cybersecurity investment using portfolio of security controls with maximum cybersecurity value

Abstract

This paper deals with optimisation of cybersecurity investment in supply chains using stochastic programming approach. A classical exponential function of breach probability and the intuitive idea of ‘the expected net benefits’, originally presented in 2002 by Gordon and Loeb, were applied to introduce the concept of cybersecurity value. The cybersecurity value of security control is defined as the value gained by implementing a single control to secure a subset of components. The cybersecurity value of a control can be seen as a measure of its efficiency in reducing vulnerability of a secured system or component. A mixed binary optimisation problem, next transformed into an unconstrained binary program is developed to maximise total cybersecurity value of control portfolio. The optimal solution to the binary program provides a simple formula to immediately obtain the portfolio of security controls with maximum total cybersecurity value and determine a rough cut cybersecurity investment. This study also shows that portfolio of security controls with maximum total cybersecurity value reduces the losses from security breaches and mitigate the impact of cyber risk.