Risk management for cyber-infrastructure protection: A bi-objective integer programming approach

• Published in: Reliability engineering & system safety Vol. 205; p. 107093
• Main Authors: Schmidt, Adam, Albert, Laura A., Zheng, Kaiyue
• Format: Journal Article
• Language: English
• Published: Barking Elsevier Ltd 01.01.2021; Elsevier BV
• Subjects: Bi-objective optimization; Budgets; Computer applications; Cyber-security; Information and communication technology security; Integer programming; Optimization; Reliability engineering; Risk levels; Risk management; Risk reduction; Risk threshold; Security; Stochastic models; Supply chain security; Supply chains; Cyber-security; Supply chain security; Bi-objective optimization; Risk management; Information and communication technology security; Risk threshold
• ISSN: 0951-8320; 1879-0836
• DOI: 10.1016/j.ress.2020.107093

•Information and communication technology supply chains present risks that are complex and difficult to manage.•We present new optimization models to support supply chain risk management.•Optimization models with two risk reduction objectives select a portfolio of security controls subject to a budget constraint.•The stochastic model informs security investment decisions under uncertainty.•The computational results highlight how to construct a portfolio of security controls that is effective across multiple criteria. Information and communication technology supply chains present risks that are complex and difficult for organizations to manage. The cost and benefit of proposed security controls must be assessed to best match an organizational risk tolerance and direct the use of security resources. In this paper, we present integer and stochastic optimization models for selecting a portfolio of security controls within an organizational budget. We consider two objectives: to maximize the risk reduction across all potential attacks and to maximize the number of attacks whose risk levels are lower than a risk threshold after security controls are applied. Deterministic and stochastic bi-objective budgeted difficulty-threshold control selection problems are formulated for selecting mitigating controls to reflect an organization’s risk preference. In the stochastic problem, we consider uncertainty as to whether the selected controls can reduce the risks associated with attacks. We demonstrate through a computational study that the trade-off between the two objectives is important to consider for certain risk preferences and budgets. We demonstrate the value of the stochastic model when a relatively high number of attacks are desired to be secured past a risk threshold and show the deterministic solution provides near optimal solutions otherwise. We provide an analysis of model solutions.