A budgeted maximum multiple coverage model for cybersecurity planning and management

• Published in: IIE transactions Vol. 51; no. 12; pp. 1303 - 1317
• Main Authors: Zheng, Kaiyue, Albert, Laura A., Luedtke, James R., Towle, Eli
• Format: Journal Article
• Language: English
• Published: Abingdon Taylor & Francis 02.12.2019; Taylor & Francis Ltd
• Subjects: Algorithms; Approximation; Bending machines; coverage models; critical infrastructure protection; Cyber-security; Cybersecurity; Failure; Greedy algorithms; Optimization; submodular optimization
• ISSN: 2472-5854; 2472-5862
• DOI: 10.1080/24725854.2019.1584832

This article studies how to identify strategies for mitigating cyber-infrastructure vulnerabilities. We propose an optimization framework that prioritizes the investment in security mitigations to maximize the coverage of vulnerabilities. We use multiple coverage to reflect the implementation of a layered defense, and we consider the possibility of coverage failure to address the uncertainty in the effectiveness of some mitigations. Budgeted Maximum Multiple Coverage (BMMC) problems are formulated, and we demonstrate that the problems are submodular maximization problems subject to a knapsack constraint. Other variants of the problem are formulated given different possible requirements for selecting mitigations, including unit cost cardinality constraints and group cardinality constraints. We design greedy approximation algorithms for identifying near-optimal solutions to the models. We demonstrate an optimal (1-1/e)-approximation ratio for BMMC and a variation of BMMC that considers the possibility of coverage failure, and a 1/2-approximation ratio for a variation of BMMC that uses a cardinality constraint and group cardinality constraints. The computational study suggests that our models yield robust solutions that use a layered defense and provide an effective mechanism to hedge against the risk of possible coverage failure. We also find that the approximation algorithms efficiently identify near-optimal solutions, and that a Benders branch-and-cut algorithm we propose can find provably optimal solutions to the vast majority of our test instances within an hour for the variations of the proposed models that consider coverage failures.