Skip navigation

Cyber risk assessment and optimization: a small business case study

Cyber risk assessment and optimization: a small business case study

Tsiodra, Maria, Panda, Sakshyam ORCID: 0000-0001-7274-0073, Chronopoulos, Michail and Panaousis, Emmanouil ORCID: 0000-0001-7306-4062 (2023) Cyber risk assessment and optimization: a small business case study. IEEE Access, 11. pp. 44467-44481. ISSN 2169-3536 (Online) (doi:

PDF (Publisher VoR)
43450_PANDA_Cyber_Risk_Assessment_and_Optimization_A_Small_Business_Case_Study.pdf - Published Version
Available under License Creative Commons Attribution Non-commercial No Derivatives.

Download (1MB) | Preview


Assessing and controlling cyber risk is the cornerstone of information security management, but also a formidable challenge for organisations due to the uncertainties associated with attacks, the resulting risk exposure, and the availability of scarce resources for investment in mitigation measures. In this paper, we propose a cybersecurity decision-support framework, called CENSOR, for optimal cyber security investment. CENSOR accounts for the serial nature of a cyber attack, the uncertainty in the time required to exploit a vulnerability, and the optimisation of mitigation measures in the presence of a limited budget. First, we evaluate the cost that an organisation incurs due to a cyber security breach that progresses in stages and derive an analytical expression for the distribution of the present value of the cost. Second, we adopt a Set Covering and a Knapsack formulation to derive and compare optimal strategies for investment in mitigation measures. Third, we validate CENSOR via a case study of a small business (SB) based on: (i) the 2020 Common Weakness Enumeration (CWE) top 25 most dangerous software weaknesses; and (ii) the Center for Internet Security (CIS) Controls. Specifically, we demonstrate how the Knapsack formulation provides solutions that are both more affordable and entail lower risk compared to those of the Set Covering formulation. Interestingly, our results confirm that investing more in cybersecurity does not necessarily lead to an analogous cyber risk reduction, which indicates that the latter decelerates beyond a certain point of security investment intensity.

Item Type: Article
Uncontrolled Keywords: cybersecurity; operational research; set covering; knapsack; software weaknesses; control optimisation
Subjects: H Social Sciences > HD Industries. Land use. Labor > HD61 Risk Management
Q Science > QA Mathematics > QA75 Electronic computers. Computer science
T Technology > T Technology (General)
Faculty / School / Research Centre / Research Group: Faculty of Engineering & Science
Faculty of Engineering & Science > Internet of Things and Security Research Centre (ISEC)
Faculty of Engineering & Science > School of Computing & Mathematical Sciences (CMS)
Related URLs:
Last Modified: 28 Jul 2023 08:45

Actions (login required)

View Item View Item


Downloads per month over past year

View more statistics