In a bulleted list, write complete sentences about three things you have learned from the article.
INTERNATIONAL JOURNAL OF PRODUCTION RESEARCH
2022, VOL. 60, NO. 2, 766–782
https://doi.org/10.1080/00207543.2021.1914356
Balancing cybersecurity in a supply chain under direct and indirect cyber risks
Tadeusz Sawik
a,b
a Department of Engineering, Reykjavik University, Reykjavik, Iceland; b Department of Operations Research, AGH University of Science &
Technology, Kraków, Poland
ABSTRACT
ARTICLE HISTORY
Cybersecurity is an essential requirement for the sustainability of global supply chains. In this paper,
a stochastic programming formulation is presented for optimisation of cybersecurity investment
and selection of security controls to mitigate and balance the impact of direct and indirect (propagated) cyber risks in a multi-tier supply chain. Using a network transformation combined with the
first-order Taylor series approximation of natural logarithm to linearise the nonlinear constraints, a
nonlinear stochastic combinatorial optimisation model is approximated by its linear equivalent. The
problem objective is to determine an optimal cybersecurity investment under limited budget and
portfolio of security controls for each supply chain node to balance the cybersecurity over the entire
supply chain. The minmax objective functions are applied to minimise either the maximum breach
probability or the maximum loss of supply chain nodes. Alternatively, maxmin objectives are used to
maximise either the minimum non-breach probability or the minimum saving of loss. The proposed
integrated modelling approach is illustrated with results of computational study and a comparison
of approximated and exact solution values is presented. The decision-making insights are provided
and discussed.
Received 28 January 2021
Accepted 30 March 2021
1. Introduction
The objective of a cybersecurity investment in supply
chains is to protect critical assets such as servers, applications, data bases, etc., against a compromise in the area of
confidentiality, control, integrity, authenticity, availability
and utility (the Parkerian hexad, e.g. Falco et al. 2019).
In order to prevent intrusions or to mitigate the impact
of successful breaches and information flow disruptions,
various mitigation mechanisms, called safequards, countermeasures or security controls are developed. Since new
attack profiles proliferate, even the most sophisticated
controls cannot be expected to completely block cyberattacks. For example, in 2018 there were 1244 data breaches
in the United States with more than 446.5 million records
exposed, costing globally up to $575 billion annually,
Identity Theft Resource Center (2018).
The cyber-physical manufacturing and information
technology have significantly transformed contemporary
global supply chains, e.g.Ghadge et al. (2020). They are
increasingly at risk of a disruption of their information
and control systems. Successful cyberattacks on a supply chain node may lead to supply chain disruptions.
For example, cyberattacks on suppliers can disrupt their
operations leading to a propagation of negative impact on
CONTACT Tadeusz Sawik
sawik@ru.is, ghsawik@cyf-kr.edu.pl
University of Science & Technology, Kraków 30-059, Poland
© 2021 Informa UK Limited, trading as Taylor & Francis Group
KEYWORDS
Cyber risk management;
cybersecurity investment;
portfolio of security controls;
mixed integer linear
programming ; supply chain
cybersecurity
the entire supply chain, e.g. Li et al. (2020). The greater
degree of interdependence of supply chain nodes, the
higher can be the losses from security breaches. Thus,
cyber risks of supply chain nodes can no longer be managed in isolation, rather the cybersecurity investment
should be addressed for the entire supply chain.
The objective of optimisation a cybersecurity investment in the supply chain is to determine a portfolio of
security controls for implementation at different supply chain nodes to mitigate the impact of cyber risks
over the entire supply chain. In order to support the
decision-making, efficient optimisation tools should be
developed.
This study, which is a continuation of the recently
reported research (Sawik 2020b), develops an efficient
linear optimisation model to simultaneously mitigate the
impact of both direct and indirect (propagated) cyber
risks in a multi-tier supply chain. To this end, a network
transformation (Sawik 2020b) is combined with the firstorder Taylor series approximation of natural logarithm to
linearise the nonlinear constraints. The problem objective is to determine an optimal cybersecurity investment
under limited budget and portfolio of security controls
to balance the cybersecurity over the entire supply chain.
Department of Engineering, Reykjavik University, ReykjavikIS-101, Iceland; AGH
INTERNATIONAL JOURNAL OF PRODUCTION RESEARCH
The minmax objective functions are applied to minimise
either the maximum breach probability or the maximum
loss of supply chain nodes. Alternatively, maxmin objectives are used to maximise the minimum non-breach
probability or the minimum saving of loss. The proposed
integrated approach is illustrated with results of computational study, a comparison of approximated and exact
solution values is presented and decision-making insights
are provided.
The paper is organised as follows. The review of relevant literature is presented in Section 2 and the problem description in Section 3. In Section 4, mixed integer linear programs for optimisation of cybersecurity
investment are developed to balance cybersecurity in the
supply chains. Numerical examples and computational
results are presented in Section 5. Finally, conclusions
and the decision-making implications, as well as directions for further research are reported in Section 6.
2. Literature review
The most significant study on optimisation of cybersecurity investment was reported by Gordon and Loeb (2002),
who applied risk analysis to suggest an optimal budget
for a risk-neutral decision maker. The authors compared
the loss caused by security incidents to the investment
required to reduce the vulnerability. Using the exponential breach probability functions they found that the
amount to invest is much lower than the expected loss
and never exceeds 37% of the expected loss. However, in a
later study (Hausken 2006), four additional types of security breach functions were examined and the amount to
invest was no longer limited by 37%.
A review of literature on managing cyber risks in supply chains was recently presented by Ghadge et al. (2020).
For instance, a stylised model under several simplified
assumptions was presented by Simon and Omar (2020)
to determine the cybersecurity investment made by each
supply chain node separately or by a central planner,
without any budget constraints and with attack probability independent of node. The authors investigated
strategic versus non-strategic type of attackers and the
coordinated versus non-coordinated supply chains.
The most popular quantitative methods used to support decision-making on selection of security controls to block or mitigate security attacks are stochastic and combinatorial optimisation and game theory.
Stochastic mixed integer programs were developed by
Deane et al. (2009), Rakes, Deane, and Rees (2012) and
Sawik (2013), where both expected and worst-case cyberattack scenarios were considered. Deane et al. (2009)
proposed a linear network flow model under several
definitions of optimality: minimising upstream risk,
767
minimising downstream risk, and minimising global
supply chain risk. Rakes, Deane, and Rees (2012)
developed an integer programming model to select a subset of optimal controls under expected and under worstcase threat levels. Sawik (2013), developed a scenariobased stochastic MIP model, similar to the network flow
model of Deane et al. (2009). The cybersecurity investment problem was formulated as a single- or bi-objective
optimisation problem and a conditional value-at-risk
was applied to control the risk of worst-case losses due
to operational disruptions. The proposed bi-objective
trade-off model provided the decision maker with a simple tool for balancing expected and worst-case losses and
for shaping of the resulting cost distribution through
the selection of optimal subset of countermeasures for
implementation. A nonlinear MIP model for selection of
security controls, linearised using the natural logarithm
was proposed by Schilling and Werners (2016) where
each cyber threat was described by the preset criticality coefficient and variable criticality index. However, the
objective function, system criticality index to be minimised, which is based on threats criticality indices, gives
no indication on how secure the system is on an absolute scale. Recently (Sawik 2020b), a mixed integer linear
programming formulation was developed for optimisation of cybersecurity investment in Industry 4.0 supply
chains. A complex nonlinear stochastic combinatorial
optimisation model with a classical exponential function of breach probability was transformed into its linear
equivalent. The obtained linear optimisation model is
capable of selecting optimal portfolio of security controls to minimise cybersecurity investment and expected
cost of losses from security breaches in a supply chain. In
addition, the proposed linear model has been enhanced
for the Hurwicz-type, best-worst criterion to minimise
a convex combination of the minimal and the maximal
supply chain node vulnerability, under limited budget.
A game-theoretic model was proposed, for example by Fielder et al. (2016) and Khouzani, Liu, and
Malacaria (2019). In the latter paper, a multi-objective
optimisation problem was formulated for selection security controls to defend a multi-stage attack modelled
using probabilistic attack graphs. The objectives were to
minimise the highest probability of a successful cyberattack across all attack scenarios, the direct costs of implementation security controls and the indirect costs of controls, which represent the negative impact on the organisation deploying the controls, e.g. server downtimes. A
nonlinear integer programming formulation with a product form in the objective function was converted into a
mixed integer linear program with maximisation the logarithm of the objective. The approach is computationally
efficient owing to an embedded network flow structure
768
T. SAWIK
(a shortest path problem), however, the attack graph is
assumed to be known ahead of time. In another gametheoretic paper, Li and Xu (2021) investigated cybersecurity investments with third-party risk propagation in a
two-echelon supply chain consisting of one retailer and
multiple suppliers. The optimal investments are analysed
and discussed considering a one-stage risk propagation.
The above brief review of relevant literature on quantitative approaches, indicates a lack of sophisticated, yet
computationally efficient, optimisation tools for cybersecurity investment in the multi-tier supply chain networks
under direct and indirect (propagated) cyber risks. An
efficient tool is needed to simultaneously select an optimal portfolio of security controls for all supply chain
nodes to mitigate the impact of both types of risks and
balance the cybersecurity over the entire supply chain.
Such an integrated approach may help to eliminate some
negative issues such as prisoner’s dilemma and freeriding among supply chain nodes with interdependent
risks (e.g. Li and Xu 2021).
This study extends the previous research along the
four dimensions:
• in addition to direct cyber risks, the indirect (propagated) risks in a multi-tier supply chain is simultaneously considered and modelled;
• the classical additive objective functions have been
replaced by minmax or maxmin objectives to balance
cybersecurity over the entire supply chain, thereby
hardening the weaker supply chain nodes;
• in order to linearise the nonlinear constraints with
products of direct and indirect probability breaches,
the first-order Taylor series approximation of natural
logarithm is applied;
• the accuracy of the proposed linear approximation has
been verified by detailed computational analysis.
Moreover, the proposed integrated approach, which aims
at balancing the cybersecurity over the entire supply
chain with both direct and indirect risks accounted
for, may help to eliminate prisoner’s dilemma and freeriding that arise, if the investments are determined independently for single nodes and propagated risks are
neglected.
3. Problem description
Denote by I = {1, . . . , m}, be the index set of m nodes of
a supply chain to be protected and by J = {1, . . . , n}, the
index set of n security controls (for definition of problem parameters, see Table 1). Each security control can be
implemented at different level of intensity. The higher the
implementation level, the greater the degree to which the
Table 1. Problem parameters
Indices
i
j
k
=
=
=
B
=
cjk
=
di
ej ∈ (0, 1)
pi
q
Vi
=
=
=
=
=
rijk
=
supply chain node, i ∈ I = {1, . . . , m}
security control, j ∈ J = {1, . . . , n}
control implementation level, k ∈ Kj = {0, . . . , gj }, j ∈ J
Input parameters
total budget available for cybersecurity investment in
supply chain
investment cost for security control j ∈ J implemented at
level k ∈ Kj
(cost of) loss caused by security breach of node i ∈ I
efficiency coefficient of security control j ∈ J
probability of cyberattack on node i ∈ I
risk propagation probability
intrinsic vulnerability of node i ∈ I, defined as the
probability of an unsecured node i ∈ I, being
successfuly attacked
ej cjk
Vi , reduction factor of breach probability for node i
secured by a single control j implemented at level k
control is implemented, the greater the implementation
cost and the vulnerability reduction. Let Kj = {0, . . . , gj }
be the index set of, gj , implementation levels available for
control j ∈ J, where level k = 0, denotes no implementation of a control. The cost of implementation control
j ∈ J at level k ∈ Kj is denoted by cjk , where cj0 = 0 and
cj,k−1 < cjk .
Each supply chain node, i ∈ I, is characterised by the
(cost of) loss, di , caused by a security breach and the
intrinsic vulnerability, Vi ∈ (0, 1), defined as the probability of an unsecured node i being successfully attacked.
Parameter di represents the total cost of losses over entire
supply chain resulting from a successful attack on node i.
In this study the exponential function of breach probability is applied (Gordon and Loeb 2002) for which the
breach probability is determined by the product of attack
probability and intrinsic vulnerability raised to the power
of cybersecurity investment. To reduce a node vulnerability, the cybersecurity investment is required to implement appropriate security controls. For the exponential
security breach function, the vulnerability of node, i ∈ I,
secured by control, j ∈ J, implemented at level k ∈ Kj is
reduced to
(1+ej cjk )
Vi
= Vi rijk ,
(1)
where ej ∈ (0, 1), is the efficiency coefficient of security
control j ∈ J, and rijk , is the vulnerability reduction factor
for node i secured by control j implemented at level k
ej cjk
rijk = Vi
= 1, if k = 0
< 1, otherwise.
(2)
While a positive cybersecurity investment can reduce
breach probability, it cannot completely eliminate the
cyber risks, which is influenced by the law of diminishing
marginal returns (e.g. Li and Xu 2021).
INTERNATIONAL JOURNAL OF PRODUCTION RESEARCH
Each supply chain node i ∈ I is characterised by a
direct cyberattack probability, pi , i.e. a direct attack
episode on each node i occurs with probability pi , or not
at all with probability (1 − pi ), independently of attacks
on the other nodes. In addition to direct cyberattacks,
each supply chain node i ∈ I can be subject to indirect
security breach with third-party risk propagation, when
the attackers first break into an adjacent node h ∈ Hi ,
where, Hi , is the subset of supply chain nodes adjacent
to node i. Then the risks may spread to node i via their
mutual trust interfaces, with a constant risk propagation
probability, q, independent of the cybersecurity investment. The leading cause of risk propagation is interdependence between supply chain nodes of a multi-tier
supply chain, e.g. between the first-tier suppliers and the
manufacturer or between different suppliers at adjacent
tiers. The risk propagation probability is decided by the
degree of mutual trust and authorisation among interdependent supply chain nodes. The indirect breach probability of each node, i ∈ I, caused by the risk propagation
of its adjacent node h ∈ Hi is equal to the propagation
probability, q, multiplied by direct breach probability of
node h. The total, direct and indirect, breach probability
of each node, i ∈ I, in an unsecured supply chain can be
expressed as
1 − (1 − pi Vi )
(1 − qph Vh );
i ∈ I,
(3)
h∈Hi
where, pi Vi , is the direct breach probability of unsecured
node i and, qph Vh , is the indirect breach probability
of unsecured node i by the risk propagation from an
adjacent unsecured node, h ∈ Hi .
In this paper the objective of the decision maker is to
decide which security controls to select for each supply
chain node to optimise cybersecurity investment under
limited budget such that the breach probabilities or losses
from security breaches are balanced over the entire supply chain and hence the supply chain cybersecurity is
balanced.
769
Figure 1. Optimisation of cybersecurity investment in a supply
chain.
functions are used to maximise the minimum nonbreach probability or the minimum expected saving of
loss, see Figure 1.
4.1. Balancing cybersecurity using minmax
objective functions
In this subsection, a minmax stochastic nonlinear program, SCybsec_N(minmax), and its linear equivalents,
SCybsec_L(Pmax ) and SCybsec_L(Lmax ), are presented
for selection of security control portfolio. The objective of
SCybsec_L(Pmax ) and SCybsec_L(Lmax ) is to minimise
the maximum breach probability and the maximum loss
for supply chain nodes, respectively (see, Figure 1). The
linear models were developed by applying a network
transformation (see, Sawik 2020b) for computing the
reduced vulnerabilities of secured supply chain nodes,
and the first-order Taylor series approximation of natural logarithm for linearising the nonlinear constraints of
model SCybsec_N(minmax) (for definition of problem
variables, see Table 2).
4. Linear models for balanced mitigation of
cyber risks
Table 2. Problem variables.
In this section stochastic mixed integer linear programming models are presented for optimisation of cybersecurity investment and portfolio of security controls to
balance cybersecurity over a supply chain under limited budget. In Section 4.1, the minmax objective functions are applied to minimise either the maximum breach
probability or the maximum expected loss of supply
chain nodes and in Section 4.2, the maxmin objective
uijk
=
vijk
=
Wi
=
Pmax
Lmax
Qmin
Smin
=
=
=
=
Decision variables
1, if control j ∈ J is selected at implementation level k ∈ Kj to
secure node i ∈ I; otherwise uijk = 0
Auxiliary variables
vulnerability of node i secured by controls in {1, . . . , j − 1} ⊆ J
to be secured by control j implemented at level k
vulnerability of secured node i
Objective functions
maximum breach probability
maximum expected loss
minimum non-breach probability
minimum expected saving of loss
770
T. SAWIK
SCybsec_N(minmax). Minmax optimisation of
Supply chain Cybersecurity investment: Stochastic Mixed
Binary Nonlinear Program (minimise Pmax or Lmax )
Minimise maximum breach probability
Pmax
(4)
or
Minimise maximum expected loss
Lmax
(5)
subject to
(1) Control selection constraints
– for each node i, each control j can be implemented
at exactly one level (if k > 0) or not at all (if k = 0),
uijk = 1; i ∈ I, j ∈ J
(6)
k∈Kj
uijk ∈ {0, 1};
i ∈ I, j ∈ J, k ∈ Kj
(7)
i∈I j∈J k∈Kj
(3) Maximum breach probability constraints
– the breach probability of each node cannot be greater
than the maximum breach probability, Pmax , to be minimised in (4),
j∈J
k∈Kj ej cjk uijk +1
1 − 1 − pi Vi
×
1 − qph Vh
j∈J
k∈Kj ej cjk uhjk +1
i∈I
(9)
Pmax ≥ 0
(10)
or
(3) Maximum expected loss constraints
– the expected loss of each breached node cannot be
greater than the maximum loss, Lmax , to be minimised
in (5),
⎛
j∈J
k∈Kj ej cjk uijk +1
⎝
di 1 − 1 − pi Vi
×
1 − qph Vh
j∈J
⎞
k∈Kj ej cjk uhjk +1
i∈I
Proposition 4.1: The nonlinear constraints (9) and (11)
can be approximated by linear constraints, respectively
pi Wi +
qph Wh ≤ Pmax ; i ∈ I,
(13)
h∈Hi
and
pi Wi +
qph Wh ≤ Lmax /di ;
i ∈ I,
(14)
where, Wi , is vulnerabilty of secured node i.
The vulnerability can be expressed as
Wi = Vi
= Vi
j∈J
j∈J
k∈Kj ej cjk uijk +1
⎛
⎝
= Vi
⎞
rijk uijk ⎠ ;
uijk
rijk
j∈J k∈Kj
i ∈ I,
⎠
ej cjk
where rijk = Vi , (2), and constraints (6) and (7) imply
that
uijk
rijk =
rijk uijk ; j ∈ J.
k∈Kj
Proof: First, constraints (13) are derived.
The total breach probability, Pi , (direct and indirect)
of secured supply chain node i ∈ I, is (cf. (3))
Pi = 1 − (1 − pi Wi )
(1 − qph Wh ),
(16)
h∈Hi
where (1 − pi Wi ), is the probability that node i is not
directly breached and, h∈Hi (1 − qph Wh ), is the probability that node i is not indirectly breached by the security
propagation from adjacent nodes, h ∈ Hi .
The last equation can be rewritten as
(1 − pi Wi )
(1 − qpk Wk ) = 1 − Pi ; i ∈ I. (17)
Taking the natural logarithm of both sides
ln(1 − pi Wi ) +
ln(1 − qph Wh )
(11)
(15)
k∈Kj
h∈Hi
h∈Hi
≤ Lmax ;
The objective functions (4) and (5) aim at levelling
from above, respectively the breach probabilites and the
expected losses, while the smallest probability and loss
are constrained by available cybersecurity budget. In particular, the maximum expected loss cannot be greater
then the maximum loss, i.e.Lmax ≤ maxi∈I di .
The nonlinear constraints (9) and (11) can be
approximated by linear constraints using the results of
Proposition 4.1.
k∈Kj
h∈Hi
≤ Pmax ;
(12)
h∈Hi
(2) Budget constraint
– total cost of cybersecurity investment cannot exceed
available budget,
cjk uijk ≤ B.
(8)
Lmax ≥ 0
h∈Hi
INTERNATIONAL JOURNAL OF PRODUCTION RESEARCH
= ln(1 − Pi );
i ∈ I.
(18)
Notice that breach probabilities, pi Wi and qph Wh , are
products of very small fractional parameters (cyberattack and risk propagation probabilities, pi and q) and
variables (vulnerabilties of secured nodes, Wi ), typically
much less than 1. Pi is small and less than 1, too. Since,
Taylor series expansion of ln(1 − x) for small x leads to
linear approximation, ln(1 − x) ≈ −x, Equation (18) can
be approximated by
pi Wi +
qph Wh = Pi ; i ∈ I.
(19)
h∈Hi
The maximum breach probability, Pmax , satisfies
inequalities
Pi ≤ Pmax ;
i ∈ I.
(20)
Combining Equations (19) and (20), finally leads to the
maximum breach probability constraints (13).
Constraints (14) are derived in a similar way. First,
introduce the expected loss,
Li = di (1 − (1 − pi Wi )
(1 − qph Wh )); i ∈ I
h∈Hi
(21)
for each supply chain node, i ∈ I, and then, replace Pi by
Li /di in (17)–(20), and Pmax by Lmax in (20).
Proposition 4.2: The reduced vulnerability, Wi (15), of
each secured supply chain node, i ∈ I, can be computed
applying the network transformation defined by the set of
linear equations:
vi1k = Vi ; i ∈ I
(22)
k∈Kj
k∈Kj
rijk vijk =
vi,j+1,k ;
i ∈ I, j ∈ J : j < n
(23)
771
Minimise (4) subject to
(1) Control selection constraints: (6)
(2) Budget constraint: (8)
(3) Maximum breach probability constraints: (13)
(4) Vulnerability balance constraints: (22)–(25)
(5) Non-negativity and integrality conditions: (7), (10)
vijk ≥ 0;
i ∈ I, j ∈ J, k ∈ Kj
(26)
Wi ≥ 0;
i ∈ I.
(27)
SCybsec_L(Lmax ). Minmax Optimisation of Supply
chain Cybersecurity investment: Stochastic Mixed Integer
Linear Program (minimising Lmax )
Maximise (5) subject to
(1) Control selection constraints: (6)
(2) Budget constraint: (8)
(3) Maximum expected loss constraints: (14)
(4) Vulnerability balance constraints: (22)–(25)
(5) Non-negativity and integrality conditions: (7), (12),
(26), (27).
Notice that the actual breach probability, Pi (16), (as well
as the associated expected loss, Li (21)) can be smaller
than its linear approximation value, i.e.
1 − (1 − pi Wi )
(1 − qph Wh )
h∈Hi
≤ pi Wi +
qph Wh ;
i ∈ I.
(28)
h∈Hi
As a result the linear models SCybsec_L(Pmax ) and
SCybsec_L(Lmax ) may lead to higher solution values
and, in particular, the cybersecurity investment can be
overestimated.
k∈Kj
rink vink = Wi ;
i∈I
(24)
i ∈ I, j ∈ J, k ∈ Kj ,
(25)
k∈Kn
vijk ≤ uijk ;
where auxiliary variables vijk are defined in Table 2.
Proof: see, Sawik (2020b).
The linear equivalents, SCybsec_L(Pmax ) and
SCybsec_L(Lmax ) of the nonlinear model SCybsec_
N(minmax), respectively minimising Pmax and Lmax are
presented below.
SCybsec_L(Pmax ). Minmax optimisation of Supply
chain Cybersecurity investment: Stochastic Mixed Integer
Linear Program (minimising Pmax )
4.2. Balancing cybersecurity using maxmin
objective functions
In this subsection, a maxmin stochastic nonlinear program, SCybsec_N(maxmin), and its linear equivalents,
SCybsec_L(Qmin ) and SCybsec_L(Smin ), are presented
for selection of security control portfolio. The objective
of Cybsec_L(Qmin ) and Cybsec_L(Smin ) is to maximise
minimum non-breach probability, Qmin , and maximise
minimum expected saving of loss, Smin , respectively (see,
Figure 1). Accordingly, the maximum breach probability and the maximum expected loss constraints (9), (13)
and (11), (14) are replaced by the minimum non-breach
probability and the minimum expected saving of loss
constraints, (31), (35) and (33), (36), respectively.
772
T. SAWIK
SCybsec_N(maxmin). Maxmin optimisation of
Supply chain Cybersecurity investment: Stochastic Mixed
Binary Nonlinear Program (maximise Qmin or Smin )
Maximise minimum non-breach probability
Proposition 4.3: The nonlinear constraints (31) and (33)
can be approximated by linear constraints, respectively
pi Wi +
qph Wh ≤ 1 − Qmin ; i ∈ I,
(35)
h∈Hi
Qmin
(29)
or
and
pi Wi +
Maximise minimum expected saving of loss
qph Wh ≤ 1 − Smin /di ;
i ∈ I,
(36)
h∈Hi
Smin
(30)
where the vulnerabilty of secured node i, Wi , is defined
in (15).
subject to
Proof: The total probability, Qi , (direct and indirect) that
secured supply chain node, i ∈ I, is not breached is, 1 −
Pi , (17), and hence can be expressed as
(1 − qph Wh ) = Qi ; i ∈ I.
(37)
(1 − pi Wi )
(1) Control selection constraints: (6), (7)
(2) Budget constraint: (8)
(3) Minimum non-breach probability constraints
– the probability that each supply chain node is not
breached cannot be less than the minimum probability,
Qmin , to be maximised in (29),
j∈J
k∈Kj ej cjk uijk +1
1 − pi Vi
×
1 − qph Vh
j∈J
k∈Kj ej cjk uhjk +1
h∈Hi
To reformulate Equation (37) we take the natural logarithm of both sides and eliminate the multiplication of
the variables
ln(1 − pi Wi ) +
ln(1 − qph Wh ) = ln(Qi ); i ∈ I.
h∈Hi
(38)
h∈Hi
≥ Qmin ;
i∈I
(31)
Qmin ≥ 0.
(32)
or
(3) Minimum expected saving loss constraints
– the expected saving loss of each not breached node
cannot be less than the minimum saving, Smin , to be
maximised in (30),
j∈J
k∈Kj ej cjk uijk +1
di 1 − pi Vi
×
1 − qph Vh
j∈J
k∈Kj ej cjk uhjk +1
Smin ≥ 0.
i∈I
h∈Hi
and finally by
pi Wi +
qph Wh = 1 − Qi ;
i ∈ I.
(40)
h∈Hi
The minimum non-breach probability, Qmin , satisfies
inequalities
h∈Hi
≥ Smin ;
Taylor series expansion of ln(1 − x) for small x leads to
linear approximation, ln(1 − x) ≈ −x. Moreover, since
Qi is small and close to 1 and the expansion of ln(x) for x
small and close to 1, leads to ln(x) ≈ x − 1, Equation (38)
can be approximated by
− pi Wi −
qph Wh = Qi − 1; i ∈ I,
(39)
(33)
(34)
The objective functions (29) and (30) aim at levelling
from below, respectively the non-breach probability and
the saving of losses, while the largest probability and saving are constrained by available cybersecurity budget. In
particular, the minimum expected saving of loss cannot
be greater then the minimum loss, i.e. Smin ≤ di ; i ∈ I.
The nonlinear constraints (31) and (33) can be
approximated by linear constraints using the results of
Proposition 4.3.
Qmin ≤ Qi ;
i ∈ I.
(41)
Combining Equations (40) and (41), finally leads to the
minimum non-breach probability constraints (35).
Constraints (36) are derived in a similar way. First,
for each supply chain node, i ∈ I, introduce the expected
saving of loss,
di (1 − pi Wi )
(1 − qph Wh ) = Si ; i ∈ I,
(42)
h∈Hi
and then, replace Qi by Si /di in (37)–(41) and Qmin by
Smin /di in (42).
INTERNATIONAL JOURNAL OF PRODUCTION RESEARCH
The linear equivalents, SCybsec_L(Qmin ) and
SCybsec_L(Smin ) of the nonlinear model SCybsec_N
(maxmin), respectively maximising Qmin and Smin , are
presented below.
SCybsec_L(Qmin ). Maxmin optimisation of Supply
chain Cybersecurity investment: Stochastic Mixed Integer
Linear Program (maximising Qmin )
Maximise (29) subject to
(1) Control selection constraints: (5)
(2) Budget constraint: (8)
(3) Minimum non-breach probability constraints: (35)
(4) Vulnerability balance constraints: (22)–(25)
(5) Non-negativity and integrality conditions: (7), (26),
(27), (32).
SCybsec_L(Smin ). Maxmin Optimisation of Supply
chain Cybersecurity investment: Stochastic Mixed Integer
Linear Program (maximising Smin )
Maximise (30) subject to
(1) Control selection constraints: (6)
(2) Budget constraint: (8)
(3) Minimum expected saving loss constraints: (36)
(4) Vulnerability balance constraints: (22)–(25)
(5) Non-negativity and integrality conditions: (7), (26),
(27), (34).
Notice that the actual non-breach probability, Qi (37), (as
well as the associated expected saving of loss, Si (42)) can
be greater than its linear approximation value, cf. (28),
(1 − pi Wi )
(1 − qph Wh )
h∈Hi
⎛
≥ 1 − ⎝pi Wi +
⎞
qph Wh ⎠ ;
i ∈ I.
(43)
h∈Hi
As a result the linear models SCybsec_L(Qmin ) and
SCybsec_L(Smin ) may lead to lower solution values and,
in particular, the required cybersecurity investment can
be underestimated.
4.3. Model limitations and possible enhancements
The proposed models have been formulated under various simplified assumptions that are summarised below.
• The cybersecurity investment is an incremental
investment beyond security controls already in place.
• The cyber risks of each supply chain member are
closely related and to mitigate their impact, the cybersecurity information is shared in the supply chain.
773
• A joint decision-making can optimally choose the
cybersecurity investments for all supply chain nodes.
• The greater the implementation cost and efficiency
coefficient of a selected security control, the greater its
overall efficiency and the vulnerability reduction of a
supply chain node.
• Each control is capable of securing every supply chain
node with node-independent efficiency coefficient.
• Each supply chain node is considered as a single component of a supply chain, characterised by its intrinsic vulnerability, total cost of losses over the entire
supply chain, direct cyberattack probability, and risk
propagation probability.
• A one-stage risk propagation between immediately
adjacent supply chain nodes is considered only and the
risk propagation probability is node- and investmentindependent.
The above assumptions are primarily applied to simplify presentation of the developed mathematical formulations. While the simplified model might not be
directly applicable in a general case, most of the simplified
assumptions can be easily relaxed without changing the
model structure and the optimal solution properties. In
addition, the proposed models can be further enhanced
and possible enhancements are listed below.
(1) The models can be enhanced for node-specific controls, characterised by node-dependent efficiency
coefficients with different subsets of controls, capable of protecting each supply chain node.
(2) The models can be enhanced to capture multicomponent supply chain nodes, where each node
consists of many components each characterised
by individual intrinsic vulnerability and individual
attack probability.
(3) The model can be enhanced for optimisation of
cybersecurity investments under individual budget
constraints for each supply chain node.
Moreover, the cybersecurity investments achieved
by solving the proposed models without budget constraint (8) can be used as thresholds for the highest, yet
profitable total budget level for the entire supply chain
and individual budget levels for each supply chain node.
5. Computational examples
This section presents results of computational experiments with the developed mixed integer linear programs
for optimisation of cybersecurity investment. For illustrative purposes, a simplified multi-tier supply chain network is considered. Basic input parameters are provided
774
T. SAWIK
Table 3. Input parameters
I = {1, . . . 10}
J = {1, . . . 20}
L = {0, 1, 2, 3}
10 supply chain nodes
20 security controls
3 implementation levels of security controls
Intrinsic vulnerability of nodes:
Vi = (0.6713, 0.7705, 0.6691, 0.5067, 0.7799, 0.5282, 0.8976, 0.8821, 0.9772, 0.9939)
Implementation cost of security controls (in $1000):
light implementation level, cj = (10, 20, 10, 35, 20, 10, 50, 45, 10, 30, 15, 40, 10, 60,
62, 58, 20, 40, 26, 10)
medium implementation level (5× light implementation cost), cj = (50, 100, 50,
175, 100, 50, 250, 225, 50, 150, 75, 200, 50, 300, 310, 290, 100, 200, 130, 50)
strong implementation level (10× light implementation cost), cj = (100, 200, 100,
350, 200, 100, 500, 450, 100, 300, 150, 400, 100, 600, 620, 580, 200, 400, 260, 100)
Control efficiency coefficients (×10−5 )
ej = (6.09209, 1.89873, 9.21892, 9.57156, 1.05726, 7.14106, 5.51532, 2.63135, 3.49604, 4.07247,
6.65212, 5.75807, 9.42022, 3.63525, 0.0308876, 7.55598, 4.50103, 1.70122, 7.87748, 8.37808)
Probabilities of cyberattacks on supply chain nodes
pi = (0.35, 0.40, 0.35, 0.25, 0.40, 0.25, 0.55, 0.55, 0.75, 0.75)
Costs of losses due to security breaches of supply chain nodes (in $1000):
di = (450, 1500, 550, 300, 1200, 350, 2500, 2500, 10000, 10000)
Figure 2. A supply chain network.
in Table 3 (see, Sawik 2020b). The supply chain contains
m = 10 critical nodes (see, Figure 2). The nodes with
the highest expected total cost of loss due to security
breaches are assembly plants, i = 9, 10, where sensitive
data of customers and of the entire supply chain can be
compromised. Some of those data are also shared with
tier 1 suppliers, i = 7, 8. Thus, nodes i = 9, 10, followed
by nodes i = 7, 8, are more vulnerable and more likely
to be attacked than the other nodes. Next, key suppliers of tier 3 and 2, nodes i = 2, 5, are more likely than
the other remaining nodes, to be chosen by an attacker
as potential targets. Accordingly, all supply chain nodes
can be ordered according to non increasing cyberattack
probability, pi (see, Table 3)
p9 ≥ p10 ≥ p7 ≥ p8 ≥ p2 ≥ p5 ≥ p1 ≥ p3 ≥ p4 ≥ p6 .
5.1. Balancing cybersecurity from above
The solution results for models SCybsec_L(Pmax ) and
SCybsec_L(Lmax ) are presented in Tables 4 and 5, respectively. In the computational experiments, the four budget
levels, B = 1, 000, 000, 5, 000, 000, 10, 000, 000, 15,
000, 000, are considered, and for a comparison, solution results without budget constraint (8) are provided.
The budget levels were set to millions to maintain real
INTERNATIONAL JOURNAL OF PRODUCTION RESEARCH
Table 4. Solution results for model SCybsec_L(Pmax )
Table 5. Solution results for model SCybsec_L(Lmax ).
Cybersecurity budget ($1000)
B = 1000
B = 5000
B = 10, 000
B = 15, 000
Cybersecurity budget ($1000)
B = ∞a
B = 1000
Cybersecurity investments ($1000)b
Node 1:
Node 2:
Node 3:
Node 4:
Node 5:
Node 6:
Node 7:
Node 8:
Node 9:
Node 10:
Cc
0
0
0
0
0
0
135
110
155
600
1000
10
35
10
0
30
0
325
275
910
3400
4995
26
55
20
10
46
10
700
600
3340
5190
9997
55
76
110
0
110
10
1635
1300
5810
5810
14,916
0.260
0.422
0.261
0.199
0.425
0.204
0.422
0.432
0.681
0.684
0.684
0.188
0.212
0.187
0.163
0.192
0.168
0.135
0.137
0.158
0.217
0.217
0.118
0.132
0.129
0.093
0.134
0.095
0.068
0.068
0.033
0.144
0.144
680
680
1300
450
680
450
2450
1800
5810
5810
20,110
Node 1:
Node 2:
Node 3:
Node 4:
Node 5:
Node 6:
Node 7:
Node 8:
Node 9:
Node 10:
Cc
0
0
0
0
0
0
135
110
155
600
1000
0.254
0.384
0.254
0.188
0.387
0.195
0.359
0.366
0.596
0.599
0.599
0.184
0.200
0.183
0.158
0.187
0.163
0.128
0.129
0.153
0.212
0.212
0.117
0.127
0.127
0.091
0.132
0.094
0.066
0.066
0.033
0.144
0.144
B = 10, 000
B = 15, 000
B = ∞a
0
0
0
0
0
0
275
275
910
3450
5000
0
0
0
0
0
0
759
650
3400
5190
9999
0
0
0
0
10
0
1725
1550
5810
5810
14,905
680
680
1300
450
680
450
2200
1825
5810
5810
19,885
Expectedlosses ($1000)d
0.093
0.105
0.020
0.140
0.036
0.073
0.059
0.048
0.030
0.143
0.143
0
0
0
0
0
0
0.029
0.029
0.030
0.143
0.143
Node 1:
Node 2:
Node 3:
Node 4:
Node 5:
Node 6:
Node 7:
Node 8:
Node 9:
Node 10:
Lmax , (5)
117
634
143
60
510
72
1056
1080
6812
6843
6843
Exact breach probabilities, (16)
Node 1:
Node 2:
Node 3:
Node 4:
Node 5:
Node 6:
Node 7:
Node 8:
Node 9:
Node 10:
e
Pmax
B = 5000
Cybersecurityinvestments ($1000)b
Breach probabilitiesd
Node 1:
Node 2:
Node 3:
Node 4:
Node 5:
Node 6:
Node 7:
Node 8:
Node 9:
Node 10:
Pmax , (4),
775
0.091
0.102
0.020
0.138
0.036
0.073
0058
0.048
0.030
0.143
0.143
117
634
143
54
460
64
440
415
1590
2137
2137
117
634
143
52
448
63
294
296
328
1440
1440
117
616
143
52
378
63
262
265
300
1432
1432
0
0
0
0
0
0
72
72
300
1432
1432
Exactexpected losses ($1000), (21)
0
0
0
0
0
0
0.029
0.029
0.030
0.143
0.143
Node 1:
Node 2:
Node 3:
Node 4:
Node 5:
Node 6:
Node 7:
Node 8:
Node 9:
Node 10:
Lemax
114
577
140
57
465
68
898
915
5960
5990
5990
114
577
140
52
433
62
411
390
1535
2077
2077
114
577
140
50
425
60
283
286
326
1439
1439
114
565
140
50
359
60
254
256
300
1432
1432
0
0
0
0
0
0
72
72
300
1432
1432
a Model SCybsec_L(P
max ) without budget constraint (8).
bC =
cjl uijk ; i ∈ I.
i
j∈J k∈K
cC =
cjl uijk .
i∈I
j∈J k∈K
dp W +
i i
h∈Hi qph Wh ; i ∈ I.
e max (1 − (1 − p W )
i∈I
i i
h∈Hi (1 − qph Wh )).
a Model SCybsec_L(L
relations to cost of implementation security controls and
losses caused by security breaches, over the entire supply
chain. For instance, costs (per year) of different security controls taken from The Australian Signals Directorate (2017) and applied for computational analysis by
Bentley et al. (2020) are ranging between $150,000 and
$300,000. Similar cost levels are also presented by Deane
et al. (2009) or Rakes, Deane, and Rees (2012).
For each budget level, B, and for the examples with
unlimited budget, Tables
4 and 5 show cybersecurity investment, Ci = j∈J k∈K cjl uijk , at each supply
chain
node,i ∈ I, as well as the total investment, C =
i∈I
j∈J
k∈K cjl uijk , for the entire supply chain.
The impact of linear approximation of the natural logarithm in the nonlinear constraints (9) and (11)
is additionally illustrated by comparison of solution
results with their exact
values. Table 4 compares breach
probability, pi Wi + h∈Hi qph Wh , of each supply chain
node, i ∈ I, with its exact value, (16), Pi = 1 − (1 −
pi Wi ) h∈Hi (1 − qph Wh ). In a similar
way Table 5 com
pares expected loss, di (pi Wi + h∈Hi qph Wh ), at each
supply chain node, i ∈ I, with its exact value, (21),
Li = di (1 − (1 − pi Wi ) h∈Hi (1 − qph Wh )). The comparison clearly shows that linear approximation leads to
greater values of expected losses and breach probabilities,
which may result in a higher level of required cybersecurity investment, see also (28). The difference between
linear approximations and exact values decreases with
the budget level and disappears, when budget constraint
(8) is removed. The above results are obvious since breach
probabilities are decreasing with the budget level and
then the linear approximations are more accurate.
max ) without budget constraint (8).
bC =
cjl uijk ; i ∈ I.
i
j∈J k∈K
cC =
cjl uijk .
i∈I
j∈J k∈K
d d (p W +
i i i
h∈Hi qph Wh ); i ∈ I.
e max (d (1 − (1 − p W )
i∈I i
i i
h∈Hi (1 − qph Wh ))).
776
T. SAWIK
The solution results are additionally illustrated with
Figures 3–5. For each supply chain node, i ∈ I, and different budget levels, B, Figure 3 compares the intrinsic vulnerability, Vi , with reduced vulnerability Wi , achieved by
implementing security controls obtained using minmax
models SCybsec_L(Pmax ) and SCybsec_L(Lmax ). Figure
3 shows a significant reduction of vulnerability of highly
vulnerable nodes, i = 7, 8, 9, for all budget levels, and
less significant reduction for node, i = 10, with the highest intrinsic vulnerability, V10 = 0.9939. Similar results
are observed for the two minmax models. However,
model SCybsec_L(Lmax ), which focuses mainly on supply chain nodes with the largest potential losses (i.e.nodes
7–10) does not select any cybersecurity investment
for nodes 1–6, with the smallest potential losses (see,
Table 5), except for unlimited budget. In contrast to
results achieved by model SCybsec_L(Lmax ), minimisation of Pmax leads to balanced vulnerability over the
entire supply chain.
Figure 4 shows breach probability and ratio of
expected loss to Lmax , for each supply chain node,
achieved by implementing security controls produced,
Figure 3. Supply chain vulnerability for minmax models SCybsec_L(Pmax ) and SCybsec_L(Lmax ).
INTERNATIONAL JOURNAL OF PRODUCTION RESEARCH
respectively by model SCybsec_L(Pmax ) and SCybsec_L
(Lmax ). While model SCybsec_L(Pmax ) leads to well
balanced breach probabilities over the entire supply
chain, in particular for higher budget levels, model
SCybsec_L(Lmax ) cannot balance so well the expected
losses, because of its focus on nodes, i = 9, 10, with the
largest potential losses.
Finally, for illustrative purposes, Figure 5 presents
portfolios of security controls selected by minmax
model SCybsec_L(Pmax ) for the three budget levels, B = 5, 000, 000, 10, 000, 000, 15, 000, 000. For each
selected security control, (j, k), Figure 5 shows its
total
implementation cost over the entire supply chain,
i∈I cjk uijk . In addition, for each security control, j ∈ J,
777
and implementation level, k ∈ K : k > 0, its overall efficiency, ej cjk is also shown. Figure 5 demonstrates that
the most efficient controls, (j, k), (with the largest values
of ej cjk ) are selected to secure more supply chain nodes,
while the least efficient controls (with the smallest values
of, ej cjk , e.g. (j, k) = (1, 1), (1, 2), (2, 1), (2, 2), . . . are not
selected at all.
5.2. Balancing cybersecurity from below
The solution results for models SCybsec_L(Qmin )
and SCybsec_L(Smin ) are presented in Tables 6 and 7,
respectively.
Figure 4. Breach probability and expected loss for minmax models SCybsec_L(Pmax ) and SCybsec_L(Lmax ).
778
T. SAWIK
The impact of linear approximation of the nonlinear constraints (31) and (33) is illustrated by comparison of solution results with their exact values. For
each supply chain node, i ∈ I, Table
6 compares nonbreach probability, 1 − (pi Wi + h∈Hi qph Wh ), with its
exact value, Qi = (1 − pi Wi ) h∈Hi (1 − qph Wh ) (37).
In a similar way Table7 compares expected saving
of loss, di (1 − (pi Wi + h∈Hi qph Wh )), with its exact
value, Si = di (1 − pi Wi ) h∈Hi (1 − qph Wh ) (42). The
comparison clearly shows that linear approximation leads
to smaller values of non-breach probabilities, which
may be result of a lower cybersecurity investment, see
also (43). The difference between linear approximations
and exact values decreases with the budget level, which is
obvious since breach probabilities are decreasing with the
budget level. Then the linear approximations are more
accurate.
Comparison of solution results for minmax model
SCybsec_L(Pmax ) and maxmin model SCybsec_L(Qmin )
demonstrate that both models yield similar cybersecurity investments, with the largest portion invested in most
vulnerable nodes, 7–10. In contrast to minmax model
SCybsec_L(Lmax ), that balances expected losses from
above, mostly investing in nodes with highest potential losses, the maxmin model SCybsec_L(Smin ), balances
expected losses from below and focuses on nodes with the
smallest losses. For all budget levels, the optimal solution
value, Smin = d4 = 300, is equal to the maximum loss of
supply chain node, i = 4, with the smallest loss. As a consequence, the optimal solutions are nearly independent of
the budget level (see, the results for B = 5, 000, 000, 10,
000, 000, 15, 000, 000 in Table 7).
For illustrative purposes, Figure 6 additionally shows
vulnerability and breach probability for each supply chain
Figure 5. Portfolios of security controls for minmax model SCybsec_L(Pmax ) and three budget levels and overall efficiencies, ej cjk , of
security controls.
INTERNATIONAL JOURNAL OF PRODUCTION RESEARCH
Table 6. Solution results for model SCybsec_L(Qmin ).
Table 7. Solution results for model SCybsec_L(Smin ).
Cybersecurity budget ($1000)
B = 1000 B = 5000 B = 10, 000 B = 15, 000
Cybersecurity budget ($1000)
B = ∞a
B = 1000
B = 5000
Cybersecurity investments ($1000)b
Node 1:
Node 2:
Node 3:
Node 4:
Node 5:
Node 6:
Node 7:
Node 8:
Node 9:
Node 10:
Cc
0
0
0
0
0
0
135
110
155
600
1000
10
35
10
0
35
0
325
275
910
3400
5000
20
50
20
10
46
10
718
626
3310
5190
10,000
260
85
50
0
50
10
1775
815
5810
5810
14,665
0.740
0.578
0.739
0.801
0.575
0.795
0.578
0.568
0.319
0.316
0.316
0.813
0.789
0.806
0.837
0.814
0.831
0.866
0.865
0.842
0.783
0.783
0.860
0.858
0.871
0.908
0.864
0.905
0.933
0.932
0.967
0.856
0.856
0.975
0.902
0.949
0.873
0.896
0.916
0.926
0.936
0.970
0.857
0.857
680
680
1300
450
680
450
3300
1625
5810
5810
20,785
Node 1:
Node 2:
Node 3:
Node 4:
Node 5:
Node 6:
Node 7:
Node 8:
Node 9:
Node 10:
Cc
185
0
0
135
0
36
618
26
0
0
1000
0.746
0.615
0.746
0.812
0.613
0.805
0.641
0.634
0.404
0.401
0.401
0.817
0.801
0.811
0.842
0.819
0.836
0.873
0.872
0.847
0.788
0.788
0.862
0.864
0.873
0.910
0.866
0.906
0.935
0.934
0.967
0.856
0.856
0.975
0.906
0.950
0.873
0.896
0.916
0.928
0.937
0.970
0.857
0.857
B = 15, 000
B = ∞a
540
0
50
608
0
100
2835
50
0
0
4183
540
0
50
608
0
100
2835
50
0
0
4183
540
0
50
608
0
100
2835
50
0
0
4183
680
100
1300
450
950
450
2050
50
680
100
8400
Expected savings of loss ($1000)d
1
1
1
1
1
1
0.971
0.971
0.970
0.857
0.857
Node 1:
Node 2:
Node 3:
Node 4:
Node 5:
Node 6:
Node 7:
Node 8:
Node 9:
Node 10:
Smin , (30)
450
938
419
300
661
300
1602
657
428
327
300
Exact non-breach probabilities, (37)
Node 1:
Node 2:
Node 3:
Node 4:
Node 5:
Node 6:
Node 7:
Node 8:
Node 9:
Node 10:
Qemin
B = 10, 000
Cybersecurity investments ($1000)b
Non-breach probabilitiesd
Node 1:
Node 2:
Node 3:
Node 4:
Node 5:
Node 6:
Node 7:
Node 8:
Node 9:
Node 10:
Qmin , (29),
779
450
944
531
300
687
329
1605
933
643
543
300
450
944
531
300
687
329
1605
933
643
543
300
450
994
531
300
687
329
1605
933
643
543
300
450
1405
550
300
1184
350
2025
2025
6246
2355
300
Exact expected savings of loss ($1000), (42)
1
1
1
1
1
1
0.971
0.971
0.970
0.857
0.857
a Model SCybsec_L(Q
min ) without budget constraint (8).
bC =
cjl uijk ; i ∈ I.
i
j∈J
k∈K
cC =
cjl uijk .
i∈I
j∈J
k∈K
d 1 − (p W +
qp
i i
h Wh ); i ∈ I.
h∈Hi
e max ((1 − p W )
i∈I
i i
h∈Hi (1 − qph Wh )).
node, achieved using maxmin model SCybsec_L(Qmin ).
The reduced vulnerabilities of secured nodes and breach
probabilities are balanced in a way similar to that
achieved for minmax model, SCybsec_L(Pmax ), see Figures 3 and 4.
The computational experiments were performed
using the AMPL programming language and the Gurobi
9.0.2 solver on a MacBookPro laptop with Intel Core i7
processor running at 3.1GHz and with 16GB RAM. The
size of the mixed integer programs for the example problems was relatively small, e.g. 1631 variables, including
800 binary variables and 1241 constraints, including 430
equality constraints for model SCybsec_L(Pmax ). A low
CPU time (from fraction of a second to several seconds)
was required to find proven optimal solutions for the
Node 1:
Node 2:
Node 3:
Node 4:
Node 5:
Node 6:
Node 7:
Node 8:
Node 9:
Node 10:
e
Smin
450
969
420
300
716
302
1700
1059
2102
2009
300
450
973
531
300
733
329
1702
1245
2151
2056
300
450
973
531
300
733
329
1702
1245
2151
2056
300
450
973
531
300
733
329
1702
1245
2151
2056
300
450
1405
550
300
1185
350
2042
2042
6579
2688
300
a Model SCybsec_L(S
min ) without budget constraint (8).
bC =
cjl uijk ; i ∈ I.
i
j∈J
k∈K
cC =
cjl uijk .
i∈I
j∈J
k∈K
d d (1 − (p W +
i
i i
h∈Hi qph Wh )); i ∈ I.
e max (d (1 − p W )
i∈I i
i i
h∈Hi (1 − qph Wh )).
examples without budget constraint (8) or with the smallest budget levels, B = 1,000,000, 5,000,000. For a larger
budget, however, the computation time required to prove
solution optimality was much higher (more than 3600
CPU seconds for B >10,000,000) since LP relaxation of
the proposed mixed integer programs with a knapsack
type constraint (8) is not tight enough to significantly
reduce CPU time. The optimal solutions, however, were
often found at an early stage of the computations.
6. Conclusions
This study extends the existing literature on optimisation
of cybersecurity investment along the four dimensions:
780
T. SAWIK
(i) in addition to direct cyber risks, the indirect (propagated) risks in a multi-tier supply chain is simultaneously considered and modelled; (ii) the classical additive
objective functions have been replaced by minmax or
maxmin objectives to balance the cybersecurity over the
entire supply chain, thereby hardening the weaker nodes
and eliminating some negative issues such as prisoner’s
dilemma and free-riding among supply chain nodes with
interdependent risks; (iii) in order to linearise the nonlinear constraints with products of direct and indirect
probability breaches, the first-order Taylor series approximation of natural logarithm is applied; (iv) the accuracy
of the proposed linear approximation has been verified
by detailed computational analysis.
A major contribution is the development of a new
linear optimisation tool for the integrated cybersecurity
investment in a multi-tier supply chain network under
direct and indirect (propagated) cyber risks to balance
cybersecurity over the entire supply chain. In contrast
to the nonlinear programming models, the linear optimisation models are always computationally much more
efficient and much more useful in practice. The proposed
integrated approach can be particularly relevant for optimisation of cybersecurity investment in vertically integrated supply chains. The approach best fits the multi-tier
supply chains, where a manufacturer owns or controls
its suppliers over many tiers. The optimality criteria proposed in this paper that aim at balancing of breach or
non-breach probabilities over all critical nodes of a supply chain network, and hence aim at balancing the supply
chain cybersecurity, seem to be practical alternatives to
a commonly applied minimisation of total expected cost.
Figure 6. Supply chain vulnerability and breach probability for maxmin model SCybsec_L(Qmin ).
INTERNATIONAL JOURNAL OF PRODUCTION RESEARCH
Table 8. Decision-making insights.
Decision-making issue
Decision-making impact
Minmax vs. maxmin
objective functions
Balancing cybersecurity using linearised models, SCybsec_L(Pmax ) and SCybsec_L(Lmax ),
with minmax objective functions, respectively Pmax (4) and Lmax (5), may overestimate
the required cybersecurity investments,
while models, SCybsec_L(Qmin ) and
SCybsec_L(Smin ), with maxmin objectives,
respectively Qmin (29) and Smin (30), may
underestimate the investments.
For both minmax model SCybsec_L(Pmax )
and maxmin model SCybsec_L(Qmin ), the
cybersecurity investments are similar as well
as the reduced vulnerabilities and breach
probabilities are balanced in a similar way.
However, the minmax model SCybsec_L(Lmax ),
aiming at balancing the expected losses
from above, focuses on and mainly invests
in the nodes with the largest potential
losses, whereas the maxmin model
SCybsec_L(Smin ), that balances losses from
below, focuses on and mainly invest in the
nodes with the smallest losses.
Cybersecurity investment
without budget
constraint
The cybersecurity investments without budget
constraint can be used as thresholds for the
highest, yet profitable total budget level
for the entire supply chain and individual
budget levels for each supply chain node.
Balancing breach
probabilities vs.
balancing expected
losses
When the objective is to balance breach probabilities, a more diversified cybersecurity
investment over the entire supply chain
is achieved. In contrast to balancing the
expected losses, when investment in the
nodes with the largest losses predominates,
in particular for lower budget levels.
Even more so due to the limited availability of basic input
data such as losses caused by security breaches. However, the maxmin and the minmax objective functions
that are applied in the linearised models to mitigate and
balance the impact of cyber risks, may, respectively, overestimate and underestimate the required cybersecurity
investment. While the size of the developed linear optimisation models grows polynomially in the number of
nodes and security controls, the knapsack-type budget
constraint and the propagated cyber risks, violate the
models separability by nodes. As a result the LP relaxations of the proposed mixed integer programs are not
sufficiently tight and CPU time required to find proven
optimal solution may significantly increase for some budget levels. Nevertheless, the unproven optimal solution
is frequently found at an early stage of computations.
The major decision-making insights are summarised in
Table 8.
In the future research various simplified assumptions
can be relaxed (see, Section 4.3). Moreover, the proposed models can be further enhanced for the risk-averse
optimisation of cybersecurity investment, e.g. using Conditional Value-at-Risk as a cyber risk measure (see,
Sawik 2020a, 2021). In addition, a lexicographic minimax
781
optimisation (e.g. Sawik 2015) can be applied to achieve
a fair balancing of cybersecurity investment among supply chain nodes, which may help to totally eliminate the
free-riding issue. Although a number of cyber risk assessment methodologies are described in the literature and
are in use today, e.g. Viduto et al. (2012), basic input
data such as cyberattack and risk propagation probabilities, effectiveness of security controls, and losses caused
by security breaches, may not be easy to obtain in practice. Hence, the development of a cybersecurity decision
support less dependent on availability of those input data
becomes another important area of future research on
cybersecurity investment in supply chains.
Optimisation of cybersecurity in the supply chains
is strongly related with optimisation of critical infrastructure protection. In both areas, creation of sophisticated, yet computationally efficient, optimisation tools
for cybersecurity investment to mitigate the impact of
cyberattacks and to ensure continuity of operation in the
various critical infrastructure sectors, is of the utmost
importance. In cyber-networks, the cyberattacks on critical assets are typically represented by an attack graph (e.g.
Khouzani, Liu, and Malacaria 2019), demonstrating the
potential attacks paths via the most vulnerable components of a critical infrastructure. In contrast to mathematical modelling based on attack graphs, in this paper a onestage risk propagation between adjacent supply chain
nodes is introduced to model cyberattack scenarios and
develop scenario-based stochastic mixed integer linear
programs. The enhancement of the proposed linear optimisation models for protection of cyber-networks against
breaching critical assets such as servers, transformers
in the smart power grid systems, etc., could be another
interesting area of the future research on cybersecurity.
Acknowledgments
The author is grateful to four anonymous reviewers for reading
the manuscript very carefully and providing many constructive
comments which helped to improve this paper.
Disclosure statement
No potential conflict of interest was reported by the author.
Notes on contributor
Tadeusz Sawik is a Professor of Industrial
Engineering and Operations Research in
the Department of Engineering, Reykjavik
University in Reykjavik, Iceland and at
AGH University of Science and Technology in Kraków, Poland. He received the
MS degree in Automation Engineering,
the PhD degree in Operations Engineering and the Habilitation degree in Operations Research, all
782
T. SAWIK
from AGH University. He has been a visiting professor in Germany, Greece, Japan, Portugal, Spain, Sweden and Switzerland
and has served as a research advisor of Motorola for several years. He is a sole author of numerous books, including
Analysis and Synthesis of Multivariable Control Systems, AGH
University Press 1984, Discrete Optimization in Flexible Manufacturing Systems, WNT Publishers 1992, Operations Research
for Industrial Engineers, AGH University Press 1998, Production
Planning and Scheduling in Flexible Assembly Systems, Springer
1998, Scheduling in Supply Chains Using Mixed Integer Programming, Wiley 2011 and Supply Chain Disruption Management
Using Stochastic Mixed Integer Programming, Springer 1st edition 2018, 2nd edition 2020, and more than 150 individual
articles in many prestigious journals. He has been a recipient of
various individual awards for research achievements, including 5 times of Scientific Excellence Award from the Minister
of Science and Higher Education and over 25 times of Scientific Award from the Rector of AGH. In the World’s Top 2%
Scientists list recently released by Stanford University and published in PloS Biology, ranked #167 in Operations Research
until the end of 2019, and #91 in Operations Research and
#87 in Engineering during the single calendar year 2019. His
current research interests include logistics and supply chain
management, supply chain risk management, cyber and homeland security, planning and scheduling, mixed integer programming, stochastic and combinatorial optimisation.
ORCID
Tadeusz Sawik
http://orcid.org/0000-0002-6054-550X
References
The Australian Signals Directorate. 2017. “Strategies to Mitigate
Cyber Security Incidents.” https://www.cyber.gov.au/sites/
default/files/2019-03/Mitigation_Strategies_2017.pdf.
Bentley, M., A. Stephenson, P. Toscas, and Z. Zhu. 2020. “A
Multivariate Model to Quantify and Mitigate Cybersecurity
Risk.” Risks 8: 61. doi:10.3390/risks8020061.
Deane, J. K., C. T. Ragsdale, T. R. Rakes, and L. P. Rees. 2009.
“Managing Supply Chain Risk and Disruption from IT Security Incidents.” Operations Management Research 2: 4–12.
Falco, G., M. Eling, D. Jablanski, M. Weber, V. Miller, L. A.
Gordon, and S. S. Wang, et al. 2019. “Cyber Risk Research
Impeded by Disciplinary Barriers.” Science (New York, N.Y.)
366 (6469): 1066–1069.
Fielder, A., E. Panaousis, P. Malacaria, C. Hankin, and F.
Smeraldi. 2016. “Decision Support Approaches for Cyber
Security Investment.” Decision Support Systems 86: 13–23.
Ghadge, A., M. Weis, N. D. Caldwell, and R. Wilding.
2020. “Managing Cyber Risk in Supply Chains: A Review
and Research Agenda.” Supply Chain Management 25 (2):
223–240.
Gordon, L. A., and M. P. Loeb. 2002. “The Economics of Information Security Investment.” ACM Transactions on Information and System Security 5: 438–457.
Hausken, K. 2006. “Returns to Information Security Investment: The Effect of Alternative Information Security Breach
Functions on Optimal Investment and Sensitivity to Vulnerability.” Information Systems Frontiers 8: 338–349.
Identity Theft Resource Center. 2018. “End-of-Year Data
Breach Report 2018.” https://www.idtheftcenter.org/2018end-of-year-databreach-report/.
Khouzani, M. H. R., Z. Liu, and P. Malacaria. 2019. “Scalable Min-max Multi-objective Cyber-security Optimisation
Over Probabilistic Attack Graphs.” European Journal of
Operational Research 278: 894–903.
Li, Y., K. Chen, S. Collignon, and D. Ivanov. 2020. “Ripple
Effect in the Supply Chain Network: Forward and Backward Disruption Propagation, Network Health and Firm
Vulnerability.” European Journal of Operational Research.
doi:10.1016/j.ejor.2020.09.053.
Li, Y., and L. Xu. 2021. “Cybersecurity Investments in a
Two-echelon Supply Chain with Third-party Risk Propagation.” International Journal of Production Research 59 (4):
1216–1238.
Rakes, T. R., J. K. Deane, and L. P. Rees. 2012. “IT Security Planning Under Uncertainty for High-impact Events.” Omega 40
(1): 79–88.
Sawik, T. 2013. “Selection of Optimal Countermeasure Portfolio in IT Security Planning.” Decision Support Systems 55:
156–164.
Sawik, T. 2015. “On the Fair Optimization of Cost and Customer Service Level in a Supply Chain Under Disruption
Risks.” Omega 53: 58–66.
Sawik, T. 2020a. Supply Chain Disruption Management: Using
Stochastic Mixed Integer Programming. 2nd ed. New York:
Springer.
Sawik, T. 2020b. “A Linear Model for Optimal Cybersecurity
Investment in Industry 4.0 Supply Chains.” International
Journal of Production Research. doi:10.1080/00207543.2020.
1856442.
Sawik, T. 2021. “On the Risk-averse Selection of Resilient Multitier Supply Portfolio.” Omega 101: 102267.
Schilling, A., and B. Werners. 2016. “Optimal Selection of
IT Security Safeguards from an Existing Knowledge Base.”
European Journal of Operational Research 248 (1): 318–327.
Simon, J., and A. Omar. 2020. “Cybersecurity Investments in
the Supply Chain: Coordination and a Strategic Attacker.”
European Journal of Operational Research 282: 161–171.
Viduto, V., C. Maple, W. Huang, and D. Lopez-Perez. 2012. “A
Novel Risk Assessment and Optimisation Model for a Multiobjective Network Security Countermeasure Selection Problem.” Decision Support Systems 53 (3): 599–610.
Copyright of International Journal of Production Research is the property of Taylor & Francis
Ltd and its content may not be copied or emailed to multiple sites or posted to a listserv
without the copyright holder’s express written permission. However, users may print,
download, or email articles for individual use.