Bi-objective Optimisation of Cybersecurity Investment: Reducing Component Vulnerability and Security Breach Risk

Amirhossein Salehi-Amiri; Xiuqin Li; Richard Allmendinger; Elvira Uyarra; James  Mercer

doi:10.1145/3712255.3726610

Bi-objective Optimisation of Cybersecurity Investment: Reducing Component Vulnerability and Security Breach Risk

THG PLC

Research output: Chapter in Book/Conference proceeding › Conference contribution › peer-review

3 Downloads (Pure)

Abstract

Cybersecurity refers to the practice of protecting hardware and software from cyberattacks, unauthorised access, theft, or damage and is becoming an increasing priority for organisations. A key question is the selection of measures (controls) to invest in to reduce the risk of a cybersecurity breach while keeping investments at a minimum. The contributions of this work are to (i) formulate this task as a constrained bi-objective problem, (ii) provide several realistic use cases varying in complexity for algorithm validation, and (iii) investigate the suitability of evolutionary multi-objective optimisation (in our case, MOEA/D) and an augmented epsilon-constraint approach (in CPLEX) to tackle the problem. We find that the augmented epsilon-constraint approach can solve the problem efficiently, capturing a diverse set of Pareto optimal solutions for each scenario. Although the performance of MOEA/D improves as the complexity of the problem increases, it is not able to compete with the augmented epsilon-constraint approach in terms of solutions found and reliability. We hope that the proposed problem and use cases will serve as an interesting test bed to benchmark optimisation algorithms and expand the problem formulation further.

Original language	English
Title of host publication	Genetic and Evolutionary Computation Conference (GECCO'25), July 14 - 18, 2025, Malaga, Spain
DOIs	https://doi.org/10.1145/3712255.3726610
Publication status	Published - 14 Jul 2025

Keywords

Cybersecurity
Bi-objective modelling
Optimisation
Augmented Epsilon-constraint
MOEA/D

Access to Document

10.1145/3712255.3726610

GECCO_Cyber_2025Accepted author manuscript, 1.41 MBLicence: CC BY

Cite this

@inproceedings{95e30f0778d44755b050280189a31fbe,

title = "Bi-objective Optimisation of Cybersecurity Investment: Reducing Component Vulnerability and Security Breach Risk",

abstract = "Cybersecurity refers to the practice of protecting hardware and software from cyberattacks, unauthorised access, theft, or damage and is becoming an increasing priority for organisations. A key question is the selection of measures (controls) to invest in to reduce the risk of a cybersecurity breach while keeping investments at a minimum. The contributions of this work are to (i) formulate this task as a constrained bi-objective problem, (ii) provide several realistic use cases varying in complexity for algorithm validation, and (iii) investigate the suitability of evolutionary multi-objective optimisation (in our case, MOEA/D) and an augmented epsilon-constraint approach (in CPLEX) to tackle the problem. We find that the augmented epsilon-constraint approach can solve the problem efficiently, capturing a diverse set of Pareto optimal solutions for each scenario. Although the performance of MOEA/D improves as the complexity of the problem increases, it is not able to compete with the augmented epsilon-constraint approach in terms of solutions found and reliability. We hope that the proposed problem and use cases will serve as an interesting test bed to benchmark optimisation algorithms and expand the problem formulation further.",

keywords = "Cybersecurity, Bi-objective modelling, Optimisation, Augmented Epsilon-constraint, MOEA/D",

author = "Amirhossein Salehi-Amiri and Xiuqin Li and Richard Allmendinger and Elvira Uyarra and James Mercer",

year = "2025",

month = jul,

day = "14",

doi = "10.1145/3712255.3726610",

language = "English",

booktitle = "Genetic and Evolutionary Computation Conference (GECCO'25), July 14 - 18, 2025, Malaga, Spain",

}

Bi-objective Optimisation of Cybersecurity Investment: Reducing Component Vulnerability and Security Breach Risk. / Salehi-Amiri, Amirhossein ; Li, Xiuqin ; Allmendinger, Richard et al.
Genetic and Evolutionary Computation Conference (GECCO'25), July 14 - 18, 2025, Malaga, Spain. 2025.

Research output: Chapter in Book/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Bi-objective Optimisation of Cybersecurity Investment: Reducing Component Vulnerability and Security Breach Risk

AU - Salehi-Amiri, Amirhossein

AU - Li, Xiuqin

AU - Allmendinger, Richard

AU - Uyarra, Elvira

AU - Mercer, James

PY - 2025/7/14

Y1 - 2025/7/14

N2 - Cybersecurity refers to the practice of protecting hardware and software from cyberattacks, unauthorised access, theft, or damage and is becoming an increasing priority for organisations. A key question is the selection of measures (controls) to invest in to reduce the risk of a cybersecurity breach while keeping investments at a minimum. The contributions of this work are to (i) formulate this task as a constrained bi-objective problem, (ii) provide several realistic use cases varying in complexity for algorithm validation, and (iii) investigate the suitability of evolutionary multi-objective optimisation (in our case, MOEA/D) and an augmented epsilon-constraint approach (in CPLEX) to tackle the problem. We find that the augmented epsilon-constraint approach can solve the problem efficiently, capturing a diverse set of Pareto optimal solutions for each scenario. Although the performance of MOEA/D improves as the complexity of the problem increases, it is not able to compete with the augmented epsilon-constraint approach in terms of solutions found and reliability. We hope that the proposed problem and use cases will serve as an interesting test bed to benchmark optimisation algorithms and expand the problem formulation further.

AB - Cybersecurity refers to the practice of protecting hardware and software from cyberattacks, unauthorised access, theft, or damage and is becoming an increasing priority for organisations. A key question is the selection of measures (controls) to invest in to reduce the risk of a cybersecurity breach while keeping investments at a minimum. The contributions of this work are to (i) formulate this task as a constrained bi-objective problem, (ii) provide several realistic use cases varying in complexity for algorithm validation, and (iii) investigate the suitability of evolutionary multi-objective optimisation (in our case, MOEA/D) and an augmented epsilon-constraint approach (in CPLEX) to tackle the problem. We find that the augmented epsilon-constraint approach can solve the problem efficiently, capturing a diverse set of Pareto optimal solutions for each scenario. Although the performance of MOEA/D improves as the complexity of the problem increases, it is not able to compete with the augmented epsilon-constraint approach in terms of solutions found and reliability. We hope that the proposed problem and use cases will serve as an interesting test bed to benchmark optimisation algorithms and expand the problem formulation further.

KW - Cybersecurity

KW - Bi-objective modelling

KW - Optimisation

KW - Augmented Epsilon-constraint

KW - MOEA/D

U2 - 10.1145/3712255.3726610

DO - 10.1145/3712255.3726610

M3 - Conference contribution

BT - Genetic and Evolutionary Computation Conference (GECCO'25), July 14 - 18, 2025, Malaga, Spain

ER -

Bi-objective Optimisation of Cybersecurity Investment: Reducing Component Vulnerability and Security Breach Risk

Abstract

Keywords

Access to Document

Fingerprint

Cite this