Risk management for cyber-infrastructure protection: A bi-objective integer programming approach

Bibliographic details
Published in: Reliability engineering & system safety, Volume 205; p. 107093
Main authors: Schmidt, Adam, Albert, Laura A., Zheng, Kaiyue
Format: Journal Article
Language: English
Published: Barking Elsevier Ltd 01.01.2021
Elsevier BV
ISSN:0951-8320, 1879-0836
Abstract
•Information and communication technology supply chains present risks that are complex and difficult to manage.
•We present new optimization models to support supply chain risk management.
•Optimization models with two risk reduction objectives select a portfolio of security controls subject to a budget constraint.
•The stochastic model informs security investment decisions under uncertainty.
•The computational results highlight how to construct a portfolio of security controls that is effective across multiple criteria.

Information and communication technology supply chains present risks that are complex and difficult for organizations to manage. The cost and benefit of proposed security controls must be assessed to best match an organizational risk tolerance and direct the use of security resources. In this paper, we present integer and stochastic optimization models for selecting a portfolio of security controls within an organizational budget. We consider two objectives: to maximize the risk reduction across all potential attacks and to maximize the number of attacks whose risk levels are lower than a risk threshold after security controls are applied. Deterministic and stochastic bi-objective budgeted difficulty-threshold control selection problems are formulated for selecting mitigating controls to reflect an organization’s risk preference. In the stochastic problem, we consider uncertainty as to whether the selected controls can reduce the risks associated with attacks. We demonstrate through a computational study that the trade-off between the two objectives is important to consider for certain risk preferences and budgets. We demonstrate the value of the stochastic model when a relatively high number of attacks are desired to be secured past a risk threshold and show the deterministic solution provides near optimal solutions otherwise. We provide an analysis of model solutions.
ArticleNumber 107093
Author Zheng, Kaiyue
Albert, Laura A.
Schmidt, Adam
Author_xml – sequence: 1
  givenname: Adam
  orcidid: 0000-0002-7980-9771
  surname: Schmidt
  fullname: Schmidt, Adam
  email: apschmidt2@wisc.edu
  organization: Department of Industrial and Systems Engineering, University of Wisconsin-Madison, 53706, United States
– sequence: 2
  givenname: Laura A.
  surname: Albert
  fullname: Albert, Laura A.
  email: laura@engr.wisc.edu
  organization: Department of Industrial and Systems Engineering, University of Wisconsin-Madison, 53706, United States
– sequence: 3
  givenname: Kaiyue
  surname: Zheng
  fullname: Zheng, Kaiyue
  email: kay.zheng@wisc.edu
  organization: Amazon, Seattle, WA 98121, United States
ContentType Journal Article
Copyright 2020 Elsevier Ltd
Copyright Elsevier BV Jan 2021
Copyright_xml – notice: 2020 Elsevier Ltd
– notice: Copyright Elsevier BV Jan 2021
DOI 10.1016/j.ress.2020.107093
DatabaseName CrossRef
Environment Abstracts
Mechanical & Transportation Engineering Abstracts
Technology Research Database
Environmental Sciences and Pollution Management
Engineering Research Database
Environment Abstracts
DatabaseTitle CrossRef
Engineering Research Database
Technology Research Database
Mechanical & Transportation Engineering Abstracts
Environment Abstracts
Environmental Sciences and Pollution Management
DatabaseTitleList
Engineering Research Database
DeliveryMethod fulltext_linktorsrc
Discipline Engineering
EISSN 1879-0836
ExternalDocumentID 10_1016_j_ress_2020_107093
S0951832020305949
ISICitedReferencesCount 10
ISSN 0951-8320
IngestDate Wed Aug 13 02:57:51 EDT 2025
Sat Nov 29 07:08:12 EST 2025
Tue Nov 18 22:08:38 EST 2025
Fri Feb 23 02:46:03 EST 2024
IsPeerReviewed true
IsScholarly true
Keywords Cyber-security
Supply chain security
Bi-objective optimization
Risk management
Information and communication technology security
Risk threshold
Language English
LinkModel OpenURL
Notes ObjectType-Article-1
SourceType-Scholarly Journals-1
ObjectType-Feature-2
content type line 14
ORCID 0000-0002-7980-9771
PQID 2505726368
PQPubID 2045406
ParticipantIDs proquest_journals_2505726368
crossref_citationtrail_10_1016_j_ress_2020_107093
crossref_primary_10_1016_j_ress_2020_107093
elsevier_sciencedirect_doi_10_1016_j_ress_2020_107093
PublicationCentury 2000
PublicationDate January 2021
2021-01-00
20210101
PublicationDateYYYYMMDD 2021-01-01
PublicationDate_xml – month: 01
  year: 2021
  text: January 2021
PublicationDecade 2020
PublicationPlace Barking
PublicationPlace_xml – name: Barking
PublicationTitle Reliability engineering & system safety
PublicationYear 2021
Publisher Elsevier Ltd
Elsevier BV
Publisher_xml – name: Elsevier Ltd
– name: Elsevier BV
– year: 2015
  ident: 10.1016/j.ress.2020.107093_bib0003
  article-title: Supply chain risk management practices for federal information systems and organizations
– volume: 22
  start-page: 165
  issue: 2
  year: 2001
  ident: 10.1016/j.ress.2020.107093_bib0006
  article-title: Estimating risk attitudes using lotteries: a large sample approach
  publication-title: J Risk Uncertain
  doi: 10.1023/A:1011109625844
– year: 2017
  ident: 10.1016/j.ress.2020.107093_bib0042
  article-title: Toward a Trusted Supply Chain: A Risk Based Approach to Managing Software Integrity
– ident: 10.1016/j.ress.2020.107093_bib0037
– volume: 236
  start-page: 85
  issue: 1
  year: 2014
  ident: 10.1016/j.ress.2020.107093_bib0038
  article-title: Dynamic programming algorithms for the bi-objective integer knapsack problem
  publication-title: Eur J Oper Res
  doi: 10.1016/j.ejor.2013.11.032
– start-page: 738
  year: 2011
  ident: 10.1016/j.ress.2020.107093_bib0047
  article-title: Risk-based cost-benefit analysis for security assessment problems
  publication-title: Vulnerability Uncertain Risk
  doi: 10.1061/41170(400)90
– year: 2013
  ident: 10.1016/j.ress.2020.107093_bib0023
  article-title: Optimal interdiction of attack plans
– year: 2015
  ident: 10.1016/j.ress.2020.107093_bib0030
  article-title: Supply Chain Risk Management: The Challenge in a Digital World
– year: 2002
  ident: 10.1016/j.ress.2020.107093_bib0014
  article-title: Two formal analyses of attack graphs
– start-page: 186
  year: 2005
  ident: 10.1016/j.ress.2020.107093_bib0027
  article-title: Foundations of attack trees
SourceID proquest
crossref
elsevier
SourceType Aggregation Database
Enrichment Source
Index Database
Publisher
StartPage 107093
SubjectTerms Bi-objective optimization
Budgets
Computer applications
Cyber-security
Information and communication technology security
Integer programming
Optimization
Reliability engineering
Risk levels
Risk management
Risk reduction
Risk threshold
Security
Stochastic models
Supply chain security
Supply chains
Title Risk management for cyber-infrastructure protection: A bi-objective integer programming approach
URI https://dx.doi.org/10.1016/j.ress.2020.107093
https://www.proquest.com/docview/2505726368
Volume 205
hasFullText 1
inHoldings 1
isFullTextHit
isPrint
journalDatabaseRights – providerCode: PRVESC
  databaseName: Elsevier SD Freedom Collection Journals 2021
  customDbUrl:
  eissn: 1879-0836
  dateEnd: 99991231
  omitProxy: false
  ssIdentifier: ssj0004957
  issn: 0951-8320
  databaseCode: AIEXJ
  dateStart: 19950101
  isFulltext: true
  titleUrlDefault: https://www.sciencedirect.com
  providerName: Elsevier
linkProvider Elsevier