Strengthening the weak links: bringing operational research to cybersecurity

By Tom Ziemer

Originally published online by College of Engineering, University of Wisconsin

In an age of data breaches and malware attacks, cybersecurity is paramount to organisations that store troves of customer and employee information. But companies, government entities and other large institutions have to consider more than just their centralised information technology infrastructures and policies to protect their data and cyber infrastructures, which rely on global supply chains comprised of third-party vendors and contractors. And any weak link in the chain can invite threats, as companies like Target or Home Depot or the United States Office of Personnel Management can attest. All have experienced major data breaches over the past six years from attacks that started with third-party vendors.

So how do organisations effectively safeguard their IT supply chains without completely exhausting their budgets?

Laura Albert, professor of industrial and systems engineering at the University of Wisconsin-Madison, is among the pioneers in bringing operational research to cybersecurity. She’s examining supply chains to help organisations weigh the options, and trade-offs, in these complex decisions. Albert and former graduate student Kaiyue Zheng have published a series of recent papers (in the journals Risk Analysis, Naval Research Logistics and IISE Transactions) in which they propose optimisation models to guard against worst-case risks and deal with adversarial attacks, where cyber assailants adapt to defensive measures. The National Science Foundation supported the research.

“A lot of the research out there focuses on real-time decisions, which addresses the response side but not the planning side,” says Albert, who likens establishing longer-term cybersecurity strategies and policies to building a fence. “It turns out with cybersecurity and infrastructure protection, you have to make many strategic defensive decisions over a long period of time. There are some real-time decisions, but frequently there are some really big decisions that you have to make about your infrastructure. These are not trivial decisions you can make on the fly.”

Those protective tactics can range from physical measures such as replacing vulnerable hardware or requiring tamper-evident packaging to broader initiatives like training employees, regularly assessing vendors or tightening security requirements. But all organisations run up against budgetary ceilings and finite employee resources, and there is uncertainty about the effectiveness of all strategies. Some potential actions are also incompatible with each other or have overlapping capabilities, meaning decisions can’t be made in isolation.

Albert’s models provide decision-makers with a quantitative way to assess their options and identify a portfolio of security controls that may work best for their organisation.

Now, Albert is using a new two-year grant from the National Science Foundation to study how to protect critical IT infrastructure and university research systems in partnership with UW-Madison’s Division of Information Technology. She’s excited to apply her work in such a complex decision-making environment, with IT managers scattered across campus in different schools, colleges and units. The project represents yet another challenge within the larger emerging area of operations research on cybersecurity.

“I can’t just take my previous models and apply them,” she says. “We have to come up with these models. How do we take this real thing that I can observe in the IT center at UW-Madison and turn that into a mathematical abstraction that would tell me something useful? That’s really humbling and challenging, but it feels good. It’s fun research.”

Professor of Industrial and Systems Engineering James Luedtke and recent graduate Eli Towle were also authors on Albert and Zheng’s paper in IISE Transactions.