Cyber Risk Management and Mitigation via Controlled Stochastic SIS Dynamics: An Optimal Control Approach
Shize Na, Zhuo Jin, Ran Xu, Hailiang Yang
TL;DR
The paper addresses cyber risk propagation by casting cyber risk management as a stochastic optimal control problem on a controlled SIS diffusion, introducing two controls $\eta_t$ (proactive) and $\rho_t$ (reactive). It derives the Hamilton–Jacobi–Bellman equation and proves the value function $V$ is the unique increasing viscosity solution, then develops a Policy Improvement Algorithm (PIA) with BSDE-based convergence to solve the infinite-horizon problem and demonstrates its effectiveness via a benchmark and sensitivity analyses. The results show that proactive risk management delivers robust benefits across infection levels, while reactive mitigation is crucial when infections are widespread, offering practical guidance on resource allocation in cyber defense. Overall, the work provides a rigorous, computationally viable framework for optimizing cyber risk control under stochastic contagion, with clear avenues for extending to jumps, regime-switching, and network-heterogeneity settings.
Abstract
In this paper, we formulate cyber risk management and mitigation as a stochastic optimal control problem under a stochastic Susceptible-Infected-Susceptible (SIS) epidemic model. To capture the dynamics and interplay of management and mitigation strategies, we introduce two stochastic controls: (i) a proactive risk management control to reduce external cyber attacks and internal contagion effects, and (ii) a reactive mitigation control to accelerate system recovery from cyber infection. The interplay between these controls is modeled by minimizing the expected discounted running costs, which balance proactive management expenses against reactive mitigation expenditures. We derive the associated Hamilton-Jacobi-Bellman (HJB) equation and characterize the value function as its unique viscosity solution. For numerical solutions, we propose a Policy Improvement Algorithm (PIA) and prove its convergence via Backward Stochastic Differential Equations (BSDEs). Finally, we present a comprehensive numerical analysis through a benchmark example, suboptimal control analysis, sensitivity analysis, and comparative statics.