Cyber Risk Scoring with QUBO: A Quantum and Hybrid Benchmark Study
Remo Marini, Riccardo Arpe
TL;DR
The paper presents a quantitative cyber risk scoring framework based on Quadratic Unconstrained Binary Optimization (QUBO), applicable to classical and quantum solvers. It formulates a tunable Hamiltonian with five components to model local risk, neighbor effects, connectivity, and high-risk node influence, tested on layered IT infrastructures of up to 1000 nodes. Comparative results show that classical solvers perform well at scale, that quantum annealing is impeded by the embedding overhead of densely connected graphs, and that hybrid quantum–classical approaches strike a practical balance with robust, stable solutions. The work demonstrates the framework’s flexibility and provides guidance on when and why hybrid methods offer the most value for large-scale cyber-risk analysis.
Abstract
Assessing cyber risk in complex IT infrastructures poses significant challenges due to the dynamic, interconnected nature of digital systems. Traditional methods often fall short, relying on static and largely qualitative models that do not scale with system complexity and fail to capture systemic interdependencies. In this work, we introduce a novel quantitative approach to cyber risk assessment based on Quadratic Unconstrained Binary Optimization (QUBO), a formulation compatible with both classical computing and quantum annealing. We demonstrate the capabilities of our approach using a realistic 255-node layered infrastructure, showing how risk spreads in non-trivial patterns that are difficult to identify through visual inspection alone. To assess scalability, we further conduct extensive experiments on networks of up to 1000 nodes, comparing classical, quantum, and hybrid classical-quantum workflows. Our results reveal that although quantum annealing produces solutions comparable to classical heuristics, its potential advantages are significantly hindered by the embedding overhead required to map the densely connected cyber-risk QUBO onto the limited connectivity of current quantum hardware. By contrast, hybrid quantum-classical solvers avoid this bottleneck and therefore emerge as a promising option, combining competitive scaling with an improved ability to explore the solution space and identify more stable risk configurations. Overall, this work delivers two main advances. First, we present a rigorous, tunable, and generalizable mathematical model for cyber risk that can be adapted to diverse infrastructures and domains through flexible parameterization. Second, we provide the first comparative study of classical, quantum, and hybrid approaches for cyber risk scoring at scale, highlighting the emerging potential of hybrid quantum-classical methods for large-scale infrastructures.
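As an added illustration (not the paper's Hamiltonian, whose exact five terms are not given on this page), the toy QUBO below has a local-risk term, a neighbour-propagation term and a cardinality penalty, solved by exhaustive enumeration on a constructed six-node network; the node scores, edge weights, parameter names and the choice of terms are all assumptions. The pairwise penalty term also makes visible why such a QUBO is densely connected and hence costly to embed on sparse annealer topologies.

```python
import itertools

# Constructed toy infrastructure (assumption, not the paper's 255-node network):
# node id -> local risk score in [0, 1]
LOCAL_RISK = {0: 0.9, 1: 0.2, 2: 0.7, 3: 0.1, 4: 0.8, 5: 0.3}
# undirected edges (i < j) -> risk propagation weight in [0, 1]
EDGES = {(0, 1): 0.5, (1, 2): 0.9, (2, 3): 0.4, (3, 4): 0.8, (4, 5): 0.6, (0, 4): 0.7}


def build_qubo(local, edges, k, a=1.0, b=1.0, lam=2.0):
    """Build Q[(i, j)] so that sum_ij Q[i,j] x_i x_j + offset equals
    H = -a*sum_i r_i x_i - b*sum_(i,j) w_ij x_i x_j + lam*(sum_i x_i - k)^2
    where x_i = 1 marks node i as part of the k-node high-risk set."""
    n = len(local)
    Q = {}
    for i, r in local.items():
        # local-risk reward plus the linear part of the expanded penalty
        # (uses x_i^2 == x_i for binary variables)
        Q[(i, i)] = -a * r + lam * (1 - 2 * k)
    for i in range(n):
        for j in range(i + 1, n):
            # the quadratic part of the penalty couples every pair of nodes:
            # this is what makes the cyber-risk QUBO densely connected
            Q[(i, j)] = 2 * lam
    for (i, j), w in edges.items():
        # neighbour effect: flagging both ends of a risky link is rewarded
        Q[(i, j)] -= b * w
    return Q, lam * k * k  # constant offset from the penalty expansion


def energy(Q, x, offset=0.0):
    return offset + sum(q * x[i] * x[j] for (i, j), q in Q.items())


def brute_force(Q, n, offset=0.0):
    """Exhaustive minimisation; fine for a handful of nodes, which is exactly
    the point where a classical heuristic, annealer or hybrid solver takes over."""
    best_e, best_x = None, None
    for x in itertools.product((0, 1), repeat=n):
        e = energy(Q, x, offset)
        if best_e is None or e < best_e:
            best_e, best_x = e, x
    return best_e, best_x


def score_network(k=2):
    """Return (minimum energy, sorted node ids in the k-node high-risk set)."""
    Q, offset = build_qubo(LOCAL_RISK, EDGES, k)
    e, x = brute_force(Q, len(LOCAL_RISK), offset)
    return e, [i for i, bit in enumerate(x) if bit]
```

On the constructed network, `score_network(2)` selects nodes 0 and 4, the two adjacent hosts with the highest local risk, rather than the two highest-scoring hosts in isolation.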
