Cyber Risk Scoring with QUBO: A Quantum and Hybrid Benchmark Study
Pith reviewed 2026-05-16 20:59 UTC · model grok-4.3
The pith
A QUBO formulation turns cyber risk assessment into an optimizable problem, with hybrid solvers scaling better than quantum annealing on networks up to 1000 nodes.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
We formulate cyber risk assessment as a Quadratic Unconstrained Binary Optimization problem that encodes risk states and interdependencies through tunable parameters and binary variables. On a 255-node realistic infrastructure the model identifies non-trivial risk propagation patterns invisible to visual inspection. Comparative benchmarks across networks up to 1000 nodes show quantum annealing yields solutions similar to classical heuristics yet suffers from embedding overhead on current hardware; hybrid solvers avoid this bottleneck and combine competitive scaling with improved identification of stable risk configurations.
What carries the argument
The QUBO formulation of cyber risk, which converts risk propagation and interdependencies into a quadratic unconstrained binary optimization problem solvable by classical, quantum, or hybrid methods.
If this is right
- Cyber risk scoring shifts from qualitative checklists to a tunable quantitative optimization framework usable across different infrastructures.
- For densely connected QUBO instances like this one, hybrid solvers are the practical choice on present hardware because they eliminate embedding overhead.
- Hybrid solvers identify more stable risk configurations than pure quantum annealing when applied at scale.
- Parameter flexibility allows adaptation to new domains or changing infrastructure topologies without reformulating the entire problem.
- Scalability to 1000 nodes demonstrates that hybrid workflows can handle realistic enterprise sizes where pure quantum approaches currently cannot.
Where Pith is reading between the lines
- The same QUBO structure could be repurposed for risk assessment in other highly interdependent systems such as supply chains or financial networks.
- Improvements in quantum hardware connectivity would narrow the performance gap between pure annealing and hybrid methods for this class of problems.
- Validating the tunable parameters against historical incident logs could turn the model into a predictive tool rather than a static scoring method.
- Integration with existing network monitoring systems might enable periodic re-optimization of risk scores as the infrastructure evolves.
Load-bearing premise
The chosen QUBO parameterization and binary variable representation accurately capture the dynamic and interconnected nature of cyber risks in real IT infrastructures.
What would settle it
Running the model on a live production network and finding that its computed risk scores show no statistical correlation with observed incidents or vulnerability data over time would falsify the claim that the formulation accurately represents real cyber risk.
Original abstract
Assessing cyber risk in complex IT infrastructures poses significant challenges due to the dynamic, interconnected nature of digital systems. Traditional methods often fall short, relying on static and largely qualitative models that do not scale with system complexity and fail to capture systemic interdependencies. In this work, we introduce a novel quantitative approach to cyber risk assessment based on Quadratic Unconstrained Binary Optimization (QUBO), a formulation compatible with both classical computing and quantum annealing. We demonstrate the capabilities of our approach using a realistic 255-node layered infrastructure, showing how risk spreads in non-trivial patterns that are difficult to identify through visual inspection alone. To assess scalability, we further conduct extensive experiments on networks up to 1000 nodes comparing classical, quantum, and hybrid classical-quantum workflows. Our results reveal that although quantum annealing produces solutions comparable to classical heuristics, its potential advantages are significantly hindered by the embedding overhead required to map the densely connected cyber-risk QUBO onto the limited connectivity of current quantum hardware. By contrast, hybrid quantum-classical solvers avoid this bottleneck and therefore emerge as a promising option, combining competitive scaling with an improved ability to explore the solution space and identify more stable risk configurations. Overall, this work delivers two main advances. First, we present a rigorous, tunable, and generalizable mathematical model for cyber risk that can be adapted to diverse infrastructures and domains through flexible parameterization. Second, we provide the first comparative study of classical, quantum, and hybrid approaches for cyber risk scoring at scale, highlighting the emerging potential of hybrid quantum-classical methods for large-scale infrastructures.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces a QUBO formulation for quantitative cyber risk scoring in IT networks, demonstrates its use on a realistic 255-node layered infrastructure to identify non-trivial risk propagation patterns, and reports benchmarks of classical heuristics, quantum annealing, and hybrid solvers on instances up to 1000 nodes. It concludes that hybrid quantum-classical approaches avoid embedding overheads on current hardware and thereby combine competitive scaling with an improved ability to explore the solution space and identify more stable risk configurations.
Significance. If the QUBO parameterization is shown to be robust and the benchmark comparisons are augmented with quantitative stability metrics, the work would supply a tunable optimization-based framework for cyber risk that is directly compatible with quantum and hybrid solvers. This could inform practical deployment decisions for large-scale infrastructure risk assessment and highlight concrete engineering trade-offs in mapping dense QUBO instances to near-term quantum devices.
major comments (3)
- [Abstract / Benchmark section] Abstract and benchmark results: the claim that hybrid solvers provide an 'improved ability to explore the solution space and identify more stable risk configurations' is not supported by any reported quantitative metrics such as variance across runs, number of distinct low-energy solutions, or convergence statistics comparing hybrids to classical heuristics on the 255-node or 1000-node instances.
- [Model and Experiments] Model formulation and experiments: no sensitivity analysis or error bars are presented for the chosen risk parameters, so it is unclear whether the reported non-trivial risk patterns on the 255-node network are robust to reasonable variations in parameterization.
- [Results / Discussion] Validation: the demonstrations on 255-node and 1000-node networks contain no comparison against documented real-world cyber incidents or ground-truth risk data, which is required to substantiate that the QUBO captures dynamic and interconnected risk behavior beyond synthetic construction.
minor comments (2)
- [Methods] Notation for the QUBO objective function and binary variables should be introduced with an explicit equation early in the methods section to improve readability for readers unfamiliar with cyber-risk modeling.
- [Figures] Figure captions for the network visualizations and solver scaling plots would benefit from explicit statements of the parameter values used and the number of independent runs performed.
Simulated Author's Rebuttal
We appreciate the referee's detailed and constructive feedback on our manuscript. We address each major comment point by point below, indicating where revisions will be made to strengthen the paper.
Point-by-point responses
- Referee: [Abstract / Benchmark section] Abstract and benchmark results: the claim that hybrid solvers provide an 'improved ability to explore the solution space and identify more stable risk configurations' is not supported by any reported quantitative metrics such as variance across runs, number of distinct low-energy solutions, or convergence statistics comparing hybrids to classical heuristics on the 255-node or 1000-node instances.
  Authors: We acknowledge that the claim regarding hybrid solvers' improved exploration and stability is currently qualitative. In the revised manuscript, we will augment the benchmark section with quantitative metrics, including variance of solution energies across multiple independent runs, the count of distinct low-energy solutions per solver, and convergence statistics (e.g., iteration counts or time-to-convergence). These will be presented for the 255-node and 1000-node instances to enable direct, evidence-based comparison with classical heuristics. (revision: yes)
- Referee: [Model and Experiments] Model formulation and experiments: no sensitivity analysis or error bars are presented for the chosen risk parameters, so it is unclear whether the reported non-trivial risk patterns on the 255-node network are robust to reasonable variations in parameterization.
  Authors: We agree that sensitivity analysis is needed to establish robustness. We will add a new subsection in the experiments that systematically varies key parameters (propagation probabilities, impact weights, and connectivity thresholds) over plausible ranges. Results will include error bars or standard deviations on the identified risk patterns for the 255-node network, with discussion of which patterns remain stable. (revision: yes)
- Referee: [Results / Discussion] Validation: the demonstrations on 255-node and 1000-node networks contain no comparison against documented real-world cyber incidents or ground-truth risk data, which is required to substantiate that the QUBO captures dynamic and interconnected risk behavior beyond synthetic construction.
  Authors: We recognize that external validation against real-world incident data would strengthen the claims. However, detailed, anonymized ground-truth data at the required scale and granularity is not publicly available due to confidentiality constraints in the cybersecurity domain. Our networks are constructed as realistic synthetic models following documented enterprise layered topologies and standard risk propagation assumptions. In revision, we will expand the discussion to explicitly acknowledge this limitation, clarify the synthetic-yet-realistic basis of the benchmarks, and identify incorporation of real incident data as an important direction for future work. (revision: partial)
Circularity Check
No significant circularity in QUBO cyber-risk model or benchmarks
full rationale
The paper introduces a new QUBO formulation with explicit flexible parameterization for cyber risk and performs direct empirical benchmarks of classical, quantum, and hybrid solvers on generated 255-node and 1000-node instances. No derivation step reduces a claimed prediction or result to a fitted parameter or self-defined quantity by construction. No self-citation is load-bearing for the central claims about embedding overhead or hybrid exploration; the model is presented as tunable without invoking prior author uniqueness theorems or ansatzes. Benchmark outcomes are reported as comparative scaling and solution quality metrics, not as outputs forced by the paper's own equations.
Axiom & Free-Parameter Ledger
free parameters (1)
- risk parameters
axioms (1)
- domain assumption: Cyber risks in interconnected systems can be represented as a QUBO without significant loss of dynamic behavior.
Lean theorems connected to this paper
- IndisputableMonolith/Cost/FunctionalEquation.lean, theorem washburn_uniqueness_aczel (tag: unclear)
  Relation between the paper passage and the cited Recognition theorem is unclear.
  Paper passage: $H = \lambda_1 H_1 + \lambda_2 H_2 + \lambda_3 H_3 + \lambda_4 H_4 + \lambda_5 H_5$ … $H_1 = \sum_i IS_i \,(IS_i - FS_i)^2$ … $H_2 = -\sum_{i,j} S_{ij}\, FS_i\, FS_j$ …
- IndisputableMonolith/Foundation/RealityFromDistinction.lean, theorem reality_from_one_distinction (tag: unclear)
  Relation between the paper passage and the cited Recognition theorem is unclear.
  Paper passage: "hybrid quantum-classical solvers avoid the embedding overhead … improved ability to explore the solution space"
What do these tags mean?
- matches: The paper's claim is directly supported by a theorem in the formal canon.
- supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
- extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
- uses: The paper appears to rely on the theorem as machinery.
- contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
- unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.