arxiv: 2512.18305 · v2 · submitted 2025-12-20 · 🪐 quant-ph · cs.CR

Cyber Risk Scoring with QUBO: A Quantum and Hybrid Benchmark Study

Pith reviewed 2026-05-16 20:59 UTC · model grok-4.3

classification 🪐 quant-ph cs.CR
keywords cyber risk · QUBO · quantum annealing · hybrid solvers · IT infrastructure · risk propagation · binary optimization · scalability

The pith

A QUBO formulation turns cyber risk assessment into an optimizable problem, with hybrid solvers scaling better than quantum annealing on networks up to 1000 nodes.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces a QUBO model that represents cyber risks in IT infrastructures as binary variables in a quadratic optimization problem, allowing quantitative tracking of how risks propagate through interconnected systems. Tests on a realistic 255-node layered network reveal non-obvious spread patterns, and scaling experiments compare classical, quantum, and hybrid solvers up to 1000 nodes. Pure quantum annealing produces comparable solutions but is slowed by the need to embed the dense QUBO graph onto hardware with limited connectivity. Hybrid quantum-classical solvers sidestep this embedding step and deliver competitive performance with better exploration of stable risk configurations. A reader would care because existing cyber risk methods stay qualitative and fail to scale with system complexity.

Core claim

We formulate cyber risk assessment as a Quadratic Unconstrained Binary Optimization problem that encodes risk states and interdependencies through tunable parameters and binary variables. On a 255-node realistic infrastructure the model identifies non-trivial risk propagation patterns invisible to visual inspection. Comparative benchmarks across networks up to 1000 nodes show quantum annealing yields solutions similar to classical heuristics yet suffers from embedding overhead on current hardware; hybrid solvers avoid this bottleneck and combine competitive scaling with improved identification of stable risk configurations.

What carries the argument

The QUBO formulation of cyber risk, which converts risk propagation and interdependencies into a quadratic unconstrained binary optimization problem solvable by classical, quantum, or hybrid methods.
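The page does not reproduce the paper's objective, so the following is an added toy example (not the authors' code, and not their exact parameterization): a QUBO of the same shape on a constructed seven-node network in the four layers of the paper's test topology, with an assumed threshold `theta`, assumed intrinsic risks `r_i` and an assumed uniform coupling `w`, solved by brute force. Raising the coupling shows risk spreading further from the high-risk exception, and `coupler_count` exposes the dependency graph that an annealer would have to minor-embed.

```python
"""Toy QUBO for cyber risk scoring on a layered network (assumed formulation,
not the paper's exact objective). Binary x_i = 1 marks node i as at risk:

    E(x) = sum_i (theta - r_i) x_i  -  sum_{(i,j) in edges} w_ij x_i x_j

r_i   intrinsic risk in [0, 1];  theta  flagging threshold (a node is worth
flagging on its own only if r_i > theta);  w_ij  propagation coupling, a
reward for flagging both ends of a dependency so risk spreads along edges.
Standard QUBO form: E(x) = sum_i Q_ii x_i + sum_{i<j} Q_ij x_i x_j.
"""
from itertools import product

# Constructed 7-node network in four layers (workstations w, network n,
# servers s, databases d). s3 is the deliberate high-risk exception.
NODES = {"w0": 0.2, "w1": 0.3, "n2": 0.3, "s3": 0.9, "s4": 0.2, "d5": 0.3, "d6": 0.1}
EDGES = [("w0", "n2"), ("w1", "n2"), ("n2", "s3"), ("n2", "s4"),
         ("s3", "d5"), ("s4", "d6")]

def build_qubo(nodes, edges, theta, coupling):
    """Upper-triangular QUBO matrix as a dict {(i, j): Q_ij}."""
    order = {n: k for k, n in enumerate(nodes)}
    q = {(n, n): theta - r for n, r in nodes.items()}      # linear terms
    for i, j in edges:                                     # quadratic terms
        key = (i, j) if order[i] < order[j] else (j, i)
        q[key] = q.get(key, 0.0) - coupling
    return q

def energy(q, x):
    """E(x) for an assignment x: dict node -> 0/1 (x_i * x_i == x_i)."""
    return sum(v * x[i] * x[j] for (i, j), v in q.items())

def solve_exact(q, nodes):
    """Brute-force ground state; fine for a toy, while the paper relies on
    classical heuristics, annealers and hybrid solvers at 255-1000 nodes."""
    names = list(nodes)
    best_x, best_e = None, float("inf")
    for bits in product((0, 1), repeat=len(names)):
        x = dict(zip(names, bits))
        e = energy(q, x)
        if e < best_e:
            best_x, best_e = x, e
    return {n for n, b in best_x.items() if b}, best_e

def risk_configuration(theta=0.5, coupling=0.25):
    """Flagged (at-risk) node set and its energy for the constructed network."""
    q = build_qubo(NODES, EDGES, theta, coupling)
    return solve_exact(q, NODES)

def coupler_count(q):
    """Non-zero off-diagonal entries: the graph that must be minor-embedded on
    an annealer, which is the source of the embedding overhead the paper reports."""
    return sum(1 for (i, j), v in q.items() if i != j and v != 0)

if __name__ == "__main__":
    for w in (0.25, 0.35):          # stronger coupling: risk spreads further
        flagged, e = risk_configuration(coupling=w)
        print(f"coupling={w}: at-risk set {sorted(flagged)}, energy {e:.2f}")
```

With `coupling=0.25` only the exception and the chain through it (n2, w1, d5) are flagged; at `0.35` the flagged set grows to include w0 and s4, a propagation pattern that is not visible from the intrinsic risks alone.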

If this is right

  • Cyber risk scoring shifts from qualitative checklists to a tunable quantitative optimization framework usable across different infrastructures.
  • For densely connected QUBO instances like this one, hybrid solvers are the practical choice on present hardware because they eliminate embedding overhead.
  • Hybrid solvers identify more stable risk configurations than pure quantum annealing when the model is applied at scale.
  • Parameter flexibility allows adaptation to new domains or changing infrastructure topologies without reformulating the entire problem.
  • Scalability to 1000 nodes demonstrates that hybrid workflows can handle realistic enterprise sizes where pure quantum approaches currently cannot.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same QUBO structure could be repurposed for risk assessment in other highly interdependent systems such as supply chains or financial networks.
  • Improvements in quantum hardware connectivity would narrow the performance gap between pure annealing and hybrid methods for this class of problems.
  • Validating the tunable parameters against historical incident logs could turn the model into a predictive tool rather than a static scoring method.
  • Integration with existing network monitoring systems might enable periodic re-optimization of risk scores as the infrastructure evolves.

Load-bearing premise

The chosen QUBO parameterization and binary variable representation accurately capture the dynamic and interconnected nature of cyber risks in real IT infrastructures.

What would settle it

Running the model on a live production network and finding that its computed risk scores show no statistical correlation with observed incidents or vulnerability data over time would falsify the claim that the formulation accurately represents real cyber risk.

Figures

Figures reproduced from arXiv: 2512.18305 by Remo Marini, Riccardo Arpe.

Figure 1: Test network topology. Nodes are grouped into four layers: workstations, network, servers, and databases.
Figure 2: Realistic network topology. Nodes are grouped into seven layers: workstations, network, servers, databases
Figure 3: Result of the QUBO minimisation on the IT infrastructure in figure 2. Figure a shows the aggregated results,
Figure 4: Result of the QUBO minimisation after increasing the influence of the high-risk exception (node 143). Figure a
Figure 5: Performance and accuracy comparison across classical, quantum, and hybrid solvers, the latter have been
Figure 6: Mean risk trend across iterative application of QUBO on the 255-node IT infrastructure, the different lines
Figure 7: Result of the QUBO minimisation after flagging of the high-risk exception (node 143) as exposed to the
Figure 8: Result of the QUBO minimisation on the realistic IT infrastructure depicted in Fig. 2. Aggregated results
Original abstract

Assessing cyber risk in complex IT infrastructures poses significant challenges due to the dynamic, interconnected nature of digital systems. Traditional methods often fall short, relying on static and largely qualitative models that do not scale with system complexity and fail to capture systemic interdependencies. In this work, we introduce a novel quantitative approach to cyber risk assessment based on Quadratic Unconstrained Binary Optimization (QUBO), a formulation compatible with both classical computing and quantum annealing. We demonstrate the capabilities of our approach using a realistic 255-node layered infrastructure, showing how risk spreads in non-trivial patterns that are difficult to identify through visual inspection alone. To assess scalability, we further conduct extensive experiments on networks up to 1000 nodes comparing classical, quantum, and hybrid classical-quantum workflows. Our results reveal that although quantum annealing produces solutions comparable to classical heuristics, its potential advantages are significantly hindered by the embedding overhead required to map the densely connected cyber-risk QUBO onto the limited connectivity of current quantum hardware. By contrast, hybrid quantum-classical solvers avoid this bottleneck and therefore emerge as a promising option, combining competitive scaling with an improved ability to explore the solution space and identify more stable risk configurations. Overall, this work delivers two main advances. First, we present a rigorous, tunable, and generalizable mathematical model for cyber risk that can be adapted to diverse infrastructures and domains through flexible parameterization. Second, we provide the first comparative study of classical, quantum, and hybrid approaches for cyber risk scoring at scale, highlighting the emerging potential of hybrid quantum-classical methods for large-scale infrastructures.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper introduces a QUBO formulation for quantitative cyber risk scoring in IT networks, demonstrates its use on a realistic 255-node layered infrastructure to identify non-trivial risk propagation patterns, and reports benchmarks of classical heuristics, quantum annealing, and hybrid solvers on instances up to 1000 nodes. It concludes that hybrid quantum-classical approaches avoid embedding overheads on current hardware and thereby combine competitive scaling with an improved ability to explore the solution space and identify more stable risk configurations.

Significance. If the QUBO parameterization is shown to be robust and the benchmark comparisons are augmented with quantitative stability metrics, the work would supply a tunable optimization-based framework for cyber risk that is directly compatible with quantum and hybrid solvers. This could inform practical deployment decisions for large-scale infrastructure risk assessment and highlight concrete engineering trade-offs in mapping dense QUBO instances to near-term quantum devices.

major comments (3)
  1. [Abstract / Benchmark section] Abstract and benchmark results: the claim that hybrid solvers provide an 'improved ability to explore the solution space and identify more stable risk configurations' is not supported by any reported quantitative metrics such as variance across runs, number of distinct low-energy solutions, or convergence statistics comparing hybrids to classical heuristics on the 255-node or 1000-node instances.
  2. [Model and Experiments] Model formulation and experiments: no sensitivity analysis or error bars are presented for the chosen risk parameters, so it is unclear whether the reported non-trivial risk patterns on the 255-node network are robust to reasonable variations in parameterization.
  3. [Results / Discussion] Validation: the demonstrations on 255-node and 1000-node networks contain no comparison against documented real-world cyber incidents or ground-truth risk data, which is required to substantiate that the QUBO captures dynamic and interconnected risk behavior beyond synthetic construction.
minor comments (2)
  1. [Methods] Notation for the QUBO objective function and binary variables should be introduced with an explicit equation early in the methods section to improve readability for readers unfamiliar with cyber-risk modeling.
  2. [Figures] Figure captions for the network visualizations and solver scaling plots would benefit from explicit statements of the parameter values used and the number of independent runs performed.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We appreciate the referee's detailed and constructive feedback on our manuscript. We address each major comment point by point below, indicating where revisions will be made to strengthen the paper.

Point-by-point responses
  1. Referee: [Abstract / Benchmark section] Abstract and benchmark results: the claim that hybrid solvers provide an 'improved ability to explore the solution space and identify more stable risk configurations' is not supported by any reported quantitative metrics such as variance across runs, number of distinct low-energy solutions, or convergence statistics comparing hybrids to classical heuristics on the 255-node or 1000-node instances.

    Authors: We acknowledge that the claim regarding hybrid solvers' improved exploration and stability is currently qualitative. In the revised manuscript, we will augment the benchmark section with quantitative metrics, including variance of solution energies across multiple independent runs, the count of distinct low-energy solutions per solver, and convergence statistics (e.g., iteration counts or time-to-convergence). These will be presented for the 255-node and 1000-node instances to enable direct, evidence-based comparison with classical heuristics. revision: yes

  2. Referee: [Model and Experiments] Model formulation and experiments: no sensitivity analysis or error bars are presented for the chosen risk parameters, so it is unclear whether the reported non-trivial risk patterns on the 255-node network are robust to reasonable variations in parameterization.

    Authors: We agree that sensitivity analysis is needed to establish robustness. We will add a new subsection in the experiments that systematically varies key parameters (propagation probabilities, impact weights, and connectivity thresholds) over plausible ranges. Results will include error bars or standard deviations on the identified risk patterns for the 255-node network, with discussion of which patterns remain stable. revision: yes

  3. Referee: [Results / Discussion] Validation: the demonstrations on 255-node and 1000-node networks contain no comparison against documented real-world cyber incidents or ground-truth risk data, which is required to substantiate that the QUBO captures dynamic and interconnected risk behavior beyond synthetic construction.

    Authors: We recognize that external validation against real-world incident data would strengthen the claims. However, detailed, anonymized ground-truth data at the required scale and granularity is not publicly available due to confidentiality constraints in the cybersecurity domain. Our networks are constructed as realistic synthetic models following documented enterprise layered topologies and standard risk propagation assumptions. In revision, we will expand the discussion to explicitly acknowledge this limitation, clarify the synthetic-yet-realistic basis of the benchmarks, and identify incorporation of real incident data as an important direction for future work. revision: partial

Circularity Check

0 steps flagged

No significant circularity in QUBO cyber-risk model or benchmarks

Full rationale

The paper introduces a new QUBO formulation with explicit flexible parameterization for cyber risk and performs direct empirical benchmarks of classical, quantum, and hybrid solvers on generated 255-node and 1000-node instances. No derivation step reduces a claimed prediction or result to a fitted parameter or self-defined quantity by construction. No self-citation is load-bearing for the central claims about embedding overhead or hybrid exploration; the model is presented as tunable without invoking prior author uniqueness theorems or ansatzes. Benchmark outcomes are reported as comparative scaling and solution quality metrics, not as outputs forced by the paper's own equations.

Axiom & Free-Parameter Ledger

1 free parameter · 1 axiom · 0 invented entities

The central claim rests on the domain assumption that cyber risk interdependencies can be faithfully encoded as a quadratic binary optimization problem and that benchmark performance on synthetic networks generalizes; one general class of tunable risk parameters is implied but not enumerated.

free parameters (1)
  • risk parameters
    Flexible parameterization is used to adapt the model to diverse infrastructures, implying multiple tunable values for node risks and connection impacts.
axioms (1)
  • domain assumption: Cyber risks in interconnected systems can be represented as a QUBO without significant loss of dynamic behavior
    Invoked when the authors state the formulation captures systemic interdependencies and non-trivial risk spread patterns.



