Qubo Enables Scalable Cyber Risk Assessment for Complex 255-Node Infrastructures

Assessing cyber risk in increasingly complex digital systems presents a major challenge for organisations worldwide, and traditional methods often struggle to keep pace with evolving threats. Remo Marini from Assicurazioni Generali S. p. A. and F3RM1 Foundation, along with Riccardo Arpe from Rewrite Technology, addresses this problem by introducing a new quantitative approach to cyber risk assessment based on Quadratic Unconstrained Binary Optimisation, a technique suited to both conventional and quantum computing. The team demonstrates this method on a realistic model of a complex network, revealing how risk propagates in subtle patterns that are difficult to detect using conventional techniques. This research delivers a rigorous and adaptable mathematical model for cyber risk, and importantly, provides the first comprehensive comparison of conventional, quantum, and hybrid computational strategies for assessing risk at scale, suggesting that hybrid methods offer the most promising path towards securing large-scale infrastructures.

The study pioneers a method that encodes cyber risk as a mathematical problem, combining node-specific risk factors, including patching status and internet exposure, with penalties based on network connectivity. This formulation allows researchers to model how vulnerabilities propagate and interact, generating a dynamic view of systemic risk at the network level.

QUBO Reveals Systemic Cyber Risk Patterns

Scientists demonstrated the capabilities of this approach on a realistic 255-node layered infrastructure, revealing how risk spreads in patterns difficult to identify through visual inspection. Experiments extended to networks of up to 1000 nodes, allowing for comprehensive scalability testing of different computational workflows. Results demonstrate that risk concentrates on central, highly interconnected nodes, spreading along complex pathways within the network.

QUBO Models Systemic Cyber Risk Propagation

By formulating risk propagation as a mathematical problem and employing various solvers, researchers demonstrate how systemic vulnerabilities within complex IT infrastructures can be evaluated more effectively. The resulting model offers considerable flexibility, allowing adaptation to diverse infrastructures through customizable network topology and node attributes. Results demonstrate that the QUBO formulation accurately captures essential systemic behaviours, including how networks absorb or amplify vulnerabilities and how structural dependencies drive risk propagation. Analysis of different computational approaches reveals qualitative differences in the stability of solutions, with hybrid quantum-classical workflows consistently converging to more stable and resilient configurations compared to purely classical approaches.

While classical solvers remain efficient at moderate scales, scalability analysis indicates that quantum annealing is currently constrained by the challenges of embedding complex problems onto existing hardware. Hybrid methods, by offloading selected components to quantum processing units, circumvent this bottleneck and emerge as a promising option for large-scale infrastructures. This research delivers a rigorous, tunable, and generalizable mathematical model for cyber risk, adaptable to diverse infrastructures and domains through flexible parameterization, representing a substantial advancement in the field. The team’s work provides the first comparative study of classical, quantum, and hybrid approaches for cyber risk scoring at scale, establishing a benchmark for future research and development in this critical field.