Cyber Risk Scoring with QUBO: A Quantum and Hybrid Benchmark Study

TL;DR

This paper introduces a QUBO-based quantitative method for cyber risk assessment, comparing classical, quantum, and hybrid approaches on large networks, highlighting hybrid methods' scalability and potential advantages.

Contribution

It presents a new flexible mathematical model for cyber risk and offers the first comparative analysis of classical, quantum, and hybrid solutions for large-scale cyber risk scoring.

Findings

Quantum annealing solutions are comparable to classical heuristics.

Embedding overhead limits quantum advantage on current hardware.

Hybrid quantum-classical methods show promising scalability and stability.

Abstract

Assessing cyber risk in complex IT infrastructures poses significant challenges due to the dynamic, interconnected nature of digital systems. Traditional methods often fall short, relying on static and largely qualitative models that do not scale with system complexity and fail to capture systemic interdependencies. In this work, we introduce a novel quantitative approach to cyber risk assessment based on Quadratic Unconstrained Binary Optimization (QUBO), a formulation compatible with both classical computing and quantum annealing. We demonstrate the capabilities of our approach using a realistic 255-nodes layered infrastructure, showing how risk spreads in non-trivial patterns that are difficult to identify through visual inspection alone. To assess scalability, we further conduct extensive experiments on networks up to 1000 nodes comparing classical, quantum, and hybrid classical-quantum workflows. Our results reveal that although quantum annealing produces solutions comparable to classical heuristics, its potential advantages are significantly hindered by the embedding overhead required to map the densely connected cyber-risk QUBO onto the limited connectivity of current quantum hardware. By contrast, hybrid quantum-classical solvers avoid this bottleneck and therefore emerge as a promising option, combining competitive scaling with an improved ability to explore the solution space and identify more stable risk configurations. Overall, this work delivers two main advances. First, we present a rigorous, tunable, and generalizable mathematical model for cyber risk that can be adapted to diverse infrastructures and domains through flexible parameterization. Second, we provide the first comparative study of classical, quantum, and hybrid approaches for cyber risk scoring at scale, highlighting the emerging potential of hybrid quantum-classical methods for large-scale infrastructures.