Purdue University Graduate School
Making the Most of Limited Cybersecurity Budgets with AnyLogic Modeling.pdf (1.97 MB)

Making the Most of Limited Cybersecurity Budgets with AnyLogic Modeling

Download (1.97 MB)
posted on 2022-07-26, 03:06 authored by George Joseph HamiltonGeorge Joseph Hamilton

In an increasingly interconnected world, technology is now central to the operations of most businesses. In this environment, businesses of all sizes face an ever-growing threat from cyberattacks. Successful cyberattacks can result in data breaches, which may lead to financial loss, business interruptions, regulatory fines, and reputational damage. In 2021, the losses from cyber attacks in the United States were estimated at $6.9 Billion.

Confronting the threat of cyberattacks can be particularly challenging for small businesses, which must defend themselves using a smaller budget and less in-house talent while balancing the pursuit of growth. Risk assessments are one method for organizations to determine how to best use their cybersecurity budgets. However, for small businesses, a risk assessment may require a significant portion of the budget which could otherwise be used to implement cybersecurity controls.

This research builds on existing research from Lerums et al. for simulating a phishing attack to present a model that very small businesses may use in place of or as a precursor to a risk assessment. The updated model includes sensible default values for the cost and effectiveness of cybersecurity controls as well as the number of cyberattacks expected per year. Default values are based on academic literature, technical reports, and vendor estimates, but they may all be changed by organizations using the model. The updated model can also be tailored by non-technical users to reflect their network, relevant threat actors, and budget. Lastly, the updated model can output an optimized control set that yields the maximum annual net return and the single control with the greatest annual return on investment based on a user's inputs.

After construction, the updated model is tested on organizations with 5, 25, and 50 employees facing varied sets of threat actors and attacks per year. Key takeaways include the high net return of all security controls tested, benefits of defense-in-depth strategies for maximizing return across multiple attack types, and the role of threat actors in tempering high estimates of security control effectiveness.


All code and releases are open source and available from: https://github.com/gjhami/AttackSimulation.


Degree Type

  • Master of Science


  • Computer and Information Technology

Campus location

  • West Lafayette

Advisor/Supervisor/Committee Chair

J. Eric Dietz

Additional Committee Member 2

Baijian Yang

Additional Committee Member 3

Tahir Khan

Usage metrics



    Ref. manager