Assessing cyber risk in complex IT infrastructures poses significant challenges due to the dynamic, interconnected nature of digital systems. Traditional methods often fall short, relying on static and largely qualitative models that do not scale with system complexity and fail to capture systemic interdependencies. In this work, we introduce a novel quantitative approach to cyber risk assessment based on Quadratic Unconstrained Binary Optimization (QUBO), a formulation compatible with both classical computing and quantum annealing. We demonstrate the capabilities of our approach using a realistic 255-nodes layered infrastructure, showing how risk spreads in non-trivial patterns that are difficult to identify through visual inspection alone. To assess scalability, we further conduct extensive experiments on networks up to 1000 nodes comparing classical, quantum, and hybrid classical-quantum workflows. Our results reveal that although quantum annealing produces solutions comparable to classical heuristics, its potential advantages are significantly hindered by the embedding overhead required to map the densely connected cyber-risk QUBO onto the limited connectivity of current quantum hardware. By contrast, hybrid quantum-classical solvers avoid this bottleneck and therefore emerge as a promising option, combining competitive scaling with an improved ability to explore the solution space and identify more stable risk configurations. Overall, this work delivers two main advances. First, we present a rigorous, tunable, and generalizable mathematical model for cyber risk that can be adapted to diverse infrastructures and domains through flexible parameterization. Second, we provide the first comparative study of classical, quantum, and hybrid approaches for cyber risk scoring at scale, highlighting the emerging potential of hybrid quantum-classical methods for large-scale infrastructures.

翻译：评估复杂IT基础设施中的网络安全风险，由于数字系统的动态性和互联性而面临重大挑战。传统方法往往存在不足，它们依赖静态且主要定性的模型，这些模型无法随系统复杂性扩展，也难以捕捉系统性相互依赖关系。在本工作中，我们提出一种基于二次无约束二元优化（QUBO）的网络安全风险定量评估新方法，该形式化表达同时兼容经典计算和量子退火。我们通过一个包含255个节点的真实分层式基础设施展示了该方法的能力，揭示了风险以难以通过肉眼检查识别的非平凡模式蔓延。为评估可扩展性，我们进一步在多达1000个节点的网络上开展广泛实验，比较了经典、量子以及混合经典-量子工作流程。结果表明，尽管量子退火产生的解与经典启发式方法相当，但其潜在优势因嵌入开销而显著受限——这种开销源于将紧密耦合的网络安全风险QUBO映射到当前量子硬件有限连接性的需求。相比之下，混合量子-经典求解器避免了这一瓶颈，因此成为一种有前景的选择，既具备与经典方法相当的可扩展性，又增强了解空间探索能力，能够识别更稳定的风险配置。总体而言，本工作取得两项主要进展。首先，我们提出一个严谨、可调且可推广的网络安全风险数学模型，通过灵活的参数化可适用于不同基础设施和领域。其次，我们首次开展了面向大规模网络安全风险评分的经典、量子及混合方法的比较研究，凸显了混合量子-经典方法在大规模基础设施中的新兴潜力。