Muriel Figueredo Franco,Fabian Künzler,Jan von der Assen,Chao Feng,Burkhard Stiller

2023-07-21

Abstract:Digitization increases business opportunities and the risk of companies being victims of devastating cyberattacks. Therefore, managing risk exposure and cybersecurity strategies is essential for digitized companies that want to survive in competitive markets. However, understanding company-specific risks and quantifying their associated costs is not trivial. Current approaches fail to provide individualized and quantitative monetary estimations of cybersecurity impacts. Due to limited resources and technical expertise, SMEs and even large companies are affected and struggle to quantify their cyberattack exposure. Therefore, novel approaches must be placed to support the understanding of the financial loss due to cyberattacks. This article introduces the Real Cyber Value at Risk (RCVaR), an economical approach for estimating cybersecurity costs using real-world information from public cybersecurity reports. RCVaR identifies the most significant cyber risk factors from various sources and combines their quantitative results to estimate specific cyberattacks costs for companies. Furthermore, RCVaR extends current methods to achieve cost and risk estimations based on historical real-world data instead of only probability-based simulations. The evaluation of the approach on unseen data shows the accuracy and efficiency of the RCVaR in predicting and managing cyber risks. Thus, it shows that the RCVaR is a valuable addition to cybersecurity planning and risk management processes.

Cryptography and Security,Computers and Society,Information Retrieval

Raisa Dzhamtyrova,Carsten Maple

DOI: https://doi.org/10.1007/s10618-021-00814-z

Abstract:The increasing value of data held in enterprises makes it an attractive target to attackers. The increasing likelihood and impact of a cyber attack have highlighted the importance of effective cyber risk estimation. We propose two methods for modelling Value-at-Risk (VaR) which can be used for any time-series data. The first approach is based on Quantile Autoregression (QAR), which can estimate VaR for different quantiles, i. e. confidence levels. The second method, we term Competitive Quantile Autoregression (CQAR), dynamically re-estimates cyber risk as soon as new data becomes available. This method provides a theoretical guarantee that it asymptotically performs as well as any QAR at any time point in the future. We show that these methods can predict the size and inter-arrival time of cyber hacking breaches by running coverage tests. The proposed approaches allow to model a separate stochastic process for each significance level and therefore provide more flexibility compared to previously proposed techniques. We provide a fully reproducible code used for conducting the experiments.

Muriel Figueredo Franco,Aiatur Rahaman Mullick,Santosh Jha

2024-05-06

Abstract:Quantifying cyber risks is essential for organizations to grasp their vulnerability to threats and make informed decisions. However, current approaches still need to work on blending economic viewpoints to provide insightful analysis. To bridge this gap, we introduce QBER approach to offer decision-makers measurable risk metrics. The QBER evaluates losses from cyberattacks, performs detailed risk analyses based on existing cybersecurity measures, and provides thorough cost assessments. Our contributions involve outlining cyberattack probabilities and risks, identifying Technical, Economic, and Legal (TEL) impacts, creating a model to gauge impacts, suggesting risk mitigation strategies, and examining trends and challenges in implementing widespread Cyber Risk Quantification (CRQ). The QBER approach serves as a guided approach for organizations to assess risks and strategically invest in cybersecurity.

Cryptography and Security,Computational Engineering, Finance, and Science

Frank Cremer,Barry Sheehan,Michael Fortmann,Arash N Kia,Martin Mullins,Finbarr Murphy,Stefan Materne

DOI: https://doi.org/10.1057/s41288-022-00266-6

Abstract:Cybercrime is estimated to have cost the global economy just under USD 1 trillion in 2020, indicating an increase of more than 50% since 2018. With the average cyber insurance claim rising from USD 145,000 in 2019 to USD 359,000 in 2020, there is a growing necessity for better cyber information sources, standardised databases, mandatory reporting and public awareness. This research analyses the extant academic and industry literature on cybersecurity and cyber risk management with a particular focus on data availability. From a preliminary search resulting in 5219 cyber peer-reviewed studies, the application of the systematic methodology resulted in 79 unique datasets. We posit that the lack of available data on cyber risk poses a serious problem for stakeholders seeking to tackle this issue. In particular, we identify a lacuna in open databases that undermine collective endeavours to better manage this set of risks. The resulting data evaluation and categorisation will support cybersecurity researchers and the insurance industry in their efforts to comprehend, metricise and manage cyber risks. Supplementary information: The online version contains supplementary material available at 10.1057/s41288-022-00266-6.

Farshid Javadnejad,Ahmed M. Abdelmagid,Cesar A. Pinto,Michael Mcshane,Rafael Diaz

DOI: https://doi.org/10.1080/17517575.2024.2369952

2024-06-25

Enterprise Information Systems

Abstract:This study comprehensively assesses ransomware/malware risks using the Advisen cyber loss dataset. It classifies malware types by frequency and financial impact, revealing that low-frequency attacks can cause significant economic damage. Some malware types incur extensive losses despite their rarity. The analysis highlights cybersecurity technologies like AI-based tools and Zero Trust Architecture (ZTA) for combating attacks. Large organizations and small businesses can adopt these defensive approaches across various industries. The study underscores the need for robust cybersecurity measures to prevent or mitigate future attacks, offering valuable insights into malware and ransomware patterns and trends, stressing adherence to frameworks, policies, and regulations.

computer science, information systems

Jan von der Assen,Muriel F. Franco,Muyao Dong,Burkhard Stiller

DOI: https://doi.org/10.48550/arXiv.2402.14140

2024-02-22

Abstract:Threat modeling has emerged as a key process for understanding relevant threats within businesses. However, understanding the importance of threat events is rarely driven by the business incorporating the system. Furthermore, prioritization of threat events often occurs based on abstract and qualitative scoring. While such scores enable prioritization, they do not allow the results to be easily interpreted by decision-makers. This can hinder downstream activities, such as discussing security investments and a security control's economic applicability. This article introduces QuantTM, an approach that incorporates views from operational and strategic business representatives to collect threat information during the threat modeling process to measure potential financial loss incurred by a specific threat event. It empowers the analysis of threats' impacts and the applicability of security controls, thus supporting the threat analysis and prioritization from an economic perspective. QuantTM comprises an overarching process for data collection and aggregation and a method for business impact analysis. The performance and feasibility of the QuantTM approach are demonstrated in a real-world case study conducted in a Swiss SME to analyze the impacts of threats and economic benefits of security controls. Secondly, it is shown that employing business impact analysis is feasible and that the supporting prototype exhibits great usability.

Cryptography and Security

Alberto Redondo,Alberto Torres-Barrán,David Ríos Insua,Jordi Domingo

DOI: https://doi.org/10.48550/arXiv.1911.11652

IF: 5.414

2019-11-26

Machine Learning

Abstract:Risk assessment is a major challenge for supply chain managers, as it potentially affects business factors such as service costs, supplier competition and customer expectations. The increasing interconnectivity between organisations has put into focus methods for supply chain cyber risk management. We introduce a general approach to support such activity taking into account various techniques of attacking an organisation and its suppliers, as well as the impacts of such attacks. Since data is lacking in many respects, we use structured expert judgment methods to facilitate its implementation. We couple a family of forecasting models to enrich risk monitoring. The approach may be used to set up risk alarms, negotiate service level agreements, rank suppliers and identify insurance needs, among other management possibilities.

Daniel Celeny,Loïc Maréchal,Evgueni Rousselot,Alain Mermoud,Mathias Humbert

2024-02-07

Abstract:Along with the increasing frequency and severity of cyber incidents, understanding their economic implications is paramount. In this context, listed firms' reactions to cyber incidents are compelling to study since they (i) are a good proxy to estimate the costs borne by other organizations, (ii) have a critical position in the economy, and (iii) have their financial information publicly available. We extract listed firms' cyber incident dates and characteristics from newswire headlines. We use an event study over 2012--2022, using a three-day window around events and standard benchmarks. We find that the magnitude of abnormal returns around cyber incidents is on par with previous studies using newswire or alternative data to identify cyber incidents. Conversely, as we adjust the standard errors accounting for event-induced variance and residual cross-correlation, we find that the previously claimed significance of abnormal returns vanishes. Given these results, we run a horse race of specifications, in which we test for the marginal effects of type of cyber incidents, target firm sector, periods, and their interactions. Data breaches are the most detrimental incident type with an average loss of -1.3\% or (USD -1.9 billion) over the last decade. The health sector is the most sensitive to cyber incidents, with an average loss of -5.21\% (or USD -1.2 billion), and even more so when these are data breaches. Instead, we cannot show any time-varying effect of cyber incidents or a specific effect of the type of news as had previously been advocated.

General Finance

S. Meng,W. Schmitz,Bo Hu,F. Schultmann,S. Pickl,M. Wiens

Abstract:study RiKoV deals with mitigating risks of a terrorist attack against the German public railway system. The research method and first results will be presented and discussed in this paper. In the project, a scenario-based risk assessment method was developed tailored to intelligent, rationally acting attackers. We consider risk as a function of the system’s vulnerability, the threat to the system, and the consequences of an attack. In particular, we apply three complementary ways to deal with the problem of fundamental uncertainty with respect to the terrorists’ motivation. In a first approach, the input parameters “intention” and “capability” are regarded as fuzzy parameters which are measured in qualitative categories. The second approach is the derivation of optimal rules in a multi-criteria framework for decisions under uncertainty. Finally, we complement our elaborated risk analysis with game-theoretic arguments.

Political Science,Business,Engineering

Taylor Reynolds,Sarah Scheffler,Daniel J. Weitzner,Angelina Wu

2024-02-07

Abstract:There are two strategic and longstanding questions about cyber risk that organizations largely have been unable to answer: What is an organization's estimated risk exposure and how does its security compare with peers? Answering both requires industry-wide data on security posture, incidents, and losses that, until recently, have been too sensitive for organizations to share. Now, privacy enhancing technologies (PETs) such as cryptographic computing can enable the secure computation of aggregate cyber risk metrics from a peer group of organizations while leaving sensitive input data undisclosed. As these new aggregate data become available, analysts need ways to integrate them into cyber risk models that can produce more reliable risk assessments and allow comparison to a peer group. This paper proposes a new framework for benchmarking cyber posture against peers and estimating cyber risk within specific economic sectors using the new variables emerging from secure computations. We introduce a new top-line variable called the Defense Gap Index representing the weighted security gap between an organization and its peers that can be used to forecast an organization's own security risk based on historical industry data. We apply this approach in a specific sector using data collected from 25 large firms, in partnership with an industry ISAO, to build an industry risk model and provide tools back to participants to estimate their own risk exposure and privately compare their security posture with their peers.

Cryptography and Security,Computers and Society,General Economics,Applications

Edmir Xhoxhi,Vincent Albert Wolff

2024-04-23

Abstract:According to the World Health Organization, the involvement of Vulnerable Road Users (VRUs) in traffic accidents remains a significant concern, with VRUs accounting for over half of traffic fatalities. The increase of automation and connectivity levels of vehicles has still an uncertain impact on VRU safety. By deploying the Collective Perception Service (CPS), vehicles can include information about VRUs in Vehicle-to-Everything (V2X) messages, thus raising the general perception of the environment. Although an increased awareness is considered positive, one could argue that the awareness ratio, the metric used to measure perception, is only implicitly connected to the VRUs' safety. This paper introduces a tailored metric, the Risk Factor (RF), to measure the risk level for the interactions between Connected Automated Vehicles (CAVs) and VRUs. By evaluating the RF, we assess the impact of V2X communication on VRU risk mitigation. Our results show that high V2X penetration rates can reduce mean risk, quantified by our proposed metric, by up to 44%. Although the median risk value shows a significant decrease, suggesting a reduction in overall risk, the distribution of risk values reveals that CPS's mitigation effectiveness is overestimated, which is indicated by the divergence between RF and awareness ratio. Additionally, by analyzing a real-world traffic dataset, we pinpoint high-risk locations within a scenario, identifying areas near intersections and behind parked cars as especially dangerous. Our methodology can be ported and applied to other scenarios in order to identify high-risk areas. We value the proposed RF as an insightful metric for quantifying VRU safety in a highly automated and connected environment.

Networking and Internet Architecture

Matteo Malavasi,Gareth W. Peters,Pavel V. Shevchenko,Stefan Trück,Jiwook Jang,Georgy Sofronov

DOI: https://doi.org/10.1016/j.insmatheco.2022.05.003

2022-09-01

Insurance: Mathematics and Economics

Abstract:In this study an exploration of insurance risk transfer is undertaken for the cyber insurance industry in the United States of America, based on the leading industry dataset of cyber events provided by Advisen. We seek to address two core unresolved questions. First, what factors are the most significant covariates that may explain the frequency and severity of cyber loss events and are they heterogeneous over cyber risk categories? Second, is cyber risk insurable in regards to the required premiums, risk pool sizes and how would this decision vary with the insured companies industry sector and size? We address these questions through a combination of regression models based on the class of Generalized Additive Models for Location Shape and Scale (GAMLSS) and a class of ordinal regressions. These models will then form the basis for our analysis of frequency and severity of cyber risk loss processes. We investigate the viability of insurance for cyber risk using a utility modeling framework with premiums calculated by classical certainty equivalence analysis utilizing the developed regression models. Our results provide several new key insights into the nature of insurability of cyber risk and rigorously address the two insurance questions posed in a real data driven case study analysis.

English Else

Lampis Alevizos,Vinh-Thong Ta

2024-09-06

Abstract:In the dynamic cyber threat landscape, effective decision-making under uncertainty is crucial for maintaining robust information security. This paper introduces the Cyber Resilience Index (CRI), a threat-informed probabilistic approach to quantifying an organisation's defence effectiveness against cyber-attacks (campaigns). Building upon the Threat-Intelligence Based Security Assessment (TIBSA) methodology, we present a mathematical model that translates complex threat intelligence into an actionable, unified metric similar to a stock market index, that executives can understand and interact with while teams can act upon. Our method leverages Partially Observable Markov Decision Processes (POMDPs) to simulate attacker behaviour considering real-world uncertainties and the latest threat actor tactics, techniques, and procedures (TTPs). This allows for dynamic, context-aware evaluation of an organization's security posture, moving beyond static compliance-based assessments. As a result, decision-makers are equipped with a single metric of cyber resilience that bridges the gap between quantitative and qualitative assessments, enabling data-driven resource allocation and strategic planning. This can ultimately lead to more informed decision-making, mitigate under or overspending, and assist in resource allocation.

Cryptography and Security

Martin Eling,Werner Schnell

DOI: https://doi.org/10.1080/10920277.2019.1641416

2019-10-30

North American Actuarial Journal

Abstract:Cyber risk is becoming more significant for insurance companies in both underwriting and operational risk terms, but the characteristics of cyber risk are still not yet well understood. We contribute to the literature by analyzing the role of cyber risk in insurance regulation frameworks. The aggregated cyber risk exposure of an insurer is estimated by fitting different marginal distributions and dependence models to historical cyber losses. This aggregated cyber exposure allows us to derive the insurer's survival probability and compare it with the goals of regulatory frameworks, such as the U.S. Risk Based Capital (RBC) or Solvency II (SII). Our findings indicate that regulatory models underestimate the potential risks associated with cyber threats. This is especially true for small cyber insurance portfolios, which are predominant in practice today. Regulatory models should be adapted to account for the heavy tails and dependence structure specific to cyber risks, instead of assuming "one size fits all."

English Else

Chiara Crovini,Pier Luigi Marchini

DOI: https://doi.org/10.3280/fr2023-001004

2023-07-01

FINANCIAL REPORTING

Abstract:Purpose: This article focuses on cyber risk as an emerging issue within the risk management process and the internal control system in the financial sector. It in-vestigates whether cyber risk management (CRM) is (dis)integrated into traditional enterprise risk management (ERM) and analyzes the external dynamics affecting the CRM design. Design/methodology/approach: This article draws upon institutional theory and the concept of boundary objects. The research examines a listed Italian bank and gathers the data from semi-structured interviews, direct observations, meet-ings, and archival sources. Findings: The findings underline that cyber risk rationale plays a crucial role in the CRM process. The interplay between institutional complexity and the need to manage cyber risk is critical for a bank to have a stable and flexible infrastructure. The knowledge boundaries related to the cyber risk culture require further cyber risk talk. Originality/value: This research furthers the understanding of cyber risk and CRM as an integral part of the ERM and internal control systems in the financial sector, in which there is a shortage of case studies. The financial sector is highly regulated, and managing cyber risk has become crucial as banks usually deal with enormous amounts of personal and sensitive data stored on networks and in the cloud. Practical implications: This case study emphasizes the crucial role of CRM in the identification and reporting of cyber risk information in annual reports.

D.A. Kurmanova,D.R. Sultangareev,L.R. Khabibullina,,,

DOI: https://doi.org/10.17122/2541-8904-2020-2-32-82-91

2020-01-01

Bulletin USPTU Science education economy Series economy

Abstract:Cyber incidents continue to move up in the rating of possible threats and occupy the second position in the ranking of risks in the activities of companies (40 %). Five years ago, they were on the fifteenth line. Like a natural disaster or pandemic, a cyber attack can have a negative impact on hundreds of companies, and the number of such incidents is growing. So-called "cyber incidents",when hackers interfere with the activities of a large number of companies, using the dependencies of their shared Internet infrastructure, occur more often. This reflects the fact that today's world of risk management is more volatile than ever. At the same time, with the upcoming entry into force of the General data protection regulation (GDPR), which has been in effect throughout Europe since may 2018, the prospects of imposing more and larger fines on companies that do not comply with it have already become real. Actions taken by the company in light of a data integrity violation directly affect the final cost of such a violation. Reputational damage is inevitable if the response to a cyber incident is inadequate. New risks require new tools to respond to their potential impacts and mitigate them. This article discusses the possible risks of financial technologies, draws attention to cyber threats, the frequency of which is increasing, and offers a model for identifying and evaluating cyber risks.

Zhengming Li,Jianxi Su,Maochao Xu,Jimmy Yuen

2024-08-30

Abstract:The remarkable growth of digital assets, starting from the inception of Bitcoin in 2009 into a 1 trillion market in 2024, underscores the momentum behind disruptive technologies and the global appetite for digital assets. This paper develops a framework to enhance actuaries' understanding of the cyber risks associated with the developing digital asset ecosystem, as well as their measurement methods in the context of digital asset insurance. By integrating actuarial perspectives, we aim to enhance understanding and modeling of cyber risks at both the micro and systemic levels. The qualitative examination sheds light on blockchain technology and its associated risks, while our quantitative framework offers a rigorous approach to modeling cyber risks in digital asset insurance portfolios. This multifaceted approach serves three primary objectives: i) offer a clear and accessible education on the evolving digital asset ecosystem and the diverse spectrum of cyber risks it entails; ii) develop a scientifically rigorous framework for quantifying cyber risks in the digital asset ecosystem; iii) provide practical applications, including pricing strategies and tail risk management. Particularly, we develop frequency-severity models based on real loss data for pricing cyber risks in digit assets and utilize Monte Carlo simulation to estimate the tail risks, offering practical insights for risk management strategies. As digital assets continue to reshape finance, our work serves as a foundational step towards safeguarding the integrity and stability of this rapidly evolving landscape.

Applications,Computational Engineering, Finance, and Science

Qiwei Zhang,Fangxing Li

DOI: https://doi.org/10.1109/tsg.2021.3066398

IF: 10.275

2021-07-01

IEEE Transactions on Smart Grid

Abstract:With the rapid advancement and integration of communication and sensor technologies, power system operation is becoming more vulnerable to cyberattacks, particularly attacks in which malicious data could induce catastrophic consequences on market operations. Financial risks, as well as the potential physical damages, raise growing concerns about the reliable operation of the electricity market. Existing market-targeting cybersecurity research has focused on developing attack strategies or detection schemes. However, the lack of cyber-vulnerability analysis (CVA) hinders operators from systematically evaluating the real-time (RT) market-clearing model and identifying potential threats from a cybersecurity perspective. This article proposes a comprehensive CVA model for delivering a detailed analysis of four aspects of vulnerability: highly probable cyberattack targets, devastating attack targets, risky load levels, and mitigation ability under different degrees of defense. Users can simulate interactions between attackers and defending operators under different attack events, and the corresponding market settlements are also obtained. The proposed bilevel model is recast into mixed-integer linear programming through Karush–Kuhn–Tucker (KKT) conditions. A simulation study on an IEEE-30 bus system demonstrates the accuracy and effectiveness of the proposed CVA model.

engineering, electrical & electronic

Michail Smyrlis,Evangelos Floros,Ioannis Basdekis,Dumitru-Bogdan Prelipcean,Aristeidis Sotiropoulos,Herve Debar,Apostolis Zarras,George Spanoudakis

DOI: https://doi.org/10.1007/s10207-024-00820-4

2024-03-03

International Journal of Information Security

Abstract:Recent cyber-attacks targeting healthcare organizations underscore the growing prevalence of the sector as a prime target for malicious activities. As healthcare systems manage and store sensitive personal health information, the imperative for robust cyber security and privacy protocols becomes increasingly evident. Consequently, healthcare institutions are compelled to actively address the intricate cyber security risks inherent in their digital ecosystems. In response, we present RAMA, a risk assessment solution designed to evaluate the security status of cyber systems within critical domain, such as the healthcare one. By leveraging RAMA, both local stakeholders, such as the hospital's IT personnel, and global actors, including external parties, can assess their organization's cyber risk profile. Notably, RAMA goes beyond risk quantification; it facilitates a comparative analysis by enabling organizations to measure their performance against average aggregated mean scores, fostering a culture of continuous improvement in cyber security practices. The practical efficacy of RAMA is demonstrated through its deployment across four real-world healthcare IT infrastructures. This study not only underscores the significance of addressing cyber security risks within healthcare but also highlights the value of innovative solutions like RAMA in safeguarding sensitive health information and enhancing the sector's overall cyber resilience.

computer science, information systems, theory & methods, software engineering

Kwangmin Jung,Chanjin Kim,Jiyeon Yun

DOI: https://doi.org/10.1057/s41288-024-00326-z

2024-05-23

The Geneva Papers on Risk and Insurance Issues and Practice

Abstract:We examine how corporate risk management can be used to address a firm's vulnerability to cyber risk. We use a large, novel dataset on cyber risk and corporate risk management to analyse US insurers' cyber loss events during the period of 2000–2021. Our analysis includes information on whether insurers have implemented an enterprise risk management (ERM) programme and whether they report applying cyber risk management (CRM). The results illustrate that the implementation of CRM measures may have no significant effect on cyber risk mitigation. However, we determine that the likelihood (frequency) of a cyber loss event decreases by 3.9% (6.8%) as ERM programmes mature year on year. We also find that an insurer can benefit from implementing both CRM and ERM through a lowered event likelihood (frequency) of 3.8 percentage points on average (3.7 percentage points) per year compared to solely implementing an ERM programme.

business, finance