What problem does this paper attempt to address?

The main problems that this paper attempts to solve are two major challenges in current network risk management: **cybersecurity assessment** and **capital allocation**. Specifically: 1. **Difficulties in Cybersecurity Assessment**: - There is a lack of comprehensive quantitative tools to assess cybersecurity risks. Although there have been many efforts to quantify certain aspects of cybersecurity risks, such as the impact of data breaches, network systems contain multiple types of physical and virtual components, which may have very different risk exposures. In order to guide enterprises' decision - making regarding cybersecurity management, a comprehensive and quantitative risk assessment method is required, but such a tool is lacking in the current literature. - The adaptive nature of network risks. Network risks are dynamic, and adversaries in cyberspace are constantly developing new strategies and attack means to overcome or bypass existing defense mechanisms. Therefore, an ideal cybersecurity assessment framework must consider both internal factors (such as security measures) and external factors (such as popular attack techniques), and the latter are often overlooked in many existing risk assessment methods. - Related losses. Due to the interconnectivity of cyberspace, network risks are correlated. A single cybersecurity event may lead to multiple failure points, and each failure point may lead to losses. The dependencies between these losses may not be obvious and are easily overlooked by risk managers. 2. **Difficulties in Capital Allocation**: - When enterprises conduct cybersecurity management, they need to prioritize and combine different risk management tools, including risk reduction, transfer, and retention, which further leads to purchase decisions in the implementation stage of the risk management plan. In order to reduce network risks, companies should implement cybersecurity controls, which usually involve purchasing cybersecurity solutions and hiring security experts. In order to transfer the reduced risks, companies should consider purchasing cyber - insurance coverage for specific disasters and losses. In order to retain the reduced but uncovered risks, companies need to establish contingency funds to mitigate the impact of events and ensure business continuity. These risk management options all incur costs, but the capital available for managing network risks is usually limited. Therefore, developing a cost - effective capital allocation strategy to effectively manage network risks is a complex task for enterprises. In order to address the above challenges, the paper proposes a **two - pillar network risk management framework**: - The first pillar is **cybersecurity assessment**, which combines the frequency - severity model in the insurance field and the cascading model in the cybersecurity field to capture the unique characteristics of network risks. - The second pillar is **network capital management**, which provides decision - making information on balancing cybersecurity management strategies, including cybersecurity investment, insurance coverage, and reserves. Through case studies, this framework demonstrates the importance of comprehensive cost - benefit analysis for budget - constrained companies under competing goals. Sensitivity analysis also shows that the optimal strategy depends on multiple factors, such as the amount of cybersecurity investment and the effectiveness of cybersecurity controls.