Threat-Vulnerability Model for Cyber Risk Assessment

Cyber risk is an omnipresent risk in the increasingly digitized world that is known to be difficult to quantify and assess. Even though cyber risk shows distinct characteristics from conventional risks, most existing models in the insurance industry have been based on frequency-severity analysis which was developed for classic property and casualty risks. In contrast, the cybersecurity engineering literature employs different approaches under which cyber incidents are viewed as threats or hacker attacks acting on a particular set of vulnerabilities. There appears a gap in cyber risk modeling between engineering and actuarial science literature. This paper presents a novel vulnerability-threat model to capture these unique dynamics of cyber risk and to predict loss distributions given a particular cybersecurity profile.

By the vulnerability-threat model being proposed, this paper further extends the novel holistic risk aggregation and capital allocation principle recently developed in [Chong, Feng, and Jin, 2020], by taking the cyberinfrastructure vulnerability investment into account. Such an extension answers the most frequently asked question in the industry regarding cyber risk. “Should we invest and allocate capital to protect us from cyber losses? If so, how much should it be?” Via solving a single optimization problem, which considers various conflicting objectives, the pre-incident capital for vulnerability and post-incident capital for protecting assets are obtained.

Analysis of Cyber Incident Categories Based on Losses

We proposed to categorize cyber risks based on their consequential loss types, such as damage to physical assets, civil penalties, legal costs. By reviewing several representative legal cases and studies on cyber insurance coverage, we argued that distinguishing those loss types is important under the insurance context. In addition, we studied the distributions of the occurrences of various loss types as well as their interdependence. We found that there are different dependence structures between losses of different types, which can possibly affect insurers’ assessment of their own risk exposures. 

Based on our findings, we make recommendations to different stakeholders. For prospective cyber insurance buyers and current policyholders, it is important to understand the loss types associated with different cyber risks, in the sense that they will affect the acceptance or denial of claims regarding specific coverages. For insurers, as aforementioned, they could review their current practices to see if the risk of correlated occurrences of risk types is properly priced. For insurance industry leaders and policymakers, our study provides some guidelines on how to distinguish different types of cyber risks, which can be helpful for creating a standard terminology of cyber risk and cyber insurance and raising public awareness. We also suggested that there could be public/private collaborations on both information and risk-sharing. To summarize, this work is helpful for businesses and insurers to improve risk assessment, and it also gives advice on improving the cyber risk literacy of the public at the policy level.

This paper has been accepted by the journal ACM Transactions on Management Information Systems (TMIS) and is forthcoming.

Incident-Specific Cyber Insurance for Market Substantiality and Potential Growth

While the business world takes substantial benefits in this cyber era, the cyber risk associated with such a technological dependence due to any potential internal and external disturbance should not be overlooked. Cyber insurance is deemed one of the most crucial risk mitigation strategies. In the current market practice, most of the cyber insurance policies solely provide coverages for particular types of cyber losses, without any scientific foundation. This project explores the possibility of introducing incident-specific cyber insurance policies. In order to do so, a thorough cyber risk assessment is necessary, in terms of the multi-class classification problem for cyber incident type given incident characteristics, and conditional severity modeling.

Following  Kesan and Zhang (2020), cyber incident types are treated as exogeneous mutually exclusive risks in this project. For the multi-class classification problem, we will explore most of the commonly used machine learning models, including but not limited to SVM, neural network, KNN, decision tree, random forest, and Naive Bayes, and the goal is to make good estimations on the probabilities of different incident types. With the estimated probabilities and conditional loss distributions, we can further study the problem of designing optimal cyber insurance contracts based on the idea proposed in Asimit et al. (2020).

This paper provides a data-driven justification for providing such incident-specific cyber insurance contracts for the market substantiality and potential growth.