Publications & Reports

An Empirical Investigation of the Relationship between Local Government Budgets, IT Expenditures and Cyber Losses

Information technology (IT) is the key component of e-government infrastructures, but at the same time, it makes governments more exposed to cyber risk. In this study, we take an empirical approach to investigate cyber risk in the public sector. We describe the most common cyber threats facing local governments and build linear models to explain the relationships between cyber losses, local government budgets, and IT expenditures. We find that local governments are affected by cyber incidents more frequently, and disruption incidents that lead to the malfunction of e-government services are on the rise. In addition, the magnitude of cyber losses used to have a strong positive relationship with the affected governments’ budget size…

READ MORE: Kesan, J. P., & Zhang, L. 2019. An Empirical Investigation of the Relationship between Local Government Budgets, IT Expenditures and Cyber Losses. IEEE Transactions on Emerging Topics in Computing. 9(2), pp. 582-596.
Holistic Principle for Risk Aggregation and Capital Allocation

Risk aggregation and capital allocation are of paramount importance in business, as they play critical roles in pricing, risk management, project financing, performance management, regulatory supervision, etc. The state-of-the-art practice often includes two steps: (i) determine standalone capital requirements for individual business lines and aggregate them at a corporate level; and (ii) allocate the total capital back to individual lines of business or at more granular levels. There are three pitfalls in such a practice, namely, lack of consistency, neglect of the cost of capital, and disentanglement of allocated capitals from standalone capitals. In this paper, we introduce a holistic approach that aims to strike a balance between the competing interests of various stakeholders and the conflicting priorities in a corporate hierarchy. This paper is the foundation for the pre-incident and post-incident cyber risk capital allocation that is being developed in the vulnerability-threat cyber risk model framework.

READ MORE: Chong, W. F., Feng, R., and Jin, L. 2021. Holistic Principle for Risk Aggregation and Capital Allocation. Annals of Operations Research.
Cyber Risk Assessment for Capital Management

Cyber risk is an omnipresent risk in the increasingly digitized world that is known to be difficult to quantify and assess. Despite the fact that cyber risk shows distinct characteristics from conventional risks, most existing models in the insurance industry have been based on frequency-severity analysis, which was developed for classic property and casualty risks. In contrast, the cybersecurity engineering literature employs different approaches, under which cyber incidents are viewed as threats or hacker attacks acting on a particular set of vulnerabilities. There appears to be a gap in cyber risk modeling between the engineering and actuarial science literature. This paper presents a novel vulnerability-threat model to capture these unique dynamics of cyber risk and to predict loss distributions given a particular cybersecurity profile.

Using the proposed vulnerability-threat model, this paper further extends the novel holistic risk aggregation and capital allocation principle recently developed in [Chong, Feng, and Jin, 2020] by taking investment in cyberinfrastructure vulnerability into account. Such an extension answers the most frequently asked question in the industry regarding cyber risk: “Should we invest and allocate capital to protect us from cyber losses? If so, how much should it be?” By solving a single optimization problem that takes various conflicting objectives into consideration, the pre-incident capital for vulnerability and the post-incident capital for protecting assets are obtained.

DEVELOPING: Chong, W. F., Feng, R., Hu, Z., and Zhang, L. 2020. Cyber Risk Assessment for Capital Management.
Analysis of Cyber Incident Categories Based on Losses

The fact that “cyber risk” is indeed a collective term for various distinct risks creates great difficulty in communications. For example, policyholders of “cyber insurance” contracts often have a limited or inaccurate understanding of the coverage that they have. To address this issue, we propose a cyber risk categorization method using clustering techniques. This method classifies cyber incidents based on their consequential losses for insurance and risk management purposes. As a result, it also reveals the relationship between the causes and the outcomes of incidents. Our results show that similar cyber incidents, which are often not properly distinguished, can lead to very different losses. We hope that our work can clarify the differences between cyber risks and provide a set of risk categories that is feasible in practice and for future studies.

READ MORE: Kesan, J. P., & Zhang, L. 2020. Analysis of Cyber Incident Categories Based on Losses. ACM Transactions on Management Information Systems. 11(4), pp. 1-28.
Risk Sharing with Multiple Indemnity Environments

Optimal risk sharing arrangements have been substantially studied in the literature, from the aspects of generalizing objective functions, incorporating more business constraints, and investigating different optimality criteria. This paper proposes an industry-based set-up with multiple risk environments, with suitable application to cyber risk. We study the case where two agents are endowed with the Value-at-Risk or the Tail Value-at-Risk, or where both agents are risk-neutral but have heterogeneous beliefs regarding the underlying probability distribution. We show that layer-type indemnities, which may be environment-specific, are Pareto optimal. From Pareto optimality, we get that the premium can be chosen in a given interval, and we propose to allocate the gains from risk sharing equally between the buyer and seller. Following Kesan and Zhang (2020), the exogenous, mutually exclusive risks in this paper are cyber incident types. Instead of sharing the total cyber loss between the cyber insurance buyer and seller, this paper proposes that sharing cyber losses by cyber incident type is more effective and efficient. The Pareto optimal layer-type indemnities justify the deductibles and caps on coverage for various cyber incident types that are usually observed in practice.

READ MORE: Asimit, A. V., Boonen, T. J., Chi, Y., and Chong, W. F. 2021. Risk Sharing with Multiple Indemnity Environments. European Journal of Operational Research. 295(2), pp. 587-603.
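To make the layer-type, incident-specific indemnity concrete, the following is an added illustration (not code from Asimit et al. (2021) or from this group): each incident type gets its own layer, i.e. a deductible and a cap, the buyer's retained loss and the seller's ceded loss are computed scenario by scenario, and the two risk measures named in the abstract, Value-at-Risk and Tail Value-at-Risk, are evaluated on the empirical distribution. The incident types, layer parameters and the ten loss scenarios are constructed for the example and are not the paper's data; the aggregate single-layer contract is included only so the two designs can be compared on the same scenarios.

```python
"""Layer-type indemnities by cyber incident type, with empirical VaR / TVaR
of the buyer's retained loss and the seller's ceded loss.

Added illustration, not code from Asimit et al. (2021). Incident types,
layer parameters and loss scenarios below are constructed for this example.
"""
from dataclasses import dataclass
from math import ceil
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Layer:
    """Layer indemnity I(x) = min((x - deductible)^+, cap - deductible)."""
    deductible: float
    cap: float  # loss level above which the seller pays nothing more

    def __post_init__(self) -> None:
        if self.deductible < 0 or self.cap < self.deductible:
            raise ValueError("need 0 <= deductible <= cap")

    def indemnity(self, loss: float) -> float:
        return min(max(loss - self.deductible, 0.0), self.cap - self.deductible)


Scenario = Dict[str, float]  # incident type -> loss from that type in the scenario

# Constructed joint loss scenarios (thousand USD); not real incident data.
SCENARIOS: List[Scenario] = [
    {"data_breach":   0.0, "disruption":  20.0, "fraud":   0.0},
    {"data_breach":  50.0, "disruption":   0.0, "fraud":  10.0},
    {"data_breach": 120.0, "disruption":  35.0, "fraud":   0.0},
    {"data_breach":   0.0, "disruption":   0.0, "fraud":  80.0},
    {"data_breach": 400.0, "disruption":  60.0, "fraud":   5.0},
    {"data_breach":  15.0, "disruption": 150.0, "fraud":   0.0},
    {"data_breach":   0.0, "disruption":   0.0, "fraud":   0.0},
    {"data_breach": 900.0, "disruption":  10.0, "fraud":  40.0},
    {"data_breach":  30.0, "disruption": 300.0, "fraud":  25.0},
    {"data_breach":  70.0, "disruption":  45.0, "fraud": 200.0},
]

# Incident-specific layers (assumed values): one deductible/cap pair per type.
LAYERS: Dict[str, Layer] = {
    "data_breach": Layer(deductible=25.0, cap=500.0),
    "disruption":  Layer(deductible=10.0, cap=200.0),
    "fraud":       Layer(deductible=5.0,  cap=100.0),
}
# Conventional contract for comparison: a single layer on the total loss.
AGGREGATE_LAYER = Layer(deductible=40.0, cap=800.0)


def split_by_type(scenarios: Sequence[Scenario],
                  layers: Dict[str, Layer]) -> Tuple[List[float], List[float]]:
    """Incident-specific sharing: each type's layer is applied separately.
    Returns (retained, ceded) losses per scenario."""
    retained, ceded = [], []
    for s in scenarios:
        paid = sum(layers[t].indemnity(x) for t, x in s.items())
        total = sum(s.values())
        ceded.append(paid)
        retained.append(total - paid)
    return retained, ceded


def split_aggregate(scenarios: Sequence[Scenario],
                    layer: Layer) -> Tuple[List[float], List[float]]:
    """Total-loss sharing: one layer on the sum over all incident types."""
    retained, ceded = [], []
    for s in scenarios:
        total = sum(s.values())
        paid = layer.indemnity(total)
        ceded.append(paid)
        retained.append(total - paid)
    return retained, ceded


def value_at_risk(sample: Sequence[float], alpha: float) -> float:
    """Empirical VaR_alpha = inf{x : F_n(x) >= alpha}, the ceil(alpha*n)-th
    order statistic."""
    if not 0.0 <= alpha < 1.0:
        raise ValueError("alpha must lie in [0, 1)")
    xs = sorted(sample)
    n = len(xs)
    k = min(n, max(1, ceil(alpha * n)))
    return xs[k - 1]


def tail_value_at_risk(sample: Sequence[float], alpha: float) -> float:
    """Empirical TVaR_alpha = (1/(1-alpha)) * integral_alpha^1 VaR_u du,
    evaluated exactly for the step-function empirical quantile: the k-th order
    statistic carries weight (k/n - alpha), every higher one carries 1/n."""
    if not 0.0 <= alpha < 1.0:
        raise ValueError("alpha must lie in [0, 1)")
    xs = sorted(sample)
    n = len(xs)
    k = min(n, max(1, ceil(alpha * n)))
    partial = (k / n - alpha) * xs[k - 1] + sum(xs[k:]) / n
    return partial / (1.0 - alpha)


def summary(alpha: float = 0.9) -> Dict[str, Dict[str, float]]:
    """Risk measures of retained and ceded loss under both contract designs."""
    out = {}
    for name, (ret, ced) in {
        "by_type":   split_by_type(SCENARIOS, LAYERS),
        "aggregate": split_aggregate(SCENARIOS, AGGREGATE_LAYER),
    }.items():
        out[name] = {
            "mean_ceded": sum(ced) / len(ced),
            "retained_VaR": value_at_risk(ret, alpha),
            "retained_TVaR": tail_value_at_risk(ret, alpha),
            "ceded_TVaR": tail_value_at_risk(ced, alpha),
        }
    return out


if __name__ == "__main__":
    for design, measures in summary().items():
        print(design, {k: round(v, 2) for k, v in measures.items()})
```

The mean ceded loss is the lower end of the premium interval the abstract refers to for a risk-neutral seller; the retained VaR and TVaR are what a buyer endowed with those risk measures would compare across the two designs. With the constructed scenarios the aggregate layer happens to leave a smaller retained tail, which is exactly why the per-type deductibles and caps have to be chosen as an optimization rather than copied from the aggregate contract.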
Incident-Specific Cyber Insurance for Market Substantiality and Potential Growth

While the business world derives substantial benefits from the cyber era, the cyber risk that comes with such technological dependence, arising from any potential internal or external disturbance, should not be overlooked. Cyber insurance is deemed one of the most crucial risk mitigation strategies. In current market practice, most cyber insurance policies provide coverage only for particular types of cyber losses, without any scientific foundation. This paper explores the possibility of introducing incident-specific cyber insurance policies. Doing so requires a thorough cyber risk assessment, in terms of the multi-class classification problem for cyber incident type given incident characteristics, and conditional severity modeling. Extending Asimit et al. (2020), this paper provides a data-driven justification for offering such incident-specific cyber insurance contracts for the market's substantiality and potential growth.

DEVELOPING: Chong, W. F., Linders, D., Quan, Z., and Zhang, L. 2020. Incident-Specific Cyber Insurance for Market Substantiality and Potential Growth.
When Is A Cyber Incident Likely to Be Litigated and How Much Will It Cost? An Empirical Study

Numerous cyber incidents have shown that there are substantial legal risks associated with these events. However, empirical analysis of the legal aspects of cyber risk is largely missing in the existing literature. Based on a dataset of historical cyber incidents and cyber-related litigation cases, we provide one of the earliest quantitative studies on the likelihood of cyber incidents being litigated and the cost of settling a cyber-related case. Using regression models, we show that some company and incident characteristics play an important role in determining the litigation probability and settlement costs, and our models offer a useful explanation of these effects. Our findings show that the lack of Article III standing is commonplace in cyber-related cases and that relying solely on the common law system makes it difficult for victims of malicious data breaches to sue and receive legal remedies. In addition, we demonstrate that our findings have valuable implications for enterprise risk management in terms of how the legal risk associated with different types of cyber risk should be properly addressed.

READ MORE: Kesan, J. P., & Zhang, L. 2021. When Is A Cyber Incident Likely to Be Litigated and How Much Will It Cost? An Empirical Study. Connecticut Insurance Law Journal. Forthcoming.