Insights: Modelling and Management of Cyber Risk

This summary is based entirely on the research paper by Martin Eling & Jan Hendrik Wirfs.

I read the paper and summarized it, and you’ll find examples with YouTube videos (wherever possible) to make sure the approaches they have used are understandable to everyone. The paper contains a total of 24 pages, which you can download from here. I have just provided a summary of the beginning and not the appendix. If you have an interest, and you probably should, discuss it in the Cyber Insurance forums.

Aim

The aim of the paper is to test whether models which prove to be useful for operational risk can also be applied to an analysis of cyber risk or whether other tools are needed. We are interested in the question whether cyber risks are structurally identical to other operational risks or exhibit distinct characteristics. Our results show that human behavior is the main source of cyber risk and that cyber risks are very different compared to other operational risk from an actuarial point of view.

For the academic audience we present effective and contemporary modeling and solution approaches for the novel application area of cyber risk.

Problems:

1. Information on cyber risk is not publicly available

2. Absence of a clear-cut definition

Cyber risk is defined as “operational risks to information and technology assets that have consequences affecting the confidentiality, availability or integrity of information or information systems”.

Having defined cyber risk as a subgroup of operational risk, we use the world’s largest collection of publicly reported operational losses – the SAS OpRisk Global data – and extract cyber risk events using the search and identification strategy described in Appendix 1. The database consists of 30’173 observations between March 1971 and March 2014. All losses are given in USD and adjusted for inflation to make them comparable.

Approaches

To analyze the statistical properties of cyber risk and to identify the model that describes the data best we use the standard toolbox from actuarial science. After presenting descriptive statistics, we fit the cyber loss data using extreme value theory. In particular, we implement the loss distribution approach (e.g., peak-over-threshold method), which is standard in modelling operational risk. We also present an extended version of this approach where the loss data depends on covariates (following Chavez-Demoulin, Embrechts, and Hofert, 2013) and fit the loss data to various other distributions which have proven to be useful for actuarial loss analysis (e.g., the g-and-h family of distributions, the Generalized Beta distribution of the second kind, and skewed distributions; see, e.g., Dutta and Perry, 2007, and Eling, 2012). To identify the model that works best, we apply standard goodness of fit tests and also more tailored tests for the advanced measurement approaches.
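The peak-over-threshold step described above, as an added example that is not taken from the paper or the original post: losses above a threshold are fitted with a generalized Pareto distribution (GPD) and the fit is used to estimate a high loss quantile. The loss sample, the threshold of 10 (USD millions), the GPD parameters and the probability-weighted-moments estimator are all assumptions chosen for illustration.

```python
"""Peaks-over-threshold (POT) tail fit on constructed loss data (stdlib only)."""


def gpd_quantile(p, xi, beta):
    """Quantile of the generalized Pareto distribution (GPD), for xi != 0."""
    return beta / xi * ((1.0 - p) ** (-xi) - 1.0)


def fit_gpd_pwm(excesses):
    """Fit GPD shape xi and scale beta by probability-weighted moments (PWM).

    PWM (Hosking and Wallis) is the estimator chosen for this example; it
    needs xi < 1 and is not necessarily the estimator used in the paper.
    """
    y = sorted(excesses)
    n = len(y)
    a0 = sum(y) / n  # estimates E[Y]
    # Estimates E[Y * (1 - F(Y))]: the smallest excess gets weight close to 1.
    a1 = sum(v * (n - i) / (n - 1) for i, v in enumerate(y, 1)) / n
    xi = 2.0 - a0 / (a0 - 2.0 * a1)
    beta = 2.0 * a0 * a1 / (a0 - 2.0 * a1)
    return xi, beta


def pot_var(losses, threshold, p):
    """Estimate the p-quantile (Value-at-Risk) of losses from the fitted tail."""
    excesses = [x - threshold for x in losses if x > threshold]
    xi, beta = fit_gpd_pwm(excesses)
    tail_fraction = len(excesses) / len(losses)  # empirical P(loss > threshold)
    # Tail model: P(X > x) = tail_fraction * (1 + xi * (x - u) / beta) ** (-1 / xi)
    var = threshold + beta / xi * (((1.0 - p) / tail_fraction) ** (-xi) - 1.0)
    return var, xi, beta


def constructed_losses(n_body=1800, n_tail=200, u=10.0, xi=0.3, beta=2.0):
    """Constructed sample (USD millions): even body below u, exact GPD tail above."""
    body = [u * (i + 0.5) / n_body for i in range(n_body)]
    tail = [u + gpd_quantile((i + 0.5) / n_tail, xi, beta) for i in range(n_tail)]
    return body + tail


if __name__ == "__main__":
    var, xi, beta = pot_var(constructed_losses(), threshold=10.0, p=0.999)
    print(f"xi={xi:.3f} beta={beta:.3f} VaR(99.9%)={var:.2f}M USD")
```

A positive fitted shape `xi` indicates a heavy tail, so the 99.9% quantile sits far above the threshold even though only 10% of the constructed losses exceed it.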

Results

The results of the paper might thus offer important insights for the management of cyber risks and their insurability, and might also provide guidance for the pricing of cyber insurance policies. They are relevant for policymakers and regulators that need to develop sound policies for the treatment of this new, dynamic risk category.

As I find the necessary info, I’ll keep updating it; until then, you can express thoughts or any findings here on the Cyber Insurance forum.

 

Mayank Goyal

Redmond Lover(Microsoft), London Dreamer(Actuary), California Thinker(Entrepreneur).
