2.1 Existing surveys

Selected cyber risk prediction methods have been reviewed in a few survey papers. Ahmed and Zaman (Reference Ahmed and Zaman2017) review various approaches for attack intention prediction including causal networks, path analysis, graphical analysis, and dynamic Bayesian network. Sun et al. (Reference Sun, Zhang, Rimba, Gao, Zhang and Xiang2018) survey papers on data-driven cyber incident prediction schemes. The surveyed works are subsumed under six categories according to their utilized datasets: organization reports and datasets, network datasets, synthetic datasets, webpage data, social media data, and mixed-type data. Leau and Manickam (Reference Leau and Manickam2015) group existing research on network security situation prediction into three categories according to the prediction method used, namely, machine learning, Markov models, and Grey theory. Husák et al. (Reference Husák, Komárková, Bou-Harb and Čeleda2018) divide prediction methods into four categories: discrete models, continuous models, machine learning and data mining, and other approaches such as evolutionary computing and similarity-based approaches.

In this paper, we divide risk prediction approaches into three groups according to the theories and methods applied: graph models, time series models, and machine learning. This grouping is adopted, as time-series models and machine learning are two broad categories of modeling approaches that are often used in insurance and actuarial science. However, it is noteworthy that the vast majority of these publications come from journals in the disciplines of computer science and engineering, with scant contributions from statistics (Xu et al., Reference Xu, Hua and Xu2017), RMI (Zängerle & Schiereck, Reference Zängerle and Schiereck2022), and social behaviors (Shu et al., Reference Shu, Sliva, Sampson and Liu2018).

2.2 Graph models

A graph model is a discrete model that depicts attack scenarios graphically and typically predicts the probability of a sequence of actions or attack path (Husák et al., Reference Husák, Komárková, Bou-Harb and Čeleda2018). Attack graphs and some graphical models that are based on Bayesian networks or Markov models fall into the category of graph models.

2.3 Time-series models

Cyber incidents data are inherently stochastic and can be formulated as point processes (Daley et al., Reference Daley and Vere-Jones2003; Zhan et al., Reference Zhan, Xu and Xu2013), suggesting that time-series models are suitable for predicting cyber risks. A time-series model allows for a straightforward examination of the time-series data and its temporal trends, making interpretation easier compared to other complex predictive models. Time-series techniques that are frequently used for modeling cyber risk include the families of integrated autoregressive moving average (ARIMA) models, fractionally autoregressive integrated moving average (FARIMA) models, and generalized autoregressive conditional heteroskedasticity (GARCH) models.

Park et al. (Reference Park, Jung, Lee and In2012) use a moving average model (a special case of ARIMA) and linear regression to alert and predict worm propagation in a university campus network. The method estimates the remaining time to infection and identifies the branch point when the worm emerges.

Zhan et al. (Reference Zhan, Xu and Xu2013) propose a statistical framework for predicting future attack rates from cyber attack data captured by honeypots. The framework incorporates long-range dependence (LRD) through a FARIMA model, which is demonstrated by the authors to produce better predictive power compared to processes that disregard LRD. Notably, The LRD-aware FARIMA process can predict network-level attack rates up to five hours in advance. Zhan et al. (Reference Zhan, Xu and Xu2015) further improve the framework of Zhan et al. (Reference Zhan, Xu and Xu2013) by considering the extreme value theory and gray-box time series theory. This extension is suited for predicting attack rates in the presence of extreme values and LRD.

Bakdash et al. (Reference Bakdash, Hutchinson, Zaroukian, Marusich, Thirumuruganathan, Sample, Hoffman and Das2018) claim that a time-series forecasting method featuring a Bayesian state-space model with a negative binomial distribution and a one-week lag has better predictive power over traditional time-series models due to the presence of overdispersion and bursts in the data. The Bayesian state-space model decomposes the process into states (observed number of attacks for a week) and observations (forecasts) with the transition between them defined. A Markov model of transition intensities is employed to identify and quantify bursts. Although the model produces reasonable forecasts for the majority of data, the prediction regarding bursts is unsatisfactory.

Fang et al. (Reference Fang, Xu, Xu and Hu2021) propose a framework to model and predict enterprise-level cyber risk utilizing sparse time-series data. The authors use a logit model to describe the probability of no breach in an entity at a specific time, an approach which inherently accommodates temporal trends and heterogeneities. They model the breach size using the peaks-over-threshold method with a generalized Pareto distribution for the upper tail. Temporal dependence is captured using a D-vine copula with pairwise dependence captured by the Frank copula. With the fitted model, the authors predict the probability of a breach in the entity within the next time interval and the corresponding breach size distribution. Simulation results and experiments based on the PRC data show the proposed approach has satisfactory prediction accuracy according to the ranked probability score and the uniform test.

Zängerle and Schiereck (Reference Zängerle and Schiereck2022) extend the framework of Fang et al. (Reference Fang, Xu, Xu and Hu2021) to include all types of cyber risk, and apply the extended framework to a novel dataset known as the Öffentliche Schadenfälle OpRisk (ÖffSchOR) database. The database records publicly disclosed losses over 100,000 Euros in the European financial sector and offers free access. Due to the geographical and industrial constraints, the dataset is even more sparse than the global PRC data at the enterprise level. The authors demonstrate that the framework generates valid forecasts according to the ranked probability score measure. Their results are in line with the findings of Fang et al. (Reference Fang, Xu, Xu and Hu2021).

While most of the existing research focuses on prediction methods, Chen et al. (Reference Chen, Huang, Xu and Lai2015) assess the predictability of attack frequency time series. They uncover the intrinsic spatiotemporal patterns of cyber attacks, challengeing the prevalent view of attacker behavior as being completely random and unpredictable. By dividing spatiotemporal characteristics into deterministic and stochastic patterns, with the former implying predictability in attack frequency time series and the latter being analyzed by the flux-fluctuation relation, the authors successfully quantify the predictability of cyber attacks by the information entropy defined on the basis of the state transitions in the coarse-grained time series of attack frequencies. The attack patterns within a honeypot IP block are observed to be stably similar to each other, suggesting only a small number of sensors are required to capture the attack patterns in the whole cyberspace.

Another aspect of risk prediction is raised by Xu et al. (Reference Xu, Hua and Xu2017), who assess the effectiveness of cyber defense early-warning systems by considering a four-dimensional time series quantifying the number of attacks/victims with/without early warning mechanisms. The data used was obtained from the Center for Applied Internet Data Analysis at the University of California San Diego. The authors measure the effectiveness of an early warning mechanism by the reduction in the joint probability of certain numbers of attacks and victims post implementation. The required probabilities are calculated using Monte Carlo simulations and a copula-GARCH model, where the marginal distributions are captured by ARMA-GARCH models and the dependence is modeled by a copula. The results suggest the proposed copula-GARCH models outperforms the independence model and certain other copula models in terms of predicting the effectiveness of early warning mechanisms.

2.4 Machine learning

Machine learning has prevailed in many scientific fields, let alone the recent study of cyber risk borne by the development of computer science. It possesses the ability to learn from data and make predictions based on such learning. The quantity and quality of data used to train a machine learning algorithm are decisive factors in determining the accuracy and efficacy of the model. In situations where data is scarce, as is the case with cyber risk, researchers often resort to data mining to extract information from various sources, which can be integrated with existing datasets such as vulnerability databases and incidents reports, to create their own data for analysis.

Machine learning methods are characterized by their high fault tolerance, self-learning and organizing capability compared to traditional modeling approaches (Leau & Manickam, Reference Leau and Manickam2015). In studying cyber risk, they are often combined with other modeling methods to capture various attributes of the risk. Machine learning methods that are often used in cyber risk modeling include classification techniques, which aim to classify or predict discrete variables such as the risk class or attack type, and regression techniques, which aim to predict continuous values such as the probability of breach and the frequency of attacks in a given period. In our survey, all works implement classification techniques to predict a risk class (secure or risky) for a network system based on its input features, except for Fang et al. (Reference Fang, Xu, Xu and Zhao2019) and Zhang Wu et al. (Reference Zhang Wu, Luo, Fang, Xu and Zhao2023) that employ regression techniques to predict the attack rates.

2.5 Discussion

In this section, we review the literature on the prediction of cyber risk. We present the works under three broad categories, namely graph models, time series models, and machine learning, and further divide them into subcategories. Machine learning approaches constitute the most prominent segment of the literature surveyed surrounding cyber risk prediction. Machine learning in the context of cyber risk has been studied extensively especially in the past five years, with more than half of the cyber risk predictive algorithms developed being based on machine learning models.

Our review finds the most common use cases of these predictive mechanisms are to forecast the likelihood of encountering an attack, the time remaining to the next attack, and the number of attacks expected in a given time frame. Regrettably, prediction for the sizes of attacks is overlooked. Severity prediction can offer valuable insights for insurers with respect to pricing and capital considerations. Severity prediction hinges not only on features related to the underlying network system but also on the value of information stored in the system. The latter is likely confidential and difficult to estimate. It is possible to assimilate insights from severity models in the literature, as surveyed in Section 3, to supplement the current predictive framework.

More works from the perspective of attackers could provide a new angle to the subject. Previous studies that consider hackers’ perspectives include those of Shu et al. (Reference Shu, Sliva, Sampson and Liu2018) who analyze the social media data related to a hacktivist group, and Sarkar et al. (Reference Sarkar, Almukaynizi, Shakarian and Shakarian2019) who analyze the mentions in dark web hacker forums. These studies establish a connection between the behaviors of potential attackers and the occurrence of attacks. However, the statistical relationship between features or actions of an organization and attacker behaviors is not explored. Understanding the link could help risk managers prevent attacks by avoiding operations that may provoke attackers. Achieving this understanding requires inputs from experts in social science and even first-hand data collected from attackers themselves.

Another avenue for future research is the development of metrics to evaluate prediction accuracy (Husák et al., Reference Husák, Komárková, Bou-Harb and Čeleda2018). Since most models typically predict the binary risk class of a system with the input features, the results are often evaluated using the confusion matrix. In the presence of imbalanced data, common in cyber datasets (Sun et al., Reference Sun, Wu, Wang, Lv and Hu2019), the confusion matrix can be biased. The use of precision or recall values instead of the confusion matrix could alleviate the problem. Furthermore, a binary decision is often made by sorting the predicted value, such as the probability of breach or a risk score, through the use of a threshold value. Hence, the evaluation made by the confusion matrix also depends on the choice of the threshold, which could be selected through an optimization algorithm or set as a fixed value. These make prediction results hardly comparable across different models. To overcome this limitation, more accurate and robust evaluation metrics are needed to ensure fair and reliable comparisons between different models.

3.1 Standard distributions

A conventional approach to risk modeling is to model the frequency and severity separately using standard distributions. When there is sufficient information about the timing and sizes of incidents but a lack of information on the attributes of breached entities, standard distributions can prove valuable in describing the statistical properties of cyber risk. As previously mentioned, negative binomial distributions are often used for modeling the frequency of cyber incidents, while lognormal and gamma distributions are typically devised for modeling cyber loss severity. For instance, in developing a Bayesian generalized linear model for modeling data breach trends, Edwards et al. (Reference Edwards, Hofmeyr and Forrest2016) assume that the prior distribution of data breach frequency is a negative binomial with a skewness parameter that is gamma distributed and a location parameter that is specified as a function of time. The authors also recognize that losses in cyber incidents are typically heavy tailed. As such, in their Bayesian generalized linear modeling work, the prior distributions of malicious breach sizes and number of records lost in a negligent incident are assumed to be lognormal and log-skew-normal, respectively.

Similar distributional assumptions are adopted by Eling and Loperfido (Reference Eling and Loperfido2017) in their PRC data breach analysis that is based on a multidimensional scaling (MDS) and a multiple factor analysis for contingency tables (MFACT). The MDS is used to investigate differences between companies that experience data breaches and differences between types of breaches, whereas the MFACT provides a joint analysis of multiple contingency tables containing cyber incident frequencies. The results reveal that both lognormal and log-skew-normal distributions provide a promising fit to the original (unscaled) data. However, the log-skew-normal distribution performs better in predicting insurance premiums.

Riek and Böhme (Reference Riek and Böhme2018) study the characteristics of loss distributions for different types of cyber crimes using data concerning direct cyber losses and protection expenses in a victimization survey of adult internet users from six selected EU nations. The authors report that cyber loss distributions are typically skewed and zero-inflated, due to the presence of zero-losses and abundant small losses. To counter the issue of positive skewness and zero inflation, they consider the harmonized loss indicator (HLI) as an indicator for the unconditional losses inferred from the conditional losses. The HLI scales the distribution median by the probability of a loss, such that $\text{HLI} = \hat{q} \rho _{50}$ , where $\hat{q}$ is the empirical relative frequency of loss events and $\rho _{50}$ is the median of the conditional distribution of loss severity given a loss has occurred. The total loss is then estimated as

\begin{equation*}\mathfrak {L}=\sum _{i \in \{I\}} \hat {p}_i (M_i +\alpha T_i),\end{equation*}

where $I$ is the set of cybercrime types, $\alpha$ is a conversion factor that converts time to monetary values, and $\hat{p}_i$ , $M_i$ , and $T_i$ represent the probability of being victimized, the monetary loss summarized by the HLI, and the time taken to deal with an incident for cybercrime type $i$ , respectively. The authors notice deviations from the fitted lognormal distribution in the tails. While overestimation of small losses may be acceptable, underestimation in the upper tail may lead to dire consequences.

Woods et al. (Reference Woods, Moore and Simpson2021) suggest aggregating individual parameterized distributions, including polynomial, lognormal, Pareto, Burr, gamma, and Weibull, into a “county fair cyber loss distribution.” They devise an iterative optimization process that is built on a particle swarm optimization of parameters of candidate distributions to infer loss distributions from insurance prices offered by each insurer. By applying the iterative optimization algorithm to 6,828 observed prices from regulatory filings of 26 insurers in California, the authors find gamma distributions are most suited for predicting individual insurance liability prices. The county fair cyber loss distribution is derived by averaging the optimal loss distributions across all insurers.

3.2 Copula-based approaches

Classical approaches to risk modeling using standard distributions rely on the assumption of risk independence. However, researchers have recognized the presence of interdependence among cyber risks (Biener et al., Reference Biener, Eling and Wirfs2015; Eling & Schnell, Reference Eling and Schnell2016; Marotta et al., Reference Marotta, Martinelli, Nanni, Orlando and Yautsiukhin2017), which should be adequately addressed in the mathematical modeling process. Copula-based approaches are useful in modeling cyber risk due to their ability to address nonlinear risk dependency, which could exist in frequency (Mukhopadhyay et al., Reference Mukhopadhyay, Chatterjee, Saha, Mahanti and Sadhukhan2006, Reference Mukhopadhyay, Chatterjee, Saha, Mahanti and Sadhukhan2013; Bentley et al., Reference Bentley, Stephenson, Toscas and Zhu2020), severity (Böhme & Kataria, Reference Böhme and Kataria2006; Eling & Jung, Reference Eling and Jung2018; Liu et al., Reference Liu, Li and Daly2022), or attack rates (Peng et al., Reference Peng, Xu, Xu and Hu2018). A copula-based approach expresses the joint distribution of multiple random variables as a multivariate function of their marginal distributions (Aas et al., Reference Aas, Czado, Frigessi and Bakken2009), without requiring more data compared to the standard distribution approach. For an $n$ -dimensional random vector $\vec{X} =(X_1,\dots,X_n)$ with marginal distribution functions $F_1,\dots,F_n$ , Sklar’s theorem (Sklar, Reference Sklar1959) states that the multivariate distribution $F$ for the random vector can be expressed in terms of a certain appropriate $n$ -dimensional copula $C$ as follows:

\begin{equation*}F(x_1,\dots,x_n ) = C(F_1 (x_1),\dots,F_n (x_n)).\end{equation*}

Mukhopadhyay et al. (Reference Mukhopadhyay, Chatterjee, Saha, Mahanti and Sadhukhan2006) propose a copula-aided Bayesian belief network for cyber vulnerability assessment and expected loss quantification. In this modeling approach, the loss frequency in each node is modeled by a normal distribution, while the dependence across nodes is described by a copula. With the joint distribution, the conditional distribution for each node is derived and then fed into a Bayesian belief network, which outputs the frequency of a cyber incident. This modeling approach is revisited by Mukhopadhyay et al. (Reference Mukhopadhyay, Chatterjee, Saha, Mahanti and Sadhukhan2013) who specify a Bayesian belief network with a multivariate Gaussian copula and normal marginals for risk assessment and quantification purposes.

Bentley et al. (Reference Bentley, Stephenson, Toscas and Zhu2020) support the use of a Gaussian copula, but they suggest using negative binomial marginals. In addition to a copula-based multivariate distribution, the authors propose a mitigation model, modified from the economic model of Gordon and Loeb (Reference Gordon and Loeb2002) for optimal cyber security investment, to quantify the effect of risk mitigation strategies on the costs of cyber attacks. In the mitigation model, the probability of a successful attack given a certain mitigation measure is estimated by multiplying a baseline probability, which specifies the probability of a successful attack when there is no spending on mitigation, for the attack type in question by the scaling factor calibrated for the mitigation measure in question. The effect of risk mitigation spending on loss severity is modeled in a similar manner. This approach enables a separate modeling of loss frequency and severity and demonstrates the diminishing mitigating effects of increased security spending. However, as illustrated in the authors’ numerical experiment, which involves analyzing tickets submitted by security engineers at an anonymous company, the modeling outcomes are notably sensitive to the underlying dependence assumption.

Böhme and Kataria (Reference Böhme and Kataria2006) propose using a t-copula, which may be more suitable for modeling the correlation for extreme events. In more detail, the authors use a twin-tier approach to describe correlations in data breaches and demonstrate that a firm’s decision to purchase insurance is based on the intra-firm risk correlation while the global risk correlation influences the premium level set by insurers. The intra-firm risk correlation is characterized by a correlation measure under a beta-binomial assumption for the number of failed nodes in an incident, while the global correlation is modeled by a t-copula. An insurability analysis is conducted through simulation, and the correlation estimation is demonstrated through a numerical example based on honeypot data.

Herath and Herath (Reference Herath and Herath2007) use Archimedean copulas to model the dependence between the number of computers affected (denoted by $X$ ) and the dollar value of losses (denoted by $Y$ ) in a firm. Archimedean copulas enable asymmetric tail dependence, the degree of which can be adjusted through a single dependence parameter $\theta$ . The Archimedean copulas considered by the authors include Clayton and Gumbel, which can be expressed as

\begin{equation*}C_\theta (u,v) = (u^{-\theta } +v^{-\theta } -1)^{-\frac {1}{\theta }}\end{equation*}

and

\begin{equation*}C_\theta (u,v) = \exp \Big \{-\big [ (- \log u)^\theta +(- \log v)^\theta \big ] ^{\frac {1}{\theta }} \Big \}, \end{equation*}

respectively, where $u=F_X^{-1} (x)$ and $v=F_Y^{-1}(y)$ . Pricing using the proposed framework is illustrated through a numerical example with data from the International Computer Security Association (ICSA).

Eling and Jung (Reference Eling and Jung2018) propose another alternative, the R-vine pair copula construction (PCC), to model nonzero pair dependence between data breach risks in both cross-industry and cross-breach settings using the PRC datasets from 2005 to 2016. The R-vine PCC resolves the problem of multivariate dependence present in the Archimedean model and transforms a high-dimensional copula analysis to a bivariate analysis. It encompasses the process of tractable tree building: the first tree consists of random variables, the second tree is built on the basis of conditional variables estimated from the previous tree, and so forth. The R-vine model does not specify a particular structure, thereby offering more flexibility. To compare risk measurements and pricing of aggregate loss distributions across different loss dependence models, the authors employ a simulation study. The R-vine PCC produces empirical results that are consistent with those of Böhme and Kataria (Reference Böhme and Kataria2006), which reveal a high internal correlation between hacking attacks and insider attacks.

The use of a R-vine PCC is supported by Peng et al. (Reference Peng, Xu, Xu and Hu2018). Peng et al. (Reference Peng, Xu, Xu and Hu2018) use a combination of a time-series process and a vine copula to model multivariate dependent cyber attacks. In more detail, the authors model the marginal attack rate (number of attacks per unit time) on a server over time with an ARMA-GARCH process, and accommodate the high-dimensional dependence across multivariate cyber attack time series with a truncated R-vine copula. The truncation of the R-vine copula is achieved such that all pair-copulas in trees higher than a certain order are set to be bivariate independent copulas. Parameters in the model are estimated using the inference function of margins method with maximum likelihood estimation. The findings of both simulation and an empirical study with honeypot data indicate ignoring dependence across the attack time series can underestimate the value-at-risk measure, leading to falsely optimistic assessments of cyber risk.

Building on Eling and Jung (Reference Eling and Jung2018), Liu et al. (Reference Liu, Li and Daly2022) propose a Bayesian framework that selects the margins and copulas of different types of data breach losses simultaneously. The marginal distribution of loss severity is modeled by the generalized beta type II distribution, which nests a family of distributions commonly used to model loss sizes, including the lognormal, gamma, Weibull, and Pareto distributions. The vine copula tree structure and pairwise copulas are identified through Bayesian selection based on different posterior probabilities that serve different purposes of an analysis. Through experimentation with the PRC data and data collected by the U.S. Department of Health and Human Services, as well as a series of sensitivity tests, this study confirms the robustness of the Bayesian framework to prior distribution settings, and reveals the significance of incorporating parameter and model uncertainties.

3.3 Extreme value theory

Extreme tails of cyber losses reported by numerous studies can be addressed using standard distributions like lognormal and Pareto distributions (Edwards et al., Reference Edwards, Hofmeyr and Forrest2016; Eling & Loperfido, Reference Eling and Loperfido2017; Eling & Wirfs, Reference Eling and Wirfs2019). However, standard distributions inherently assume specific tail behaviors, which may not accurately reflect the actual data characteristics. In light of this, a more flexible tool for modeling extreme events is the Extreme Value Theory (EVT). Since Beirlant and Teugels (Reference Beirlant and Teugels1992) discussed the relevance of EVT to modeling extreme insurance losses, EVT has flourished in the insurance world. The peaks-over-threshold (POT) technique from EVT is prevalent in modeling the severity of cyber losses. This technique assumes that exceedances (observations that lie below or above a specific threshold) follow a certain extreme value distribution. Early applications of EVT to cyber risk modeling include that of Maillart and Sornette (Reference Maillart and Sornette2010) who consider data from the Open Security Foundation and the PRC and report that a stable heavy-tail power-law distribution is suited for modeling the number of identity losses per data breach incident.

Following Maillart and Sornette (Reference Maillart and Sornette2010), Wheatley et al. (Reference Wheatley, Maillart and Sornette2016) apply EVT to modeling 619 data breach incidents recorded by PRC and the Open Security Foundation between 2007 and 2015 that involved more than 50,000 personal identity losses. Specifically, the authors use a Poisson generalized linear model with an identity link to regress the breach frequency per month, and observe that the occurrence of data breaches is relatively stable globally. With respect to the severity of data breaches, the POT method is implemented to determine if a maximum exists. To achieve this objective, the authors quantify the severity of large breaches by an extreme heavy-tail doubly-truncated Pareto, which is transformed to a doubly-truncated exponential by taking the natural log of the data for convenience. They posit a finite maximum for the size of breach $X$ , which is formulated as $v(t)=u-\beta (t)/\xi \lt \infty$ , where $u$ is the threshold, $\xi$ is the extreme value index, and $\beta (t)$ is a time-dependent scale parameter. The authors observe a significant upward growth in the maximum of natural log of breach sizes, and therefore propose to further model the time-dependent scale parameter as $\beta (t) = \beta _0 +\beta _1 \ln (t)$ , where $\beta _0$ and $\beta _1$ are the scale intercept and scale slope, respectively.

Eling and Wirfs (Reference Eling and Wirfs2019) study the actual monetary loss for all types of cyber risk using the SAS OpRisk global operational risk dataset and acknowledge the need to differentiate between daily cyber risks and extreme cyber risks. They use a dynamic EVT approach, which models the aggregate loss with frequency following a Poisson generalized linear model with a log-link function and severity following a POT with a generalized Pareto tail. The scale parameter of the generalized Pareto distribution is orthogonally transformed to ensure convergence. The authors notice an increasing trend in the number of attacks per year while the probability of extreme losses decreases over time, a result that appears to contradict that of Wheatley et al. (Reference Wheatley, Maillart and Sornette2016) who argue that the rate of large data breach events increases outside US.

Malavasi et al. (Reference Malavasi, Peters, Shevchenko, Trück, Jang and Sofronov2022) implement EVT with an extension of the generalized linear model, called generalized additive models for location shape and scale (GAMLSS). The authors describe the risk frequency with a Poisson distribution and severity with the POT approach under the GAMLSS framework. To better identify the influential factors in the tail behavior, the GAMLSS identifies and addresses risk drivers in not only the mean and variance but also the higher moments of the frequency and severity processes. The authors further apply a rank-based ordinal regression to remove the distortion of the significance of covariates in GAMLSS that is caused by extreme cyber events. By fitting the models on the Advisen cyber loss data, the authors confirm that the modeling results are mainly driven by extreme losses, a conclusion that does not support the insurability of cyber risk.

Sun et al. (Reference Sun, Xu and Zhao2021) study the hacking data breach records from the PRC dataset over 2010–2019. In this study, frequency is modeled with a hurdle Poisson model. Severity for each company is defined as the log-transformed average number of exposed records, and, similar to the proposal of Eling and Wirfs (Reference Eling and Wirfs2019), modeled with the POT approach that results in a mixed model with a generalized Pareto distribution for the tail and a non-parametric distribution for observations below the threshold. The joint density function of frequency and severity is then captured by a bivariate copula. The authors find the positive non-linear dependency between frequency and breach size is best captured by a Gumbel copula. Finally, conversion from the predicted loss that is based on the number of breached records to monetary impact is performed using the following linear formula adopted from Jacobs (Reference Jacobs2014) and Romanosky (Reference Romanosky2016):

\begin{equation*}\log (\mbox {impact}) = 7.68 + 0.76 \log (\mbox {records}).\end{equation*}

The formula is derived by means of fitting the Ponemon cost of data breach reports data in 2013 and 2014, which might not be representative to the PRC data from 2010 to 2019, and the formula may be too simplistic as it only considers the number of breached records as the determinant. However, the linear relationship is used here to compare the rating performance of the proposed dependence model and the independence model directly, with no bearing on the actual losses.

The POT technique is combined with regression trees by Farkas et al. (Reference Farkas, Lopez and Thomas2021) to classify and predict different parts of the loss distribution. The central part of the PRC data is fed into regression trees that iteratively split the observations into classes according to predefined partitioning rules set by different modeling objectives. From the maximal tree built, an optimal subtree is selected according to a pruning algorithm. The tail part is fed into generalized Pareto regression trees, which use the generalized Pareto loglikelihood as a split function. The regression tree approach allows the identification of characteristics that create heterogeneity in cyber events. Additionally, the dissemblance between the central regression tree and a tree obtained from the global set of observations implies the heaviness of the tail.

The POT technique relies on the choice of a threshold, whose optimal value is hard to identify. To mitigate this problem, Jung (Reference Jung2021) proposes to model maxima cyber loss data obtained from Cowbell Cyber with a generalized extreme value distribution that features the block maxima method. In this method, the probable maximum loss for data breach risk, $\xi _p$ , based on the value-at-risk at the $1-p$ quantile satisfies

\begin{equation*}\text {P}({\tilde {M}_n} \leq \xi _p)= 1-p,\end{equation*}

where $\{\tilde{M}_n\}$ is the series of loss maxima that follows

\begin{equation*}\text {P} \!\left ( \frac {\tilde {M}_n - b_n }{a_n} \leq x \right) \rightarrow G^{\theta } (x),\end{equation*}

with $n$ being the size of the time frame, $b_n$ being the number of blocks, $a_n\gt 0$ being a constant, and $G^{\theta }$ being the limiting generalized extreme value distribution with an extremal index $\theta$ that quantifies the degree of dependency in extremes. The maximum loss estimates obtained by Jung (Reference Jung2021) are significantly higher than those produced by Wheatley et al. (Reference Wheatley, Maillart and Sornette2016), a result which could indicate the model’s potential to approximate a systemic risk event or a dragon king loss event.

3.4 Stochastic processes

The aforementioned methods are effective in describing the statistical features of cyber events, but they do not fully capture the temporal evolution of these events. To incorporate temporal dynamics and reveal dependencies and trends over time, stochastic processes are often devised to model cyber risk. Correlations between inter-arrival times and between breach sizes discovered by Xu et al. (Reference Xu, Schweitzer, Bateman and Xu2018) suggest that stochastic processes are better suited than standard distributions for the purpose of describing cyber events. In order to apply a stochastic process model, data must be organized into a time-series format. This is a straightforward task when dealing with established databases, as they typically record incident occurrence times.

Peng et al. (Reference Peng, Xu, Xu and Hu2017) propose using a marked point process to model the extreme value phenomenon relating to the time series of cyber attack rates collected from the network telescope and honeypots. In more detail, the authors model the magnitude of extreme attack rates with the POT technique and describe the arrival of extreme attack rates with an autoregressive conditional duration (ACD) approach, which is analogous to a GARCH model but accommodates additionally both a slow decay of autocorrelation and bursts of extreme value clusters. The marked point process has a conditional intensity that is dependent on time, past information about occurrence times and marks (extreme values), and functions of past durations modeled by an ACD or log-ACD that accommodates the correlated inter-exceedance times. They measure intense risk by value-at-risk, a metric that describes the extreme cyber attack rates that can lead to potentially catastrophic consequences under inadequate defense. It is demonstrated that the model has accurate in-sample fitting and out-of-sample prediction.

Xu et al. (Reference Xu, Schweitzer, Bateman and Xu2018) model the PRC data from 2005 to 2017 with stochastic processes along with copula and EVT methods. The authors use an autoregressive conditional mean point process for modeling inter-arrival times that indicate frequency and sizes of data-hacking breach attacks, and an ARMA-GARCH process for modeling the evolution of breach sizes. Innovations from the processes are modeled by a mixed extreme value distribution with a generalized Pareto distribution for exceedances and a normal distribution for other realizations. They discover an increasing trend in hacking frequency, but no significant change in breach sizes. The authors further use a Gumbel copula to account for the positive dependence between inter-arrival times and breach sizes.

Similar to Xu et al. (Reference Xu, Schweitzer, Bateman and Xu2018), Ma et al. (Reference Ma, Chu and Jin2022) use ARMA-GARCH to describe the severity of cyber incidents between 2012 and 2018 reported by PRC and apply spatial clustering to address the geographical dependence. Individual severity models for each state in the United States are built using the ARMA-GARCH process, which are then combined in the K-means clustering process and reestimated on a cluster-based level. The inter-arrival times of incidents in each cluster are described by ACD models. By applying the clustering method, the statistical correlation between inter-arrival time and severity of cyber incidents across clusters is successfully removed, making the pricing process less complicated than the copula approach for insurers.

Zeller and Scherer (Reference Zeller and Scherer2022) propose a comprehensive model that is based on marked point processes for idiosyncratic incidents and systemic events. In the model, the arrival of idiosyncratic incidents at each firm is assumed to follow a Poisson process with a time- and covariate-dependent rate, and the arrival of systemic incidents follows a separate non-homogeneous Poisson process. Each arrival time point is equipped with a mark space, formed by the set of event strengths and the affected subsets, such that the resulting process is a marked point process. The severities of both idiosyncratic incidents and systemic events are modeled by a mixed distribution with a generalized Pareto distribution for exceedances and a truncated lognormal for other observations. Through fictitious insurance portfolios, the authors demonstrate the necessity to consider systemic events so that potential accumulation risk can be captured.

The presence of the accumulation phenomena is also internalized in the model of Bessy-Roland et al. (Reference Bessy-Roland, Boumezoued and Hillairet2021), who use multivariate Hawkes processes with specific kernel choices to describe the frequency of cyber attacks in the PRC data between 2010 and 2019. The Hawkes processes are able to reproduce clustering and autocorrelation between inter-arrival times, and they capture both shocks and persistence after shocks through their self-exciting property. The Hawkes process for the number of data breaches for group $i$ in time interval $[0,t]$ features an intensity process $\lambda _t^{(i)}$ , which has a baseline intensity $\mu _t^{(i)}$ and kernels $\phi _{i,j}(t)$ that quantify the contagion in group $i$ caused by a data breach in group $j$ . The intensity process is specified as

\begin{equation*}\lambda _t^{(i)} = \mu _t^{(i)}+\sum _{j=1}^d \int _{[0,t]} \phi _{i,j}(t-s)dN_s^{(j)}.\end{equation*}

3.5 Epidemic models

Although the previously discussed methods can capture statistical properties and temporal trends of cyber losses, they fall short in accounting for the propagation phase of the risk. Studying the spread of cyber risk enables us to pinpoint critical factors that influence the epidemic size and the final losses, thus enhancing the design of risk assessment and mitigation strategies accordingly. The approach necessitates interdisciplinary collaboration, as it may require knowledge about system vulnerability, network engineering, social behaviors, and natural disease spreading. Epidemiology naturally lends itself to the study of cyber risk propagation, since both epidemics and cyber attacks exhibit contagiousness, interdependence of exposure, and dynamic evolution.

Inspired by techniques for analyzing associations between gene mutations and diseases in genetic epidemiology, Gil et al. (Reference Gil, Kott and Barabási2014) introduce a statistical framework for studying the susceptibility of a single node. The authors treat the network services running on a host as the defining risk factor on its susceptibility to certain cyber threats, a concept that is borrowed from a dominant model of genetic penetrance, which presumes that the presence of a dominant variant of a gene is sufficient to produce an associated phenotype, regardless of the number of copies present.

Barracchini and Addessi (Reference Barracchini and Addessi2014) modify the multistate models for health insurance to capture characteristics of cyber risk. They classify the possible states of a computer damage as nd (no damage), rd (repairable damage), prd (partially repairable damage), and nrd (not repairable damage), and further divide the prd state into $n$ levels, $\text{prd}^{(i)}$ for $i = 1, \ldots, n$ , to indicate different levels of partially repairable damage (a higher $i$ corresponds to a higher level of damage). This classification leads to a state space of $S=\{\text{nd},\text{rd},\text{prd}^{(1)},\dots,\text{prd}^{(n)},\text{nrd} \}$ , formulating a Markov process from which the dynamic probability that a computer moves from one state to another can be inferred.

Liu et al. (Reference Liu, Liu, Liu, Cui and Huang2016a) apply concepts in epidemiology to devise a novel compartmental mathematical model for malware propagation. The authors argue that susceptible computers in a network should be viewed as heterogeneous rather than homogeneous with respect to the level of protection. Depending on its level of protection, a computer being modeled can be either weakly protected susceptible (a W-node), strongly-protected susceptible (an S-node), or infected (an I-node). A W-node has a higher probability of infection compared to an S-node, and these two types of nodes can communicate with each other. The infection probabilities of a W-node and an S-node in a unit time are specified as

\begin{equation*}P_W=1-(1-\beta _W )^{I(t)}\end{equation*}

and

\begin{equation*}P_S=1-(1-\beta _S )^{I(t)},\end{equation*}

respectively, where $\beta _W \text{ and } \beta _S$ are the assumed infection rates for W-nodes and S-nodes, respectively, and $I(t)$ is the number of infected nodes at time $t$ . The average number of secondary infections by an infectious computer over its infectious period can be calculated as

\begin{equation*}R_0=\frac {\beta _W \alpha +\beta _S \epsilon }{\gamma (\alpha +\epsilon )},\end{equation*}

where $\alpha$ is the probability of an S-node converting to a W-node, $\epsilon$ is the probability of a W-node converting to an S-node, and $\gamma$ is the probability that an infected node recovers to an S-node. The authors propose that there exists a unique malware equilibrium if $R_0 \gt 1$ . If $R_0\leq 1$ , then the malware-free equilibrium is globally asymptotically stable. Their results are similar to those produced by Mishra and Pandey (Reference Mishra and Pandey2014), who use a susceptible-exposed-infectious-susceptible-with-vaccination epidemic transmission model to describe worm propagation in a network.

Fahrenwaldt et al. (Reference Fahrenwaldt, Weber and Weske2018) model the spread of cyber infections with an interacting Markov chain and claims with a marked point process. In their framework, the spread process is of a pure jump-type with exponential waiting times between jumps, whereas transitions are described by the susceptible-infected-susceptible (SIS) network model. Dependence is modeled by an undirected network where each node represents a firm, a system of computers, or a single device, and each edge represents a possible transmission channel. The authors apply tractable mean-field approximations for the Markov process and higher order polynomial approximations for claim functions, allowing computation of expected aggregate losses and hence cyber contract prices. Through a simulation study, the authors demonstrate that network topology plays an important role in determining insurance prices and designing risk management strategies.

Xu and Hua (Reference Xu and Hua2019) study cyber risk using the SIS network model with nonzero exogenous infection rates. In their modeling approach, the dynamics of an epidemic spread over the internet are captured by Markov and non-Markov processes, whereas risk dependence is addressed with copulas. In the Markov model, the following Poisson processes are used to capture infection and recovery for node $v$ , respectively:

\begin{align*} I_v(t) &\;:\; 0 \rightarrow 1 \text{ at a infection rate of } \beta \sum _{j=1}^{n} a_{vj} I_j (t) + \epsilon _v,\\ I_v(t) &\;:\; 1 \rightarrow 0 \text{ at a recovery rate of } \delta _v, \end{align*}

where $\beta$ and $\epsilon _v$ are the rates of infection due to threats inside and outside the network, respectively, $I_j(t)$ is an indicator function which equals 1 if node $j$ is infected at time $t$ and 0 otherwise, and $a_{vj}$ is another indicator function which equals 1 if nodes $v$ and $j$ can attack each other and 0 otherwise. From the Markov model, the authors obtain a dynamic upper bound for the infection probability and a stationary probability that can be used as a proxy to estimate infection probabilities in practice. On the other hand, in the non-Markov model, the authors assume that there exist $D_v$ infected neighbors around each node $v$ and that attacks on a node will stop if the node becomes infected. Time to internal infection is modeled by random variables $Y_{v_1},\dots,Y_{v_{D_v}}$ with the same marginal distribution, whereas time to external infection is described by another random variable $Z_v$ . The expected time to infection for node $v$ is the expected minimum of time to internal infection from the $D_v$ infected neighbors and the time to external infection. The authors further employ copulas to model the joint survival function in order to account for multivariate dependence among risks. Ultimately, an upper bound for the infection probability under the non-Markov model is also obtained. Their simulation shows dependence among infection processes affects the propagation of the epidemic and the resulting loss. Additionally, through experimentation with the Enron email network, the authors demonstrate that the recovery rate has a substantial impact on insurance premiums.

The Markov-based model developed by Xu and Hua (Reference Xu and Hua2019) is enriched by Antonio et al. (Reference Antonio, Indratno and Saputro2021), who introduce a clustering coefficient factor into the SIS process with nonzero exogenous infection rates. The network structure is characterized by the individual-level clustering coefficients, which influence the efficiency of epidemic spreading. This inhibitory effect is described by incorporating different epidemic inhibition functions in the transition probability of the Markov process. The dynamic equation for the infection probability with clustering structure is obtained using N-intertwined mean-field approximation, and the dynamic upper bound is solved to be used as a conservative estimate in pricing. They adopt the cost function proposed by Xu and Hua (Reference Xu and Hua2019) to price cyber risk based on losses caused by infection and losses caused by system downtime. Experiments on simulated regular network and real email-Enron network validate the improvement in premiums when considering the clustering structure with inhibition.

Jevtić and Lanchier (Reference Jevtić and Lanchier2020) model cyber risk propagation in small- and medium-sized enterprises with a bond percolation process. In their model, the aggregate loss up to any given time is recorded as a continuous-time Markov chain with contagion times following a Poisson process, contagions in the physical layer are modeled with a homogeneous bond percolation process on a random tree that depicts the network infrastructure, and losses in each breached node are described by a heterogeneous loss topology. Using simulations, the authors demonstrate the robustness of their model in the context of cyber insurance pricing.

Chen (Reference Chen2019) investigates the differences between discrete-time and continuous-time epidemic models for modeling malware propagation and information dissemination. The author finds that real-life malware propagation is more aligned with discrete-time epidemic models, as worms usually take some time to spread. The author further focuses on the susceptible-infectious model and identifies three key drivers of model performance: time intervals, spatial dependence among nodes, and linearization. Small time intervals often lead to an overestimation of propagation speed and need to be accompanied by spatial dependence assumption. Consequently, continuous-time epidemic models do not provide accurate forecasts as they ignore both time intervals and spatial dependence.

Hillairet and Lopez (Reference Hillairet and Lopez2021) propose a framework to design accumulation scenarios, each of which represents a global failure of the portfolios in question. The authors use the Gaussian approximation theory to approximate the evolution of the number of infected policyholders through time, and a susceptible-infected-removed (SIR) model to describe the spread of an attack at a global level. Specifically, for a population of size $N_t=s_t + i_t + r_t$ at time $t$ , where $s_t$ is the number of susceptible individuals in the population, $i_t$ is the number of infected individuals, and $r_t$ is the number of recovered ones, the SIR model is characterized by the following set of differential equations:

\begin{align*} \frac{\partial s_t}{\partial t} &= -\beta s_t i_t,\\[5pt] \frac{\partial i_t}{\partial t} &= \beta s_t i_t - \gamma i_t,\\[5pt] \frac{\partial r_t}{\partial t} &= \gamma i_t, \end{align*}

where $\beta$ and $\gamma$ represent the contagion rate and the recovery rate, respectively. The centered processes of the cumulative number of the infected, the recovered, and the infected and not yet recovered converge in distribution toward Gaussian processes with time-dependent covariance structures. The authors hence derive the asymptotic distributions of the cost functions and illustrate through a simulation study that the insurer’s response strategy has a crucial impact on the insurer’s cost.

In the continuity of Hillairet and Lopez (Reference Hillairet and Lopez2021), Hillairet et al. (Reference Hillairet, Lopez, d’Oultremont and Spoorenberg2022) develop a multigroup SIR process to describe the contagion dynamic by segmenting the whole population into groups. The model further integrates digital dependence using a contagion matrix, which also contains information on the network topology formed by the multigroup population. Reaction to the crisis by taking countermeasures is also modeled, taking into account reactions to both in-group and out-group warnings. The simulation of a Wannacry episode is conducted, on the basis of model parameters that are calibrated from the OECD data. The simulation results show that the speed of infection and the final epidemic size in each sector are affected by the network connectivity patterns and group reaction strategies.

A growing interest in the use of epidemic models in cyber risk modeling can be observed in recent years, but the paucity of data limits the practical application and renders the field almost entirely theoretical. It is challenging, if not impossible, to obtain the building blocks of epidemic models, such as states, state transition probabilities, the evolution of the number of individuals in each state, and the underlying network structure. Consequently, current studies rely heavily on simulations.

3.6 Discussion

This section presents a review of methods used to model the empirical properties of cyber risk, where actuarial contribution is substantial. Cyber study within actuarial science has undergone a shift in focus toward more elaborate techniques including copula models, EVT approaches, stochastic processes, and epidemic models, to compensate for the insufficiency of the conventional approach using standard distributions in representing and pricing cyber risk. In particular, over a third of papers published within the past five years surveyed in this section are dedicated to epidemic models (Chen, Reference Chen2019; Xu & Hua, Reference Xu and Hua2019; Jevtić & Lanchier, Reference Jevtić and Lanchier2020; Antonio et al., Reference Antonio, Indratno and Saputro2021; Hillairet & Lopez, Reference Hillairet and Lopez2021; Hillairet et al., Reference Hillairet, Lopez, d’Oultremont and Spoorenberg2022). These techniques have proven useful in drawing a more complete picture of cyber risk, but their implementation demands more comprehensive incident datasets. For example, the copula-based dependence structures and the EVT models derived from fitting the number of breached records (such as the PRC data) may be significantly different when applied to actual severity data. The issue of data scarcity is most prominent in the epidemic modeling approach, as the currently available cyber data is insufficient for identifying the network structure and inferring the state transition rates in an epidemic model. Validation of models based on simulation using real data can be an interesting path to take.

Different from risk prediction methods that focus on the prediction of risk at an individual level, risk modeling mostly considers losses at a collective level. Enterprise-level modeling is paramount to collective modeling, as it provides implications for risk management with respect to budget allocation, as well as the underwriting for cyber policies. Sparsity of enterprise-level data poses a challenge for individual loss estimation using models surveyed in this section. This difficulty might be surmounted through integrating statistical modeling approaches with prediction techniques surveyed in Section 2.

Lastly, interdisciplinary collaboration can be instrumental in advancing the mathematical and statistical modeling of cyber risk. Insights from computer science and engineering experts could help identify additional key factors in technological aspects that impact the resulting losses and risk dependencies. The identification of such factors could assist risk managers to better understand what risks are inherent in the system and may not be eliminated, thereby making more informed insurance decisions. Moreover, in regard to data scarcity at both individual and collective levels, data mining could be leveraged to support numerical investigation. Effective interpretation and processing of the raw data obtained through mining often require collaboration between actuarial researchers and information technology specialists.

4.1 Risk assessment

Risk assessment is a crucial step in any sort of risk management. Conventionally, risk is assessed by the probability of the risk event and the magnitude of the loss event (Kaplan & Garrick, Reference Kaplan and Garrick1981). This way of risk assessment is referred to as the pure premium approach in an insurance context. However, this risk assessment approach might not be adequate for cyber risk, as the risk is not straightforward to be modeled mathematically. Therefore, alternative risk assessment methods for cyber risk are in demand.

Mateski et al. (Reference Mateski, Trevino, Veitch, Michalski, Harris, Maruoka and Frye2012) design a generic threat matrix which assigns a threat level between 1 (most capable) to 8 (least capable) against some attributes to different categories of cyber threats. The attributes used to score a threat are related to the commitment level and the resources that are readily available to pursue the goal of the threat.

Schatz and Bashroush (Reference Schatz and Bashroush2017) divide economic approaches to risk assessment into nine categories: analytic hierarchy processes,Footnote 4 decision support systems, game theory, net present value (NPV), return on attack,Footnote 5 return on investment (ROI),Footnote 6 a mix of ROI and NPV, real options theory,Footnote 7 and utility maximization. Both ROI and NPV approaches emphasize the ‘benefit and cost’ element, whereas game theory approaches exhibit a high reliance on the ‘function’ element.

Akinrolabu et al. (Reference Akinrolabu, Nurse, Martin and New2019) propose a novel risk assessment method called the cyber supply chain cloud risk assessment (CSCCRA) for cloud service providers. The CSCCRA method consists of three components: a cloud supply chain mapping that graphically represents the cloud service through the lens of the supply chain, a cloud supplier security assessment that provides a quantitative measurement of cloud suppliers security according to certain criteria, and a cloud quantitative risk analysis that estimates a probability distribution for the variable of interest.

Yamashita et al. (Reference Yamashita, Ten, Rho, Wang, Wei and Ginter2020) construct a framework to measure the systemic risk of switching attacks in a cyber-physical system based on security technologies deployed using Petri net models. The framework uses four models to depict the coordinated attack against IP-based substations: modified firewall model, modified password model, extended password model on intelligent electronic device, and honeynet models. The detailed statuses and state transitions within each component are described by Markov processes, and the steady-state probabilities for a cyber-physical attack at any substation are derived as a means to assess security risks.

Besides cyber losses resulting from cyber events, non-cyber losses triggered by cyber activities that are not explicitly excluded from insurance clauses should also be considered. This type of risk is referred to as non-affirmative risk, or “silent” cyber risk by insurance practitioners (Lemnitzer, Reference Lemnitzer2021). Recognizing the fact that insurers often fail to adequately address their silent exposure to IT-related threats when pricing non-cyber contracts, Cartagena et al. (Reference Cartagena, Gosrani, Grewal and Pikinska2020) propose a three-phase framework that aims to provide a consistent non-affirmative cyber risk assessment prototype for organizations. In the first phase, underwriters define exposure, evaluate wordings of clauses, and review policy levels. In the second phase, the organization contextualizes the defined exposure into possible scenarios to establish a comprehensive understanding of non-affirmative risk it encounters. In the last phase, the management develops a risk appetite relating to non-affirmative risk and monitors the implementation of the framework.

In addition to technological vulnerability, human factors may also give rise to cyber risk. Georgiadou et al. (Reference Georgiadou, Mouzakitis and Askounis2022) identify insider threat types and contributing factors through a meta analysis, and link the contributing factors to a cyber security culture framework for assessing and evaluating the current security readiness of an entity’s workforce. The framework encompasses an organizational level and an individual level. The former considers dimensions including assets, continuity, access and trust, operations, defense, and security governance, whereas the latter includes dimensions such as attitude, awareness, behavior, and competency.

Ganin et al. (Reference Ganin, Quach, Panwar, Collier, Keisler, Marchese and Linkov2020) present a multi-criteria decision-analysis-based approach to bridge the gap between risk assessment and risk management pertaining to cyber security. The criteria include three components: threats, vulnerabilities, and consequences. The first component describes the ease of attack and benefits of a successful attack. The second component considers vulnerabilities in the targeted system, including the hardware, software, and personnel-related levels. The third component considers consequences that pertain to violations of confidentiality, integrity, and availability. Apart from risk assessment, the authors implement a countermeasure scoring system that could assess the effectiveness of risk management.

4.2 Risk mitigation

Organizations may take technical and internal controls to reduce the likelihood of cyber security breaches and/or constrain the severity of losses from attacks. Böhme and Schwartz (Reference Böhme and Schwartz2010) describe the probability that a node in an organization incurs a loss in an accident by a function of the network environment and the security level. Their model implies that the effectiveness of a firm’s technical controls over its network environment is directly related to its exposure to cyber risk. Technical controls can be either detective or preventative. The former alarms users of security violations, whereas the latter proactively defends specific vulnerabilities from attacks (Cavusoglu et al., Reference Cavusoglu, Mishra and Raghunathan2004b).

An organization may not necessarily have control over technical vulnerabilities, because software is often supplied by external vendors (Böhme et al., Reference Böhme, Laube and Riek2019). However, there are some actions that can be taken within the organization’s reach, such as frequent backup of information, installation of security technology, and constant renewal of antivirus systems (Liu et al., Reference Liu, Liu, Liu, Cui and Huang2016a). An effective control technique is to install software that is designed to detect and prevent attacks. For example, Liu et al. (Reference Liu, Dong, Ota and Liu2016b) propose a detection scheme named ActiveTrust that can effectively avoid black hole attacks, which can result in incoming and/or outgoing traffic being silently discarded. Furthermore, an appropriate use of technology is as important as an installation of relevant systems. Bilge et al. (Reference Bilge, Han and Dell’Amico2017) find that in general, software and files signed by rarely known vendors as well as rarely updated machines tend to have a higher probability of malware infection.

The amount of investment on technical controls is also of great substance. Cavusoglu et al. (Reference Cavusoglu, Mishra and Raghunathan2004b) use a game theoretic approach to describe the strategic investment decisions of an organization. Their results suggest that given the quality parameters of each technology and the organization-specific parameters, an organization should select the security technology that maximizes the cost saving, which is defined as the difference between the cost with the technology chosen implemented and the cost without security technology. This conclusion is in line with that of Gordon and Loeb (Reference Gordon and Loeb2002), which indicates that the optimal level of security investment is where the difference between benefit and cost is maximized. Gordon and Loeb (Reference Gordon and Loeb2002) also demonstrate that for a given threat level, the optimal investment in information security does not necessarily increase with the system’s vulnerability and the amount generally does not exceed 37% of expected loss.

Krutilla et al. (Reference Krutilla, Alexeev, Jardine and Good2021) provide a dynamic extension of the investment model formulated by Gordon and Loeb (Reference Gordon and Loeb2002), incorporating discounting and depreciation effects in the benefit–cost analysis of cyber security investment decisions over the long run. The economically efficient maximum level of cyber security capital in the dynamic setting is found to be $\frac{37\%}{r+\delta }$ , where $r$ is the discount rate and $\delta$ is the depreciation rate. On the contrary, Maillart and Sornette (Reference Maillart and Sornette2010) come up with a view that all entities are evenly vulnerable irrespective of their level of information security. They advocate the size effect, which states that the severity of a breach is largely affected by the size of the organization in question.

Risk mitigation from the suppliers’ side is considered by Böhme and Kataria (Reference Böhme and Kataria2006) and August et al. (Reference August, Dao and Kim2019). Böhme and Kataria (Reference Böhme and Kataria2006) suggest that the government should promote competition, because an increasing diversity of software products could effectively reduce both local and global correlation of cyber risk. August et al. (Reference August, Dao and Kim2019) point out that the majority of users do not update their systems in a timely manner because the deployment of system patches is not an economically optimal option for them. They argue that a potential incentive structure is for suppliers to charge for patching rights, so that consumers who elect to relinquish patching rights and have their systems automatically patched pay less than those who choose to retain the rights. Such a price differentiation may reduce the unpatched population, thereby nurturing a safer network environment.

Restraining the impact of cyber crises with technical controls should be complemented by inputs from the management and operational level. Cyber risk management in enterprises ranges from a single centralized department to an all-level framework. An organization can take a top-down or bottom-up approach to manage cyber risk, depending on whether the organization focuses on the risk management process or risk identification and quantification (Böhme et al., Reference Böhme, Laube and Riek2019). Stoneburner et al. (Reference Stoneburner, Goguen and Feringa2002) highlight the importance of technical training, risk ownership, periodic reviews, and audits in the prevention of security breaches on the management level. Controls on the operational level, such as regular data backup and physical securities, are overseen by the management level.

Organizational control in insurance companies is investigated by Egan et al. (Reference Egan, Cartagena, Mohamed, Gosrani, Grewal, Acharyya, Dee, Bajaj, Jaeger and Katz2019), who develop a framework based on the Chief Risk Office Forum cyber incident taxonomy (CRO Forum, 2016) and the National Institute of Standards and Technology framework (National Institute of Standards and Technology, 2014). The authors carry out three case studies that are representative of the current risk landscape of the industry: insider leaks at a general insurer, cyber extortion at a life insurer, and telematics device hack at a motor insurer. They determine that protective actions should be taken on information assets to prevent successful insider attacks, cyber extortion can be mitigated by installing defense and detection mechanisms, and hacking attacks could be eliminated by constant upgrading, access monitoring, and regular security testing.

Eling and Schnell (Reference Eling and Schnell2020) take a different perspective on cyber risk mitigation by considering the capital requirement regime within the applicable regulatory framework. The authors consider three regulatory capital models: Solvency II, U.S. risk-based capital standards, and Swiss Solvency Test. They find that regulatory models in general underestimate cyber risk since they do not reflect heavy tails and interdependence of the risk appropriately. All three regulatory models exhibit insufficient capital requirements to ensure solvency, particularly for small cyber insurance portfolios and high policy limits. However, the authors argue that increasing capital requirements may hinder the growth of an immature cyber insurance market rather than maintaining solvency of insurers. They therefore suggest building sufficiently large portfolios in developing markets and increasing capital requirements in developed markets.

Eling and Jung (Reference Eling and Jung2022) also examine the capital implications for firms when considering cyber risk as part of their operational risk frameworks. They analyze the cyber loss data in the financial industry documented in the SAS OpRisk database. Specifically, they fit a Tweedie model to the data and subsequently perform a regression analysis through the generalized linear model to determine the key drivers of cyber loss severity. The results show individual heterogeneity, particularly concerning firm size, interconnectivity, and legal liability level, could largely impact the capital requirement of a financial institution. As a consequence, the authors suggest firm-specific risks should be reflected in insurance prices as well as capital requirement, and a loss-distribution-based approach is better suited for achieving this goal.

4.3 Risk retention

Risks that cannot be reduced or transferred are retained by organizations. Hence, in addition to preventive measures, responsive schemes are important in containing the aftermath of a cyber crisis. Cavusoglu et al. (Reference Cavusoglu, Mishra and Raghunathan2004a) find evidence that within two days of a security breach announcement, the breached firm faces an average decrease of 2.1% in market value and an average loss of $1.65 billion in market capitalization. Similar views are held by Campbell et al. (Reference Campbell, Gordon, Loeb and Zhou2003), Spanos and Angelis (Reference Spanos and Angelis2016), Rosati et al. (Reference Rosati, Cummins, Deeney, Gogolin, van der Werff and Lynn2017) and Rosati et al. (Reference Rosati, Deeney, Cummins, Van der Werff and Lynn2019). Furthermore, Kamiya et al. (Reference Kamiya, Kang, Kim, Milidonis and Stulz2020) discover that a successful external attack could affect the entire industry if it reveals personal financial information. Their finding reinforces the indispensability of post-incident controls.

Knight and Nurse (Reference Knight and Nurse2020) construct a corporate communication framework to limit the loss arising from a data breach incident. The proposed decision making process for an organization has two stages: before crisis and after crisis. Before a data breach incident, the organization should establish the goals they aim to achieve post-breach, maintain the relevant knowledge base, involve corporate partners in the process, and ensure security basics are in place. When a crisis happens, the organization has to decide whether, what, when, and how to disclose the breach. The authors suggest that accepting responsibility rather than pointing fingers at external parties can reduce reputational damage. The organization should also cater to different demographic groups by making their announcement easy to understand. Although there exist conflicting views that suggest the market does not necessarily penalize firms victimized by cyber attacks (Hovav & D’Arcy, Reference Hovav and D’Arcy2003, Reference Hovav and D’Arcy2004), the framework provides practical guidelines on damage control.

A more comprehensive system considering preventive, supportive, and responsive measures is proposed by Onwubiko and Ouazzane (Reference Onwubiko and Ouazzane2020), who argue that there are three key elements in an effective ERM framework: incident governance command, incident sharing, escalation and reporting, and incident management. The first element involves a hierarchical structure that allocates responsibility to different management levels. In the second element, organizations are recommended to establish a sharing partnership with all sectors to ensure consistent communication. The third component is consonant with the second, emphasizing the fact that enterprise cyber risk management is a cooperative task rather than independent work.

4.4 Discussion

In this section, works pertaining to the assessment, mitigation, and retention of cyber risk have been reviewed. The surveyed works approach the topic from different viewpoints, including those of technology suppliers, organizational users, and insurance providers. Based on the review, several gaps in cyber risk management research are identified.

First, we notice a lack of works on the assessment of the spillover effect of cyber risk. A firm may face cyber threats or endure cyber losses as a result of a security breach in another organization. The risk arises from associations with external parties, which cannot be measured internally within the entity. Therefore, it is imperative to design a risk assessment framework at the industry level to provide an indicative estimation. The process will require industry cooperation that may be coordinated and overseen by authorities.

Second, the quantification of the impact of risk mitigation measures is understudied. A fundamental contribution is made by Gordon and Loeb (Reference Gordon and Loeb2002), who develop a mathematical model to measure the loss reduction resulting from technical security investments and determine the optimal level to invest. Their work is among one of the most referenced papers about cyber risk mitigation, and it continues to be adopted and enriched in recent papers (Bentley et al., Reference Bentley, Stephenson, Toscas and Zhu2020; Dou et al., Reference Dou, Tang, Wu, Qi, Xu, Zhang and Hu2020; Krutilla et al., Reference Krutilla, Alexeev, Jardine and Good2021). Testing of these quantitative models using real data, and formulating a more comprehensive framework that incorporates a broader range of security enhancement tools and risk reduction metrics, are interesting directions to follow.

Lastly, integrating cyber risk management into the existing ERM framework is a pressing issue (McShane et al., Reference McShane, Eling and Nguyen2021). The integration is complicated by the underdevelopment of reliable quantification methods for estimating the likelihood and magnitude of the risk when compared to other operational risks. More accurate measurement of cyber risk can be achieved by using prediction and modeling techniques surveyed in Sections 2 and 3. In turn, these models can benefit from the integrated risk management framework, in a way that the framework helps identify risk determinants from the management side. Additionally, the interdependence between cyber risk and other components of the ERM framework poses another challenge. For instance, credit risk could be affected in the case of a security breach, even though it is listed as a separate element (Stine et al., Reference Stine, Quinn, Witte and Gardner2020). Such interdependence should be thoroughly considered and addressed when adapting the ERM framework to incorporate cyber risk.

5.1 Status quo

Verizon (2021) reports a total of 29,207 incidents in 2020, among which 5,258 were confirmed data breaches that were mostly caused by external actors. The entertainment sector was the most targeted industry, followed by the public administration sector (Verizon, 2021). The rising number of incidents is accompanied by an expansion of the cyber insurance market. The number of cyber insurance providers increased from less than 50 in 2015 to more than 150 in 2018 (Daffron et al., Reference Daffron, Ruffle, Andrew, Copic and Quantrill2019). Munich RE (2020) envisions that the size of the global cyber insurance market will reach US$20 billion in 2025, with strong growth expected in Asia and Europe.

However, the rise in supply does not translate to a mature market. Although the insurance industry perceives the new product category as lucrative and abundant in growth opportunities, insurers and reinsurers do not strive their utmost to promote the sector due to uncertainty about their knowledge in the risk and its drivers (Lemnitzer, Reference Lemnitzer2021). According to Böhme et al. (Reference Böhme, Laube and Riek2019), the underdevelopment of the cyber insurance market is chiefly ascribed to the lack of demand and claims in the 1990s. The lack of claims is an indication of cumulative risk, also known as “cyber hurricane,” causing reinsurers to cease providing protection for cyber insurers in the early 2000s (Böhme & Schwartz, Reference Böhme and Schwartz2010).

To gain insights into the industry, Marotta et al. (Reference Marotta, Martinelli, Nanni, Orlando and Yautsiukhin2017) survey cyber insurance policies available on the market in 2017. The authors outline the approaches used by insurers and group them according to their emphases: risk/security level specification and game theoretic approaches for premium specification. They also identify the peculiarities in underwriting and claim handling processes that set cyber insurance apart from conventional insurance policy writing.

Romanosky et al. (Reference Romanosky, Ablon, Kuehn and Jones2019) perform a thematic analysis of 235 cyber insurance products that are filed with state insurance commissioners in New York, Pennsylvania, and California from 2007 to 2017. The authors compare the coverage and exclusions, risk assessment processes, and premium determination methods among the products under consideration. They find that most insurance policies are consistent in terms of coverage, but different sublimits are often applied to different coverage areas. More variations are observed in the policy exclusions. In line with the findings of Gordon et al. (Reference Gordon, Loeb and Sohail2003), most of the cyber insurance policies under consideration cover first-partyFootnote 8 and/or third-partyFootnote 9 losses arising from a firm’s cyber-related operations. The authors find that during the process of underwriting, insurance providers are mostly interested in the amount and type of data, particularly sensitive data related to debit and credit card transactions, managed by an organization; little attention is given to the technical infrastructure, the business environment, and the security budget. However, the sample may not be representative for the current condition of national and global cyber insurance markets. A lack of regulatory standards and guidelines governing capital requirements is another impediment for market growth (Eling & Schnell, Reference Eling and Schnell2020).

5.2 Pricing cyber insurance

Underwriting risk is one of the most significant risks underlying cyber insurance products for insurers (Eling & Schnell, Reference Eling and Schnell2016). To maintain solvency and profitability, an insurer should always charge adequate premiums in the first place. On the other hand, an overly high premium may not be economically effective for the insured organization (Böhme et al., Reference Böhme, Laube and Riek2019). Due to a lack of reinsurers and heavy tails of cyber losses, extant cyber insurance products tend to charge high premiums to compensate for the extreme risk, thereby discouraging entities from buying cyber insurance. To establish a balance between adequate premiums and business volume, reliable pricing methods for cyber insurance are demanded.

Böhme and Kataria (Reference Böhme and Kataria2006) model the insurer’s cost in a single period by the aggregate amount of the expected loss, sum of all administrative costs, and the interest on the safety capital required to settle all claims in the worst-case scenario considering ruin. They show by simulation the viability of cyber insurance in managing risks with high internal and low global correlation.

Herath and Herath (Reference Herath and Herath2011) propose to model the net premium for the first party loss excluding profits and expenses by the discounted value of the sum insured multiplied by the probability of a cyber incident. The discount period is the time between policy issuance and security breach, modeled by a Poisson process. In the absence of historical records on frequency of claims or annual claims paid by the insurer, the authors propose an integrated copula-based simulation algorithm to price the first-party loss.

Romanosky et al. (Reference Romanosky, Ablon, Kuehn and Jones2019) identify five main factors in insurance pricing: external sources, estimation, competitor behavior, experience, and reference to prices from other insurance lines. Out of the policies surveyed by the authors, insurers typically price their policies either on a flat rate basis or using the base rate approach. The flat rate premium can deviate across different groups of risks, whereas the base premium is calculated as a product of a firm’s annual revenue or assets and modification factors reflecting the firm’s risk level. For both approaches, the firm’s asset value or revenue seems to be the most important determinant of insurance premiums, as it can be regarded as a proxy for the firm’s size and hence risk level.

Utility-based approaches are often used in insurance pricing. Carfora et al. (Reference Carfora, Martinelli, Mercaldo and Orlando2019) estimate cyber insurance premiums using nonlife insurance pricing principles and assess the insured’s acceptable prices using the indifference principle in utility theory. In a similar vein, Böhme et al. (Reference Böhme, Laube and Riek2019) suggest that from a utility-theory perspective, with optional market insurance, a risk averse firm will choose an optimal security investment $s^*$ and a sum insured $x^*$ to maximize its expected utility. An insurer would price their policies such that the premium to charge for losses up to a limit $x$ is $\pi x$ , where $\pi =D(s^*) (1+\lambda )$ and

\begin{equation*}(s,x)_{\sigma }^*=\textrm {argmax}_{s,x} \Big ( D(s) U_{\sigma } \big (w-l-s+(1-\pi )x\big ) + \big (1-D(s)\big )U_{\sigma } (w-s-\pi x) \Big ).\end{equation*}

In the formula above, $\sigma \gt 0$ reflects the risk aversion of the firm, $U_{\sigma } (\cdot )$ is the utility function, $w$ is the firm’s initial wealth, $ D(s)$ is the defense function mapping a security investment $s$ to a probability of loss, $l$ is the monetary loss, and $\lambda$ is the loading factor. Dou et al. (Reference Dou, Tang, Wu, Qi, Xu, Zhang and Hu2020) also design an insurance pricing scheme that is based on expected utility theory.

Eling et al. (Reference Eling, Jung and Shim2022) point out that an aspect of cyber risk that traditional pricing principles do not consider is the heterogeneous relationship between the cost of cyber risk events and firm-specific factors. The authors unravel such heterogeneity through a quantile regression model, which can capture non-central locations of the cost distribution that the ordinary linear regression method cannot, on the severity data provided by Cowbell Cyber Incorporation. The dataset used contains firm-specific security information that enables identifying the effect of individual security measures on cyber costs. Compared to insurance prices computed from a Tweedie model and a two-part GLM, quantile-based pure premiums are generally larger as they embed the heterogeneous impact of firm size, industry and security level.

Lau et al. (Reference Lau, Wei, Wang, Liu and Ten2020) argue that traditional actuarial insurance principles are inadequate in dependence consideration that could expose insurers to insolvency situations. They propose a probabilistic and game-theoretic approach to calculate premium principles. A Stackelberg security game, in which the system owner as the defender moves first, and the attacker follows, is devised to obtain the optimal stochastic allocation of defense resources across target substations. The optimal defense resource allocation is used to evaluate the potential monetary loss of a cyber attack. Ultimately, cyber insurance premiums via value-at-risk or tail value-at-risk based on total loss are derived and then allocated to individual transmission companies, thus mitigating the insolvency risk.

Yang et al. (Reference Yang, Liu, Campbell, Ten, Rho, Wang and Wei2020) propose to price cyber insurance for cyber-physical power systems considering ruin of the insurer. The probability distribution of the claim size, which incorporates the expected mean time to restore power to normal steady-state conditions for each substation, of hypothesized substation outage is computed based on the cyber-reliability assessment. The ruin probability of the insurance company is formulated using the distribution of claim sizes and a lump sum premium calculated from the expectation principle, which employs a feasible loading factor identified in the ruin probability calculation.

Another premium structure that could mitigate insolvency issues is designed by Lau et al. (Reference Lau, Wang, Wei, Liu and Ten2022) for protecting power systems against cyber attacks. A stochastic epidemic network model tailored to the reliability-based load loss estimation is built to describe the risk spreading in a cyber-physical system. The reliability results are used in the estimation of the Shapley mutual insurance premium principle, which utilizes the solution of a Shapley cooperative game to guarantee a lower cost with mutual insurance than the cost without. The affordability and efficiency in restraining insolvency risk are verified in case studies.

Most policies only cover first- and third-party losses. Böhme and Schwartz (Reference Böhme and Schwartz2010) point out that not covering secondary lossesFootnote 10 could be problematic, as firms may choose not to disclose breaches if the expected secondary costs exceed the sum insured for primary losses. Bandyopadhyay and Mookerjee (Reference Bandyopadhyay and Mookerjee2019) expand the scope of cyber insurance policies to include the impact of secondary losses. They observe that a cyber event often comes with a significant damage to reputation and loss of investor confidence, but these secondary losses are often excluded from the policy coverage. The insured may choose to abstain from claim disclosure in fear of reputational loss, a behavior that is described as a hidden action problem of information asymmetry by Moore (Reference Moore2005). In this case, the operationalized deductible (the contracted deductible plus the secondary loss) is higher than the contracted deductible. The authors argue that incorporating this off-contract hidden behavior can reduce overpricing and hence improve the efficiency of a cyber insurance contract.

While the mainstream research community considers risk dependence as a major obstacle for cyber insurance, Khalili et al. (Reference Khalili, Liu and Romanosky2019) propose an alternative view. The authors suggest that the best strategy for a cyber insurer is to insure both the service provider and its customers. Rather than applying the base premium approach that is widely adopted by cyber insurers, they develop their own risk-adjusted model which contains an incentive factor. On the basis of this model, a service provider is offered a premium discount (a larger incentive factor) if it agrees to invest more in its security posture. The probability of breach decreases with the incentive factor, an outcome that directly affects all of the service provider’s customers. As a result, a cyber insurer may enjoy a greater reduction in risk if it insures both the service provider and its customers at the same time. The authors argue that their proposed approach not only increases the insurer’s profit but also enhances social welfare as a result of a safer network overall.

5.3 Challenges

Multiple concerns have been raised regarding the development of the cyber insurance industry. Gordon et al. (Reference Gordon, Loeb and Sohail2003) underline moral hazard and adverse selection faced by insurers offering cyber insurance. Böhme and Schwartz (Reference Böhme and Schwartz2010) suggest insurers’ lack of experience and insufficient historical data for competitive premium pricing hinder the development of the cyber insurance market. Biener et al. (Reference Biener, Eling and Wirfs2015) assess the insurability of cyber risk on the basis of the insurability criteria set out by Berliner (Reference Berliner1982). They identify data scarcity, risk dependence, moral hazard, adverse selection, and insufficient insurance coverage as factors that may impair the insurability of cyber risk. Marotta et al. (Reference Marotta, Martinelli, Nanni, Orlando and Yautsiukhin2017) also find that randomness of loss occurrence, information asymmetry, and coverage limits are the most significant issues hampering the development of the cyber insurance market. The dual impact of cyber risk on cyber insurers through their channels of policy underwriting and IT system operations is another handicap to overcome (Eling, Reference Eling2020). In what follows, we discuss three most recognized challenges: information asymmetry, underinvestment in self-protection, and risk dependency.

5.4 Discussion

In this subsection, works on pricing mechanisms and the cyber insurance market are reviewed. Although the subject of insurance is rooted in actuarial science, inputs from the realm of computer science are found to be substantial. There is an agreement among the referenced papers that classical premium structures based on mean and variance of losses are inapplicable to cyber risk. In the past five years, there is a growing number of publications focusing on the development of more advanced pricing principles, including utility-based models (Böhme et al., Reference Böhme, Laube and Riek2019; Carfora et al., Reference Carfora, Martinelli, Mercaldo and Orlando2019; Dou et al., Reference Dou, Tang, Wu, Qi, Xu, Zhang and Hu2020), game theoretic approaches (Lau et al., Reference Lau, Wei, Wang, Liu and Ten2020, Reference Lau, Wang, Wei, Liu and Ten2022), and premiums with an incentive factor (Khalili et al., Reference Khalili, Liu and Romanosky2019). Notwithstanding the considerable scholarly attention it has received, cyber insurance research is still in its formative stages. Despite the need for more accurate risk quantification methods, potential directions of future study on cyber insurance are discussed here.

Certainly, government intervention could play an important role in facilitating the growth of the cyber insurance market. Similar to legislative regulation of data breach notification, government oversight may be needed in data collection and data sharing in the industry. Implementing standardized protocols for information gathering in the insurance underwriting process and establishing a knowledge sharing platform for insurers could foster a more transparent and competitive cyber insurance market. Furthermore, regulatory efforts could be made to reduce moral hazard through mandating minimal standards of risk mitigation (Eling & Schnell, Reference Eling and Schnell2016). Such regulatory intervention has the potential to alleviate information asymmetry between insurers and policyholders, promoting a healthier insurance environment and more efficient market.

Additionally, the dual impact of cyber risk on insurers has not been adequately investigated (Eling, Reference Eling2020). Cyber risk insurers face cyber risk arising from not only their policyholders but also their own information systems. The dual impact of cyber risk requires a careful assessment of insurers’ security investment and capital requirement. In future research, it would be interesting to investigate how the dual impact of cyber risk may be mitigated through some sort of governmental support (e.g., provision of coverage for the cyber risk entailed in insurers’ internal systems) or reinsurance mechanisms.