Cyber Risk Taxonomies: Statistical Analysis of Cybersecurity Risk Classifications

Matteo Malavasi, Gareth W. Peters, Stefan Treuck, Pavel V. Shevchenko, Jiwook Jang, Georgy Sofronov

TL;DR

It is suggested that cyber risk types provide limited forecasting ability concerning cyber event severity distribution, and cyber insurance ratemakers should utilize cyber risk types only when modeling the cyber event frequency distribution.

Abstract

Cyber risk classifications are widely used in the modeling of cyber event distributions, yet their effectiveness in out-of-sample forecasting performance remains underexplored. In this paper, we analyse the most commonly used classifications and argue in favour of switching the attention from goodness-of-fit and in-sample predictive performance to focusing on the out-of-sample forecasting performance. We use a rolling window analysis to compare cyber risk distribution forecasts via threshold-weighted scoring functions. Our results indicate that business-motivated cyber risk classifications appear to be too restrictive and not flexible enough to capture the heterogeneity of cyber risk events. We investigate how dynamic and impact-based cyber risk classifiers seem to be better suited to forecasting future cyber risk losses than the other considered classifications. These findings suggest that cyber risk types provide limited forecasting ability concerning the cyber event severity distribution, and cyber insurance ratemakers should utilize cyber risk types only when modeling the cyber event frequency distribution. Our study offers valuable insights for decision-makers and policymakers alike, contributing to the advancement of scientific knowledge in the field of cyber risk management.
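As an added illustration (not code from the paper), the threshold-weighted CRPS used to score distributional loss forecasts, with the indicator weight w(z) = 1{z >= t} and a rolling-window empirical forecast built either from all past losses ("None") or only from past losses of the same assumed risk-type label; the loss data and labels are constructed.

```python
"""Threshold-weighted CRPS (twCRPS) for rolling-window loss forecasts.

Added example, not the paper's code. Assumes the indicator weighting
w(z) = 1{z >= t}, so only the loss tail above t contributes to the score,
and an empirical forecast made of the previous `window` observed losses.
"""
from statistics import mean
from typing import List, Optional, Sequence


def crps_ensemble(xs: Sequence[float], y: float) -> float:
    """Exact CRPS of the empirical distribution of xs at observation y,
    using the energy form E|X - y| - 0.5 * E|X - X'|."""
    m = len(xs)
    term1 = sum(abs(x - y) for x in xs) / m
    term2 = sum(abs(a - b) for a in xs for b in xs) / (2 * m * m)
    return term1 - term2


def tw_crps(xs: Sequence[float], y: float, t: float) -> float:
    """twCRPS = integral over z >= t of (F(z) - 1{y <= z})^2 dz.
    With w(z) = 1{z >= t} this equals the CRPS of max(X, t) at max(y, t),
    so the tail-only score is exact for an ensemble forecast."""
    return crps_ensemble([max(x, t) for x in xs], max(y, t))


def rolling_scores(losses: Sequence[float], types: Optional[Sequence[str]],
                   window: int, t: float, use_types: bool) -> List[float]:
    """Out-of-sample twCRPS per event: the forecast for loss i is the
    empirical distribution of the last `window` earlier losses, restricted
    to the same risk type when use_types is set. Events with no history
    of their type are skipped rather than scored against an empty forecast."""
    scores = []
    for i in range(window, len(losses)):
        past = [losses[j] for j in range(i)
                if not use_types or types[j] == types[i]]
        hist = past[-window:]
        if hist:
            scores.append(tw_crps(hist, losses[i], t))
    return scores


if __name__ == "__main__":
    # Constructed toy history: type "B" events are rarer but far larger.
    losses = [1.0, 2.0, 3.0, 10.0, 2.0, 3.0, 1.0, 12.0]
    types = ["A", "A", "A", "B", "A", "A", "A", "B"]
    pooled = rolling_scores(losses, None, window=3, t=2.5, use_types=False)
    by_type = rolling_scores(losses, types, window=3, t=2.5, use_types=True)
    print("mean twCRPS, pooled (None):", mean(pooled))
    print("mean twCRPS, by risk type :", mean(by_type))
```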

Paper Structure

This paper contains 15 sections, 18 equations, 8 figures, 24 tables.

Figures (8)

  • Figure 1: This figure shows the yearly averages of rCRPS for the different classifications for four different weighting functions on the log-scale. The Random and None classifications are included for comparison. No clear winner among the considered classifications can be identified, and often the None and Random classifications yield better distributional forecasts for future losses from cyber events in comparison to the commonly used classifications. FS and TY refer to the Frequency & Severity and Type & Importance classification, respectively.
  • Figure 2: This figure shows the yearly averages of rES for the different classifications for four different weighting functions on the log-scale. The Random and None classifications are included for comparison. No clear winner among the considered classifications can be identified, and often the None and Random classifications yield better results in forecasting the severity distribution of future cyber events than commonly used classifications.
  • Figure 3: This figure shows the test statistics corresponding to rCRPS for different classifications, under different weighting schemes. The trimmed quantiles are 50%, 60%, 70%, 80%, and 90%. For completeness, the test statistic corresponding to the full sample is included as well. The red dashed line corresponds to the critical values for the one-sided test at the 5% level of significance.
  • Figure 4: This figure shows the test statistics corresponding to rES for different classifications, under different weighting schemes. The trimmed quantiles are 50%, 60%, 70%, 80%, and 90%. For completeness, the test statistic corresponding to the full sample is included as well. The red dashed line corresponds to the critical values for the one-sided test at the 5% level of significance.
  • Figure 5: This figure shows the test statistics corresponding to rCRPS for different classifications, under different weighting schemes in the in-sample period. The trimmed quantiles are 50%, 60%, 70%, 80%, and 90%. For completeness, the test statistic corresponding to the full sample is included as well. The red dashed line corresponds to the critical values for the one-sided test at the 5% level of significance.
  • ...and 3 more figures