Cyber risk modeling within the SIR epidemic framework: a comparative analysis of frequency and severity methods

Abstract

This paper addresses the gap between theoretical modeling of cyber risk propagation and empirical analysis of loss characteristics by introducing a novel approach that integrates both approaches. We model the development of cyber loss counts over time using a discrete-time susceptible-infected-recovered process, linking these counts to covariates, and modeling loss severity with regression models. By incorporating temporal and covariate-dependent transition rates, we eliminate the scaling effect of population size on infection counts, revealing the true underlying dynamics. Simulations show that this susceptible-infected-recovered framework significantly improves aggregate loss prediction accuracy, providing a more effective and practical tool for actuarial assessments and risk management in the cyber risk context.

Similar Papers
  • Research Article
  • Cited by 3
  • 10.2139/ssrn.2693886
Cybersecurity & Cyber-Finance Risk Management: Strategies, Tactics, Operations, &, Intelligence: Enterprise Risk Management to Model Risk Management: Understanding Vulnerabilities, Threats, & Risk Mitigation (Presentation Slides)
  • Dec 8, 2015
  • SSRN Electronic Journal
  • Yogesh Malhotra

  • Supplementary Content
  • Cited by 42
  • 10.3389/fdata.2024.1402745
AI security and cyber risk in IoT systems
  • Oct 10, 2024
  • Frontiers in Big Data
  • Petar Radanliev + 5 more

Internet-of-Things (IoT) refers to low-memory connected devices used in various new technologies, including drones, autonomous machines, and robotics. The article aims to understand better cyber risks in low-memory devices and the challenges in IoT risk management. The article includes a critical reflection on current risk methods and their level of appropriateness for IoT. We present a dependency model tailored in context toward current challenges in data strategies and make recommendations for the cybersecurity community. The model can be used for cyber risk estimation and assessment and generic risk impact assessment. The model is developed for cyber risk insurance for new technologies (e.g., drones, robots). Still, practitioners can apply it to estimate and assess cyber risks in organizations and enterprises. Furthermore, this paper critically discusses why risk assessment and management are crucial in this domain and what open questions on IoT risk assessment and risk management remain areas for further research. The paper then presents a more holistic understanding of cyber risks in the IoT. We explain how the industry can use new risk assessment, and management approaches to deal with the challenges posed by emerging IoT cyber risks. We explain how these approaches influence policy on cyber risk and data strategy. We also present a new approach for cyber risk assessment that incorporates IoT risks through dependency modeling. The paper describes why this approach is well suited to estimate IoT risks.

  • Research Article
  • Cited by 3
  • 10.12955/cbup.v6.1163
METHODS FOR THE IDENTIFICATION OF CYBER RISKS: AN ANALYSIS BASED ON PATENT DATA
  • Sep 24, 2018
  • CBU International Conference Proceedings
  • Lyubov Klapkiv + 1 more

The problem of fast-rising cyber-risks has become very important in the era of the Fourth Industrial Revolution. Cyber-risks cause not only high losses but also break the chain of economic relations between companies and their customers. Besides, cyber risks change their form and structure rapidly, so the tools of risk management must be adequate. That is why the problem of cyber-risk identification and assessment has gotten attention and become so topical. The purpose of this study is to outline new approaches to identifying and estimating cyber-risks based on the data of the World Intellectual Property Organization (WIPO). In order to conduct our study, we will use various tools and techniques such as citation analysis, cluster analysis, and visualization. We have analyzed the patent information from the groups of “Electric digital data processing”, “Transmission of digital information” and data processing systems or methods specially adapted for financial purposes. In our findings, we analyze the technical and economic significance of patents. Our work has led us to conclude that the number of methods of cyber risk identification that were the objects of applications granted by WIPO has a strong connection with the number of cyber-attacks from 2010 to 2017. That is why the innovative methods that were granted have a wide spectrum of influence and could be used in different stages of risk management. We selected patents that are based on cyber risk identification and assessment from the data of WIPO and divided these patents into clusters. This helps us in understanding the trends and characteristics of innovative activities directed to the successful management of cyber risks.

  • Research Article
  • Cited by 17
  • 10.1017/s1357321718000284
Cyber operational risk scenarios for insurance companies
  • Jan 1, 2019
  • British Actuarial Journal
  • R Egan + 15 more

Cyber Operational Risk: Cyber risk is routinely cited as one of the most important sources of operational risks facing organisations today, in various publications and surveys. Further, in recent years, cyber risk has entered the public conscience through highly publicised events involving affected UK organisations such as TalkTalk, Morrisons and the NHS. Regulators and legislators are increasing their focus on this topic, with General Data Protection Regulation (“GDPR”) a notable example of this. Risk actuaries and other risk management professionals at insurance companies therefore need to have a robust assessment of the potential losses stemming from cyber risk that their organisations may face. They should be able to do this as part of an overall risk management framework and be able to demonstrate this to stakeholders such as regulators and shareholders. Given that cyber risks are still very much new territory for insurers and there is no commonly accepted practice, this paper describes a proposed framework in which to perform such an assessment. As part of this, we leverage two existing frameworks – the Chief Risk Officer (“CRO”) Forum cyber incident taxonomy, and the National Institute of Standards and Technology (“NIST”) framework – to describe the taxonomy of a cyber incident, and the relevant cyber security and risk mitigation items for the incident in question, respectively.

Summary of Results: Three detailed scenarios have been investigated by the working party:
  • Employee leaks data at a general (non-life) insurer: Internal attack through social engineering, causing large compensation costs and regulatory fines, driving a 1 in 200 loss of £210.5m (c. 2% of annual revenue).
  • Cyber extortion at a life insurer: External attack through social engineering, causing large business interruption and reputational damage, driving a 1 in 200 loss of £179.5m (c. 6% of annual revenue).
  • Motor insurer telematics device hack: External attack through software vulnerabilities, causing large remediation / device replacement costs, driving a 1 in 200 loss of £70.0m (c. 18% of annual revenue).

Limitations: The following sets out key limitations of the work set out in this paper:
  • While the presented scenarios are deemed material at this point in time, the threat landscape moves fast and could render specific narratives and calibrations obsolete within a short time frame.
  • There is a lack of historical data to base certain scenarios on and therefore a high level of subjectivity is used to calibrate them.
  • No attempt has been made to make an allowance for seasonality of renewals (a cyber event coinciding with peak renewal season could exacerbate cost impacts).
  • No consideration has been given to the impact of the event on the share price of the company.
  • Correlation with other risk types has not been explicitly considered.

Conclusions: Cyber risk is a very real threat and should not be ignored or treated lightly in operational risk frameworks, as it has the potential to threaten the ongoing viability of an organisation. Risk managers and capital actuaries should be aware of the various sources of cyber risk and the potential impacts to ensure that the business is sufficiently prepared for such an event. When it comes to quantifying the impact of cyber risk on the operations of an insurer there are significant challenges, not least that the threat landscape is ever changing and there is a lack of historical experience to base assumptions off. Given this uncertainty, this paper sets out a framework upon which readers can bring consistency to the way scenarios are developed over time. It provides a common taxonomy to ensure that key aspects of cyber risk are considered and sets out examples of how to implement the framework. It is critical that insurers endeavour to understand cyber risk better and look to refine assumptions over time as new information is received. In addition to ensuring that sufficient capital is being held for key operational risks, the investment in understanding cyber risk now will help to educate senior management and could have benefits through influencing internal cyber security capabilities.

  • Research Article
  • Cited by 2
  • 10.3280/fr2023-001004
Managing cyber risk in the financial sector: Insights from a case study
  • Jul 1, 2023
  • FINANCIAL REPORTING
  • Chiara Crovini + 1 more

Purpose: This article focuses on cyber risk as an emerging issue within the risk management process and the internal control system in the financial sector. It investigates whether cyber risk management (CRM) is (dis)integrated into traditional enterprise risk management (ERM) and analyzes the external dynamics affecting the CRM design.

Design/methodology/approach: This article draws upon institutional theory and the concept of boundary objects. The research examines a listed Italian bank and gathers the data from semi-structured interviews, direct observations, meetings, and archival sources.

Findings: The findings underline that cyber risk rationale plays a crucial role in the CRM process. The interplay between institutional complexity and the need to manage cyber risk is critical for a bank to have a stable and flexible infrastructure. The knowledge boundaries related to the cyber risk culture require further cyber risk talk.

Originality/value: This research furthers the understanding of cyber risk and CRM as an integral part of the ERM and internal control systems in the financial sector, in which there is a shortage of case studies. The financial sector is highly regulated, and managing cyber risk has become crucial as banks usually deal with enormous amounts of personal and sensitive data stored on networks and in the cloud.

Practical implications: This case study emphasizes the crucial role of CRM in the identification and reporting of cyber risk information in annual reports.

  • Research Article
  • Cited by 4
  • 10.1109/access.2023.3272572
The Price Tag of Cyber Risk: A Signal-Processing Approach
  • Jan 1, 2023
  • IEEE Access
  • Yuying Li + 1 more

The cyber risk insurance market is rapidly developing in consideration of the potentially huge losses attributed to cyberattacks. This requires the insurance business to have a valuation and risk management framework that will enable cyber insurance policy issuers to fulfil their future obligations. We present such a framework for cyber risk modelling, wherein the cyberattacks’ occurrences as well as their inter-arrival and duration are captured by a regime-switching Markov model (RSMM). In this customised RSMM, the transition probabilities of the Markov chain are governed by another hidden Markov chain representing the various states of the cyber security environment. A self-calibrating mechanism is provided via filtering and a cyber kill chain is built based on the stages of the cyberattack. With the aid of change of reference probability measures and the EM algorithm, the estimators for the transition matrix are derived. Our main point of interest is the random losses from cyberattacks, which are assumed to follow a doubly-truncated Pareto distribution. The Vasiček model is utilised to describe the interest rate process for the discounting of losses. The premium for a cyber security insurance contract is calculated with the use of a simulated data set based on two pricing principles. Our methodology featuring dynamic parameter estimation and flexible adjustments in modelling various risk factors widens the available tools for pricing and cyber risk management.

  • Preprint Article
  • 10.52843/cassyni.1yn8hp
Cyber Risk in Connected Systems: Insights from Modeling and Behavior
  • Sep 30, 2025
  • Martin Eling + 3 more

This seminar series is jointly organized by [***World Salon***](https://www.world-salon.com/) and [***Risk Science***](https://www.keaipublishing.com/en/journals/risk-sciences/).

Prof. Dr. Martin Eling is Full Professor of Insurance Economics and holds the Chair for Insurance Management at the University of St. Gallen, where he also serves as Director of the Institute of Insurance Economics. His empirical research spans insurance management, mathematics, and economics, focusing in recent years on cyber risk, risk measurement, regulation, digitalization, and systemic vulnerabilities in financial and insurance markets. He earned his doctorate in 2005 at the University of Münster and has held appointments in Ulm and as a visiting professor in the USA, among others. Prof. Eling is a prolific author, advisor, and speaker, widely recognized for his work on the insurability of emerging risks, regulatory frameworks like Solvency II, and the quantitative modeling of risk in interconnected systems.

Dr. Petar Jevtic is an Associate Professor in the School of Mathematical and Statistical Sciences at Arizona State University, with affiliations in the Center for Biodiversity Outcomes. He holds a Ph.D. in Economics with specialization in Applied Mathematics and Statistics from the University of Turin, along with degrees in Economics and Computer Science and Engineering from Belgrade. His research spans longevity risk, property casualty insurance, cyber risk, smart contract and autonomous systems risk, and climate‑induced risk. He has published in leading journals, holds patents in cyber risk modeling and pricing, and his work is supported by grants from bodies such as the NSF, DHS, and Society of Actuaries.

Amir Ansari is Chief Technology Advisor at Lenovo, where he leads advanced services strategy across EMEA, focusing on AI, Big Data, and cloud-driven transformations for enterprise and public sector clients. With deep expertise in architecting secure, data-centric solutions, Amir has spearheaded initiatives across Smart Cities, Defense, Healthcare, and Education—deploying edge and hybrid cloud strategies that reduce data latency, enforce local data residency, and integrate cybersecurity frameworks such as ISO 27001, NIST, and GDPR. As a trusted advisor to CxOs, Amir has guided organizations in navigating the intersection of innovation and risk, embedding security and compliance into AI, IoT, and edge ecosystems while enabling operational efficiency gains of up to 40%. He is passionate about helping organizations address the rising cyber risks in connected systems by designing resilient architectures that balance agility, compliance, and digital trust.

Dr. Yevgeniy Vorobeychik joined Washington University in St. Louis in 2018. He was an assistant professor of computer science and biomedical informatics at Vanderbilt University from 2013 until 2018, and a principal research scientist at Sandia National Laboratories from 2010 until 2013. Between 2008 and 2010 he was a post-doctoral research associate at the University of Pennsylvania Computer and Information Science department. He received a PhD and MSE in Computer Science and Engineering from the University of Michigan and a BS degree in Computer Engineering from Northwestern University. Professor Vorobeychik received an NSF CAREER award in 2017 and was invited to give an IJCAI-16 early career spotlight talk. He was nominated for the 2008 ACM Doctoral Dissertation Award and received honorable mention for the 2008 IFAAMAS Distinguished Dissertation Award.

Dr. Linfeng Zhang is an Assistant Professor in the Department of Mathematics at The Ohio State University, specializing in actuarial science and risk analytics. He earned his Ph.D. in Mathematics from the University of Illinois at Urbana–Champaign and is an Associate of the Society of Actuaries. Before joining Ohio State, he served as a Visiting Assistant Professor of Actuarial Science at Drake University and gained industry-oriented research experience at the Critical Infrastructure Resilience Institute, focusing on cyber risk and cyber insurance. His research explores cyber risk, pandemic risk, and privacy risk, with publications in leading journals such as The Geneva Papers on Risk and Insurance, IEEE Transactions on Emerging Topics in Computing, and the Connecticut Insurance Law Journal. He has led and contributed to projects funded by the Society of Actuaries, Fundación MAPFRE, and Cisco, and continues to advance interdisciplinary approaches to risk management and actuarial science.

  • Conference Article
  • Cited by 1
  • 10.53486/escst2023.17
Cybersecurity risk
  • Mar 1, 2024
  • Serghei Ohrimenco + 1 more

This paper presents the multifaceted field of cyber risks, their structure and composition, exploring the challenges posed by the rapid evolution of digital technologies. It highlights the prevalence of cyber risks as a set of activities performed in various sectors of human life, revealing the vulnerabilities faced by individual and collective users, commercial organisations, governments and individuals in today's hyper-connected landscape. The paper emphasises the importance of robust risk management strategies, highlighting the dynamic and persistent nature of cyber threats. A host of relevant international standards, frameworks and cyber risk management techniques to mitigate potential losses are reviewed. Approaches to defining the category of cyber risk are analysed. Daily attack techniques are reviewed. Risk analysis based on a set of reports from leading computer firms has been carried out. The structure of cyber security threats affecting the level of risk is determined. Despite the existing scientific and practical achievements in the field of cyber security, the ever-changing tactics of cyber criminals require constant adaptation of organisational and technical actions and the adoption of a set of proactive measures. Cyber risk management strategies are discussed, which include the selection of possible approaches, taking into account factors such as the level of cyber maturity, available resources, required skills and experience in cyber risk management. The article identifies the most prominent risk management tools, suggests some risk management strategies and advocates a comprehensive approach to cyber security that recognises the inevitability of cyber attacks and the need to build resilience in the face of emerging threats.

  • Research Article
  • Cited by 21
  • 10.1108/bpmj-03-2019-0102
Enterprise risk management and bow ties: going beyond patient safety
  • Aug 1, 2019
  • Business Process Management Journal
  • Hossam Elamir

Purpose: The growing importance of risk management programmes and practices in different industries has given rise to a new risk management approach, i.e. enterprise risk management. The purpose of this paper is to better understand the necessity, benefit, approaches and methodologies of managing risks in healthcare. It compares and contrasts between the traditional and enterprise risk management approaches within the healthcare context. In addition, it introduces bow tie methodology, a prospective risk assessment tool proposed by the American Society for Healthcare Risk Management as a visual risk management tool used in enterprise risk management.

Design/methodology/approach: This is a critical review of published literature on the topics of governance, patient safety, risk management, enterprise risk management and bow tie, which aims to draw a link between them and find the benefits behind their adoption.

Findings: Enterprise risk management is a generic holistic approach that extends the benefits of risk management programme beyond the traditional insurable hazards and/or losses. In addition, the bow tie methodology is a barrier-based risk analysis and management tool used in enterprise risk management for critical events related to the relevant day-to-day operations. It is a visual risk assessment tool which is used in many higher reliability industries. Nevertheless, enterprise risk management and bow ties are reported with limited use in healthcare.

Originality/value: The paper suggests the applicability and usefulness of enterprise risk management to healthcare, and proposes the bow tie methodology as a proactive barrier-based risk management tool valid for enterprise risk management implementation in healthcare.

  • Research Article
  • Cited by 14
  • 10.1109/tifs.2020.3045902
A Cyber-Insurance Scheme for Water Distribution Systems Considering Malicious Cyberattacks
  • Dec 24, 2020
  • IEEE Transactions on Information Forensics and Security
  • Yunfan Zhang + 3 more

As one of the national critical infrastructures, the water distribution system supports our daily life and economic growth, the failure of which may lead to catastrophic results. Besides the uncertainty from the system component failures, cyberattacks are vital to the secure system operation and have great impacts on the reliability of the water supply service. Malicious attackers may intrude into the supervisory control and data acquisition (SCADA) system of pump stations in the water distribution networks and interrupt the water supply to the customers. Cyber insurance is emerging as a promising financial tool in system risk management. In this paper, cyber insurance is proposed for the cyber risk management of the water distribution system. A semi-Markov process (SMP) model is devised to model the cyberattacks against pump stations in the water distribution system. Both the impacts of the independent cyber risks in the individual distribution network and the correlated cyber risks shared across different water distribution networks are evaluated and modeled. A sequential Monte Carlo Simulation (MCS) based algorithm is developed to evaluate the system loss. Cyber insurance premiums for the water distribution networks are designed based on the actuarial principles and potential system losses. Case studies are also performed on multiple representative water distribution networks, and the results demonstrate the validity of the proposed cyber insurance model.

  • Preprint Article
  • 10.52843/cassyni.wfnyj2
Overview of Climate Risk Modeling in Insurance
  • Jan 16, 2025

#### Research Insights: Kwangmin Jung

***[Risk Sciences](https://www.keaipublishing.com/en/journals/risk-sciences/)*** aims to foster diverse, multidisciplinary insights in risk sciences, bridging theory and practice through a series of academic activities. This talk is part of the "Research Insights" track of this series, presenting cutting-edge findings and methodologies, offering valuable perspectives to researchers and practitioners alike.

Kwangmin Jung, Ph.D., is an Associate Professor at the Department of Industrial and Management Engineering, Pohang University of Science and Technology (POSTECH) in South Korea. He received his doctoral degree in Finance (with a focus on risk management and insurance) at the University of St. Gallen, Switzerland. His research explores the intersection of actuarial science, risk management and insurance, particularly studying data science and information technology in insurance, emerging risk analysis (e.g., cyber risk, climate change risk) and extreme risk modeling. This speech record is from Kwangmin's keynote speech for the [Risk Sciences Colloquium – International Seminar on Climate Risks](https://www.keaipublishing.com/en/journals/risk-sciences/event/risk-sciences-colloquium-international-seminar-on-climate-risks/), to be held on January 16, 2025, in Seoul, South Korea.

  • Research Article
  • Cited by 5
  • 10.2139/ssrn.2553547
Stress Testing for Cyber Risks: Cyber Risk Insurance Modeling beyond Value-at-Risk (VaR): Risk, Uncertainty, and, Profit for the Cyber Era
  • Jan 23, 2015
  • SSRN Electronic Journal
  • Yogesh Malhotra

  • Research Article
  • Cited by 16
  • 10.2139/ssrn.3426030
Managing Cyber Risk in Supply Chains: A Review and Research Agenda
  • Dec 12, 2019
  • SSRN Electronic Journal
  • Abhijeet Ghadge + 3 more

  • Research Article
  • Cited by 181
  • 10.1108/scm-10-2018-0357
Managing cyber risk in supply chains: a review and research agenda
  • Nov 17, 2019
  • Supply Chain Management: An International Journal
  • Abhijeet Ghadge + 3 more

Purpose: In spite of growing research interest in cyber security, inter-firm based cyber risk studies are rare. Therefore, this study aims to investigate cyber risk management in supply chain contexts.

Design/methodology/approach: Adapting a systematic literature review process, papers from interdisciplinary areas published between 1990 and 2017 were selected. Different typologies, developed for conducting descriptive and thematic analysis, were established using data mining techniques to conduct a comprehensive, replicable and transparent review.

Findings: The review identifies multiple future research directions for cyber security/resilience in supply chains. A conceptual model is developed, which indicates a strong link between information technology, organisational and supply chain security systems. The human/behavioural elements within cyber security risk are found to be critical; however, behavioural risks have attracted less attention because of a perceived bias towards technical (data, application and network) risks. There is a need for raising risk awareness, standardised policies, collaborative strategies and empirical models for creating supply chain cyber-resilience.

Research limitations/implications: Different types of cyber risks and their points of penetration, propagation levels, consequences and mitigation measures are identified. The conceptual model developed in this study drives an agenda for future research on supply chain cyber security/resilience.

Practical implications: A multi-perspective, systematic study provides a holistic guide for practitioners in understanding cyber-physical systems. The cyber risk challenges and the mitigation strategies identified support supply chain managers in making informed decisions.

Originality/value: To the best of the authors’ knowledge, this is the first systematic literature review on managing cyber risks in supply chains. The review defines supply chain cyber risk and develops a conceptual model for supply chain cyber security systems and an agenda for future studies.

  • Research Article
  • Cited by 4
  • 10.24144/2788-6018.2023.06.122
Actualization of cyber resilience and historical origins of the concept of "resilience"
  • Dec 27, 2023
  • Analytical and Comparative Jurisprudence
  • O Korystyn + 1 more

In this article, cyber resilience is defined as the ability to withstand external shocks caused by cyber risks, recover from them, and adapt to them. The importance of building a cyber resilience system in modern conditions is emphasized and examples of emergency situations of cyberattacks are given. The need to ensure cyber resilience at facilities and institutions is considered, different types of threats aimed at different systems, as well as the consequences of their negative impact are highlighted. It is noted that resilience and risk management, although interrelated, are still different. Risk management involves quantitative risk assessment, which forms a decision on the most appropriate strategy for responding to them. Resilience is important when risk is incalculable, when hazardous conditions are a complete surprise, or when analytical risk parameters have proven ineffective. It is emphasized that at a fundamental level, there are certain disagreements about the true meaning of resilience: for some, it implies the ability of a system to withstand a shock and return to its initial state, while for others it is an evolutionary process leading to adaptation and a new state of balance. Resilience has a long and rich history in various fields of scientific knowledge, including ecology, psychology, and disaster management. One of its main advantages is that it allows complex systems to prepare for adverse events and continue to operate under extraordinary conditions. It is concluded that the “prevent and protect” paradigm, which is still dominant today, is insufficient, and that risk management tools need to be developed in the direction of cyber resilience.
