Abstract
The aim of this paper is to examine more closely the application of value at risk in the cyber domain, with particular attention to its potential role in security investment valuation. Cyber risk is a fundamental component of the overall risk faced by any organization. In order to plan the size of security investments and to estimate the consequent risk reduction, managers need to quantify it. On that basis, they can decide whether to share residual risk with a third party, such as an insurance company. Recently, cyber risk management techniques have begun to include quantile-based risk measures that are widely employed in the financial domain. These build on value at risk, which in the cyber context takes the name of cyber value at risk (Cy-VaR). In this paper, the main features and challenging issues of Cy-VaR are examined. The possible use of this risk measure in supporting investment decisions in the cyber context is discussed, and new risk-based security metrics are proposed. Some simple examples are given to show their potential.
Highlights
Companies worldwide face several challenges in managing the impact of increasing interconnectivity on their business
In order to obtain a reliable estimate of cyber value at risk (Cy-VaR), account must be taken of vulnerability, assets, and the profile of potential attackers
We propose a risk-adjusted return on security investment (ROSI), called RaROSI, which takes into account worst cases
Summary
Companies worldwide face several challenges in managing the impact of increasing interconnectivity on their business. Based on the principles of VaR, and in the interest of helping organizations facing cyber security issues, the World Economic Forum’s Partnering for Cyber Resilience initiative (WEF 2012) introduced a model to measure and quantify the impact of cyber threats on business and the exposure to them. This model, which is known as cyber value-at-risk (Cy-VaR), offers a starting point to quantify risk, and tries to bring more discipline into that area, even if it needs further improvements and testing in the field (Buith and Spataru 2015).