Abstract

The increasing value of data held in enterprises makes it an attractive target for attackers. The increasing likelihood and impact of a cyber attack have highlighted the importance of effective cyber risk estimation. We propose two methods for modelling Value-at-Risk (VaR) which can be used for any time-series data. The first approach is based on Quantile Autoregression (QAR), which can estimate VaR for different quantiles, i.e. confidence levels. The second method, which we term Competitive Quantile Autoregression (CQAR), dynamically re-estimates cyber risk as soon as new data becomes available. This method provides a theoretical guarantee that it asymptotically performs as well as any QAR at any time point in the future. We show that these methods can predict the size and inter-arrival time of cyber hacking breaches by running coverage tests. The proposed approaches allow a separate stochastic process to be modelled for each significance level and therefore provide more flexibility compared to previously proposed techniques. We provide fully reproducible code used for conducting the experiments.
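To make the QAR idea concrete, the following added example (not the paper's code) fits a first-order quantile autoregression to a series of breach inter-arrival times by minimising the pinball loss, then checks in-sample coverage at each quantile level. The series is constructed, the function names are hypothetical, the exhaustive pairwise search is this example's choice of fitting method, and CQAR is not implemented here.

```python
import random

def pinball(u, tau):
    """Quantile (pinball) loss of residual u at level tau."""
    return u * tau if u >= 0 else u * (tau - 1.0)

def fit_qar1(series, tau):
    """Exact QAR(1) fit: q_tau(y_t | y_{t-1}) = a + b * y_{t-1}.

    The pinball-loss minimiser is a linear-programme vertex, i.e. a line
    through two observed (y_{t-1}, y_t) points, so every pair is tried.
    """
    pts = list(zip(series[:-1], series[1:]))
    best = None
    for i, (x1, y1) in enumerate(pts):
        for x2, y2 in pts[i + 1:]:
            if x1 == x2:
                continue  # a vertical line is not a valid regression fit
            b = (y2 - y1) / (x2 - x1)
            a = y1 - b * x1
            loss = sum(pinball(y - a - b * x, tau) for x, y in pts)
            if best is None or loss < best[0]:
                best = (loss, a, b)
    return best[1], best[2]

def coverage(series, a, b, tol=1e-9):
    """Share of observations at or below the fitted VaR line (target: tau)."""
    pts = list(zip(series[:-1], series[1:]))
    return sum(y <= a + b * x + tol for x, y in pts) / len(pts)

def constructed_gaps(n=80, seed=7):
    """Constructed sample: days between breaches, with mild persistence."""
    rng = random.Random(seed)
    gaps = [5.0]
    for _ in range(n - 1):
        gaps.append(1.0 + 0.4 * gaps[-1] + rng.expovariate(0.25))
    return gaps

if __name__ == "__main__":
    gaps = constructed_gaps()
    for tau in (0.5, 0.9, 0.95):
        a, b = fit_qar1(gaps, tau)  # separate (a, b) per quantile level
        var_next = a + b * gaps[-1]
        print(f"tau={tau}: a={a:.2f} b={b:.2f} VaR(next gap)={var_next:.2f} "
              f"in-sample coverage={coverage(gaps, a, b):.3f}")
```

Each quantile level gets its own intercept and slope, which is the sense in which every significance level is modelled by a separate process.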

Highlights

  • The prevalence and impact of cyber attacks on organisations are increasing at an alarming rate

  • We suggest that each quantile of inter-arrival times and sizes of cyber incidents can be modelled with separate stochastic processes

  • Though we do not investigate the relationship between inter-arrival times and sizes of breaches, we argue that the proposed methods are more flexible in comparison to previous research as they make fewer assumptions on the nature of the data, since each quantile of breach size or inter-arrival time can be modelled with a separate stochastic process


Summary

Introduction

The prevalence and impact of cyber attacks on organisations are increasing at an alarming rate. Kaplan and Garrick (1981) define risk to be a set of triplets, which consist of a risk scenario description, the probability of that scenario, and the consequence or evaluation measure of that scenario, i.e., a measure of damage. Another definition of risk is provided by Holton (2004), in which the risk comprises two components: uncertainty and exposure. FAIR is defined as “a standard Value-at-Risk model for information and operational risk that helps information risk, cyber security and business executives measure, manage, and communicate on information risk in a language that the business understands, dollars and cents” (Jones and Tivnan 2018). We propose a new methodology of estimation of VaR for cyber events
