If You Can’t Measure it You Can’t Manage it - Quantitative Analysis of Cyber Risk Prediction and Mitigation

Authors

  • Meng Sun, Simon Fraser University, BC, Canada.

DOI:

https://doi.org/10.9734/bpi/ctbef/v5/5653E

Keywords:

Cyber risk, generalized linear mixed model, Bayesian, Markov chain Monte Carlo, Metropolis-Hastings algorithm

Abstract

Cyber breach incidents increased dramatically during the COVID-19 pandemic and have kept a cyclical trend thereafter. Data breach incidents result in severe financial loss and reputational damage to businesses, governments, and healthcare and educational institutions. While cyber risk has been investigated extensively in the economic and IT system domains, it has seldom been investigated from a quantitative perspective. To fill this gap, we propose a Bayesian generalized linear mixed model to analyze a chronology of data breach incidents since 2001. Our model captures the dependency between the frequency and severity of cyber losses, and the behavior of cyber attacks on entities across time. Risk characteristics such as types of breach, types of organization, and entity locations in the chronology, as well as time trend effects, are taken into consideration when investigating breach frequencies. A statistical predictive model is generated within an actuarial mathematics framework, with flexible inputs available such as location and organization type. Predictions and implications of the proposed model for enterprise risk management and cyber insurance rate filing are discussed and illustrated. Our results show that both geographic location and business type play significant roles in measuring cyber risks. The outcomes of our predictive analytics provide numerical currency loss levels that various kinds of organizations can use to design their risk mitigation strategies.

Published

2023-04-29

How to Cite

Meng Sun. (2023). If You Can’t Measure it You Can’t Manage it - Quantitative Analysis of Cyber Risk Prediction and Mitigation. Current Topics on Business, Economics and Finance Vol. 5, 150–180. https://doi.org/10.9734/bpi/ctbef/v5/5653E