Introducing cybernomics: A unifying economic framework for measuring cyber risk

Abstract

This is the first in a series of papers on the risk measures and unifying economic framework encompassing the cross-disciplinary field of “Cybernomics”. This is also the first academic paper to formally propose measurement units for cyber risk. In this paper, multidisciplinary methodologies are used to apply proven risk measurement methods in finance and medicine to define novel risk units central to cybernomics. Leveraging established risk units – MicroMort (MM) for measuring medical risk and Value-at-Risk (VaR) for measuring market risk – BitMort (BM) and hekla (named after an Icelandic volcano) are defined as cyber risk units. Risk calculation methods and examples are introduced in this paper to measure cost-effectiveness of control factors, articulate an entity's “willingness-to-pay” (risk pricing) for cyber risk reduction, cyber risk limit, and cyber risk appetite. Built around BM and hekla, cybernomics integrates cyber risk management and economics to study the requirements of a databank in order to improve risk analytics solutions for: 1) the valuation of digital assets; 2) the measurement of risk exposure of digital assets; and 3) the capital optimization for managing residual cyber risk. Establishing adequate, holistic and statistically robust data points on the entity, portfolio and global levels for the development of a cybernomics databank are essential for the resilience of our shared digital future. This paper explains the need to establish data schemes such as International Digital Asset Classification (IDAC) and International Classification of Cyber Incidents (ICCI).