Abstract

In this article, we comment on the drawbacks of the existing AI-based Bayesian network (BN) cyber-vulnerability analysis (C-VA) model proposed in Mukhopadhyay et al. (2013) to assess cyber-risk in IT firms, where this quantity is usually a joint distribution of multiple risk (random) variables (e.g., quality of antivirus, frequency of monitoring, etc.) coming from heterogeneous distribution families. As a major modeling drawback, Mukhopadhyay et al. (2013) assume that any pair of random variables in the BN are linearly correlated with each other. This simplistic assumption might not always hold true for general IT organizational environments. Thus, the use of the C-VA model in general will result in loose estimates of correlated IT risk and will subsequently affect cyber-insurance companies in framing profitable coverage policies for IT organizations. To this end, we propose methods to (1) find a closed-form expression for the maximal correlation (MC) arising between pairs of discrete random variables, whose value finds importance in getting robust estimates of copula-induced computations of organizational cyber-risk, and (2) arrive at a computationally effective mechanism to compute nonlinear correlations among pairs of discrete random variables in the correlation matrix of the CBBN model (Mukhopadhyay et al. 2013). We also prove that an empirical computation of MC using our method converges rapidly, that is, exponentially fast, to the true correlation value in the number of samples. Our proposed method contributes to a tighter estimate of IT cyber-risk under environments of low-risk data availability and will enable insurers to better assess organizational risks and subsequently underwrite profitable cyber-insurance policies.
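The gap between linear and maximal correlation that the abstract argues from, shown as an added example (not code from the paper). It relies on the standard result that, for discrete variables, the maximal correlation equals the second-largest singular value of the matrix P(x,y)/sqrt(P(x)P(y)), which may differ from the paper's own closed form; the joint tables and level codings are constructed.

```python
import math

def marginals(joint):
    """Row and column sums of a joint probability table P[x][y]."""
    return [sum(r) for r in joint], [sum(c) for c in zip(*joint)]

def pearson(joint, xs, ys):
    """Linear (Pearson) correlation for numeric codings xs, ys of the levels."""
    px, py = marginals(joint)
    mx = sum(p * x for p, x in zip(px, xs))
    my = sum(p * y for p, y in zip(py, ys))
    cov = sum(joint[i][j] * (xs[i] - mx) * (ys[j] - my)
              for i in range(len(xs)) for j in range(len(ys)))
    sx = math.sqrt(sum(p * (x - mx) ** 2 for p, x in zip(px, xs)))
    sy = math.sqrt(sum(p * (y - my) ** 2 for p, y in zip(py, ys)))
    return cov / (sx * sy)

def maximal_correlation(joint, iters=200):
    """Second-largest singular value of Q = P(x,y)/sqrt(P(x)P(y)).
    Assumes every marginal probability is > 0."""
    px, py = marginals(joint)
    n, m = len(px), len(py)
    # Deflate the trivial singular pair (sqrt(px), sqrt(py)), whose value is 1.
    B = [[joint[i][j] / math.sqrt(px[i] * py[j]) - math.sqrt(px[i] * py[j])
          for j in range(m)] for i in range(n)]
    v = [1.0 + 0.1 * j for j in range(m)]          # arbitrary start vector
    for _ in range(iters):                          # power iteration on B^T B
        u = [sum(B[i][j] * v[j] for j in range(m)) for i in range(n)]
        w = [sum(B[i][j] * u[i] for i in range(n)) for j in range(m)]
        norm = math.sqrt(sum(c * c for c in w))
        if norm < 1e-15:                            # B^T B v vanished (B is zero
            return 0.0                              # for independent variables)
        v = [c / norm for c in w]
    u = [sum(B[i][j] * v[j] for j in range(m)) for i in range(n)]
    return math.sqrt(sum(c * c for c in u))

# Constructed joint tables (not data from the paper).
# X in {-1, 0, 1} uniform, Y = X**2: fully dependent, yet linearly uncorrelated.
NONLINEAR = [[0, 1/3], [1/3, 0], [0, 1/3]]
# Two binary risk factors with a linear association.
LINEAR = [[0.4, 0.1], [0.1, 0.4]]

if __name__ == "__main__":
    print(pearson(NONLINEAR, [-1, 0, 1], [0, 1]), maximal_correlation(NONLINEAR))
    print(pearson(LINEAR, [0, 1], [0, 1]), maximal_correlation(LINEAR))
```

For the binary pair the two measures agree; for the Y = X² pair the linear coefficient reports no relationship while the maximal correlation reports complete dependence, which is the case a linear-only correlation matrix would underestimate.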
