Abstract

Quantitative modeling of cyber risk for cyber insurance modeling is at a nascent stage characterized by sparse empirical research and sparse reliable data. Our current investigation reveals that VaR, short for Value-at-Risk (Jorion, 2006), is the current predominant model of choice for cyber insurance modeling. Model risk related to VaR was a key factor in the Global Financial Crisis given its known limitations in modeling tail risks and systemic risks (Haldane & Nelson, 2012; Malhotra, 2012, 2014). As a result, the US Federal Reserve and OCC issued model risk compliance guidance for US financial institutions (US Fed & OCC, 2011). The Basel Committee of worldwide central bank supervisors stopped relying on VaR for risk modeling (BCBS, 2013). Given the history of model risks associated with VaR, we investigate whether the current reliance of cyber insurance modeling on VaR entails model risk. We develop qualitative frameworks to benchmark relative levels of tail risks and systemic risks associated with cyber risk vis-a-vis financial risks typically modeled with VaR. Our analysis reveals that cyber risk entails exponentially higher tail risks and systemic risks, thus making VaR unfit for reliance as the primary risk model for cyber insurance modeling. We develop specific frameworks of model risk management (Derman, 1996; Morini, 2011) for cyber insurance modeling and demonstrate their empirical application in model risk management. We distinguish model risks arising from the choice of specific quantitative models from those arising from the choice of quantitative methodologies. We demonstrate how to manage model risks associated with VaR by using it with multiple simple and advanced models to cross-check its reliability. We also offer alternative coherent risk measures as better alternatives to VaR and empirically demonstrate their application. To enable further minimization of model risk in cyber insurance modeling we do three more things. First, we analyze the Bayesian quantitative statistical inference methodology as a possible alternative to the frequentist classical inference methodology that VaR and advanced models typically rely upon. Second, we analyze the Markov Chain Monte Carlo models and the related Gibbs Sampling and Metropolis-Hastings statistical computing algorithms to enable the use of Bayesian methodology. Finally, given increasing uncertainty in cyber risk modeling and management, we develop a framework for enabling Knightian uncertainty management (Knight, 1921), relating it to model risk management.

Contributions

To avert the impending national Cyber risk and Cyber-insurance disaster based upon large-scale commercial reliance upon quantitative models with inherent model risks, tail risks, and systemic risks in current form, this dissertation makes the following key contributions.

First, we develop the first known Cyber-Finance-Trust™ framework for Cyber insurance modeling to analyze how financial risk entangled with Cyber risk further exacerbates the systemic, interdependent, and correlated character of Cyber risks.

Second, we develop the first known model risk management framework for Cyber insurance modeling, as model risk management has received sparse attention in Cyber risk assessment and Cyber insurance modeling.

Third, our review of quantitative models in Cyber risk and Cyber insurance modeling develops the first known analysis establishing significant and extreme model risks, tail risks, and systemic risks related to predominant models in use.

Fourth, we develop an empirical study of VaR and Bayesian statistical inference methodologies with specific guidance for containing model risks by applying multiple simple and advanced models for cross-checking the reliability of VaR.

Fifth, we develop an analysis of the Markov Chain Monte Carlo Models, Gibbs Sampling and Metropolis-Hastings statistical computing algorithms for enabling Bayesian statistical inference methodologies to minimize model risk in Cyber risk and Cyber insurance risk modeling for the specific context of cybersecurity.

Sixth, we develop the first known portfolio theory based framework for Cyber insurance modeling with guidance to minimize model risks, tail risks, and systemic risks inherent in models in commercial Cyber insurance modeling.

Finally, given the increasing role of uncertainty in cyber (and financial) risk modeling and management, we develop a framework for enabling Knightian uncertainty management, relating it to model risk management.
