Cyber Risk Taxonomies: Statistical Analysis of Cybersecurity Risk Classifications

Malavasi, Matteo; Peters, Gareth; Trück, Stefan; Shevchenko, Pavel V.; Jang, Jiwook; Sofronov, Georgy

doi:10.2139/ssrn.4976237

Download This Paper

Open PDF in Browser

Add Paper to My Library

Cyber Risk Taxonomies: Statistical Analysis of Cybersecurity Risk Classifications

UNSW Business School Research Paper Forthcoming

64 Pages Posted: 15 Nov 2024

See all articles by Matteo Malavasi

Matteo Malavasi

University of New South Wales (UNSW) - School of Actuarial Studies

Gareth Peters

University of California Santa Barbara; University of California, Santa Barbara

Macquarie University Sydney - Department of Applied Finance and Actuarial Studies; Financial Research Network (FIRN); Centre for International Finance and Regulation (CIFR); Macquarie University, Macquarie Business School

Pavel V. Shevchenko

Macquarie University - Department of Actuarial Studies and Business Analytics

Jiwook Jang

Macquarie University, Macquarie Business School

Georgy Sofronov

Macquarie University - Department of Mathematics and Statistics

Date Written: October 02, 2024

Abstract

Cyber risk classifications are widely used in the modeling of cyber event distributions, yet their effectiveness in out of sample forecasting performance remains underexplored. In this paper, we analyse the most commonly used classifications and argue in favour of switching the attention from goodness-of-fit and in-sample predictive performance, to focusing on the out-of sample forecasting performance. We use a rolling window analysis, to compare cyber risk distribution forecasts via threshold weighted scoring functions. Our results indicate that business motivated cyber risk classifications appear to be too restrictive and not flexible enough to capture the heterogeneity of cyber risk events. We investigate how dynamic and impact-based cyber risk classifiers seem to be better suited in forecasting future cyber risk losses than the other considered classifications. These findings suggest that cyber risk types provide limited forecasting ability concerning cyber event severity distribution, and cyber insurance ratemakers should utilize cyber risk types only when modeling the cyber event frequency distribution. Our study offers valuable insights for decision-makers and policymakers alike, contributing to the advancement of scientific knowledge in the field of cyber risk management.

Keywords: Cyber risk, Cyber risk classification, Out of sample analysis, Continuously Ranked Probability Score, Energy Score

Suggested Citation: Suggested Citation

Malavasi, Matteo and Peters, Gareth and Trueck, Stefan and Shevchenko, Pavel V. and Jang, Jiwook and Sofronov, Georgy, Cyber Risk Taxonomies: Statistical Analysis of Cybersecurity Risk Classifications (October 02, 2024). UNSW Business School Research Paper Forthcoming, Available at SSRN: https://ssrn.com/abstract=4976237 or http://dx.doi.org/10.2139/ssrn.4976237