
Building up cyber resilience by better grasping cyber risk via a new algorithm for modelling heavy-tailed data

Author

Listed:
  • Dacorogna, Michel
  • Debbabi, Nehla
  • Kratz, Marie

Abstract

Cyber security and resilience are major challenges in our modern economies; this is why they are top priorities on the agenda of governments, security and defense forces, management of companies and organizations. Hence the need for a deep understanding of cyber risks to improve resilience. We propose here an analysis of the database of the cyber complaints filed at the Gendarmerie Nationale. We perform this analysis with a new algorithm developed for non-negative asymmetric heavy-tailed data, which could become a handy tool for applied fields, including operations research. This method gives a good estimation of the full distribution including the tail. Our study confirms the finiteness of the loss expectation, a necessary condition for insurability. Finally, we draw the consequences of this model for risk management, compare its results to other standard EVT models, and lay the ground for a classification of attacks based on the fatness of the tail.

Suggested Citation

  • Dacorogna, Michel & Debbabi, Nehla & Kratz, Marie, 2023. "Building up cyber resilience by better grasping cyber risk via a new algorithm for modelling heavy-tailed data," European Journal of Operational Research, Elsevier, vol. 311(2), pages 708-729.
  • Handle: RePEc:eee:ejores:v:311:y:2023:i:2:p:708-729
    DOI: 10.1016/j.ejor.2023.05.003

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S0377221723003466
    Download Restriction: Full text for ScienceDirect subscribers only


    References listed on IDEAS

    1. World Bank Group & World Federation of Development Financing Institutions, 2018. "2017 Survey of National Development Banks," World Bank Publications - Reports 29815, The World Bank Group.
    2. Acharya, Avidit & Blackwell, Matthew & Sen, Maya, 2018. "Analyzing Causal Mechanisms in Survey Experiments," Political Analysis, Cambridge University Press, vol. 26(4), pages 357-378, October.
    3. Farkas, Sébastien & Lopez, Olivier & Thomas, Maud, 2021. "Cyber claim analysis using Generalized Pareto regression trees with applications to insurance," Insurance: Mathematics and Economics, Elsevier, vol. 98(C), pages 92-105.
    4. Robin L. Lumsdaine & Rogier J. D. Potter van Loon, 2018. "Do Survey Probabilities Match Financial Market Beliefs?," Journal of Behavioral Finance, Taylor & Francis Journals, vol. 19(2), pages 209-220, April.
    5. P. Tencaliec & A.‐C. Favre & P. Naveau & C. Prieur & G. Nicolet, 2020. "Flexible semiparametric generalized Pareto modeling of the entire range of rainfall amount," Environmetrics, John Wiley & Sons, Ltd., vol. 31(2), March.
    6. Fahrenwaldt, Matthias A. & Weber, Stefan & Weske, Kerstin, 2018. "Pricing Of Cyber Insurance Contracts In A Network Model," ASTIN Bulletin, Cambridge University Press, vol. 48(3), pages 1175-1218, September.
    7. Fei He & Jun Zhuang & Nageswara S. V. Rao, 2020. "Discrete game-theoretic analysis of defense in correlated cyber-physical systems," Annals of Operations Research, Springer, vol. 294(1), pages 741-767, November.
    8. Anna Nagurney & Patrizia Daniele & Shivani Shukla, 2017. "A supply chain network game theory model of cybersecurity investments with nonlinear budget constraints," Annals of Operations Research, Springer, vol. 248(1), pages 405-427, January.
    9. Kratz, Marie & Lok, Yen H. & McNeil, Alexander J., 2018. "Multinomial VaR backtests: A simple implicit approach to backtesting expected shortfall," Journal of Banking & Finance, Elsevier, vol. 88(C), pages 393-407.
    10. Eling, Martin & Wirfs, Jan, 2019. "What are the actual costs of cyber risk events?," European Journal of Operational Research, Elsevier, vol. 272(3), pages 1109-1119.
    11. Sushant & Sunpreet Kaur & Sushil Saigal, 2018. "Do surveys (mis)lead? A note for practitioners," Development in Practice, Taylor & Francis Journals, vol. 28(6), pages 842-846, August.
    12. Zhu, Sha & Dekker, Rommert & van Jaarsveld, Willem & Renjie, Rex Wang & Koning, Alex J., 2017. "An improved method for forecasting spare parts demand using extreme value theory," European Journal of Operational Research, Elsevier, vol. 261(1), pages 169-181.
    13. Michel Dacorogna & Marie Kratz, 2022. "Special Issue “Cyber Risk and Security”," Risks, MDPI, vol. 10(6), pages 1-4, May.
    14. Martin Eling & Werner Schnell, 2016. "What do we know about cyber risk and cyber risk insurance?," Journal of Risk Finance, Emerald Group Publishing Limited, vol. 17(5), pages 474-491, November.
    15. Terje Aven, 2019. "The Call for a Shift from Risk to Resilience: What Does it Mean?," Risk Analysis, John Wiley & Sons, vol. 39(6), pages 1196-1203, June.
    16. Antoine Bouveret, 2018. "Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment," IMF Working Papers 2018/143, International Monetary Fund.
    17. Tang, Qihe & Tang, Zhaofeng & Yang, Yang, 2019. "Sharp asymptotics for large portfolio losses under extreme risks," European Journal of Operational Research, Elsevier, vol. 276(2), pages 710-722.
    18. Welburn, Jonathan & Grana, Justin & Schwindt, Karen, 2023. "Cyber deterrence with imperfect attribution and unverifiable signaling," European Journal of Operational Research, Elsevier, vol. 306(3), pages 1399-1416.
    19. Wang, Shaun S., 2019. "Integrated framework for information security investment and cyber insurance," Pacific-Basin Finance Journal, Elsevier, vol. 57(C).
    20. Paul, Jomon A. & Zhang, Minjiao, 2021. "Decision support model for cybersecurity risk planning: A two-stage stochastic programming framework featuring firms, government, and attacker," European Journal of Operational Research, Elsevier, vol. 291(1), pages 349-364.
    21. Keith, Andrew & Ahner, Darryl, 2021. "Counterfactual regret minimization for integrated cyber and air defense resource allocation," European Journal of Operational Research, Elsevier, vol. 292(1), pages 95-107.
    22. Cheung, Kam-Fung & Bell, Michael G.H., 2021. "Attacker–defender model against quantal response adversaries for cyber security in logistics management: An introductory study," European Journal of Operational Research, Elsevier, vol. 291(2), pages 471-481.
    23. Adrian Baldwin & Iffat Gheyas & Christos Ioannidis & David Pym & Julian Williams, 2017. "Contagion in cyber security attacks," Journal of the Operational Research Society, Palgrave Macmillan;The OR Society, vol. 68(7), pages 780-791, July.
    24. Michel Dacorogna & Marie Kratz, 2023. "Managing cyber risk, a science in the making," Scandinavian Actuarial Journal, Taylor & Francis Journals, vol. 2023(10), pages 1000-1021, November.
    25. Valérie Chavez-Demoulin & Paul Embrechts & Marius Hofert, 2016. "An Extreme Value Approach for Modeling Operational Risk Losses Depending on Covariates," Journal of Risk & Insurance, The American Risk and Insurance Association, vol. 83(3), pages 735-776, September.
    26. Chen Peng & Maochao Xu & Shouhuai Xu & Taizhong Hu, 2018. "Modeling multivariate cybersecurity risks," Journal of Applied Statistics, Taylor & Francis Journals, vol. 45(15), pages 2718-2740, November.
    27. Aven, Terje, 2016. "Risk assessment and risk management: Review of recent advances on their foundation," European Journal of Operational Research, Elsevier, vol. 253(1), pages 1-13.

    Citations



    Cited by:

    1. Matteo Malavasi & Gareth W. Peters & Stefan Treuck & Pavel V. Shevchenko & Jiwook Jang & Georgy Sofronov, 2024. "Cyber Risk Taxonomies: Statistical Analysis of Cybersecurity Risk Classifications," Papers 2410.05297, arXiv.org.
    2. Julien Hambuckers & Marie Kratz & Antoine Usseglio-Carleve, 2023. "Efficient Estimation In Extreme Value Regression Models Of Hedge Fund Tail Risks," Working Papers hal-04090916, HAL.
    3. Julien Hambuckers & Marie Kratz & Antoine Usseglio-Carleve, 2023. "Efficient Estimation in Extreme Value Regression Models of Hedge Fund Tail Risks," Papers 2304.06950, arXiv.org.
    4. Wing Fung Chong & Daniel Linders & Zhiyu Quan & Linfeng Zhang, 2023. "Incident-Specific Cyber Insurance," Papers 2308.00921, arXiv.org.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Malavasi, Matteo & Peters, Gareth W. & Shevchenko, Pavel V. & Trück, Stefan & Jang, Jiwook & Sofronov, Georgy, 2022. "Cyber risk frequency, severity and insurance viability," Insurance: Mathematics and Economics, Elsevier, vol. 106(C), pages 90-114.
    2. Daniel Zängerle & Dirk Schiereck, 2023. "Modelling and predicting enterprise-level cyber risks in the context of sparse data availability," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 434-462, April.
    3. Matteo Malavasi & Gareth W. Peters & Pavel V. Shevchenko & Stefan Truck & Jiwook Jang & Georgy Sofronov, 2021. "Cyber Risk Frequency, Severity and Insurance Viability," Papers 2111.03366, arXiv.org, revised Mar 2022.
    4. Gabriela Zeller & Matthias Scherer, 2023. "Risk mitigation services in cyber insurance: optimal contract design and price structure," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 502-547, April.
    5. Martin Eling & Kwangmin Jung, 2022. "Heterogeneity in cyber loss severity and its impact on cyber risk measurement," Risk Management, Palgrave Macmillan, vol. 24(4), pages 273-297, December.
    6. Zängerle, Daniel & Schiereck, Dirk, 2022. "Modelling and predicting enterprise‑level cyber risks in the context of sparse data availability," Publications of Darmstadt Technical University, Institute for Business Studies (BWL) 136276, Darmstadt Technical University, Department of Business Administration, Economics and Law, Institute for Business Studies (BWL).
    7. Matteo Malavasi & Gareth W. Peters & Stefan Treuck & Pavel V. Shevchenko & Jiwook Jang & Georgy Sofronov, 2024. "Cyber Risk Taxonomies: Statistical Analysis of Cybersecurity Risk Classifications," Papers 2410.05297, arXiv.org.
    8. Zhang, Xiaoyu & Xu, Maochao & Su, Jianxi & Zhao, Peng, 2023. "Structural models for fog computing based internet of things architectures with insurance and risk management applications," European Journal of Operational Research, Elsevier, vol. 305(3), pages 1273-1291.
    9. Da, Gaofeng & Xu, Maochao & Zhao, Peng, 2021. "Multivariate dependence among cyber risks based on L-hop propagation," Insurance: Mathematics and Economics, Elsevier, vol. 101(PB), pages 525-546.
    10. Michel Dacorogna & Marie Kratz, 2022. "Special Issue “Cyber Risk and Security”," Risks, MDPI, vol. 10(6), pages 1-4, May.
    11. Frank Cremer & Barry Sheehan & Michael Fortmann & Arash N. Kia & Martin Mullins & Finbarr Murphy & Stefan Materne, 2022. "Cyber risk and cybersecurity: a systematic review of data availability," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 47(3), pages 698-736, July.
    12. Ma, Boyuan & Chu, Tingjin & Jin, Zhuo, 2022. "Frequency and severity estimation of cyber attacks using spatial clustering analysis," Insurance: Mathematics and Economics, Elsevier, vol. 106(C), pages 33-45.
    13. Ulrik Franke, 2020. "IT service outage cost: case study and implications for cyber insurance," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 760-784, October.
    14. Suyuan Luo & Tsan‐Ming Choi, 2022. "E‐commerce supply chains with considerations of cyber‐security: Should governments play a role?," Production and Operations Management, Production and Operations Management Society, vol. 31(5), pages 2107-2126, May.
    15. Aldasoro, Iñaki & Gambacorta, Leonardo & Giudici, Paolo & Leach, Thomas, 2022. "The drivers of cyber risk," Journal of Financial Stability, Elsevier, vol. 60(C).
    16. Gareth W. Peters & Matteo Malavasi & Georgy Sofronov & Pavel V. Shevchenko & Stefan Truck & Jiwook Jang, 2022. "Cyber Loss Model Risk Translates to Premium Mispricing and Risk Sensitivity," Papers 2202.10588, arXiv.org, revised Mar 2023.
    17. Caroline Hillairet & Olivier Lopez, 2021. "Propagation of cyber incidents in an insurance portfolio: counting processes combined with compartmental epidemiological models," Post-Print hal-02564462, HAL.
    18. Eling, Martin & Wirfs, Jan, 2019. "What are the actual costs of cyber risk events?," European Journal of Operational Research, Elsevier, vol. 272(3), pages 1109-1119.
    19. Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.
    20. Young Jun Choi & Mi Sun Jeon, 2020. "How Business Interests and Government Inaction Led to the Humidifier Disinfectant Disaster in South Korea: Implications for Better Risk Governance," Risk Analysis, John Wiley & Sons, vol. 40(2), pages 240-253, February.
