Printed from https://ideas.repec.org/a/gam/jrisks/v8y2020i2p61-d367206.html

A Multivariate Model to Quantify and Mitigate Cybersecurity Risk

Author

Listed:
  • Mark Bentley

    (Data 61, Commonwealth Scientific and Industrial Research Organisation (CSIRO), Melbourne 3008, Australia)

  • Alec Stephenson

    (Data 61, Commonwealth Scientific and Industrial Research Organisation (CSIRO), Melbourne 3008, Australia)

  • Peter Toscas

    (Data 61, Commonwealth Scientific and Industrial Research Organisation (CSIRO), Melbourne 3008, Australia)

  • Zili Zhu

    (Data 61, Commonwealth Scientific and Industrial Research Organisation (CSIRO), Melbourne 3008, Australia)

Abstract

The cost of cybersecurity incidents is large and growing. However, conventional methods for measuring loss and choosing mitigation strategies use simplifying assumptions and are often not supported by cyber attack data. In this paper, we present a multivariate model for different, dependent types of attack and the effect of mitigation strategies on those attacks. Utilising collected cyber attack data and assumptions on mitigation approaches, we look at an example of using the model to optimise the choice of mitigations. We find that the optimal choice of mitigations will depend on the goal—to prevent extreme damages or damage on average. Numerical experiments suggest the dependence aspect is important and can alter final risk estimates by as much as 30%. The methodology can be used to quantify the cost of cyber attacks and support decision making on the choice of optimal mitigation strategies.

Suggested Citation

  • Mark Bentley & Alec Stephenson & Peter Toscas & Zili Zhu, 2020. "A Multivariate Model to Quantify and Mitigate Cybersecurity Risk," Risks, MDPI, vol. 8(2), pages 1-21, June.
  • Handle: RePEc:gam:jrisks:v:8:y:2020:i:2:p:61-:d:367206

    Download full text from publisher

    File URL: https://www.mdpi.com/2227-9091/8/2/61/pdf
    Download Restriction: no

    File URL: https://www.mdpi.com/2227-9091/8/2/61/
    Download Restriction: no

    References listed on IDEAS

    1. M.‐Elisabeth Paté‐Cornell & Marshall Kuypers & Matthew Smith & Philip Keller, 2018. "Cyber Risk Management for Critical Infrastructure: A Risk Analysis Model and Three Case Studies," Risk Analysis, John Wiley & Sons, vol. 38(2), pages 226-241, February.
    2. Pavel V. Shevchenko, 2010. "Calculation of aggregate loss distributions," Papers 1008.1108, arXiv.org.
    3. Philippe Artzner & Freddy Delbaen & Jean‐Marc Eber & David Heath, 1999. "Coherent Measures of Risk," Mathematical Finance, Wiley Blackwell, vol. 9(3), pages 203-228, July.
    4. Lindskog, Filip & McNeil, Alexander J., 2003. "Common Poisson Shock Models: Applications to Insurance and Credit Risk Modelling," ASTIN Bulletin, Cambridge University Press, vol. 33(2), pages 209-238, November.
    5. Nandi O Leslie & Richard E Harang & Lawrence P Knachel & Alexander Kott, 2018. "Statistical models for the number of successful cyber intrusions," The Journal of Defense Modeling and Simulation, vol. 15(1), pages 49-63, January.
    6. Chavez-Demoulin, V. & Embrechts, P. & Neslehova, J., 2006. "Quantitative models for operational risk: Extremes, dependence and aggregation," Journal of Banking & Finance, Elsevier, vol. 30(10), pages 2635-2658, October.

    Citations


    Cited by:

    1. Albina Orlando, 2021. "Cyber Risk Quantification: Investigating the Role of Cyber Value at Risk," Risks, MDPI, vol. 9(10), pages 1-12, October.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Pavel V. Shevchenko, 2009. "Implementing Loss Distribution Approach for Operational Risk," Papers 0904.1805, arXiv.org, revised Jul 2009.
    2. Pavel V. Shevchenko, 2010. "Implementing loss distribution approach for operational risk," Applied Stochastic Models in Business and Industry, John Wiley & Sons, vol. 26(3), pages 277-307, May.
    3. Gareth W. Peters & Pavel V. Shevchenko & Mario V. Wuthrich, 2009. "Dynamic operational risk: modeling dependence and combining different sources of information," Papers 0904.4074, arXiv.org, revised Jul 2009.
    4. Antoine Bouveret, 2018. "Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment," IMF Working Papers 2018/143, International Monetary Fund.
    5. Robert Jarrow & Jeff Oxman & Yildiray Yildirim, 2010. "The cost of operational risk loss insurance," Review of Derivatives Research, Springer, vol. 13(3), pages 273-295, October.
    6. Eckert, Christian & Gatzert, Nadine, 2017. "Modeling operational risk incorporating reputation risk: An integrated analysis for financial firms," Insurance: Mathematics and Economics, Elsevier, vol. 72(C), pages 122-137.
    7. Robert Jarrow, 2017. "Operational Risk," World Scientific Book Chapters, in: THE ECONOMIC FOUNDATIONS OF RISK MANAGEMENT Theory, Practice, and Applications, chapter 8, pages 69-70, World Scientific Publishing Co. Pte. Ltd.
    8. Brechmann, Eike & Czado, Claudia & Paterlini, Sandra, 2014. "Flexible dependence modeling of operational risk losses and its impact on total capital requirements," Journal of Banking & Finance, Elsevier, vol. 40(C), pages 271-285.
    9. Silvia Figini & Lijun Gao & Paolo Giudici, 2013. "Bayesian operational risk models," DEM Working Papers Series 047, University of Pavia, Department of Economics and Management.
    10. Hans Buhlmann & Pavel V. Shevchenko & Mario V. Wuthrich, 2009. "A "Toy" Model for Operational Risk Quantification using Credibility Theory," Papers 0904.1772, arXiv.org.
    11. P. V. Shevchenko & M. V. Wuthrich, 2009. "The Structural Modelling of Operational Risk via Bayesian inference: Combining Loss Data with Expert Opinions," Papers 0904.1067, arXiv.org.
    12. Alejandro Balbás & Iván Blanco & José Garrido, 2014. "Measuring Risk When Expected Losses Are Unbounded," Risks, MDPI, vol. 2(4), pages 1-14, September.
    13. repec:cte:idrepe:id-16-01 is not listed on IDEAS
    14. Cossette, Hélène & Mailhot, Mélina & Marceau, Étienne, 2012. "TVaR-based capital allocation for multivariate compound distributions with positive continuous claim amounts," Insurance: Mathematics and Economics, Elsevier, vol. 50(2), pages 247-256.
    15. Rafał Wójcik & Charlie Wusuo Liu & Jayanta Guin, 2019. "Direct and Hierarchical Models for Aggregating Spatially Dependent Catastrophe Risks," Risks, MDPI, vol. 7(2), pages 1-22, May.
    16. Balbás, Beatriz & Balbás, Raquel, 2016. "VaR as the CVaR sensitivity : applications in risk optimization," IC3JM - Estudios = Working Papers id-16-01, Instituto Mixto Carlos III - Juan March de Ciencias Sociales (IC3JM).
    17. Ramírez-Cobo, Pepa & Carrizosa, Emilio & Lillo, Rosa E., 2021. "Analysis of an aggregate loss model in a Markov renewal regime," Applied Mathematics and Computation, Elsevier, vol. 396(C).
    18. Mora Valencia Andrés, 2014. "El uso de la distribución g-h en riesgo operativo," Contaduría y Administración, Accounting and Management, vol. 59(1), pages 123-148, enero-mar.
    19. Sofiane Aboura, 2014. "When the U.S. Stock Market Becomes Extreme?," Risks, MDPI, vol. 2(2), pages 1-15, May.
    20. Gordon J. Alexander & Alexandre M. Baptista, 2004. "A Comparison of VaR and CVaR Constraints on Portfolio Selection with the Mean-Variance Model," Management Science, INFORMS, vol. 50(9), pages 1261-1273, September.
    21. Iñaki Aldasoro & Leonardo Gambacorta & Paolo Giudici & Thomas Leach, 2023. "Operational and Cyber Risks in the Financial Sector," International Journal of Central Banking, International Journal of Central Banking, vol. 19(5), pages 340-402, December.
