Cyber risk is an omnipresent risk in the increasingly digitized world that is known to be difficult to quantify and assess. Although cyber risk shows distinct characteristics from conventional risks, most existing models for cyber risk in the insurance literature have been based purely on frequency-severity analysis, which was developed for classical property and casualty risks. In contrast, the cybersecurity engineering literature employs different approaches, under which cyber incidents are viewed as threats or hacker attacks acting on a particular set of vulnerabilities. There appears to be a gap in cyber risk modeling between the engineering and insurance literature. This paper presents a novel model to capture these unique dynamics of cyber risk known from engineering and to model loss distributions based on industry loss data and a particular company's cybersecurity profile. The analysis leads to a new tool for allocating a company's resources between cybersecurity investments and loss-absorbing reserves.