Project description
Figuring out how much cyber risk isn’t risky
The number of devices connected to the internet will reach 125 billion in 2030, up from 27 billion in 2017. The fast-growing Internet of things, however, makes us more vulnerable in the cyber domain. Since it is not possible to achieve zero risk of cyberattacks, the question is how much risk can be tolerated. Risk quantification is necessary. The EU-funded QCYRISK project will infer loss distributions from insurance prices. It will also infer full cyber loss distributions, including how they vary based on firm-specific characteristics. The project will study synthetic distributions and real cybercrime data. A main objective is to provide a set of loss distributions for multiple cyber incident types adjusted based on a firm’s revenue and industry.
Objective
Quantifying cyber risk is an important step in assigning resources to prevention. Yet data limitations mean that current estimates ignore certain incidents (e.g ransomware), rarely provide the financial cost, and cannot describe how risk varies based on the firm’s revenue or industry. Surprisingly insurers sell cyber insurance for the ignored incident types and vary the price based on firm-specific characteristics. Extracting insurers’ cyber loss models could help firms manage risk, regardless of whether they purchase insurance.
The proposed action (QCYRISK) uses an iterative model fitting approach to infer loss distributions from insurance prices. The first research question develops the conceptual foundations by building an economic argument about how much information can be extracted from insurance markets. QCYRISK's second question seeks to infer full cyber loss distributions, including how they vary based on firm-specific characteristics. The final research question adopts an adversarial machine learning approach to probe the validity of the inferences, using both synthetic distributions and real cyber crime data.
In terms of results and dissemination, QCYRISK will provide a set of loss distributions for multiple cyber incident types adjusted based on the firm’s revenue and industry. These will be made available as a spreadsheet for real-world risk managers. We will also run a continuing education seminar for insurance professionals to raise awareness about the method. The developed method represents a new computational insurance technique that could be applied to extract information from a global total of €4.7 trillion insurance premiums.
Fields of science
Programme(s)
Funding Scheme
MSCA-IF-EF-ST - Standard EFCoordinator
6020 Innsbruck
Austria