Cyber risk measurement with ordinal data

The paper proposes a new methodology for measuring cyber risks that employs ordinal data instead of quantitative loss data, which are often not available. The method relies on the construction of a criticality index, whose properties are discussed and compared with alternative measures employed in operational risk measurement. The methodology is illustrated on data regarding cyber attacks collected at the worldwide level. The proposed measure is found to be quite effective at ranking cyber risk types. Thus, from a policy perspective, it can be useful to guide the implementation of preventive actions.
