2023 Australasian Actuarial Education and Research Symposium


Matteo Malavasi

UNSW

Cyber risk taxonomies: statistical analysis of operational cybersecurity risk classifications


This is joint work with Pavel Shevchenko, Stefan Trueck, Jiwook Jang, Georgy Sofronov, and Gareth Peters.

Cyber risk classifications map cyber threats to cyber risk types, allowing for cyber loss modelling and quantification. There is a growing number of cyber risk classifications, each designed with a specific intent and purpose, and each building on pre-existing laws and policies. In this paper we analyse the most commonly used classifications and argue in favour of shifting attention from goodness of fit and in-sample predictive performance to out-of-sample forecasting performance when evaluating cyber risk classifications. We adopt the paradigm of maximising the sharpness of the predictive distribution subject to calibration, and evaluate the forecasting performance of cyber risk classifications via various threshold-weighted scoring rules. Our results suggest that business-motivated cyber risk classification appears to be too restrictive and not flexible enough to capture the heterogeneity of cyber risk events. Moreover, we investigate how dynamic cyber risk classifications based on risk metric evaluation seem to be better suited to forecasting future cyber risk losses than the other classifications considered. Our study provides insights on the classification of cyber risks that are useful for both decision makers and policy makers, and it contributes to the scientific literature on cyber risk.

Copyright © 2023 Victoria University of Wellington. All Rights Reserved.
