Quantifying cyber risk is an important step in assigning resources to prevention. Yet data limitations mean that current estimates ignore certain incidents (e.g. ransomware), rarely provide the financial cost, and cannot describe how risk varies based on the firm’s revenue or industry. Surprisingly insurers sell cyber insurance for the ignored incident types and vary the price based on firm-specific characteristics. Extracting insurers’ cyber loss models could help firms manage risk, regardless of whether they purchase insurance.
QCYRISK uses an iterative model fitting approach to infer loss distributions from insurance prices. The first research question develops the conceptual foundations by building an economic argument about how much information can be extracted from insurance markets. QCYRISK’s second question seeks to infer full cyber loss distributions, including how they vary based on firm-specific characteristics. The final research question adopts an adversarial machine learning approach to probe the validity of the inferences, using both synthetic distributions and real cyber crime data.
The developed method represents a new computational insurance technique that could be applied to extract information from a global total of €4.7 trillion insurance premiums.