Cyber risk modeling: a discrete multivariate count process approach. (English) Zbl 1542.91344
Summary: In the past decade, cyber risk has raised much interest in the economy, and cyber risk has evolved from a type of pure operational risk to both operational and liability risk. However, the modeling of cyber risk is still in its infancy. Compared with other financial risks, cyber risk has some unique features. In particular, discrete variables regularly arise both in the frequency component (e.g. number of events per unit time), and the severity component (e.g. the number of data breaches for each cyber event). In addition, the modeling of these count variables are further complicated by nonstandard properties such as zero inflation, serial and cross-sectional correlations, as well as heavy tails. Previous cyber risk models have largely focused on continuous models that are incompatible with many of these characteristics. This paper introduces a new count-based frequency-severity framework to model cyber risk, with a dynamic multivariate negative binomial autoregressive process for the frequency component, and the generalized Poisson inverse-Gaussian distribution for the severity component. We unify these new modeling tools by proposing a tractable generalized method of moments for their estimation and applying them to the Privacy Rights Clearinghouse (PRC) dataset.
MSC:
| 91G05 | Actuarial mathematics |
| 62P05 | Applications of statistics to actuarial sciences and financial mathematics |
Keywords:
operational risk; cyber risk; systemic and pairwise contagion; self-excitation; negative binomial autoregressive process; generalized Poisson inverse-Gaussian distribution; discrete stable distributionReferences:
| [1] | Aït-Sahalia, Y., Laeven, R. J. & Pelizzon, L. (2014). Mutual excitation in Eurozone sovereign CDS. Journal of Econometrics183(2), 151-167. · Zbl 1312.91089 |
| [2] | Bailey, T., Del Miglio, A. & Richter, W. (2014). The rising strategic risks of cyberattacks. Technical report, McKinsey & Company. |
| [3] | Bessy-Roland, Y., Boumezoued, A. & Hillairet, C. (2021). Multivariate Hawkes process for cyber insurance. Annals of Actuarial Science15(1), 14-39. |
| [4] | Best, A. M. (2019). Cyber insurance: profitability less certain as new risks emerge. Technical report, Best’s Market Segment Report. |
| [5] | Biener, C., Eling, M. & Wirfs, J. H. (2015). Insurability of cyber risk: an empirical analysis. Geneva Papers on Risk and Insurance-Issues and Practice40(1), 131-158. |
| [6] | Böhme, R. & Kataria, G. (2006). Models and measures for correlation in cyber-insurance. NYU Stern Working paper. |
| [7] | Boudreault, M. & Charpentier, A. (2011). Multivariate integer-valued autoregressive models applied to earthquake counts. arXiv preprint arXiv:1112.0929. |
| [8] | Carr, P., Geman, H., Madan, D. B. & Yor, M. (2002). The fine structure of asset returns: an empirical investigation. Journal of Business75(2), 305-333. |
| [9] | Carrasco, M. & Florens, J.-P. (2000). Generalization of GMM to a continuum of moment conditions. Econometric Theory16(6), 797-834. · Zbl 0968.62028 |
| [10] | Catania, L. & Di Mari, R. (2021). Hierarchical Markov-Switching models for multivariate integer-valued time-series. Journal of Econometrics221(1), 118-137. · Zbl 1464.62376 |
| [11] | Cebula, J. L. & Young, L. R. (2010). A taxonomy of operational cyber security risks. Technical report, Carnegie-Mellon Univ Pittsburgh Pa Software Engineering Inst. |
| [12] | Chavez-Demoulin, V., Davison, A. C. & McNeil, A. J. (2005). Estimating value-at-risk: a point process approach. Quantitative Finance5(2), 227-234. · Zbl 1118.91353 |
| [13] | Chavez-Demoulin, V., Embrechts, P. & Hofert, M. (2016). An extreme value approach for modeling operational risk losses depending on covariates. Journal of Risk and Insurance83(3), 735-776. |
| [14] | Christoph, G. & Schreiber, K. (1998). Discrete stable random variables. Statistics & Probability Letters37(3), 243-247. · Zbl 1246.60026 |
| [15] | Cummins, J. D., Lewis, C. M. & Wei, R. (2006). The market value impact of operational loss events for US banks and insurers. Journal of Banking & Finance30(10), 2605-2634. |
| [16] | Darolles, S., Gourieroux, C. & Jasiak, J. (2006). Structural Laplace transform and compound autoregressive models. Journal of Time Series Analysis27(4), 477-503. · Zbl 1112.62090 |
| [17] | Darolles, S., Le Fol, G., Lu, Y. & Sun, R. (2019). Bivariate integer-autoregressive process with an application to mutual fund flows. Journal of Multivariate Analysis173, 181-203. · Zbl 1451.60038 |
| [18] | Davis, R. A., Fokianos, K., Holan, S. H., Joe, H., Livsey, J., Lund, R., Pipiras, V. & Ravishanker, N. (2021). Count time series: a methodological review. Journal of the American Statistical Association116(535), 1533-1547. · Zbl 1510.62356 |
| [19] | Denuit, M. & Lu, Y. (2021). Wishart-gamma random effects models with applications to nonlife insurance. Journal of Risk and Insurance88(2), 443-481. |
| [20] | Edwards, B., Hofmeyr, S. & Forrest, S. (2016). Hype and heavy tails: a closer look at data breaches. Journal of Cybersecurity2(1), 3-14. |
| [21] | El-Shaarawi, A. H., Zhu, R. & Joe, H. (2011). Modelling species abundance using the Poisson-Tweedie family. Environmetrics22(2), 152-164. |
| [22] | Eling, M. & Jung, K. (2018). Copula approaches for modeling cross-sectional dependence of data breach losses. Insurance: Mathematics and Economics82, 167-180. · Zbl 1416.91173 |
| [23] | Eling, M. & Loperfido, N. (2017). Data breaches: goodness of fit, pricing, and risk measurement. Insurance: Mathematics and Economics75, 126-136. · Zbl 1394.91211 |
| [24] | Eling, M. & Schnell, W. (2020). Capital requirements for cyber risk and cyber risk insurance: an analysis of solvency II, the US risk-based capital standards, and the Swiss Solvency test. North American Actuarial Journal24(3), 370-392. · Zbl 1454.91181 |
| [25] | Eling, M. & Wirfs, J. (2019). What are the actual costs of cyber risk events?European Journal of Operational Research272(3), 1109-1119. |
| [26] | Embrechts, P., Liniger, T. & Lin, L. (2011). Multivariate Hawkes processes: an application to financial data. Journal of Applied Probability48(A), 367-378. · Zbl 1242.62093 |
| [27] | Fahrenwaldt, M. A., Weber, S. & Weske, K. (2018). Pricing of cyber insurance contracts in a network model. ASTIN Bulletin48(3), 1175-1218. · Zbl 1416.91175 |
| [28] | Falco, G., Eling, M., Jablanski, D., Weber, M., Miller, V., Gordon, L. A., Wang, S. S., Schmit, J., Thomas, R. & Elvedi, M., et al. (2019). Cyber risk research impeded by disciplinary barriers. Science366(6469), 1066-1069. |
| [29] | Farkas, S., Lopez, O. & Thomas, M. (2021). Cyber claim analysis using generalized Pareto regression trees with applications to insurance. Insurance: Mathematics and Economics98, 92-105. · Zbl 1466.91255 |
| [30] | FitchRatings, (2021). Sharply rising cyber insurance claims signal further risk challenges. |
| [31] | Fokianos, K., Støve, B., Tjøstheim, D. & Doukhan, P. (2020). Multivariate count autoregression. Bernoulli26(1), 471-499. · Zbl 1456.62155 |
| [32] | Furman, E., Hackmann, D. & Kuznetsov, A. (2020). On log-normal convolutions: an analytical-numerical method with applications to economic capital determination. Insurance: Mathematics and Economics90, 120-134. · Zbl 1431.91327 |
| [33] | Gartner, (2021). Gartner forecasts worldwide security and risk management spending to exceed \(150 billion in 2021. Gartner Press Releas\) |
| [34] | Gatzert, N. & Kolb, A. (2014). Risk measurement and management of operational risk in insurance companies from an enterprise perspective. Journal of Risk and Insurance81(3), 683-708. |
| [35] | Genest, C. & Nešlehová, J. (2007). A primer on copulas for count data. ASTIN Bulletin37(2), 475-515. · Zbl 1274.62398 |
| [36] | The Geneva Association, (2016). Ten key questions on cyber risk and cyber risk insurance. Technical report, The Geneva Association, Zurich. |
| [37] | Gouriéroux, C. & Lu, Y. (2019). Negative binomial autoregressive process with stochastic intensity. Journal of Time Series Analysis40(2), 225-247. · Zbl 1425.62125 |
| [38] | Gourieroux, C., Monfort, A. & Polimenis, V. (2006). Affine models for credit risk analysis. Journal of Financial Econometrics4(3), 494-530. |
| [39] | Hall, A. R. (2005). Generalized method of moments. Oxford: Oxford University Press. · Zbl 1076.62118 |
| [40] | Hansen, L. P. (1982). Large sample properties of generalized method of moments estimators. Econometrica50(4), 1029-1054. · Zbl 0502.62098 |
| [41] | Heinen, A. & Rengifo, E. (2007). Multivariate autoregressive modeling of time series count data using copulas. Journal of Empirical Finance14(4), 564-583. |
| [42] | Hillairet, C. & Lopez, O. (2021). Propagation of cyber incidents in an insurance portfolio: counting processes combined with compartmental epidemiological models. Scandinavian Actuarial Journal2021(8), 671-694. · Zbl 1479.91327 |
| [43] | Hougaard, P. (1986). Survival models for heterogeneous populations derived from stable distributions. Biometrika73(2), 387-396. · Zbl 0603.62015 |
| [44] | IBM, (2020). Cost of a data breach report. Technical report, IBM Security. |
| [45] | Jacobs, J. (2014). Analyzing ponemon cost of data breach. Data Driven Security11, 5. |
| [46] | Jevtić, P. & Lanchier, N. (2020). Dynamic structural percolation model of loss distribution for cyber risk of small and medium-sized enterprises for tree-based lan topology. Insurance: Mathematics and Economics91, 209-223. · Zbl 1435.91154 |
| [47] | Jørgensen, B. (1987). Exponential dispersion models. Journal of the Royal Statistical Society: Series B (Methodological)49(2), 127-145. · Zbl 0662.62078 |
| [48] | Jørgensen, B., Lundbye-Christensen, S., Song, P.-K. & Sun, L. (1999). A state space model for multivariate longitudinal count data. Biometrika86(1), 169-181. · Zbl 0916.62062 |
| [49] | Jung, K. (2021). Extreme data breach losses: an alternative approach to estimating probable maximum loss for data breach risk. North American Actuarial Journal25(4), 580-603. · Zbl 1484.91389 |
| [50] | Jung, R. C., Liesenfeld, R. & Richard, J. -F. (2011). Dynamic factor models for multivariate count data: an application to stock-market trading activity. Journal of Business & Economic Statistics29(1), 73-85. · Zbl 1214.62092 |
| [51] | Kendall, M. G. (1975). Rank correlation methods. 4th ed., London: Charles Griffin. |
| [52] | Kim, E., Gardner, D., Deshpande, S., Contu, R., Kish, D. & Canales, C. (2018). Forecast analysis: information security, worldwide, 2Q18 update. Gartner Research0, 0-0. |
| [53] | Livsey, J., Lund, R., Kechagias, S. & Pipiras, V. (2018). Multivariate integer-valued time series with flexible autocovariances and their application to major hurricane counts. Annals of Applied Statistics12(1), 408-431. · Zbl 1393.62126 |
| [54] | Lu, Y. (2018). Dynamic frailty count process in insurance: a unified framework for estimation, pricing, and forecasting. Journal of Risk and Insurance85(4), 1083-1102. |
| [55] | Lu, Y. (2021). The predictive distributions of thinning-based count processes. Scandinavian Journal of Statistics48(1), 42-67. · Zbl 1467.62147 |
| [56] | Maillart, T. & Sornette, D. (2010). Heavy-tailed distribution of cyber-risks. European Physical Journal B75(3), 357-364. · Zbl 1202.68057 |
| [57] | Mann, H. B. (1945). Nonparametric tests against trend. Econometrica: Journal of the Econometric Society13(3), 245-259. · Zbl 0063.03770 |
| [58] | Mátyás, L. (1999). Generalized method of moments estimation. Cambridge: Cambridge University Press. |
| [59] | Nguyen, Q. H. & Robert, C. Y. (2015). Series expansions for convolutions of pareto distributions. Statistics & Risk Modeling32(1), 49-72. · Zbl 1346.60044 |
| [60] | OECD, (2017). Enhancing the role of insurance in cyber risk management. Technical report, OECD Publishing, Paris. |
| [61] | OECD, (2019). Insurance business written in the reporting country. OECD Insurance Statistics (database). |
| [62] | Pedeli, X. & Karlis, D. (2013). On composite likelihood estimation of a multivariate INAR (1) model. Journal of Time Series Analysis34(2), 206-220. · Zbl 1274.62376 |
| [63] | Peng, C., Xu, M., Xu, S. & Hu, T. (2017). Modeling and predicting extreme cyber attack rates via marked point processes. Journal of Applied Statistics44(14), 2534-2563. · Zbl 1516.62538 |
| [64] | Peng, C., Xu, M., Xu, S. & Hu, T. (2018). Modeling multivariate cybersecurity risks. Journal of Applied Statistics45(15), 2718-2740. · Zbl 1516.62539 |
| [65] | RMS-CCRS, (2016). Managing cyber insurance accumulation risk. Technical report, Risk Management Solutions, Inc. and Cambridge Centre for Risk Studies, Cambridge University. |
| [66] | Steutel, F. W. & van Harn, K. (1979). Discrete analogues of self-decomposability and stability. Annals of Probability7(5), 893-899. · Zbl 0418.60020 |
| [67] | Sun, H., Xu, M. & Zhao, P. (2020). Modeling malicious hacking data breach risks. forthcoming, North American Actuarial Journal, P. 1-19. |
| [68] | SwissRe, (2017). Cyber: getting to grips with a complex risk. Sigma1(1), 1-38. |
| [69] | Tanoue, Y., Kawada, A. & Yamashita, S. (2017). Forecasting loss given default of bank loans with multi-stage model. International Journal of Forecasting33(2), 513-522. |
| [70] | Trivedi, P. & Zimmer, D. (2017). A note on identification of bivariate copulas for discrete count data. Econometrics5(1), 10. |
| [71] | Wang, L., Akritas, M. G. & Van Keilegom, I. (2008). An anova-type nonparametric diagnostic test for heteroscedastic regression models. Journal of Nonparametric Statistics20(5), 365-382. · Zbl 1142.62025 |
| [72] | Wang, S. & Panjer, H. (1993). Critical starting points for stable evaluation of mixed poisson probabilities. Insurance: Mathematics and Economics13(3), 287-297. · Zbl 0797.62098 |
| [73] | Wheatley, S., Hofmann, A. & Sornette, D. (2021). Addressing insurance of data breach cyber risks in the catastrophe framework. Geneva Papers on Risk and Insurance-Issues and Practice46(1), 53-78. |
| [74] | Wheatley, S., Maillart, T. & Sornette, D. (2016). The extreme risk of personal data breaches and the erosion of privacy. European Physical Journal B89(1), 1-12. |
| [75] | Willmot, G. E. (1987). The poisson-inverse Gaussian distribution as an alternative to the negative binomial. Scandinavian Actuarial Journal1987(3-4), 113-127. |
| [76] | Xu, M. & Hua, L. (2019). Cybersecurity insurance: modeling and pricing. North American Actuarial Journal23(2), 220-249. · Zbl 1410.91291 |
| [77] | Xu, M., Hua, L. & Xu, S. (2017). A vine copula model for predicting the effectiveness of cyber defense early-warning. Technometrics59(4), 508-520. |
| [78] | Xu, M. & Zhang, Y. (2021). Data breach CAT bonds: modeling and pricing. North American Actuarial Journal25(4), 543-561. · Zbl 1484.91412 |
| [79] | Zhu, R. & Joe, H. (2009). Modelling heavy-tailed count data using a generalised poisson-inverse Gaussian family. Statistics & Probability Letters79(15), 1695-1703. · Zbl 1166.62009 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
