Cyber risk ordering with rank-based statistical models
Paolo Giudici [1] · Emanuela Raffinetti [2]

Received: 25 March 2020 / Accepted: 27 November 2020. © The Author(s) 2020
Abstract

In a world that is increasingly connected on-line, cyber risks become critical. Cyber risk management is very difficult, as cyber loss data are typically not disclosed. To mitigate the reputational risks associated with their disclosure, loss data may be collected in terms of ordered severity levels. However, to date, there are no risk models for ordinal cyber data. We fill the gap, proposing a rank-based statistical model aimed at predicting the severity levels of cyber risks. The application of our approach to a real-world case shows that the proposed models are, while statistically sound, simple to implement and interpret.

Keywords: Cyber attacks · Concordance measures · Operational risks · Ordinal data · Rank regression
* Emanuela Raffinetti, [email protected]; Paolo Giudici, [email protected]

[1] Department of Economics and Management, University of Pavia, Via San Felice 5, 27100 Pavia, Italy

[2] Department of Economics, Management and Quantitative Methods, Università degli Studi di Milano, Via Conservatorio 7, 20122 Milan, Italy

1 Introduction

Operational risk has been defined, by the Basel Committee on Banking Supervision, as “the risk of a monetary loss caused by human resources, IT systems, by organisation processes or by external events”. Within operational risks, those caused by IT systems are gaining increasing importance, due to technological advancements and to the globalisation of financial activities. Financial institutions are encouraged by regulators to use statistical approaches to measure operational risk, which include risks stemming from IT systems. This requires the presence of historical loss data, in a quantitative format. Within this framework, operational risks are usually classified in event types, according to the type of risk involved, and in business lines, according to the area of the company that is most affected. To measure operational risks, the scientific literature suggests collecting past losses in each business line and event type and then calculating the corresponding severity and frequency distributions. Their convolution, by means of a Monte Carlo simulation, leads to the value at risk, which corresponds to the total economic capital required to protect an institution against possible operational losses (see, e.g., Cruz 2002; Alexander 2003; Giudici and Bilotta 2004). Cyber risks can be defined as “any risk emerging from intentional attacks on information and communication technology (ICT) systems that compromises the confidentiality, availability, or the integrity of data or services” (see, e.g., Cebula and Young 2010; Edgar and Manz 2017; Kopp et al. 2017). Note that, according to this definition, cyber risk does not strictly coincide with IT operational risks, as it relates only to intentional attacks, on one hand, and it deals not
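The frequency/severity convolution and the ordinal severity levels mentioned above, as an added worked example (not code from the paper): a Poisson frequency and a lognormal severity are convolved by Monte Carlo to obtain the value at risk, and each simulated annual loss is then mapped to an ordered severity level. All parameters and bucket edges are constructed placeholders, not values from the authors' data.

```python
import math
import random
from typing import List

def sample_poisson(lam: float, rng: random.Random) -> int:
    # Knuth's method: number of loss events in one year (the frequency distribution).
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(lam: float, mu: float, sigma: float,
                           n_years: int, seed: int = 7) -> List[float]:
    # Monte Carlo convolution: for each simulated year, draw the event count from the
    # Poisson frequency, then add up that many lognormal severity draws.
    rng = random.Random(seed)
    return [sum(rng.lognormvariate(mu, sigma) for _ in range(sample_poisson(lam, rng)))
            for _ in range(n_years)]

def expected_annual_loss(lam: float, mu: float, sigma: float) -> float:
    # Analytic mean of the compound distribution, used as a sanity check on the simulation.
    return lam * math.exp(mu + sigma ** 2 / 2)

def value_at_risk(losses: List[float], level: float) -> float:
    # Empirical quantile of the aggregate loss: the capital that covers `level` of the years.
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, math.ceil(level * len(ordered)) - 1)
    return ordered[idx]

# Constructed bucket edges (not from the paper) that turn a loss into an ordered severity level.
SEVERITY_THRESHOLDS = [10_000.0, 100_000.0, 1_000_000.0]

def severity_level(loss: float) -> int:
    # Ordinal level 0..3: the disclosure-friendly format the abstract describes.
    return sum(loss >= t for t in SEVERITY_THRESHOLDS)

if __name__ == "__main__":
    years = simulate_annual_losses(lam=5.0, mu=math.log(10_000), sigma=1.0, n_years=20_000)
    print(f"VaR 99.0%: {value_at_risk(years, 0.990):,.0f}")
    print(f"VaR 99.9%: {value_at_risk(years, 0.999):,.0f}")
    counts = [0] * (len(SEVERITY_THRESHOLDS) + 1)
    for loss in years:
        counts[severity_level(loss)] += 1
    print("years per severity level:", counts)
```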