IDEAS home Printed from https://ideas.repec.org/p/dar/wpaper/156328.html
   My bibliography  Save this paper

Modelling and predicting enterprise-level cyber risks in the context of sparse data availability

Author

Listed:
  • Zängerle, Daniel
  • Schiereck, Dirk

Abstract

Despite growing attention to cyber risks in research and practice, quantitative cyber risk assessments remain limited, mainly due to a lack of reliable data. This analysis leverages sparse historical data to quantify the financial impact of cyber incidents at the enterprise level. For this purpose, an operational risk database—which has not been previously used in cyber research—was examined to model and predict the likelihood, severity and time dependence of a company’s cyber risk exposure. The proposed model can predict a negative time correlation, indicating that individual cyber exposure is increasing if no cyber loss has been reported in previous years, and vice versa. The results suggest that the probability of a cyber incident correlates with the subindustry, with the insurance sector being particularly exposed. The predicted financial losses from a cyber incident are less extreme than cited in recent investigations. The study confirms that cyber risks are heavy-tailed, jeopardising business operations and profitability.

Suggested Citation

  • Zängerle, Daniel & Schiereck, Dirk, 2025. "Modelling and predicting enterprise-level cyber risks in the context of sparse data availability," Publications of Darmstadt Technical University, Institute for Business Studies (BWL) 156328, Darmstadt Technical University, Department of Business Administration, Economics and Law, Institute for Business Studies (BWL).
    • Handle: RePEc:dar:wpaper:156328
    DOI: 10.1057/s41288-022-00282-6
    Note: for complete metadata visit http://tubiblio.ulb.tu-darmstadt.de/156328/
    as

    Download full text from publisher

    File URL: https://tuprints.ulb.tu-darmstadt.de/28449
    Download Restriction: no
    File URL: https://doi.org/10.1057/s41288-022-00282-6
    Download Restriction: no
    File URL: https://libkey.io/10.1057/s41288-022-00282-6?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Eling, Martin & Jung, Kwangmin, 2018. "Copula approaches for modeling cross-sectional dependence of data breach losses," Insurance: Mathematics and Economics, Elsevier, vol. 82(C), pages 167-180.
    2. Omer Ilker Poyraz & Mustafa Canan & Michael McShane & C. Ariel Pinto & T. Steven Cotter, 2020. "Cyber assets at risk: monetary impact of U.S. personally identifiable information mega data breaches," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 616-638, October.
    3. Smith, Michael Stanley, 2015. "Copula modelling of dependence in multivariate time series," International Journal of Forecasting, Elsevier, vol. 31(3), pages 815-833.
    4. Eckert, Christian & Gatzert, Nadine & Heidinger, Dinah, 2020. "Empirically assessing and modeling spillover effects from operational risk events in the insurance industry," Insurance: Mathematics and Economics, Elsevier, vol. 93(C), pages 72-83.
    5. Aas, Kjersti & Czado, Claudia & Frigessi, Arnoldo & Bakken, Henrik, 2009. "Pair-copula constructions of multiple dependence," Insurance: Mathematics and Economics, Elsevier, vol. 44(2), pages 182-198, April.
    6. Martin Eling & Werner Schnell, 2016. "What do we know about cyber risk and cyber risk insurance?," Journal of Risk Finance, Emerald Group Publishing Limited, vol. 17(5), pages 474-491, November.
    7. Cameron A. MacKenzie, 2014. "Summarizing Risk Using Risk Measures and Risk Indices," Risk Analysis, John Wiley & Sons, vol. 34(12), pages 2143-2162, December.
    8. Antoine Bouveret, 2018. "Cyber Risk for the Financial Sector: A Framework for Quantitative Assessment," IMF Working Papers 2018/143, International Monetary Fund.
    9. Spencer Wheatley & Thomas Maillart & Didier Sornette, 2016. "The extreme risk of personal data breaches and the erosion of privacy," The European Physical Journal B: Condensed Matter and Complex Systems, Springer;EDP Sciences, vol. 89(1), pages 1-12, January.
    10. Kularatne, Thilini Dulanjali & Li, Jackie & Pitt, David, 2021. "On the use of Archimedean copulas for insurance modelling," Annals of Actuarial Science, Cambridge University Press, vol. 15(1), pages 57-81, March.
    11. Kamiya, Shinichi & Kang, Jun-Koo & Kim, Jungmin & Milidonis, Andreas & Stulz, René M., 2021. "Risk management, firm reputation, and the impact of successful cyberattacks on target firms," Journal of Financial Economics, Elsevier, vol. 139(3), pages 719-749.
    12. Sachin Shetty & Michael McShane & Linfeng Zhang & Jay P. Kesan & Charles A. Kamhoua & Kevin Kwiat & Laurent L. Njilla, 2018. "Reducing Informational Disadvantages to Improve Cyber Risk Management†," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 43(2), pages 224-238, April.
    13. Spencer Wheatley & Annette Hofmann & Didier Sornette, 2021. "Addressing insurance of data breach cyber risks in the catastrophe framework," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 46(1), pages 53-78, January.
    14. Rakes, Terry R. & Deane, Jason K. & Paul Rees, Loren, 2012. "IT security planning under uncertainty for high-impact events," Omega, Elsevier, vol. 40(1), pages 79-88, January.
    15. Christian Biener & Martin Eling & Jan Hendrik Wirfs, 2015. "Insurability of Cyber Risk: An Empirical Analysis†," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 40(1), pages 131-158, January.
    16. Sturm, Philipp, 2013. "Operational and reputational risk in the European banking industry: The market reaction to operational risk events," Journal of Economic Behavior & Organization, Elsevier, vol. 85(C), pages 191-206.
    17. Peng Shi & Lu Yang, 2018. "Pair Copula Constructions for Insurance Experience Rating," Journal of the American Statistical Association, Taylor & Francis Journals, vol. 113(521), pages 122-133, January.
    18. Barry Sheehan & Finbarr Murphy & Arash N. Kia & Ronan Kiely, 2021. "A quantitative bow-tie cyber risk classification and assessment framework," Journal of Risk Research, Taylor & Francis Journals, vol. 24(12), pages 1619-1638, December.
    19. Joe, Harry, 2005. "Asymptotic efficiency of the two-stage estimation method for copula-based models," Journal of Multivariate Analysis, Elsevier, vol. 94(2), pages 401-419, June.
    20. T. Maillart & D. Sornette, 2010. "Heavy-tailed distribution of cyber-risks," The European Physical Journal B: Condensed Matter and Complex Systems, Springer;EDP Sciences, vol. 75(3), pages 357-364, June.
    21. Gneiting, Tilmann & Raftery, Adrian E., 2007. "Strictly Proper Scoring Rules, Prediction, and Estimation," Journal of the American Statistical Association, American Statistical Association, vol. 102, pages 359-378, March.
    22. Valérie Chavez-Demoulin & Paul Embrechts & Marius Hofert, 2016. "An Extreme Value Approach for Modeling Operational Risk Losses Depending on Covariates," Journal of Risk & Insurance, The American Risk and Insurance Association, vol. 83(3), pages 735-776, September.
    23. Spencer Wheatley & Thomas Maillart & Didier Sornette, 2016. "The extreme risk of personal data breaches and the erosion of privacy," The European Physical Journal B: Condensed Matter and Complex Systems, Springer;EDP Sciences, vol. 89(1), pages 1-12, January.
    Full references (including those not matched with items on IDEAS)

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Zängerle, Daniel & Schiereck, Dirk, 2022. "Modelling and predicting enterprise‑level cyber risks in the context of sparse data availability," Publications of Darmstadt Technical University, Institute for Business Studies (BWL) 136276, Darmstadt Technical University, Department of Business Administration, Economics and Law, Institute for Business Studies (BWL).
    2. Daniel Zängerle & Dirk Schiereck, 2023. "Modelling and predicting enterprise-level cyber risks in the context of sparse data availability," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 434-462, April.
    3. Matteo Malavasi & Gareth W. Peters & Pavel V. Shevchenko & Stefan Truck & Jiwook Jang & Georgy Sofronov, 2021. "Cyber Risk Frequency, Severity and Insurance Viability," Papers 2111.03366, arXiv.org, revised Mar 2022.
    4. Malavasi, Matteo & Peters, Gareth W. & Shevchenko, Pavel V. & Trück, Stefan & Jang, Jiwook & Sofronov, Georgy, 2022. "Cyber risk frequency, severity and insurance viability," Insurance: Mathematics and Economics, Elsevier, vol. 106(C), pages 90-114.
    5. Gareth W. Peters & Matteo Malavasi & Georgy Sofronov & Pavel V. Shevchenko & Stefan Trück & Jiwook Jang, 2023. "Cyber loss model risk translates to premium mispricing and risk sensitivity," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 48(2), pages 372-433, April.
    6. Jevtić, Petar & Lanchier, Nicolas, 2020. "Dynamic structural percolation model of loss distribution for cyber risk of small and medium-sized enterprises for tree-based LAN topology," Insurance: Mathematics and Economics, Elsevier, vol. 91(C), pages 209-223.
    7. Eling, Martin & Loperfido, Nicola, 2017. "Data breaches: Goodness of fit, pricing, and risk measurement," Insurance: Mathematics and Economics, Elsevier, vol. 75(C), pages 126-136.
    8. Martin Eling & Michael McShane & Trung Nguyen, 2021. "Cyber risk management: History and future research directions," Risk Management and Insurance Review, American Risk and Insurance Association, vol. 24(1), pages 93-125, March.
    9. Shi, Peng & Zhao, Zifeng, 2024. "Enhanced pricing and management of bundled insurance risks with dependence-aware prediction using pair copula construction," Journal of Econometrics, Elsevier, vol. 240(1).
    10. Martin Eling & Kwangmin Jung, 2022. "Heterogeneity in cyber loss severity and its impact on cyber risk measurement," Risk Management, Palgrave Macmillan, vol. 24(4), pages 273-297, December.
    11. Farkas, Sébastien & Lopez, Olivier & Thomas, Maud, 2021. "Cyber claim analysis using Generalized Pareto regression trees with applications to insurance," Insurance: Mathematics and Economics, Elsevier, vol. 98(C), pages 92-105.
    12. Spencer Wheatley & Annette Hofmann & Didier Sornette, 2021. "Addressing insurance of data breach cyber risks in the catastrophe framework," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 46(1), pages 53-78, January.
    13. Martins, António Miguel & Moutinho, Nuno, 2025. "Stock-Term market impact of major cyber-attacks: Evidence for the ten most exposed insurance firms to cyber risk," Finance Research Letters, Elsevier, vol. 71(C).
    14. Saeide Sefidi & Mojtaba Ganjali & Taban Baghfalaki, 2022. "Analysis of ordinal and continuous longitudinal responses using pair copula construction," METRON, Springer;Sapienza Università di Roma, vol. 80(2), pages 255-280, August.
    15. Kjartan Palsson & Steinn Gudmundsson & Sachin Shetty, 0. "Analysis of the impact of cyber events for cyber insurance," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 0, pages 1-16.
    16. Matteo Malavasi & Gareth W. Peters & Stefan Treuck & Pavel V. Shevchenko & Jiwook Jang & Georgy Sofronov, 2024. "Cyber Risk Taxonomies: Statistical Analysis of Cybersecurity Risk Classifications," Papers 2410.05297, arXiv.org.
    17. Frank Cremer & Barry Sheehan & Michael Fortmann & Arash N. Kia & Martin Mullins & Finbarr Murphy & Stefan Materne, 2022. "Cyber risk and cybersecurity: a systematic review of data availability," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 47(3), pages 698-736, July.
    18. Eling, Martin & Jung, Kwangmin, 2018. "Copula approaches for modeling cross-sectional dependence of data breach losses," Insurance: Mathematics and Economics, Elsevier, vol. 82(C), pages 167-180.
    19. Nagler, Thomas & Krüger, Daniel & Min, Aleksey, 2022. "Stationary vine copula models for multivariate time series," Journal of Econometrics, Elsevier, vol. 227(2), pages 305-324.
    20. Kjartan Palsson & Steinn Gudmundsson & Sachin Shetty, 2020. "Analysis of the impact of cyber events for cyber insurance," The Geneva Papers on Risk and Insurance - Issues and Practice, Palgrave Macmillan;The Geneva Association, vol. 45(4), pages 564-579, October.

    More about this item

    NEP fields

    This paper has been announced in the following NEP Reports:

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:dar:wpaper:156328. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Dekanatssekretariat (email available below). General contact details of provider: https://edirc.repec.org/data/ivthdde.html .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.