
Cyber risk measurement with ordinal data

  • Original Paper
Statistical Methods & Applications


The paper proposes a new methodology to measure cyber risks which, instead of using quantitative loss data, often not available, employs ordinal data. The method relies on the construction of a criticality index, whose properties are discussed and compared with alternative measures employed in operational risk measurement. The methodology is illustrated on data regarding cyber attacks collected at the worldwide level. The proposed measure is found to be quite effective at ranking cyber risk types. Thus, from a policy perspective, it can be useful to guide the implementation of preventive actions.


  1. In the loss data framework, the severity is a continuous random variable, while in the context of ordinal risk data, the severity is generally expressed on an ordinal scale, characterised by K distinct levels, ordered according to the corresponding magnitude.




We thank the editor and two anonymous referees for useful comments and suggestions, which have improved the quality of the paper.

Author information

Corresponding author

Correspondence to Paolo Giudici.


Cite this article

Facchinetti, S., Giudici, P. & Osmetti, S.A. Cyber risk measurement with ordinal data. Stat Methods Appl 29, 173–185 (2020).
