Abstract
Considering data breaches as a man-made catastrophe helps clarify the actuarial need for multiple levels of analysis—going beyond claims-driven loss statistics alone—and calls for specific advances in both data and models. The prominent human element and the dynamic, networked and multi-type nature of cyber risk are perhaps what makes it uniquely challenging. Complementary top-down statistical and bottom-up analytical approaches are discussed. Focusing on data breach severity, we exploit open data for events at organisations in the U.S. We show that this extremely heavy-tailed risk is worsening for external attacker ‘hack’ events. Writing in Q2 of 2018, the median predicted number of ids breached in the U.S. due to hacking in the last 6 months of 2018 was 0.5 billion, with a 5% chance that the figure exceeds 7 billion, doubling the historical total. ‘Fortunately’, the total breach in that period turned out to be near the median.
Notes
Of basic personal information ‘ids’, such as name, social security number, address, etc., as well as accounts, transactions, and privileged communications. Article 4(12) of the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Such as the concentration of semiconductor manufacturing in a region of high flood risk in Thailand, see Romero, J. “The Lessons of Thailand’s Flood”, IEEE Spectrum, 1 Nov 2012. Also, in November 2017, it was confirmed that millions of Intel chips have a major vulnerability, potentially allowing arbitrary remote code execution and privileged information access. See https://www.us-cert.gov/ncas/current-activity/2017/11/21/Intel-Firmware-Vulnerability.
"Collection #1". https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/.
Among other conditions, with event loss in excess of USD 20–50 million, depending on sector.
“Expert Workshop on Improving the measurement of digital security incidents and risk management”. OECD. 12–13 May 2017. http://www.oecd.org/sti/ieconomy/improving-the-measurement-of-digital-security-incidents-and-risk-management.htm.
Uber Paid Hackers to Delete Stolen Data on 57 Million People, By Eric Newcomer, 21 November 2017 https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data.
To test empirically, one could look at data breaches in each state separately and see if there was a change point when a new cyber law was introduced. This could be an interesting way forward but goes beyond the current paper.
Highest frequencies are in New York and California, with highest severities in Nebraska, Nevada, and D.C. See Appendix A1.
Stolen identities have been used for fake comments online, distorting the appearance of important dialogues, and “hacking consensus”. See, for example, the information on Hackernoon: https://hackernoon.com/more-than-a-million-pro-repeal-net-neutrality-comments-were-likely-faked-e9f0e3ed36a6.
Useful categories could include: external/internal actor, data media (hard or software), attack strategy/mode, intentional or accidental, actual effect or potential (i.e., precursor), data type, aggregating factors (for example, distributed online), “cost” (for example, total fraud, total liability, etc.).
Uber Breach, Kept Secret for a Year, Hit 57 Million Accounts. The New York Times. November 22, 2017. See https://www.nytimes.com/2017/11/21/technology/uber-hack.html.
One-sided Z-test of the growth rates of the u = 10⁶ and u = 10⁴ fits gives p = 0.007, indicating significantly faster growth of more extreme breaches.
The distribution whose natural logarithm follows a lower-truncated normal distribution with parameters (µ, σ²). See Malevergne et al. (2011) for examples, and for the uniformly most powerful unbiased test against the Pareto tail.
Pareto distribution with upper truncation set to the size of the largest HACK event: 3 × 10⁹.
According to a Chi square likelihood ratio test, only the untruncated Pareto is significantly worse (p < 0.01).
With intercept 13.1 (2.3), slope 1.7 (0.4), and NB dispersion parameter 14.3 (6.65), for example, predicting a level of 13.1 events per 6 months in 2005, and approx. 35.2 by Q3 2017, where the exponential model predicts 38.4.
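A compound frequency-severity simulation, added here as an illustration and not code from the paper: it draws a negative binomial number of hack events per 6-month period (level 35.2, dispersion 14.3, as in the note above), gives each event an upper-truncated Pareto size capped at 3 × 10⁹ ids, and reads off the median and 95th percentile of the period total, which is how a "median" and a "5% chance of exceeding" figure like the abstract's arise. The lower threshold of 10⁴ ids and the tail exponent 0.7 are constructed assumptions, not the paper's fitted values, so the resulting numbers will not match the paper's.

```python
import math
import random

# From the notes above: NB frequency level by Q3 2017, its dispersion parameter,
# and the upper truncation at the size of the largest HACK event.
NB_MEAN = 35.2   # expected hack events per 6-month period
NB_DISP = 14.3   # negative binomial dispersion parameter
H = 3e9          # upper truncation of the Pareto severity (ids per event)
# Constructed assumptions, NOT the paper's fitted values:
U = 1e4          # lower threshold: only breaches of at least 10k ids are counted
ALPHA = 0.7      # Pareto tail exponent; alpha < 1 means the untruncated mean is infinite


def truncated_pareto_quantile(q, u=U, h=H, alpha=ALPHA):
    """Inverse CDF of a Pareto on [u, h] with tail exponent alpha, for q in [0, 1]."""
    scale = 1.0 - (u / h) ** alpha
    return u * (1.0 - q * scale) ** (-1.0 / alpha)

def truncated_pareto_mean(u=U, h=H, alpha=ALPHA):
    """Closed-form mean (alpha != 1); finite only because of the cap at h."""
    norm = 1.0 - (u / h) ** alpha
    return alpha * u ** alpha * (h ** (1 - alpha) - u ** (1 - alpha)) / ((1 - alpha) * norm)

def poisson(lam, rng):
    """Knuth's multiplicative Poisson sampler; fine for the rates (tens) used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def negative_binomial(mean, disp, rng):
    """NB(mean, disp) drawn as a gamma-Poisson mixture: lambda ~ Gamma(disp, mean/disp)."""
    return poisson(rng.gammavariate(disp, mean / disp), rng)

def simulate_period_totals(n_periods, seed=1):
    """Ids breached per 6-month period: NB event count, each with a truncated-Pareto size."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n_periods):
        n_events = negative_binomial(NB_MEAN, NB_DISP, rng)
        totals.append(sum(truncated_pareto_quantile(rng.random()) for _ in range(n_events)))
    return totals

def summarize(totals):
    """Median and 95th percentile (the '5% chance of exceeding' level) of period totals."""
    s = sorted(totals)
    return {"median": s[len(s) // 2], "p95": s[int(0.95 * (len(s) - 1))]}

if __name__ == "__main__":
    stats = summarize(simulate_period_totals(20000))
    print(f"median {stats['median']:.3g} ids, 95th percentile {stats['p95']:.3g} ids")
```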
References
Ayoub, A., W. Kröger, O. Nusbaumer, and D. Sornette. 2019. Simplified/harmonized PSA: A generic modeling framework applied to precursor analysis. In ANS PSA 2019, 16th international topical meeting on probabilistic safety assessment and analysis, Charleston, South Carolina.
Bandyopadhyay, T., V.S. Mookerjee, and R.C. Rao. 2009. Why IT managers don’t go for cyber-insurance products. Communications of the ACM 52(11): 68–73.
Betterley, R.S. 2013. Cyber/Privacy Insurance Market Survey 2013: Carriers deepen their risk management services benefits—Insureds grow increasingly concerned with coverage limitations, online edition, 2013, http://betterley.com/samples/cpims13_nt.pdf. Accessed 10 Feb 2020.
Biener, C., M. Eling, and J.H. Wirfs. 2015. Insurability of cyber risk: An empirical analysis. The Geneva Papers on Risk and Insurance—Issues and Practice 40(1): 131–158.
Böhme, R., S. Laube, and M. Riek. 2017. A fundamental approach to cyber risk analysis. Variance 12: 161–185.
Böhme, R., and G. Schwartz. 2010. Modeling cyber-insurance: Towards a unifying framework. WEIS. http://www.icsi.berkeley.edu/pubs/networking/modelingcyber10.pdf. Accessed 10 Feb 2020.
Bouchaud, J.-P., D. Sornette, C. Walter, and J.P. Aguilar. 1998. Taming large events: Optimal portfolio theory for strongly fluctuating assets. International Journal of Theoretical and Applied Finance 1(1): 25–41.
Cebula, J.J., M.E. Popeck, and L.R. Young. 2010. A taxonomy of operational cyber security risks, Technical Note, CMU/SE-2010-TN-028. Software Engineering Institute, Carnegie Mellon University.
Chernov, D., and D. Sornette. 2016. Man-made catastrophes and risk information concealment (Case studies of major disasters and human fallibility), 1st ed. Cham: Springer.
Chernov, D., and D. Sornette. 2020. Critical risks of different economic sectors. New York: Springer.
Cisco. 2017. Midyear cybersecurity report. online edition. https://engage2demand.cisco.com/LP=5897. Accessed 10 Feb 2020.
CRO Forum. 2016. Concept paper on a proposed categorisation methodology for cyber risk. https://www.thecroforum.org/wp-content/uploads/2016/06/ZRH-16-09033-P1_CRO_Forum_Cyber-Risk_web-2.pdf. Accessed 10 Feb 2020.
CRO Forum. 2018. Emerging risks initiative: Major trends and emerging risk radar April 2018 Update, CRO Forum. https://www.thecroforum.org/wp-content/uploads/2018/05/CRO-ERI_Emerging-Risk-RadarTrends_Apr2018_FINAL.pdf. Accessed 10 Feb 2020.
CyRiM project. 2019. Bashe attack: Global infection by contagious malware. https://www.lloyds.com/news-and-risk-insight/risk-reports/library/technology/bashe-attack. Accessed 10 Feb 2020.
EDPB. 2019. First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities, European Union. http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf. Accessed 10 Feb 2020.
Edwards, B., S. Hofmeyr, and S. Forrest. 2016. Hype and heavy tails: A closer look at data breaches. Journal of Cybersecurity 2(1): 3–14.
Eling, M., and W. Schnell. 2016a. What do we know about cyber risk and cyber risk insurance? The Journal of Risk Finance 17(5): 474–491.
Eling, M., and W. Schnell. 2016b. Ten key questions on cyber risk and cyber risk insurance, The Geneva Association, November 2016 Report. https://www.genevaassociation.org/sites/default/files/research-topics-document-type/pdf_public//cyber-risk-10_key_questions.pdf. Accessed 10 Feb 2020.
Eling, M. and J.H. Wirfs. 2015. Modelling and management of cyber risk. https://www.actuaries.org/oslo2015/papers/IAALS-WirfsandEling.pdf. Accessed 10 Feb 2020.
Eling, M., and J.H. Wirfs. 2019. What are the actual costs of cyber risk events? European Journal of Operational Research 2723(3): 1109–1119.
ENISA. 2016. The cost of incidents affecting CIIs. ENISA 2016. https://www.enisa.europa.eu/publications/the-cost-of-incidents-affecting-ciis. Accessed 10 Feb 2020.
eSentire. 2019. Nearly half of firms suffer data breach at hands of vendors, esentire.com https://www.esentire.com/blog/nearly-half-of-firms-suffer-data-breach-at-hands-of-vendors/Blog. Accessed 6 Mar 2019.
Europol. 2018. Europol’s 2016 Internet Organised Crime Threat Assessment (IOCTA). https://www.europol.europa.eu/internet-organised-crime-threat-assessment-2018. Accessed 10 Feb 2020.
Gartner. 2017. Gartner says 8.4 billion connected “things” will be in use in 2017, up 31 percent from 2016, Gartner. https://www.gartner.com/en/newsroom/press-releases/2017-02-07-gartner-says-8-billion-connected-things-will-be-in-use-in-2017-up-31-percent-from-2016. Accessed 10 Feb 2020.
Gordon, L.A., M.P. Loeb, and T. Sohail. 2003. A framework for using insurance for cyber-risk management. Communications of the ACM 46(3): 81–85.
Grossi, P., and H. Kunreuther, eds. 2005. Catastrophe modeling: a new approach to managing risk. Huebner international series on risk, insurance and economic security. New York: Springer.
Hofmann, A., and H. Ramaj. 2011. Interdependent risk networks: The threat of cyber attack. International Journal of Management and Decision Making 11(5/6): 312–323.
Ibragimov, R., D. Jaffee, and J. Walden. 2009. Nondiversification traps in catastrophe insurance markets. Review of Financial Studies 22(3): 959–993.
Ibragimov, R., and J. Walden. 2007. The limits of diversification when losses may be large. Journal of Banking & Finance 31(8): 2551–2569.
Jacobs, J. 2014. Analyzing Ponemon cost of data breach, datadrivensecurity.com, 11 Dec. https://datadrivensecurity.info/blog/posts/2014/Dec/ponemon/.
Kaplan, S., and B.J. Garrick. 1981. On the quantitative definition of risk. Risk Analysis 1(1): 11–27.
Kessler. 2018. Cyber risk survey report 2018—Cyber risk from a Swiss perspective. https://www.kessler.ch/fileadmin/user_upload/KS_Cyber_Report_2018_EN.pdf. Accessed 10 Feb 2020.
Koenker, R., and K.F. Hallock. 2001. Quantile regression. Journal of Economic Perspectives 15(4): 143–156.
Kovalenko, T. and D. Sornette. 2016. Risk and resilience management in social-economic systems, IRGC resource guide on resilience. https://www.irgc.org/irgc-resource-guide-on-resilience, http://ssrn.com/abstract=2775264. Accessed 10 Feb 2020.
KPMG. 2016. Small business reputation & the cyber risk, KPMG. https://home.kpmg/content/dam/kpmg/pdf/2016/02/small-business-reputation-new.pdf. Accessed 10 Feb 2020.
Kröger, W. 2019. Achieving resilience of large-scale engineered infrastructure systems. In Resilient structures and infrastructure, ed. E. Noroozinejad Farsangi, I. Takewaki, T. Yang, A. Astaneh-Asl, and P. Gardoni, 289–313. Singapore: Springer.
Kumar, V., R. Telang, and T. Mukhopadhyay. 2007. Optimally securing interconnected information systems and assets. In Proceedings of the sixth workshop on the economics of information security, 7–8 June, Carnegie Mellon University. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.209.425. Accessed 10 Feb 2020.
Kunreuther, H., V.M. Bier, and J.R. Phimister, eds. 2004. Accident precursor analysis and management: Reducing technological risk through diligence. Washington, DC: National Academies Press.
Kunreuther, H., and G. Heal. 2003. Interdependent security. Journal of Risk and Uncertainty 26(2–3): 231–249.
Leveson, N.G. 2011. Engineering a safer world: Systems thinking applied to safety. Cambridge: MIT Press.
Lloyd’s. 2017. Counting the cost: Cyber exposure decoded, Emerging Risks Report 2017, Lloyds/Cyence.
Maillart, T., and D. Sornette. 2010. Heavy-tailed distribution of cyber-risks. European Physical Journal B 75(3): 357–364.
Maillart, T., D. Sornette, S. Frei, T. Duebendorfer, and A. Saichev. 2011. Quantification of deviations from rationality with heavy-tails in human dynamics. Physical Review E 83: 056101.
Malevergne, Y., V. Pisarenko, and D. Sornette. 2011. Testing the Pareto against the lognormal distributions with the uniformly most powerful unbiased test applied to the distribution of cities. Physical Review E 83(3): 036111.
Marotta, A., F. Martinelli, S. Nanni, A. Orlando, and A. Yautsiukhin. 2017. Cyber-insurance survey. Computer Science Review 24: 35–61.
Mukhopadhyay, A., S. Chatterjee, D. Saha, A. Mahanti, and S.K. Sadhukhan. 2013. Cyber-risk decision models: To insure IT or not? Decision Support Systems 56: 11–26.
Net Diligence. 2014. Cyber claims study 2014. https://netdiligence.com/NetDiligence_2014CyberClaimsStudy.pdf. Accessed 10 Feb 2020.
Öğüt, H., S. Raghunathan, and N. Menon. 2011. Cyber security risk management: Public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection. Risk Analysis 31(3): 497–512.
ORX. 2018. Annual Insurance Risk Report, ORX. https://managingrisktogether.orx.org/sites/default/files/downloads/2018/07/annual_insurance_loss_report_2018.pdf. Accessed 10 Feb 2020.
Ponemon. 2014. 2014 cost of data breach study, IBM/Ponemon.
Ponemon. 2017. 2017 cost of data breach study, IBM/Ponemon.
Proofpoint. 2019. The latest in phishing: First of 2019. Proofpoint. https://www.proofpoint.com/us/security-awareness/post/latest-phishing-first-2019. Accessed 10 Feb 2020.
Romanosky, S. 2016. Examining the costs and causes of cyber incidents. Journal of Cybersecurity 2(2): 121–135.
Romanosky, S., L. Ablon, A. Kuehn, and T. Jones. 2017. Content analysis of cyber insurance policies: How do carriers write policies and price cyber risk? Working Paper, RAND Justice, Infrastructure, and Environment.
Rothschild, M., and J. Stiglitz. 1976. Equilibrium in competitive insurance markets: An essay on the economics of imperfect information. Quarterly Journal of Economics 90(4): 629–649.
RSA. 2018. 2018 Current State of Cybercrime, RSA. https://www.rsa.com/content/dam/premium/en/white-paper/rsa-2018-current-state-of-cybercrime.pdf. Accessed 10 Feb 2020.
Ruffle, S.J., G. Bowman, F. Caccioli, A.W. Coburn, S. Kelly, B. Leslie, and D. Ralph. 2014. Stress test scenario: Sybil logic bomb cyber catastrophe. Cambridge Risk Framework Series, Centre for Risk Studies, University of Cambridge.
Saichev, A., and D. Sornette. 2010. Effects of diversity and procrastination in priority queuing theory: The different power law regimes. Physical Review E 81: 016108.
Schelling, T.C. 1978. Micromotives and macrobehavior. New York: W.W. Norton.
Shetty, S., M. McShane, L. Zhang, J.P. Kesan, C.A. Kamhoua, K. Kwiat, and L.L. Njilla. 2018. Reducing informational disadvantages to improve cyber risk management. The Geneva Papers on Risk and Insurance—Issues and Practice 43(2): 224–238.
Shevchenko, N., et al. 2018. Threat modeling: A summary of available methods. Software Engineering Institute, Carnegie Mellon University. https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=524448. Accessed 10 Feb 2020.
Sornette, D., W. Kröger, and S. Wheatley. 2019. New Ways and Needs for Exploiting Nuclear Energy. Springer.
SRA. 2015. SRA glossary. Society for Risk Analysis. https://www.sra.org/sites/default/files/pdf/SRA-glossary-approved22june2015-x.pdf. Accessed 10 Feb 2020.
Swiss Re. 2017. Cyber: Getting to grips with a complex risk. Sigma 1/17, https://www.swissre.com/dam/jcr:995517ee-27cd-4aae-b4b1-44fb862af25e/sigma1_2017_en.pdf. Accessed 10 Feb 2020.
Swiss Re. 2018. Natural catastrophes and man-made disasters in 2017: A year of record-breaking losses. Sigma (No 1/2018).
Trump, B.D., M.-V. Florin, and I. Linkov, eds. 2018. IRGC resource guide on resilience (vol. 2): Domains of resilience for complex interconnected systems. Lausanne: EPFL International Risk Governance Center (IRGC). www.irgc.epfl.ch. Accessed 10 Feb 2020.
WEF. 2018. The global risks report 2018, 13th edition. https://www.weforum.org/reports/the-global-risks-report-2018. Accessed 10 Feb 2020.
Wheatley, S., T. Maillart, and D. Sornette. 2016. The extreme risk of personal data breaches and the erosion of privacy. The European Physical Journal B 89(7): 1–12.
Appendix
A1: Cyber events in the U.S. by state
Figure 7 shows the 12-year frequency and median severity of information items compromised by U.S. state. As can be seen, the highest frequencies are in the states of New York and California, followed by Texas and Ohio. The highest severity, interestingly, is for Nebraska, followed by Nevada and District of Columbia.
A2: Chronology of cyber events: is there a general trend?
There is a strong trend towards increasing frequency and severity of hack data breach events with a size > 10,000 k. This very strong trend is not distinguishable for overall breach events in excess of 10 k (see Figs. 8 and 9).
Cite this article
Wheatley, S., Hofmann, A. & Sornette, D. Addressing insurance of data breach cyber risks in the catastrophe framework. Geneva Pap Risk Insur Issues Pract 46, 53–78 (2021). https://doi.org/10.1057/s41288-020-00163-w