What Is the Worst Scenario? Modeling Extreme Cyber Losses

  • Grzegorz StrupczewskiEmail author
Conference paper
Part of the Springer Proceedings in Business and Economics book series (SPBE)


Digitalization is not only a source of development and innovation, but also carries a risk related to the growing number of threats in cyberspace—so-called cyber risk. Any significant disruption in cyberspace, whether global or local, will have an impact on the security of business transactions, a sense of security for citizens, the efficiency of public sector institutions, the course of production processes and services, and consequently on national security in general. Modeling extreme events in the area of cyber risk may be used in determining the level of capital necessary to cover financial losses resulting from low-probability high-impact (LPHI) events. We conduct an analysis of the tail distributions, using univariate extreme value theory. In particular, we adopt the peak-over-threshold (POT) by Generalized Pareto Distribution (GPD) approach for exceedances (tails). Moreover, we applied another approach to extreme risk modelling—fitting a spliced distribution. The splicing of a Mixed Erlang distribution for the body and an extreme value distribution (Pareto or GPD) for the tail as well as mixtures of gamma/log-normal/Weibull distributions with GDP are considered. This approach overcomes the subjectivity of manual threshold selection, because it can be estimated as a parameter. We compare the results of fitted distributions and draw conclusions based on VaR’s estimates for each analyzed models. We found that the GPD model has proven its superiority over spliced distributions in terms of goodness-of-fit and accuracy of VaR estimations. Therefore we conclude that the GPD is the most recommended distribution to model extreme risk measures (VaR, ES). VaR and ES indicate the level of risk capital that should be carried by a company in case of LPHI cyber event.


Cyber risk Cyber loss Extreme value theory EVT 


  1. Albrecher, H., Beirlant, J., Teugels, J.: Reinsurance: Actuarial and Statistical Aspects. Wiley, Chichester (2017)CrossRefGoogle Scholar
  2. Balkema, A.A., de Haan, L.: Residual life time at great age. Ann. Probab. 2, 792–804 (1974)CrossRefGoogle Scholar
  3. Behrens, C.N., Lopes, H.F., Gamerman, D.: Bayesian analysis of extreme events with threshold estimation. Stat. Model. 4(3), 227–244 (2004)CrossRefGoogle Scholar
  4. Bandyopadhyay, T.: Organizational adoption of cyber insurance instruments in IT security risk management—a modeling approach. In: Proceedings of the Southern Association for Information Systems Conference, Atlanta, GA, USA, 23–24 Mar 2012. last accessed 21 Oct 2018
  5. Cebula, J., Young, L.: A taxonomy of operational cyber security risks. In: Technical Note CMU/SEI-2010-TN-028. Carnegie Mellon University, Pittsburgh (2010). Last accessed 24 Feb 2017
  6. Davidson, A.C., Smith, R.L.: Models for exceedances over high thresholds. J. Roy. Stat. Soc. 52(3), 393–442 (1990)Google Scholar
  7. Diebolt, J., Guillou, A., Ribereau, P.: Asymptotic normality of extreme quantile estimators based on the peaks-over-threshold approach. Commun. Stat.—Theor. Methods 36(5), 869–886 (2007)CrossRefGoogle Scholar
  8. Diebold, F.X., Schuermann, T., Stroughair, J.: Pitfalls and opportunities in the use of extreme value theory in risk management. In: Refenes, A.-P.N., Moody, J.D., Burgess, A.N. (eds.) Advances in Computational Finance, pp. 3–12. Kluwer Academic Publishers, Amsterdam (1998)Google Scholar
  9. Embrechts, P., Klüppelberg, C., Mikosch, T.: Modelling Extremal Events for Insurance and Finance. Springer, Berlin (1997)CrossRefGoogle Scholar
  10. Engberg, A.: An Empirical Comparison of Extreme Value Modeling Procedures for the Estimation of High Quantiles. Uppsala University, Uppsala (2016). Last accessed 12 Apr 2018
  11. Fisher, R.A., Tippett, L.H.C.: Limiting forms of the frequency distribution of the largest or smallest member of a sample. In: Mathematical Proceedings of the Cambridge Philosophical Society 24, pp. 180–190. Cambridge University Press, Cambridge (1928)Google Scholar
  12. Hu, Y.: Extreme value mixture modelling: An R package and simulation study. M.Sc. (Hons) thesis. University of Canterbury, New Zealand (2013). Last accessed 23 May 2018
  13. Katz, R.W., Parlange, M.B., Naveau, P.: Statistics of extremes in hydrology. Adv. Water Resour. 25, 1287–1304 (2002)CrossRefGoogle Scholar
  14. Kharin, V.V., Zwiers, F., Zhang, X., Wehner, M.: Changes in temperature and precipitation extremes in the CMIP5 ensemble. Clim. Change 119, 345–357 (2013)CrossRefGoogle Scholar
  15. Koch, R.: The 80/20 Principle: The Secret of Achieving More with Less. Doubleday, New York (1998)Google Scholar
  16. Kuritzkes, A.: Operational risk capital: a problem of definition. J. Risk Finan. 4(1), 47–56 (2002). Scholar
  17. Lee, S.C., Lin, X.S.: Modeling and evaluating insurance losses via mixtures of Erlang distributions. North Am. Actuarial J. 14(1), 107–130 (2010)CrossRefGoogle Scholar
  18. McNeil, A.J.: Extreme value theory for risk managers. In: Internal Modelling and CAD II, pp. 93–113. RISK Books, New York (1999)Google Scholar
  19. Novak, S.Y.: Extreme Value Methods with Applications to Finance. CRC Press, Boca Raton (2011)CrossRefGoogle Scholar
  20. Pickands III, J.: Statistical inference using extreme order statistics. Ann. Stat. 3, 119–131 (1975)CrossRefGoogle Scholar
  21. Reynkens, T., Verbelen, R., Beirlant, J., Antonio, K.: Modelling censored losses using splicing: a global fit strategy with mixed Erlang and extreme value distributions. Insur.: Math. Econ. 77, 65–77 (2017)Google Scholar
  22. Reynkens, T.: Using the ReIns package. Last accessed 06 Apr 2018
  23. Rocco, M.: Extreme value theory in finance: a survey. J. Econ. Surv. 28(1), 82–108 (2013)CrossRefGoogle Scholar
  24. Romanosky, S.: Examining the costs and causes of cyber incidents. J. Cybersecur. 2(2), 121–135 (2016). Scholar
  25. Ruan, K.: Introducing cybernomics: a unifying economic framework for measuring cyber risk. Comput. Secur. 65, 77–89 (2017)CrossRefGoogle Scholar
  26. Scarrott, C., MacDonald, A.: A review of extreme value threshold estimation and uncertainty quantification. Revstat Stat. J. 10(1), 33–60 (2012)Google Scholar
  27. Vaughan, E.J., Vaughan, T.M.: Fundamentals of Risk and Insurance. Wiley, Hoboken (2013)Google Scholar
  28. Verbelen, R., Gong, L., Antonio, K., Badescu, A., Lin, S.: Fitting mixtures of Erlangs to censored and truncated data using the EM algorithm. KU Lueven (2015).,+K.,+Badescu,+A.,+Gong,+L.,+Sheldon,+L.+and+Verbelen,+R.+(2014).+Fitting+mixtures+of+Erlangs+to+censored+and+truncated+data+using+the+EM+algorithm.pdf. last accessed 09 June 2018
  29. Wang, S.S.: Integrated framework for information security investment and cyber insurance. SSRN Electron. J. (2017).
  30. WEF: The Global Risks Report 2017. World Economic Forum, Geneva (2017). Last accessed 12 Sept 2017

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Cracow University of EconomicsCracowPoland

Personalised recommendations