Modelling and predicting enterprise-level cyber risks in the context of sparse data availability

Despite growing attention to cyber risks in research and practice, quantitative cyber risk assessments remain limited, mainly due to a lack of reliable data. This analysis leverages sparse historical data to quantify the financial impact of cyber incidents at the enterprise level. For this purpose, an operational risk database—which has not been previously used in cyber research—was examined to model and predict the likelihood, severity and time dependence of a company’s cyber risk exposure. The proposed model can predict a negative time correlation, indicating that individual cyber exposure is increasing if no cyber loss has been reported in previous years, and vice versa. The results suggest that the probability of a cyber incident correlates with the subindustry, with the insurance sector being particularly exposed. The predicted financial losses from a cyber incident are less extreme than cited in recent investigations. The study confirms that cyber risks are heavy-tailed, jeopardising business operations and profitability.


Introduction
Cyber risks are one of the greatest threats of the twenty-first century (WEF 2021). Originally arising from the use of information technology (IT), cyber risks have since increased in both number and financial impact, especially due to rapidly progressing digitisation, worldwide interconnection and the introduction of new digital products and services (Njegomir and Marović 2012;Rakes et al. 2012;Aldasoro et al. 2020). The cost of cyber incidents is estimated at more than USD 1 trillion (McAfee 2020) globally. Cyber incidents not only jeopardise private customers but also pose new challenges for companies and organisations (Njegomir and Marović 2012;Choudhry 2014;Bendovschi 2015;Wrede et al. 2018;Aldasoro et al. 2020). Despite the high awareness of cyber risk among corporate decision makers (Smidt and Botzen 2018) and insurance companies (Pooser et al. 2018), enterprise risk management (ERM) still neglects the associated risks, with some industries and firms even adopting a passive stance (Ashby et al. 2018;Pooser et al. 2018).
Effective cyber risk management should be comprehensively incorporated into ERM rather than analysed in an isolated manner, such as exclusively in IT departments (Marotta and McShane 2018;Shetty et al. 2018;Poyraz et al. 2020). Furthermore, there is evidence that cyber risk management processes are generally qualitative and are missing quantitative findings (Palsson et al. 2020). The usual method to quantify cyber risk is through an analysis of historical cyber incidents from verifiable sources and the performance of empirical, statistical and actuarial examinations to determine the financial impact and likelihood of a cyber incident in a specific organisation (Smidt and Botzen 2018; Palsson et al. 2020). However, the lack of data restrains the quality of such assessments and constitutes the main research gap in the cyber risk literature Marotta et al. 2017;Boyer 2020).
To address this, we quantitatively assess the financial impact of cyber risks at the enterprise level using sparse historical data. Our analysis is based on the Öffentliche Schadenfälle OpRisk (ÖffSchOR) database-an operational risk (OpRisk) database on publicly disclosed loss events in the European financial sector-which has not been adapted to cyber risk research. We apply advanced modelling techniques suggested by Shi and Yang (2018), Eling and Wirfs (2019) and Fang et al. (2021) to predict the likelihood and loss exposure of a potential cyber incident. We specifically use statistical dependence, modelled by a D-vine copula structure, to cope with the sparsity of events in a multivariate time series setting. In doing so, we provide new empirical evidence and quantitative results on actual cyber risk losses at the company level. Our findings suggest that cyber risks are less severe than recent studies claim and that subindustries must be separately modelled. Additionally, our results support the insight that cyber risks are heavy tailed, with an extreme cyber incident as a worst-case scenario that would seriously harm or default a company (Eling and Wirfs 2019;Wheatley et al. 2021).
The results of this study provide one of the first quantitative insights on the nature of cyber risks and introduce a new dataset to cyber research. The outlined methodology allows researchers and practitioners, in particular cyber insurers, to assess cyber risks despite the lack of larger datasets and to combine with existing pricing tools in order to evaluate risk-based premiums (Nurse et al. 2020;Cremer et al. 2022). Our study, thus, contributes to the limited research available on the empirical quantification of cyber risks and to a better understanding within the field.
The remainder of this paper is structured as follows. The next section provides a summary of the most relevant literature. Then, we introduce the dataset and methodology. The fourth section presents the results of our analysis. The final section concludes with a discussion of the findings and limitations of the study as well as future research possibilities.

Literature review
Compared to the prevailing research on operational risk modelling (see e.g. Cox 2012; MacKenzie 2014), cyber risk analyses are still very limited (Eling 2020). 1 This lack of research is often linked to the limited availability of cyber loss data (Maillart and Sornette 2010;Biener et al. 2015), which is typically not disclosed by organisations in an effort to avoid reputational damage (Giudici and Raffinetti 2020). Despite several public and private initiatives to form databases (see the next section), companies have little incentive to share loss information in a public or consortium repository (Palsson et al. 2020). Initiatives such as the introduction of new reporting requirements for cyber incidents and data breaches-in the U.S. by the National Conference of State Legislatures (NCSL 2016) and in Europe by the European Union (EU 2016)-might improve modelling techniques (Eling and Wirfs 2019) but are still incapable of delivering new insights. Further, the introduction of individual cyber risk definitions leads to a maze of terms rather than a comprehensive and unified terminology and understanding of cyber risks (Zängerle and Schiereck 2022).
The lack of cyber risk data has also been addressed in recent publications. In particular, Cremer et al. (2022) conduct a comprehensive and systematic review of cyber data availability, identifying only 79 datasets from a preliminary 5,219 peer-reviewed cyber studies. Furthermore, most of these databases focus on technical cybersecurity aspects, such as intrusion detection and machine learning, with only a fraction of available datasets on cyber risks. The authors find that the lack of available data on cyber risks is a serious problem for stakeholders that undermines collective efforts to better manage these risks. This interpretation is supported by Romanosky et al. (2019), who show that (cyber) insurers in the U.S. have no historic or credible data to assess the loss expectation of cyber insurance coverages.
Due to the scarcity of cyber loss information, data breaches, mainly in the U.S., have received the most attention in empirical research (see e.g. Maillart and Sornette 2010;Edwards et al. 2016;Wheatley et al. 2016;Eling and Loperfido 2017;Eling 2018;Xu et al. 2018;Wheatley et al. 2021). Attempts have also been made to assess the monetary impact of data breaches (see e.g. Layton and Watters 2014;Romanosky 2016;Ruan 2017;Poyraz et al. 2020). However, as addressed by Woods and Böhme (2021), these studies have produced contradictory results, depending on the dataset and methodology applied. Furthermore, Eling and Wirfs (2019) found that data breaches account for just 25% of all cyber events, and the estimated distribution of breached records does not align with that of the actual financial cost of cyber incidents. To this day, only a few studies have assessed the financial impact of cyber incidents in a comprehensive way. Biener et al. (2015) analyse cyber losses from the SAS operational loss database and emphasise the distinct characteristics of cyber risks, including the lack of data, information asymmetries and highly interrelated losses. However, the authors focus on insurability rather than the modelling and prediction of cyber losses. Romanosky (2016) provides the first quantitative insights from actual loss information based on the Advisen dataset but concentrates on descriptive statistics. 2 Later, Palsson et al. (2020) use the same database to model the financial cost of different cyber event types by applying a random forest algorithm. Although the data are not sufficiently detailed to construct a predictive model with high accuracy, the researchers identify relevant factors affecting the expenses of such incidents. Similar to our examination, Eling and Wirfs (2019) analyse the actual costs of cyber incidents from the SAS loss database with statistical and actuarial methods. By applying the peaksover-threshold (POT) method from extreme value theory (EVT), they find that cyber risks are distinct from other risk categories and argue that researchers must distinguish between 'cyber risks of daily life' and 'extreme cyber risks'. In addition, they present a simulation study for practical application. We apply techniques similar to those of Eling and Wirfs (2019), who focus on monthly aggregated observations from all entities available, treated as one sample from a single distribution. We, however, utilise enterprise-level sparse time series data from a database that has not yet been used in the context of cyber risk modelling.
A second research stream focusing on the modelling of dependence structures has recently emerged (Eling 2020). In particular, the application of copula theory is widely accepted due to the ability to use any marginal distribution, which is essential for diverse cyber risk classes, and to address non-linear dependencies (see e.g. Böhme and Kataria 2006;Herath and Herath 2011;Mukhopadhyay et al. 2013). Further studies have extended these approaches to multivariate settings using vine copulas (see e.g. Joe 1997; Bedford and Cooke 2002;Kurowicka and Cooke 2006;Aas et al. 2009), which generate a multivariate copula based on iterative and bivariate pairwise copula constructions (PCC). The D-vine, a distinct vine copula, is particularly structured and simple to interpret in the time series context (Zhao et al. 2020). For example, Peng et al. (2016) use honeypot data to model multivariate and extreme cyber risks with marked point processes and vine copulas, later progressing with a vine copula GARCH model ). Shi and Yang (2018) analyse the temporal dependence in longitudinal data by a D-vine copula. Xu et al. (2018) model the interarrival times of data breaches by ARMA-GARCH and joint density with copula. Eling and Jung (2018) apply the Privacy Rights Clearinghouse (PRC) dataset and model the cross-sectional dependence of data breaches. They find that vine structures exhibit a better fit than simple elliptical or Archimedean copulas. Fang et al. (2021) also study the same dataset, but in a multivariate time series setting with sparse observations at the enterprise level. Therefore, they propose a D-vine copula to model the serial trend. We adopt this framework to model the financial impact of actual cyber incidents rather than data breaches alone.
The current emergence of network models also offers a new, more appealing path for cyber risk modelling (see e.g. Fahrenwaldt et al. 2018;Jevtić and Lanchier 2020;Wu et al. 2021). However, these advanced predictive models are currently limited to simulation studies, as applying such methods to real-world data requires a vast amount of unfiltered data points in order to provide accurate predictions (Tavabi et al. 2020). These techniques are consequently not applicable to our setting due to the lack of sufficient data.

Data and methodology
In addition to the fact that information on cyber risks is typically not publicly available, the systematic collection of known cyber incidents poses further challenges (Eling and Wirfs 2016b). As Romanosky (2016) illustrates, only a fraction of actual cyber incidents is recorded in associated loss databases. A limited number of cyber databases (see Table 1) do exist, mainly established by private and public companies and consortia. Nevertheless, it is challenging to gain access to them, and there is no standard practice in the recording and collection of cyber incidents.
OpRisk databases from the U.S. have been primarily used to model cyber risks in the existing literature, including Advisen (see e.g. Romanosky 2016; Kesan and Zhang 2019;McShane and Nguyen 2020;Palsson et al. 2020) and the SAS OpRisk database (see e.g. Biener et al. 2015;Wirfs 2016a, 2019). Furthermore, other organisations and consortia collaborate and share data on operational and cyber risks to build systematic databases. Specific databases focusing on data breaches in the U.S. (e.g. Privacy Rights Clearinghouse) and private initiatives (e.g. Hackmaggedon) have emerged. However, only some of the above-mentioned initiatives provide information on the economic loss of reported cyber incidents. For our analyses, we use the German Öffentliche Schadenfälle OpRisk database due to the following reasons. First, the database is rather small, which emphasises the introduced motivation of sparse cyber risk modelling. Second, ÖffSchOR focuses on OpRisk losses from the financial sector in Europe, providing some of the first insights both from this important industry in the European Union and from Europe overall. In particular, the size of the recorded losses and relative number of cyber incidents are comparable to previous studies (see e.g. Eling and Wirfs 2019). Third, ÖffSchOR provided free access to the database to conduct this research project and to promote quantitative cyber research. Fourth, and to the best of our knowledge, this is the first scientific analysis based on ÖffSchOR in the context of cyber risk research. 3  ./.

ÖffSchOR database
ÖffSchOR is an information database on publicly disclosed loss events of operational risks in the financial sector. The database is operated by VÖB-Service GmbH, a subsidiary of the Federal Association of Public Banks (Bundesverband Öffentlicher Banken Deutschlands, VÖB) in Germany. In general, losses of a gross amount of EUR 100,000 or more are recorded in the database, including reputational risks and risk scenarios. The industry focus is on financial services and insurance companies in Europe. In addition, interesting loss events can be examined from other economic sectors or regions. ÖffSchOR uses print and online media services to collect data. All loss events are categorised according to the Capital Requirements Regulation (CRR) specifications (EU 2013). Loss incidents are assigned to different subcategories, such as conduct risk, legal risk, information and communication technology (ICT) risk or sustainability risk. To date, however, there is no unique identifier for cyber risk in the ÖffSchOR database. Therefore, subcategories distinguishing cyber and non-cyber events are necessary.

Methodology
Motivated by the framework of Fang et al. (2021), the methodology of this study is organised into six key components: (1) data preparation, analysis and transformation; (2) marginal model; (3) modelling frequency; (4) modelling severity; (5) modelling temporal dependence and (6) predicting the next time period.

Data preparation, explorative data analysis and data transformation
As of 30 September 2021, the ÖffSchOR database consists of 3,261 operational loss events between 2002 and 2021. Given that the database does not categorise cyber events, it is first necessary to allocate the sample to cyber and non-cyber incidents. Cyber risk is defined as "any risk emerging from the use of ICT that compromises the confidentiality, availability, or integrity of data or services […]. Cyber risk is either caused by natural disasters or is man-made where the latter may emerge from human failure, cyber criminality (e.g. extortion, fraud), cyber war or cyber terrorism" ). Based on this definition, which has been suggested as the most comprehensive in the cyber risk literature (Strupczewski 2021), Tables 2 and 3 present the search strategy employed to identify 341 cyber events in the ÖffSchOR database. The strategy combines both systematic and manual search steps to maximise and validate the categorisation of cyber events. In order to gain preliminary insights from the data, a descriptive analysis is conducted.
The dataset is then transformed into a time series, where y it is the amount of all cyber losses of company i in year t, n is the number of companies in the data and T is the time horizon. Non-cyber incidents and companies without a single cyber Table 2 Search and identification of cyber events in the ÖffSchOR database and remaining data points (in bold) Values in italics used to highlight the difference or add-on of data points Step Task  incident are not considered in the analysis. If several companies are affected by an event, the reported loss figure is equally distributed. Further, if a company experiences several cyber incidents in one year, the total amount is accumulated. This transformation results in a multivariate time series with many instances in which y it = 0 , indicating that many companies, i, did not suffer any cyber loss in year t.

Marginal model
In the following, let the random variable Y it represent the cyber loss of company i in year t. Thus, the distribution function, F it , of Y it and the corresponding density function, f it , can be described as follows (Shi and Yang 2018;Fang et al. 2021): where I(·) is the indicator function, p it is the probability that company i experiences no cyber incident in year t, M it is the distribution function and m it is the corresponding density function of Y it under the condition that Y it > 0 (i.e. a cyber loss has occurred).

Modelling frequency
A logistic regression is performed to determine the probability of occurrence 1 − p it . As the dataset consists of limited additional information, the temporal trend t and the categories industry (ind) and region (reg) are included, such that the overall model M equals: (1)  (23) Skimming (98) Data security (23) Smartphone (5) Data theft (87) Security gap (15) Bitcoin (4) Cyber (60) pushTAN/mTAN (10) Security system (3) Phishing (51) E-mail (7) Mobile (2) Stealing data (10) Password (3) DDoS (7) PIN (1) IT attack (2) Social engineering (1) Spam (1) where X ind = {Bank, Municipal bank, Insurance, Other} and X reg = {DACH, Europe, Americas, Other} . The category other serves as the base reference. The Results section analyses further model variants. The aim is to obtain a robust and valid estimate of p it while minimising the coefficient β.

Modelling severity
Given that cyber risks are skewed and heavy tailed (Maillart and Sornette 2010;Wirfs 2016b, 2019;Wheatley et al. 2016;Fang et al. 2021), a mixedmodel approach based on EVT is chosen to model the distribution of M it : where Θ is the parameter vector and H i (y | Θ) and G i (y | Θ) are the distribution functions below and above the threshold i , respectively.
This approach offers a high degree of flexibility in the choice of distribution functions. Due to the sparse data and for robust estimation of Θ, a probability distribution with few shape parameters is preferred, especially for the distribution below the threshold. Based on the explorative data analysis and for a simple illustration of the methodology, we set H i (y | Θ) ∼ N H i , H i to the normal distribution and G i (y | Θ) ∼ GPD G i , G i , to the generalised Pareto distribution (GPD) while considering the log-transformed losses (Eling and Wirfs 2016b;Eling and Loperfido 2017;Fang et al. 2021). The parameter vector Θ is then estimated numerically using the maximum likelihood estimation (MLE). To further analyse the robustness of the model, the estimation of Θ is performed and evaluated with different timeframes

Modelling temporal dependence
To model the temporal dependence (i.e. serial trend, between Y i1 , … , Y iT ), we use a copula structure such that where y = y 1 , … , y T , F i1 , … , F iT are the marginal distributions from Eq. (1) and C is the copula. A large variety of copulas could be used. As our focus is on modelling the serial trend in a time series setting, the D-vine copula provides a good fit-offering flexibility and efficiency and incorporating the temporal structure of time series data (Shi and Yang 2018;Fang et al. 2021).
Considering the random variable Y i = Y i1 , … , Y iT of company i, the joint density of its cyber losses can be expressed as follows: where y k = y k1 , … y kT . To estimate the model's parameters, the two-stage inference functions for margins (IFM) approach is used, which are practical for predictive applications and computationally efficient (Joe 2005). Applying the sequential approach (Shi and Yang 2018), we estimate and fix the dependence structure for each tree by selecting the bivariate copula with the lowest Akaike information criterion (AIC). Starting from the first tree, we estimate the next tree using the estimates of the previous tree(s). For practical reasons, we also fix the dependence structure in each tree, which leads to the same copula within one tree but can differ between trees.
Due to the flexible bivariate, pairwise copula construction, a variety of copulas can be used. With regard to the limited data, the following one-parametric copulas are considered for the pairwise copula construction: the independence copula, the Gaussian copula, the Frank copula, the Joe copula, the Clayton copula and the Gumbel copula. Special attention is dedicated to the Frank copula, which can represent both positive and negative dependence structures and has already been successfully applied in comparable scientific investigations Kularatne et al. 2021): with ≠ 0 being the copula parameter. Further information on the other copulas can be found in Nelsen (2006).

Predicting the next time period
The final aim is to predict the probability of an occurrence and the economic impact of a potential cyber event on company i for the future time period T + 1 . In the first step, the probability of occurrence 1 − p i,T+1 of a cyber event for company i is estimated. In the second step, the loss amount Y i,T+1 is determined under the condition that a cyber event has occurred. Given historical loss data y i = y i1 , … y iT for company i, the conditional density of Y i,t+1 | y i can be expressed as follows: with i ∈ {1, … , n} . This method allows prediction of the cyber loss distribution of entity i one step ahead of time. As there is no closed formula for Y i,T+1 , a Monte Carlo simulation based on the rejection sampling method is used for the prediction (Robert and Casella 2004;Fang et al. 2021). The validity and goodness of fit of the predicted model are measured by the ranked probability score (RPS), which is a commonly used accuracy measure (Epstein 1969;Gneiting and Raftery 2007). Due to the nature of the (mixed-model) approach, standard measures such as mean absolute error (MAE) and mean standard error (MSE) are not applicable.

Data preparation, explorative data analysis and data transformation
Since the ÖffSchOR database does not consist of any identifier for cyber events, all 3,261 data points are first categorised into cyber and non-cyber events. Based on the cyber definition of  and the iterative search and identification presented in Tables 2 and 3, 22 unique keywords for cyber risks are identified and further categorised into threats (10 keywords), vulnerabilities (7) and risk objects (5) in line with Böhme et al. (2019). The most frequently identified keywords from the threats category are hacker (120), skimming (98), data theft (87), cyber (60) and phishing (51). The most frequently identified keywords from the vulnerabilities category are data breach (39) and data security (23), and the most frequently identified keyword from the assets category is customer data (23). In total, 341 cyber (10%) and 2,920 non-cyber events are determined in the database and manually checked for correct categorisation. Table 4 summarises the descriptive analysis of the ÖffSchOR database, split into four different panels. According to Panel A, cyber risks differ from non-cyber (operational) risks. Cyber risks have a lower average loss severity and skewness. For example, the average loss of a cyber event is EUR 17.4 million, while a non-cyber event costs on average EUR 210.9 million. In terms of skewness, the 95% quantile of cyber events is approximately EUR 82 million and the maximum is more than 10 times that amount at EUR 877 million. For non-cyber events, the 95% quantile is almost 10 times as large as the same figure for cyber events, at almost EUR 800 million. The maximum for non-cyber events of EUR 24.6 billion corresponds to a 30-fold multiplier between the maximum and the 95% quantile.
Panel B focuses solely on cyber risks and demonstrates a detailed split regarding the event origin. Almost three quarters (74%) of all cyber incidents have an external origin, which also correspond to the highest loss amounts (95% quantile: i,s,t+1|(s+1)∶t y s , y | y (s+1)∶t , EUR 82 million, maximum: EUR 877 million). The human factor (13%) is a considerable source of risk-with similarly high figures. Cyber events caused by internal processes (3%) and systems (11%) exhibit a lower average loss, but a comparable median of EUR 1-1.3 million. Regarding the regional distribution of cyber incidents (Panel C), more than two thirds of all cases are reported in Germany, Austria and Switzerland (DACH) (61%) and Europe (15%). Although a minority of events originates from the Americas (16%) and the rest of the world (7%), these events demonstrate a much higher loss value, both on average and in the quantiles. For example, the average loss amount in the Americas and the rest of the world is between EUR 60-75 million, and the 95% quantile is around EUR 300-330 million. In comparison, the average loss amount in DACH is EUR 2.7 million and the 95% quantile is EUR 6.9 million. One could, therefore, conclude that cyber losses in DACH and Europe are mild in relative terms. However, the focus of the ÖffSchOR database is on loss data from Germany and Europe, which is why non-European losses are recorded from a relatively high absolute loss figure.
Finally, Panel D indicates that more than one company is affected in one third of all cyber incidents. In these cases, the average loss amount as well as the 95% quantile are approximately three times higher compared to a singular (e.g. one company is affected) incident.
In summary, cyber and non-cyber risks must be distinguished and separately modelled. In particular, external cyber events have historically corresponded to the highest loss amounts and almost every third cyber event has affected multiple entities. Nevertheless, non-cyber risks statistically exhibit higher mean values and skewness compared to cyber risks. To conclude, the cyber data subset needs to be transformed into a time series. Further limitations of the dataset arise due to the incompleteness of the data and restrictions of the time horizon. Specific loss amount information is available for only 207 of the 341 cyber incidents. As the dataset is already very small, all 341 cyber incidents are used to model the frequency according to Eq. (2), and the remaining 207 data points are used thereafter-in particular for modelling the severity. If several companies are affected by a cyber incident, the loss amount is distributed equally among all companies. The time horizon corresponds to one year, which is why losses during the year are aggregated at the annual level. The relevant timeframe is set to t 0 = 2005 and T = 2018 , meaning that we predict the likelihood and severity of an enterprise-level cyber incident for year T + 1 = 2019. 4 In total, the time series consists of n = 275 companies for the modelling of frequency and n = 184 companies thereafter, over a time span of 14 years.
First, all parameters of models M1 and M3 are significant at p ≤ 0.05 , which do not hold for M and M2. In particular, the regional dummy variables X reg are only significant with the temporal interaction term t. Furthermore, we find that 3 , … , 5 > 0 and 9 , … , 11 > 0 , implying an initially positive and subsequently negative non-linear trend for the dummy variable X ind . The reverse trend (first negative, then positive) is observed for the regional dummy variable due to 6 , … , 8 < 0 and 12 , … , 14 > 0.
Comparing the four models, M exhibits the lowest AIC and highest log-likelihood value (LL) as well as the highest pseudo R 2 (McKelvey and Zavoina 1975) and area under curve (AUC). M2 demonstrates only slightly less favourable values for the considered ratios, followed by M1 and M3. The Hosmer-Lemeshow test (HLT) can be rejected for all models. Thus, in principle, model M could be the most appropriate. However, we choose model M2 for the following reasons. First, the ANOVA test confirms that there is no significant difference between models M1 and M3 with respect to M2 ( p < 0.01 ) such that model M2 is preferred over the variants M1 and M3. Second, M and M2 reveal similar goodness-of-fit statistics, with M2 having fewer regression parameters. Under the condition of variable reduction, M2 is, thus, selected as the preferred model. The adequacy and accuracy of model M2 Table 5 Results of the logistic regression  Table 6. Both the MAE and the MSE are low, with 2.0% and 0.1% respectively. Furthermore, M2 has the lowest MAE and MSE regarding the subcategories municipal bank (MB) and insurance (I). Hence, the adequacy and accuracy of model M2 can be sufficiently confirmed. Based on M2, the probability 1 − p i,T+1 of a cyber event for company i will be predicted.

Modelling severity
We subsequently model the severity of cyber losses according to the proposed mixed model from Eq. (3). As described previously, only 207 cyber losses with a loss amount y it > 0 are used in the following analysis. Due to the very small dataset and the fact that six parameters of the vector Θ = { , , , , G , G } need to be estimated, separated modelling by subindustry-analogous to the probability of occurrence-cannot be conducted in order to ensure convergence and robust estimation. Figure 1 depicts the plotted log-transformed cyber losses and the fitted mixed model, which exhibits a good overall fit to the data. In greater detail, Table 7 presents the estimated values and standard deviations of the parameter vector Θ for T = 2018 and the estimation results with a truncated period from t 0 = 2005 to T = 2013, … , 2017 . The truncated analysis is performed to affirm the overall robustness of the model due to data scarcity.
For T = 2018 , we observe a log threshold μ = 7.12 , which nominally is equal to EUR 13.2 million (10 7.12 ). Regarding the normal distribution below the threshold, the log-expected value is G = 5.62 (nominally EUR 417,000) with a standard deviation of log( G ) = 0.67 . The scaling parameter of the generalised Pareto distribution is equal to 0.06 and the shape parameter = 1.56 . With = 0.21 , approximately every fifth cyber loss is above the threshold value µ. Furthermore, Table 7 presents that there are no significant changes in the estimated parameters while truncating the time period, indicating a very robust estimation of the parameter vector Θ and a robust mixed-model approach.

Modelling temporal dependence
Following the methodology, we next model the serial trend based on the D-vine copula from Eq. (5). Regarding the pair-copula construction, six bivariate copulas are considered Ω = {Independent, Gaussian, Clayton, Frank, Gumbel, Joe} . Given the time frame T − t 0 = 13 , a maximum of 13 trees could be estimated. However, due to the sparse information on serial trends in the database, we decide to limit the estimation to five trees, meaning that the temporal dependence of the last six years is taken into account in the copula model. For each tree Tr 1 , … , Tr 5 , the bivariate linking copula with the lowest AIC is chosen. As reflected in the results in Table 8 (Panel A), the Frank copula demonstrates the lowest AIC for all trees, which is why the Frank copula is selected to represent the pairwise serial trend. It is important to note that for the Gumbel and Joe copula ̂ ≈ 1 and for the Clayton copula ̂ ≈ 0 regarding the trees Tr 1 , … , Tr 5 , suggesting very little to no temporal dependence. However, the log-likelihood and AIC are significantly less favourable in comparison to the Frank and Gaussian copula.
Panel B provides the estimated parameter value, ̂ , of the selected bivariate linking copula (Frank), its standard deviation and the Kendall rank correlation coefficient for Tr 1 , … , Tr 5 . The parameter ̂ of the Frank copula is negative for all trees, indicating a negative temporal dependence. This result suggests that if a company has not yet experienced a cyber loss, it is relatively likely that a loss will occur in the next time period. However, if there has been a previous cyber incident, it is relatively unlikely that another cyber incident will occur within the next five years. This negative dependence may be a result of the fact that (external) attackers are not interested in breaching the same company twice. In the aftermath of an attack, companies tend to close security gaps and invest in their cyber risk management (Kamiya et al. 2021).
Further assessment of the goodness of fit reveals that the RPS of the mixed D-vine with Frank is the lowest at 0.219, followed by the mixed D-vine with Gauss (0.251) and independence copula (0.311). Therefore, the mixed D-vine with Frank provides the best fit and is chosen to represent the serial trend.

Predicting the next time period
Finally, we predict the frequency and severity of an enterprise-level cyber event with respect to the next time period T + 1 = 2019 . Table 9 summarises the key statistical values derived from the distribution Y i,T+1 | y i for randomly selected companies in the four industry categories. Values for the maximum and tail value at risk (TVaR) are not presented because the shape parameter > 1 (i.e. we deal with infinite mean models with extreme uncertainties in very high quantiles; see e.g. Chavez-Demoulin et al. 2016;Eling and Wirfs 2019).
Regarding the probability of occurrence 1 − p i,T+1 , the chance of a cyber incident in the next year is predicted to be 0.6% for a selected municipal bank, 2.0% for a bank, 8.7% for an insurer and 1.4% for any other financial services company. Under the condition that a cyber incident does occur in the next year, the minimum loss value is estimated to be around EUR 1,000-3,000, while the median loss ranges between EUR 455,000 (insurance) and EUR 585,000 (other). With respect to value at risk (VaR) measures, the VaR(90%) is equal to EUR 14.6 million for the municipal bank and EUR 15.4 million for the selected bank, while the VaR(95%) is approximately EUR 18.5-22.3 million. At a higher confidence level, the VaR(99%) ranges from EUR 69.5 million (municipal bank) to EUR 543 million (insurance). Even more extreme values are observed for the VaR(99.5%), indicating a worst-case incident that can cause the collapse of a company.

Discussion and conclusion
This study provides new insights on the empirical nature and prediction of cyber risks at the enterprise level under data scarcity. We introduced the ÖffSchOR database to cyber risk research and applied advanced modelling techniques adapted from the work of Shi and Yang (2018), Eling and Wirfs (2019) and Fang et al. (2021) to predict the frequency, severity and serial trend of enterprise cyber risks. Our findings first suggest that cyber risks are indeed different from operational risks. In particular, we found that cyber risks are lower on average, less skewed and less extreme compared to non-cyber risks in the dataset (Biener et al. 2015;Woods and Böhme 2021). Second, the industry subcategories exhibited different probabilities of occurrence, a finding which has not yet been addressed in previous studies. Third, in modelling the impact of the log-transformed cyber incidents, the POT model with a normal distribution below the threshold demonstrated a satisfying fit, which is in line with previous empirical results and supports the differentiation of daily and extreme cyber risks (Eling and Loperfido 2017;Eling and Wirfs 2019). Due to the limited data, a separate loss modelling for each subcategory was not possible. By leveraging the serial dependence, the D-vine copula was able to predict the impact of a potential cyber incident in the next time period with a negative correlation over time . The prediction results provide some of the first quantitative insights on the financial impact of a cyber incident at the enterprise level based on historic data. Our results underline that high-level descriptive statistics from commercial datasets might be misleading for enterprise risk managers due to information asymmetry and interdependence of loss events (Eling and Wirfs 2016a;Marotta et al. 2017;Zeller and Scherer 2021). In particular, our model predicted a median enterpriselevel loss amount of EUR 455,000− 585,000, only a fraction of the millions of dollars often cited in surveys (e.g. USD 3.86 million; IBM Security 2020). In a U.K. survey, the maximum loss is around GBP 310,000 (~ EUR 370,000; Heitzenrater and Simpson 2016), while Romanosky (2016) estimates the average data breach loss to be even lower, at USD 200,000 (~ EUR 180,000), bearing in mind that data breaches only account for 25% of cyber events and that the transfer from data breaches to actual costs is misrepresentative (Eling and Wirfs 2019). Moreover, the estimated extreme losses of VaR(99%) and VaR(99.5%) can be compared to mega breaches such as those of Home Depot (USD 340 million), Anthem (USD 407 million) and Yahoo (USD 502 million) in the U.S. (Poyraz et al. 2020) or to General Data Protection Regulation (GDPR) fines on Whatsapp (EUR 225 million) and Amazon (EUR 745 million) in Europe (CNPD 2021; EDPB 2021). The estimated VaR(95%) can be interpreted as the lower limit of a GDPR penalty, at a minimum of EUR 20 million (Poyraz et al. 2020). This information supports the impression that our estimates are reasonable in size. Furthermore, our findings suggest that cyber risks are less heavy tailed than often anticipated. For example, Eling and Wirfs (2019) simulate VaR measures for a small bank with 5,000 employees, which is comparable to our municipal bank category. Our estimated figures are significantly lower, such as EUR 18.5 million vs. EUR 48 million (USD 55 million) for the VaR (95%) and EUR 69.5 million vs. EUR 422 million (USD 480 million) for the VaR (99%). One conclusion from these findings is that cyber risks are just not that harmful (Woods and Böhme 2021). Another reason suggested by practitioners is that attackers have focused on easier targets while the financial services industry is comparably well protected due to regulated risk management and anti-money laundering systems. However, cyber risks are still heavy tailed and extreme. With every fifth cyber incident above the threshold of EUR 13.2 million, there is still a (small) chance of a devastating cyber event seriously harming an individual company Wheatley et al. 2021).
Comparing the four subcategories, our findings imply that bigger banks suffer from a higher potential loss than smaller (municipal) banks, indicating that the loss amount might be correlated to the company size (i.e. revenue or number of employees; Poyraz et al. 2020). Furthermore, the selected insurance company exhibited a four-times greater chance of a cyber incident, with the highest estimated risk measures for VaR (99%) and VaR (99.5%). Similar heavy tails were observed for the category other consisting of payment providers, stock exchanges and other financial services providers, which seems plausible due to their high interconnectivity to other companies.
In practice, most risk and expert assessments are solely qualitative due to the limited data available on cyber incidents. For example, the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) provided one of the first frameworks to identify and manage information security risks by analysing a company's asset, threat and vulnerability information (Alberts et al. 1999). Further information security risk assessment (ISRA) methods have been developed, with the Core Unified Risk Framework (CURF) being the most comprehensive and allinclusive approach (Wangen et al. 2018). A specific cyber risk classification framework named Quantitative Bow-tie (QBowTie) has been suggested by Sheehan et al. (2021) combining proactive and reactive barriers to reduce a company's risk exposure and quantify the risk. However, all these (qualitative) methods are generally based on the assessment of probability of occurrence and of the associated consequence of an event, i.e. requiring a quantification of the (cyber) risk.
Compared to that, our analysis provides a helpful tool in the ongoing quantification of cyber risks. Nevertheless, the method also comes with limitations. First, researchers have argued that the rapidly changing cyber risk environment may render historic data useless (CRO Forum 2014;. Given ongoing digitisation and in times of a global pandemic, the usefulness of historic data can be questioned. A further limitation is the assumption of independence between entities. Particularly for extreme cyber risks and mega breaches, there is a high correlation between companies (Biener et al. 2015). However, our framework could be extended to model both the serial and cross-company dependence, as conceptually shown by Acar et al. (2019) and Zhao et al. (2020) for dense data. Further limitations arise due to the use of the ÖffSchOR database. In particular, ÖffSchOR relies on print and online media to detect operational risk events which could bias the recorded loss events and in turn the modelling results. The latter could also be influenced by the historical (log-normal) distribution of the cyber loss severity. Furthermore, the total number of identified cyber events is rather small compared to other studies within the research (e.g. 1,579 cyber incidents are analysed by Eling and Wirfs 2019), challenging the robustness of our results. Finally, due to the limited dataset, we did not distinguish between different cyber risks or loss categories even though different types of cyber risks follow different distributions (Eling and Loperfido 2017;Eling and Jung 2018) and cyber risks do not only cause economic losses, but also intangible losses, including reputational damage (Xie et al. 2020).
Despite these limitations and the dynamic nature of cyber risks (Boyer 2020), this study contributes to the literature on cyber risk measurement and can help practitioners such as risk managers, insurers and policymakers by providing a quantitative and data-driven cyber risk assessment. Insurance stakeholders particularly face a major challenge in assessing and understanding cyber risk due to the lack of historical data (Cremer et al. 2022). We believe that the provided methodology could be combined and integrated with existing pricing tools and factors from cyber insurers to better evaluate cyber risk and the required risk-based premiums at the enterprise level (Nurse et al. 2020).
There are plenty of future research opportunities to further develop quantitative approaches. With better and more data, more accurate models can be designed, for example by including both cyber incident data and corporate financial data as proposed by Palsson et al. (2020) or by using network models as seen in Fahrenwaldt et al. (2018), Jevtić and Lanchier (2020) and Wu et al. (2021). The integration of different approaches from diverse disciplines poses extensive future opportunities in the field of cyber risk measurement (Falco et al. 2019).