Cyber risk measurement via loss distribution approach and GARCH model

  • Received : 2022.05.06
  • Accepted : 2022.06.01
  • Published : 2023.01.31

Abstract

The growing trend of cyber risk has highlighted the importance of cyber risk management. Cyber risk is defined as an accidental or intentional risk related to information and technology assets. Although cyber risk is a subset of operational risk, it is reported to be handled differently from operational risk because its loss distribution has different features. In this study, we aim to detect the characteristics of cyber loss and find a suitable model by measuring value at risk (VaR). We use the loss distribution approach (LDA) and a time series model to describe the cyber losses of the financial and non-financial business sectors provided in SAS® OpRisk Global Data. The peaks over threshold (POT) method is also incorporated to improve the risk measurement. For the financial sector, the LDA and GARCH model with POT perform better than those without POT, respectively. The same result is obtained for the non-financial sector, although the differences are not significant. We also build a two-dimensional model reflecting the dependence structure between the financial and non-financial sectors through a bivariate copula and check the model adequacy through VaR.
