Cyber Risk Evaluation and Mitigation – A Quantitative Research Analysis


Cybersecurity has become increasingly important in recent years, with cyber-related crime on the rise. This has made cybersecurity, risk evaluation, and mitigation increasingly important, particularly for companies wanting to reduce their vulnerabilities to cyber risks and refine their insurance offerings.


Meng Sun, a PhD Candidate at Simon Fraser University and Senior Data Scientist investigating risk management in life and general insurance, has created qualitative and quantitative analyses that consider time series, type of institution, and geographic dependency, particularly in relation to US markets. Ms Sun aims to share her findings on cyber risk to provide risk mitigation insights to different kinds of organisations. Find out more about Ms Sun’s research via her researcher profile, Google Scholar, and LinkedIn.


Read the original research:







Hello and welcome to Research Pod. Thank you for listening and joining us today.


Today we are looking at the work of Meng Sun, a PhD Candidate at Simon Fraser University and Senior data scientist investigating risk management in life and general insurance. Ms Sun’s work in Actuarial science covers predictive analytics modelling, advanced statistical analysis, financial mathematics and economics.


Sun’s latest paper examines cybersecurity, risk evaluation and mitigation. This work is of key importance to enterprises seeking to mitigate the cyber risks coming from their digital assets and to insurers wanting to reduce their vulnerabilities to cyber risks and refine their insurance offerings. Ms Sun’s qualitative and quantitative analyses consider time series, type of institution, and geographic dependency, particularly in relation to US markets. Sun aims to share her findings on cyber risk to provide risk mitigation insights to different kinds of organisations.


Cyber risk means any risk of financial loss, disruption, or damage to the reputation of an organisation due to a failure of its information technology systems. It covers activities like card fraud, hacking, unintended disclosure, and identity theft. There are many examples of the high economic and social relevance of cyber risk such as the recent NSA, Sony, or LGT data breaches. Recently, the G20 group denoted cyber-attacks as a threat to the global economy—an assessment that is not surprising considering that expected annual losses from cyber risk are estimated between 300 billion and 1 trillion US dollars.


Cyber risk is an emerging, dynamic and difficult-to-quantify risk category. Despite its increasing relevance for businesses at present, research on cyber risk is limited. Even though the impact of cyber risk in amount of loss has attracted the attention of the public over the last 30 years, much of the investigation and research is from either an economics or an information technology perspective.


Quantitative-based cyber risk research using predictive modelling is sparse. This is where the work of Meng Sun comes in. Using her background in statistics and mathematics, with a Master’s from the University of Connecticut, Meng’s research uses innovative, multidimensional predictive modelling to forecast future cyber loss in dollar amounts to different types of organisations.


Ms. Sun’s research was carried out in a quantitative manner, using prior data breach incidents from 2005 to 2020 that happened in the U.S. This tracks different cyber-related breach incidents that occurred across US institutions. Sun manipulated the data and generated the key drivers of breach incidents. Taking those factors as indicators, Sun applied advanced statistical algorithms to generate a flexible and accurate predictive model that can forecast future cyber breach incidents and their dollar amount in loss in a given time frame.


The application of Ms. Sun’s research is two-fold:


First, in enterprise risk management and mitigation: Businesses are facing cyber risks that can lead to considerable corporate losses. Ms. Sun’s model, however, can generate accurate predictions of different kinds of cyber loss in a selected time, for different types of organisations, such as businesses, educational institutes, government and military, healthcare, and medical providers.


From Ms. Sun’s research, business organisations faced with a high frequency and severity of potential cyber loss are well served to set aside contingency funds for potential cyber-attacks. Her model shows that the government and military are facing a slowly increasing frequency, but a dramatically increasing severity of future cyber breach loss. Cyber breach frequency has been well controlled due to advanced IT defense systems and well-executed safety access procedures to cyber property. It should not be overlooked, however, that cyber breach severity in per-breach dollar loss amount is increasing dramatically.


Moreover, Sun’s research also shows that there is a consistently high cyber breach frequency for healthcare and medical providers, with personal information and social security identification information at risk. Sun’s research suggests that healthcare organisations haven’t invested enough into improving their data warehouses and employees lack systematic training in preventing cyber breach and controlling the loss in the event of a breach.


Ms. Sun provides an accurate prediction of how future cyber loss will evolve and allows the institutions to prepare and deal with the loss. Her research also shows that most cyber breach incidents happen with zero-loss, especially for the government and military, which can’t be overlooked. Hacking activity is time dependent and self-learned, and previous zero-loss breaches provide direction for future attacks. If organizations don’t take it seriously and take action to prevent such attacks, future attacks will be target-orientated and cause significant informational and reputational loss.


Stakeholders need to have a clear picture of how future cyber risk will affect their institution and the dollar amount loss resulting from cyber breaches. Ms. Sun is one of the few current researchers able to provide an accurate prediction by using an actuarial mathematics model considering all kinds of incidents and contexts.


Another application of Ms. Sun’s research is for cyber insurance implementation, from the perspective of insurance companies and the competitive insurance market. Every reported incident of data breach or system failure resulting in high financial or reputational loss increases decision-maker awareness that current insurance policies do not adequately cover cyber risks. Traditional general insurance companies that offer cyber insurance either underestimate future actual cyber loss, or take little action to update their pricing model using the latest cyber loss information. Insurance companies struggle to access enhanced data on which technology companies have a monopoly – a major problem for implementing cyber security measures.


Given the current cyber loss trends, if insurance companies don’t update their current cyber insurance product, here is what will happen to the insured-insurer market:

Organizations will not seek cyber insurance as risk mitigation because…

(1) the policy limit is lower than their average losses to cybercrime, even though cyber risk exposure becomes an ever larger threat

and (2) the policies are more expensive.


In which case, insurance companies will be reluctant to provide cyber insurance as well because premiums derived by low limitation models can’t make up for increasing cyber claim frequency and severity.


Solid evidence has shown that the current cyber risk rating plan used in the insurance industry is outdated due to the rapid increase of cyber breach activities and increased exposure risk. Simply capping losses to cyber-crimes at under-policy limits could work, under the condition that risk is independent and narrowly scattered. That is all based on the assumption that successful cyber-attacks are infrequent, do manageable damage, and expose companies to median losses. The cap might have held on some level decades ago, when internet access was not so widespread and intrusive, with less interconnected systems.


However, that is definitely not the case for today’s cyber risk. Instead, firms and their insurers face an extraordinary portion of millions of dollars in losses, and Ms. Sun’s model predicts attacks will maintain steady and periodic growth over time.


When the global pandemic occurred, businesses around the world were heavily impacted and companies transferred significant parts of their daily work to online services. If the insurance industry doesn’t take action to update their cyber insurance model, sooner or later, there will be no cyber insurance product offered in the market and organizations will simply opt to plough ahead with the risks and losses of cyber-attacks instead of buying insurance. There is an opportunity for revolutionary change in cyber insurance, made possible by applying Ms. Sun’s research model and actuarial skills in emerging areas of practice.


Cyber risk is becoming more significant both in underwriting and operational risk of insurance companies. There are immense difficulties in insuring cyber risk, especially due to a lack of data and modelling approaches. Cyber risks are high on the business agenda of every company, but they are difficult to assess without that data and analysis. Ms. Sun considers a broad range of cyber risk events and actual cost data from open access vendor information. Utilising advanced methods from her statistics and actuarial science background, she has pioneered analysis in this critical space, and her models can be used to yield consistent risk estimates, depending on location, industry, time, and other variables.


In Sun’s own words, “Tons of publications talk about cyber risk, but seldom do the quantitative and predictive analysis of it and give a dollar amount prediction”.


There is still work to be done on calibrating predictive models such as Ms Sun’s with the ever-growing body of cyber breach data over the last few years.


Ms Sun intends to keep tracking external forces such as global economics and pandemics and modify the model, given that there is clear evidence that cyber risk in the post-pandemic period has evolved greatly to pose new threats. She welcomes cooperation opportunities from other researchers, insurers, and security organisations, and hopes to consolidate her model with wider inputs.


Thanks for listening. Be sure to stay subscribed to ResearchPod for more of the latest science. See you again soon.
