Analysis of Cyber Incident Categories Based on Losses

Published: 27 September 2020

Abstract

“Cyber risk” is a collective term for a number of distinct risks, and this creates considerable difficulty in communication. For example, policyholders of “cyber insurance” contracts often have a limited or inaccurate understanding of the coverage they have. To address this issue, we propose a cyber risk categorization method based on clustering techniques. The method classifies cyber incidents by the losses they cause, for insurance and risk management purposes, and in doing so also reveals the relationship between the causes and the outcomes of incidents. Our results show that similar cyber incidents, which are often not properly distinguished, can lead to very different losses. We hope that our work clarifies the differences between cyber risks and provides a set of risk categories that is feasible in practice and useful for future studies.
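The method the abstract describes, grouping incidents by the losses they produce rather than by their cause, can be illustrated with a small added example. The Python below is not the paper's code or data: the paper's feature set, distance measure, initialization and choice of k are not given on this page, so this block assumes three loss components in thousands of USD, deterministic farthest-point seeding, plain k-means (Lloyd's algorithm) and k = 3, and it clusters six constructed incidents whose cause labels and dollar figures are invented for illustration. The cause label plays no part in the clustering; it is only used afterwards to count how many loss clusters each cause spreads across.

```python
"""k-means on incident loss vectors: a constructed example, not the paper's data or code."""
from math import sqrt

# Constructed sample incidents (loss components in thousands of USD):
# [incident response / recovery, business interruption, third-party liability]
# Cause labels and figures are illustrative assumptions, not real cases.
INCIDENTS = [
    ("R1", "ransomware", (20, 30, 0)),
    ("R2", "ransomware", (500, 20000, 0)),
    ("R3", "ransomware", (3000, 15000, 40000)),   # encryption plus exfiltration
    ("B1", "data breach", (40, 0, 10)),
    ("B2", "data breach", (2000, 0, 50000)),
    ("M1", "misconfiguration", (30, 0, 20)),
]


def dist(a, b):
    """Euclidean distance between two loss vectors."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def seed_centroids(points, k):
    """Deterministic farthest-point seeding (an assumed choice): start at
    points[0], then repeatedly add the point farthest from its nearest centroid."""
    centroids = [points[0]]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(dist(p, c) for c in centroids))
        centroids.append(far)
    return centroids


def kmeans(points, k, max_iter=100):
    """Lloyd's algorithm; returns (labels, centroids) once assignments stop changing."""
    centroids = seed_centroids(points, k)
    labels = [None] * len(points)
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: dist(p, centroids[j])) for p in points]
        if new_labels == labels:
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:  # an empty cluster keeps its previous centroid
                centroids[j] = tuple(sum(col) / len(members) for col in zip(*members))
    return labels, centroids


def wcss(points, labels, centroids):
    """Within-cluster sum of squares, the quantity behind the elbow heuristic for k."""
    return sum(dist(p, centroids[lab]) ** 2 for p, lab in zip(points, labels))


def loss_clusters(k=3):
    """Map incident id -> cluster label. Raw dollar values are used on purpose so
    that loss magnitude and composition, not the cause label, drive the grouping."""
    points = [vec for _, _, vec in INCIDENTS]
    labels, centroids = kmeans(points, k)
    by_id = {iid: lab for (iid, _, _), lab in zip(INCIDENTS, labels)}
    return by_id, wcss(points, labels, centroids)


def clusters_per_cause(by_id):
    """How many distinct loss clusters each cause label is spread over."""
    seen = {}
    for iid, cause, _ in INCIDENTS:
        seen.setdefault(cause, set()).add(by_id[iid])
    return {cause: len(s) for cause, s in seen.items()}


if __name__ == "__main__":
    by_id, total = loss_clusters()
    for iid, cause, vec in INCIDENTS:
        print(f"{iid} {cause:16s} {vec} -> cluster {by_id[iid]}")
    print("clusters per cause:", clusters_per_cause(by_id))
    print(f"WCSS: {total:,.0f}")
```

Run as a script to print the assignment. With these figures the two ransomware cases without exfiltration land in different clusters, while the ransomware-with-exfiltration case and the large data breach share one: cause alone does not predict the loss profile, which is the effect the abstract reports. The example keeps raw dollar values so that magnitude dominates; log-scaling the components would instead weight the mix of loss types, and which scaling suits an insurance portfolio is a modeling choice this page does not settle.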


Cited By

  • (2023) A Survey on AI Implementation in Finance, (Cyber) Insurance and Financial Controlling. Risks 11(5), 91. https://doi.org/10.3390/risks11050091. Online publication date: 11 May 2023.
  • (2021) Model of business risks and their impact on operational performance of SMEs. Economic Research-Ekonomska Istraživanja 35(1), 4047-4064. https://doi.org/10.1080/1331677X.2021.2010111. Online publication date: 6 December 2021.
  • A Cybersecurity Incident Classification Integrating the Perspectives of Perpetrators and Target Companies. SSRN Electronic Journal. https://doi.org/10.2139/ssrn.4101510.

Published In

ACM Transactions on Management Information Systems, Volume 11, Issue 4
Special Issue on Analytics for Cybersecurity and Privacy, Part 1
December 2020
244 pages
ISSN:2158-656X
EISSN:2158-6578
DOI:10.1145/3426166

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 27 September 2020
Accepted: 01 July 2020
Revised: 01 June 2020
Received: 01 November 2019
Published in TMIS Volume 11, Issue 4

Author Tags

  1. Cyber risk
  2. cyber insurance
  3. cyber losses

Qualifiers

  • Research-article
  • Research
  • Refereed

Funding Sources

  • U.S. Department of Homeland Security
