Heavy-Tailed Distribution of Cyber-Risks

TL;DR

This paper analyzes the statistical properties of cyber-risks, revealing a stable power-law distribution of identity losses that indicates increasing insecurity over time and a size effect where larger organizations face disproportionately bigger risks.

Contribution

It uncovers a universal power-law distribution of cyber-identity losses and links it to organizational size and non-stationary growth, providing insights into risk dynamics and security trends.

Findings

Power-law tail distribution of ID losses with exponent ~0.7.

Cumulative losses grow faster-than-linearly over time.

Largest ID losses scale super-linearly with organization size.

Abstract

With the development of the Internet, new kinds of massive epidemics, distributed attacks, virtual conflicts and criminality have emerged. We present a study of some striking statistical properties of cyber-risks that quantify the distribution and time evolution of information risks on the Internet, to understand their mechanisms, and create opportunities to mitigate, control, predict and insure them at a global scale. First, we report an exceptionnaly stable power-law tail distribution of personal identity losses per event, ${\rm Pr}({\rm ID loss} \geq V) \sim 1/V^b$, with $b =0.7 \pm 0.1$. This result is robust against a surprising strong non-stationary growth of ID losses culminating in July 2006 followed by a more stationary phase. Moreover, this distribution is identical for different types and sizes of targeted organizations. Since $b<1$, the cumulative number of all losses over all events up to time $t$ increases faster-than-linear with time according to $\mathbf{\simeq t^{1/b}}$, suggesting that privacy, characterized by personal identities, is necessarily becoming more and more insecure. We also show the existence of a size effect, such that the largest possible ID losses per event grow faster-than-linearly as $\sim S^{1.3}$ with the organization size $S$. The small value $b \simeq 0.7$ of the power law distribution of ID losses is explained by the interplay between Zipf's law and the size effect. We also infer that compromised entities exhibit basically the same probability to incur a small or large loss.