Data breaches in the catastrophe framework & beyond

TL;DR

This paper models cyber data breaches as man-made catastrophes, emphasizing the need for multi-level analysis and showing that breach severity, especially from hacking, is increasing with heavy-tailed risks.

Contribution

It introduces a comprehensive framework for cyber risk analysis, combining statistical and analytical approaches, and provides empirical evidence of worsening breach severity from open U.S. data.

Findings

Hacking-related breach severity is increasing in frequency and magnitude.

Heavy-tailed risk distribution with potential for extremely large breaches.

Predicted median breach size for late 2018 was 0.5 billion ids, with a 5% chance of exceeding 7 billion.

Abstract

Development of sustainable insurance for cyber risks, with associated benefits, inter alia requires reduction of ambiguity of the risk. Considering cyber risk, and data breaches in particular, as a man-made catastrophe clarifies the actuarial need for multiple levels of analysis - going beyond claims-driven loss statistics alone to include exposure, hazard, breach size, and so on - and necessitating specific advances in scope, quality, and standards of both data and models. The prominent human element, as well as dynamic, networked, and multi-type nature, of cyber risk makes it perhaps uniquely challenging. Complementary top-down statistical, and bottom-up analytical approaches are discussed. Focusing on data breach severity, measured in private information items ('ids') extracted, we exploit relatively mature open data for U.S. data breaches. We show that this extremely heavy-tailed risk is worsening for external attacker ('hack') events - both in frequency and severity. Writing in Q2-2018, the median predicted number of ids breached in the U.S. due to hacking, for the last 6 months of 2018, is 0.5 billion. But with a 5% chance that the figure exceeds 7 billion - doubling the historical total. 'Fortunately' the total breach in that period turned out to be near the median.