Cyber Risk Taxonomies: Statistical Analysis of Cybersecurity Risk Classifications

TL;DR

This study evaluates various cyber risk classifications, emphasizing the importance of out-of-sample forecasting performance over in-sample fit, and finds that dynamic, impact-based classifiers better predict future cyber risk losses.

Contribution

It highlights the limited forecasting ability of traditional classifications and advocates for using dynamic, impact-based classifiers for better cyber risk loss prediction.

Findings

Business motivated classifications are too restrictive.

Dynamic, impact-based classifiers outperform others in forecasting.

Cyber risk types are more suitable for modeling event frequency.

Abstract

Cyber risk classifications are widely used in the modeling of cyber event distributions, yet their effectiveness in out of sample forecasting performance remains underexplored. In this paper, we analyse the most commonly used classifications and argue in favour of switching the attention from goodness-of-fit and in-sample predictive performance, to focusing on the out-of sample forecasting performance. We use a rolling window analysis, to compare cyber risk distribution forecasts via threshold weighted scoring functions. Our results indicate that business motivated cyber risk classifications appear to be too restrictive and not flexible enough to capture the heterogeneity of cyber risk events. We investigate how dynamic and impact-based cyber risk classifiers seem to be better suited in forecasting future cyber risk losses than the other considered classifications. These findings suggest that cyber risk types provide limited forecasting ability concerning cyber event severity distribution, and cyber insurance ratemakers should utilize cyber risk types only when modeling the cyber event frequency distribution. Our study offers valuable insights for decision-makers and policymakers alike, contributing to the advancement of scientific knowledge in the field of cyber risk management.