A new approach to quantifying, reducing, and insuring cyber risk: Preliminary analysis and proposal for further research
We are moving into a world in which assets are primarily digital rather than physical. In 2018, physical assets such as buildings and equipment accounted for only 16% of the value of S&P 500 firms.1 At the same time, digital assets are increasingly exposed to cyber risk. At the micro level, such risks include falling prey to ransomware, viruses, and phishing attacks. Cyberattacks can take ecommerce websites offline, drain bank accounts, and disable key government services. Although few would dispute that cyber risk is a very serious problem for the global economy and for society, there is a disconnect between acknowledgement of the problem and the actions taken to address it.
One might expect that greater awareness of viruses and malware in recent years would have led nearly all firms and consumers to protect and insure their websites, computers, and digital assets. That is not the case. In 2016, nearly 25% of the personal computers in the world had no basic protection against viruses and malware. The magnitude of the problem is therefore substantial, and the large number of unprotected users provides strong incentives for cyber criminals. In August 2019, The New York Times reported that more than 40 local governments in the US had suffered cyberattacks in 2019.2
In addition, relative to the scale of cyber risk, there is currently a dearth of cyber insurance policies (Romanosky et al. 2019). This leaves a large part of the digital economy dangerously unprotected.
Cyber risk is very different from other forms of risk for the following reasons:
Long-term historical data do not exist.
There are strategic adversaries creating the dangers.
There are interdependent security and correlated risks.
Cyberattacks can go undetected for long periods of time.
However, many other variables might affect whether cyber risk actually leads to security incidents. These include:
Different types of vulnerabilities in computer systems
Infrastructure and preventive measures
Further, and critically important, most cyberattacks are still based on well-known attacker strategies, such as phishing emails, in which a user is tricked into clicking a malicious link (National Cyber Security Centre 2018). According to the Microsoft 2018 Security Report, phishing remains the most frequently employed attack technique (Microsoft 2018). The important takeaways are that (i) it is possible to defend against such well-known attack strategies, and (ii) it should be possible to examine the relationship between vulnerabilities, preventive measures, and security incidents.
Over the past few years, information security researchers have come to realise that security breaches are often not due to a lack of technological solutions, but rather to the absence of appropriate incentives. Humans are often considered the weakest link in internet security. It is now generally accepted that computers will never be completely secure, and that economics is critical for managing the residual risk and improving security. This understanding has led to the development of research on the economics of cyber security. Anderson and Moore (2006) provide an overview of early work in the field.
There are now many articles about cyber risk, cybersecurity, and cyber insurance. To date, contributions by economists have been primarily theoretical and have focused on:
The lack of incentives for individuals, firms or network operators to take adequate security precautions (e.g. Varian 2004, Camp and Wolfram 2004)
Incentives for firms to ex-ante reduce the number of software vulnerabilities (Arora et al. 2006)
The incentives for firms to disclose information about vulnerabilities (Choi et al. 2010).
However, despite its importance, cybersecurity has not yet attained widespread attention in the economics discipline.
The empirical research on cyber-risk and cyber-security has focused on estimating the costs of various data breaches. There are two basic approaches:
Calculating the cost of cyber incidents by analysing data at the level of the incident (e.g. Biener et al. 2015).
Using ‘event study’ methodology to estimate the cost of data breaches at publicly traded firms (several authors have taken this approach, including Campbell et al. 2003 and Gatzlaff and McCullough 2011).
Despite these advancements, little if anything is known about the detailed relationship between specific vulnerabilities, infrastructure risks, email attacks, and various types of successful attacks (incidents).
The goal of our paper (Gandal et al. 2020) is to show that such research is possible. We first lay out the key elements of a theoretical model relating vulnerabilities, attempted email attacks, precautions, and firm characteristics to incidents. Then, using a unique cross-sectional data set, we take a first step towards quantifying the relationship between specific risks, including vulnerabilities and attempted email attacks, and security incidents (breaches). We show that there are meaningful correlations in the relatively small cross-sectional data set. We then estimate a reduced-form model with incidents as the dependent variable to illustrate the potential from employing such data.
We believe that this will enable the start of an analytically based micro approach to measuring cyber-risk, the benefits from precautions, and the pricing of cyber insurance.
The data for our analysis were provided by Kovrr,3 an Israeli cyber risk modelling firm.4 The data offer the potential to understand the relationship among vulnerabilities, infrastructure, and incidents at the level of the individual firm. We have the following firm-level data for 990 small and medium-sized firms in the UK:
Traditional enterprise characteristics, including data on revenues, employees, industry, and whether the firm is engaged in ecommerce (i.e. sales via the internet)
Enterprise-level data on 13 different critical software vulnerabilities5
Data on various precautions or security investments6
Data on many types of incidents (breaches), at the level of the incident
Critically, we also have data on a variable that measures whether the firm was attacked (e.g. through a phishing email attack).
Overall, 39% of the firms in the data set suffered an incident (breach). The most common incident, affecting 27% of all firms, was "sensitive data leaked to the web". This is a serious breach that could compromise consumer data held by the firm (e.g. credit card information).
Summary data show that nearly 87% of the firms in the sample (858 out of 990) have at least one vulnerability. Fully 43% of these 858 firms suffered at least one incident. By contrast, only 18% of the 132 firms with no vulnerabilities suffered an incident. Thus, the probability of suffering an incident is more than twice as high (43% versus 18%) for a firm with any vulnerabilities.
An attempted email attack is an intermediate event that occurs between stage one (in which firms invest in various precautions) and stage two (in which attacks occur). In a phishing attack, a user is tricked (through an email) into clicking a malicious link. This can lead to the disclosure of sensitive information as well as other problems. This background suggests a causal pattern, namely that firms that suffer attempted email attacks are more likely to suffer a leak of sensitive data. The relationship between an email attack and the occurrence of a data leak incident is remarkably revealing: 95% (87 of 92) of the firms that suffered an attempted email attack were found to have leaked sensitive data to the web. By contrast, only 20% (178 out of 898) of the firms that did not suffer an attempted email attack were found to have leaked sensitive data to the web.
Our analysis shows other interesting patterns in this small cross-sectional data set. A much larger data set would be orders of magnitude more helpful. More importantly, we are currently putting together a panel data set to address the endogeneity of the firms' precautions and security investments.7 We hope that this long-term project will help reduce the cyber risks society faces and efficiently insure against those that cannot be completely eliminated.
Anderson, R and T Moore (2006), “The economics of information security”, Science 314(5799): 610-613.
Arora, A, J P Caulkins and R Telang (2006), “Sell First, Fix Later: Impact of Patching on Software Quality”, Management Science 52(3): 465–471.
Biener, C, M Eling and J Wirfs (2015), "Insurability of Cyber Risk: An Empirical Analysis", The Geneva Papers on Risk and Insurance 40(1); also University of St. Gallen, School of Finance Research Paper No. 2015/03.
Camp, L J and C Wolfram (2004), “Pricing Security”, in L.J. Camp and S. Lewis (eds), Economics of Information Security, vol. 12, Advances in Information Security. Springer-Kluwer.
Campbell, K, L A Gordon, M P Loeb and L Zhou (2003), “The economic cost of publicly announced information security breaches: empirical evidence from the stock market”, Journal of Computer Security 11(3): 431–448.
Choi, J, C Fershtman and N Gandal (2010), "Network Security: Vulnerabilities and Disclosure Policy", Journal of Industrial Economics 58: 868-894.
Eling, M and W Schnell (2016), "Ten Key Questions on Cyber Risk and Cyber Risk Insurance" (edited by F Sommerrock).
Falco, G, M Eling, D Jablanski, V Miller, G Gordon, S Wang, J Schmit, R Thomas, M Elvedi, T Maillart, E Donavan, S Dejung, W Weber, E Durand, F Nutter, U Scheffer, G Arazi, G Ohana and H Lin (2019), “A Research Agenda for Cyber Risk and Cyber Insurance”.
Gandal, N, M Riordan and S Bublil (2020), “A New Approach to Quantifying, Reducing and Insuring Cyber Risk: Preliminary Analysis and Proposal for Further Research”, CEPR Discussion Paper 14461.
Gatzlaff, K and K McCullough (2011), "The Effect of Data Breaches on Shareholder Wealth", Risk Management and Insurance Review.
Gordon, L and M Loeb (2002), “The Economics of Information Security Investment”, ACM Transactions on Information and System Security 5(4): 438–457.
4 One of us (Shalom Bublil) is the Chief Product Officer at Kovrr.
5 These data are obtained by Kovrr from online sources in the public domain. (All of the data Kovrr collects are publicly available on the Internet.)
6 For example, a CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") protects websites against bots by generating tests that humans can pass but (current) computer programs cannot.
7 We can see the "endogeneity" problem when we look at the relationship between precautions (which are "first stage" choice variables) and breaches (i.e. successful attacks). For example, if we add an independent variable that measures precautions (either whether the firm has taken any precautions, or the number of precautions it has taken) to the regressions in Table 3, the coefficient on the "precautions" variable is positive. Obviously, that does not mean that taking precautions leads to incidents; rather, firms that suffered breaches were likely to install precautions after the incident, so a cross-section observed after the fact records the precaution alongside the breach it responded to.
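The reverse-causality mechanism in footnote 7 can be made concrete with a small simulation. The following is an added illustration, not code or data from the paper or from Kovrr: it generates constructed firm records in which precautions genuinely halve the breach probability, but breached firms tend to adopt precautions afterwards, and then compares the breach rate by the firm's true ex-ante precaution status with the breach rate by the precaution status a cross-section observed after the fact would record. All parameter values (baseline breach rate, adoption rates, the protective effect) are assumptions chosen for the example.

```python
import random


def simulate_firms(n=20000, seed=1, base_breach=0.30, precaution_effect=0.5,
                   adopt_baseline=0.30, adopt_after_breach=0.80):
    """Generate constructed firm records (not real data).

    Stage 1: a fraction adopt_baseline of firms take precautions ex ante.
    Stage 2: precautions multiply the breach probability by precaution_effect.
    Afterwards: a fraction adopt_after_breach of breached firms install
    precautions in response, which is what a cross-section taken later sees.
    """
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    firms = []
    for _ in range(n):
        pre = rng.random() < adopt_baseline                 # true first-stage choice
        p_breach = base_breach * (precaution_effect if pre else 1.0)
        breached = rng.random() < p_breach                  # precautions really help
        post = breached and rng.random() < adopt_after_breach  # reaction to breach
        firms.append({
            "pre": pre,                 # ex-ante precaution (unobserved in a cross-section)
            "observed": pre or post,    # precaution status recorded after the fact
            "breached": breached,
        })
    return firms


def breach_rate(firms, key, value):
    """Share of firms with firms[key] == value that were breached."""
    subset = [f for f in firms if f[key] == value]
    return sum(f["breached"] for f in subset) / len(subset)


def risk_difference(firms, key):
    """Breach rate with precautions minus breach rate without, by the given indicator.

    A negative value means precautions are associated with fewer breaches.
    """
    return breach_rate(firms, key, True) - breach_rate(firms, key, False)


if __name__ == "__main__":
    firms = simulate_firms()
    # Using the true ex-ante choice, precautions look protective (negative difference).
    print("ex-ante precaution:  %+.3f" % risk_difference(firms, "pre"))
    # Using the status observed after breaches, the sign flips to positive,
    # the same pattern as the positive coefficient described in footnote 7.
    print("observed precaution: %+.3f" % risk_difference(firms, "observed"))
```

With the assumed parameters the ex-ante comparison is about -0.15 (15% versus 30%), while the after-the-fact comparison is about +0.38, even though precautions were protective by construction. Nothing about the regression fixes this; only data that separates the timing of the precaution from the timing of the breach, such as the panel the authors are assembling, can.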