Cyber risks are high on the business agenda of every company, but they are difficult to assess due to the absence of reliable data and thorough analyses. To improve this situation, we identify cyber losses from an operational risk database and analyze these with methods from the field of actuarial science. Specifically, we use the peaks-over-threshold method from extreme value theory to identify “cyber risks of daily life” and “extreme cyber risks”. We show that human behavior is the main source of cyber risk and that cyber risks are unique. Our models can be used to yield consistent risk estimates, depending on country, industry, size, and other variables. The findings of the paper are useful for practitioners, policymakers and regulators in improving the understanding of this new and serious type of risk.
Institute of Insurance Economics, University of St. Gallen, Working Paper Series on Risk Management and Insurance #183
- Martin Eling, Jan Hendrik Wirfs