Cyber risk modelling using copulas
Thesis title in Czech: Modelování kybernetického rizika pomocí kopula funkcí
Thesis title in English: Cyber risk modelling using copulas
Keywords: cyber risk, operational risk, data breach, extreme value theory, copula, value at risk, conditional value at risk
Academic year of topic announcement: 2017/2018
Thesis type: diploma thesis
Thesis language: English
Department: Institute of Economic Studies (23-IES)
Supervisor: prof. PhDr. Petr Teplý, Ph.D.
Author: hidden - assigned by the supervisor
Date of registration: 14.06.2018
Date of assignment: 14.06.2018
Date and time of defence: 15.09.2020 09:00
Venue of defence: Opletalova - Opletalova 26, O314, Opletalova - room no. 314
Date of electronic submission: 31.07.2020
Date of defence held: 15.09.2020
Opponents: doc. PhDr. Jozef Baruník, Ph.D.
Guidelines
The risk that a cyber attack disrupts a part of the economy is clearly rising while at the same time the level of cyber risk research is globally far behind what is needed. Cyber risk research is currently concentrated around consulting firms and insurance companies which share their findings only exceptionally. The supply of publicly available data is insufficient because the organisations mentioned above profit from such low supply by selling their overpriced products.

The procedure of operational risk assessment is described, for example, in (Lebovič, 2012). A more advanced method combining extreme value theory and copulas is applied in the work of (Abbate, Farkas, & Gourier, 2009). However, cyber risk modelling is more challenging than traditional operational risk modelling, which is also confirmed by (Biener, Eling, & Wirfs, 2015). Even though (Lloyd’s, 2017) do not fully disclose their methodology, their cyber risk estimates acquired with a scenario analysis are a substantial contribution to the research. A report by (Verizon, 2018), an annual publication with descriptive statistics related to data breach risk, has a similar impact.

The aim of this thesis is to provide fully reproducible research while using the best publicly available data. This thesis will discuss cyber risk, its modelling and its impact on organisations around the world. It will build upon the model used to measure cyber risk using copulas introduced by (Herath & Herath, 2011) and (Shah, 2016). Particular attention will be paid to data breach risk which is a major and relatively easily measurable component of cyber risk. The importance of data breach risk is highlighted also by (Verizon, 2018).


Expected Contribution:
Modelling cyber risk is generally more challenging than modelling other types of operational risk because the constantly changing nature of cyber risk results in insufficient availability of suitable data. Operational risk is a widely researched area; cyber risk, however, still lacks sufficient attention. Some consulting firms already offer services that assess the cyber risks of interested organisations; however, their models are kept private, so public evaluation of their validity is impossible. This thesis will offer comprehensive and fully transparent research of cyber risk. It will use carefully selected and unique data which have been overlooked by many researchers in this field. Results can be to some degree directly used by financial institutions and other organisations to assess their exposure to cyber risk. However, it is more expected that the model and the methodology used in this thesis will serve as a prototype for other cyber risk research. This thesis will be especially valuable to actuaries specialising in cyber risk.
References
Abbate, D., Farkas, W., & Gourier, E. (2009). Operational Risk Quantification using Extreme Value Theory and Copulas: From Theory to Practice.
Biener, C., Eling, M., & Wirfs, J. (2015). Insurability of Cyber Risk: An Empirical Analysis. Geneva Papers on Risk and Insurance, 40(1), 32.
Clemente, A., & Romano, C. (2004). A copula-Extreme Value Theory approach for modelling operational risk. In Operational Risk Modelling and Analysis: Theory and Practice.
Genest, C., Rémillard, B., & Beaudoin, D. (2009). Goodness-of-fit tests for copulas: A review and a power study. Insurance: Mathematics and Economics, 44(2), 199-213.
Herath, H., & Herath, T. (2011). Copula Based Actuarial Model for Pricing Cyber-Insurance Policies.
Chernobai, A., Rachev, S., & Fabozzi, F. (2007). Operational Risk: A Guide to Basel II Capital Requirements, Models, and Analysis.
Lebovič, M. (2012). The use of coherent risk measures in operational risk modeling.
Lloyd’s. (2017). Counting the cost. Retrieved from https://www.lloyds.com/news-and-risk-insight/risk-reports/library/technology/countingthecost
Shah, A. (2016). Pricing and Risk Mitigation Analysis of a Cyber Liability Insurance using Gaussian, t and Gumbel Copulas – A Case for Cyber Risk Index. CANADIAN ECONOMICS ASSOCIATION.
Verizon. (2018). 2018 Data Breach Investigations Report. Retrieved from https://www.verizonenterprise.com/verizon-insights-lab/dbir/
Preliminary scope of work
Hypotheses:
1. Hypothesis #1: Frequencies of losses caused by data breaches follow a Poisson distribution.
2. Hypothesis #2: Severities of losses caused by data breaches follow a log-normal distribution.
3. Hypothesis #3: A Gaussian copula describes dependencies between aggregate losses caused by data breaches in different industries.
4. Hypothesis #4: The possible total worldwide cost of data breaches per one year is smaller than the nominal GDP of the Czech Republic.


Methodology:
The first two hypotheses will be tested with Kolmogorov-Smirnov and Anderson-Darling tests. The third hypothesis will be tested with copula goodness-of-fit tests such as those described in (Genest, Rémillard, & Beaudoin, 2009).

We will consider several different copulas, and we will select the most suitable one for risk measures calculation. The actuarial model used for risk measures calculation will broadly follow the one described by (Chernobai, Rachev, & Fabozzi, 2007). Nonetheless, many enhancements and optimisations introduced for instance by (Clemente & Romano, 2004) will be incorporated into the model.

The last hypothesis will be tested by calculating confidence intervals of means of risk measures using Monte Carlo simulation. Rejecting the last hypothesis will allow us to claim that the possible total worldwide cost of data breaches per one year is either lower or higher than the nominal GDP of the selected country. The parametric model used to test these hypotheses will be calibrated using publicly available data from the Breach Level Index database published by Gemalto.
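A minimal sketch of the simulation pipeline the methodology describes, added here as an illustration and not taken from the thesis: Poisson frequencies and log-normal severities give per-industry annual losses, a Gaussian copula joins two industries, and Monte Carlo yields value at risk and conditional value at risk. The two-industry setup, the function names and all parameter values are constructed assumptions, not calibrated to the Breach Level Index.

```python
import math
import random
from statistics import NormalDist

def poisson(rng, lam):
    """Knuth's multiplication method; adequate for small lam."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def aggregate_losses(rng, lam, mu, sigma, n):
    """n simulated annual losses: Poisson count, log-normal severities, sorted."""
    return sorted(
        sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))
        for _ in range(n)
    )

def simulate_total(rho, n=20000, seed=1):
    """Total annual loss over two industries joined by a Gaussian copula."""
    rng = random.Random(seed)
    # Constructed (lam, mu, sigma) per industry; not fitted to any data set.
    margins = [aggregate_losses(rng, 3.0, 10.0, 1.5, n),
               aggregate_losses(rng, 5.0, 9.0, 2.0, n)]
    phi = NormalDist().cdf
    totals = []
    for _ in range(n):
        z1 = rng.gauss(0, 1)
        z2 = rho * z1 + math.sqrt(1 - rho * rho) * rng.gauss(0, 1)
        # Copula step: correlated normals -> uniforms -> empirical quantiles.
        totals.append(sum(m[min(int(phi(z) * n), n - 1)]
                          for m, z in zip(margins, (z1, z2))))
    return totals

def var_cvar(losses, alpha=0.99):
    """Empirical value at risk and conditional value at risk at level alpha."""
    ordered = sorted(losses)
    idx = min(int(alpha * len(ordered)), len(ordered) - 1)
    tail = ordered[idx:]
    return ordered[idx], sum(tail) / len(tail)

if __name__ == "__main__":
    for rho in (0.0, 0.7):
        var, cvar = var_cvar(simulate_total(rho))
        print(f"rho={rho}: VaR99={var:,.0f} CVaR99={cvar:,.0f}")
```

Comparing the output for different values of `rho` shows how the assumed dependence between industries changes the tail measures while the marginal loss distributions stay the same.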


Outline:
1. Introduction
2. Theoretical background
2.1. Definition of cyber risk
2.2. Trends in cyber risk assessment
2.3. Current cyber threats
2.4. GDPR and the data breach risk
3. Literature review
4. Methodology
5. Empirical analysis
6. Discussion of results
7. Results
8. Conclusion
 