Quantifying Cyber Risk

Research question(s): How much harm results from cyber incidents? − Which security interventions effectively reduce harm? − Have these answers changed over time? • Approach: Systematization of the empirical literature in several disciplines • Data: Stock markets, financial disclosures, insurance claims, news reports (breach disclosures), technical measurements, survey responses • Main result(s): Studies disagree on the harm resulting from cyber incidents − Omitted variables and sampling biases cast doubt on many results − Indicators of exposure explain more variance than indicators of preventive security − Very little is known about systemic cyber risk • Policy implication(s): The market can handle individual cyber losses, but externalities creating systemic cyber risk require policy attention. Statistical institutes should extend the collection of cyber risk indicators on a representative basis.