A statistical approach for assessing cyber risk via ordered response models

Proper evaluation of the risk associated to a cyber attack is a crucial aspect for many companies. There is an increasing need to plan for and implement effective ways to address cyber security, data security, and privacy protection. Estimating the risk of a successful cyber attack is an important issue, since this type of threat is proliferating and thus poses increasing danger to companies and the customers who use their services. While quantitative loss data are rarely available, it is possible to obtain a qualitative evaluation on an ordinal scale of severity of cyber attacks from experts of the sector. Hence, it is natural to apply order response models for the analysis of cyber risk. In particular, we rely on cumulative link models. We explain the experts' assessment of the severity of a cyber attack as a function of a set of explanatory variables describing the characteristics of the attack under consideration. A measure of diffusion of the effects of the attacks obtained via the use of a network structure is also incorporated into the set of explanatory variables of the model. Along with the description of the methodology, we present a detailed analysis of a real data set that includes information on serious cyber attacks occurred worldwide in the period 2017-2018.