Risk Management and the Board of Directors

“… new risks—and the intensification of longstanding risks—are pressure-testing the agility and resilience of corporate strategies, risk management systems and practices.” Lire

Cyber Risk: Hyperconnectivity and the Political Economy of Uncertainty

“This paper explores the notion of ‘cyber risk’, asking how we might understand it through a sociotechnical lens. It pays specific attention to how we can theorise cyber risk as an assemblage of sociotechnical ‘riskscapes’, in which our understanding of risk goes beyond organisational imperatives of ‘risk management’ and into treating cyber risk as a set of productive knowledges and practices within a […]

Building Resilience in Cybersecurity — An Artificial Lab Approach

“Using the lab, in numerical case studies, we identify two classes of measures to control systemic cyber risks: security- and topology-based interventions. We discuss the implications of our findings on selected real-world cybersecurity measures currently applied in the insurance and regulation practice or under discussion for future cyber risk control. To this end, we provide […]

Supply Chain Characteristics as Predictors of Cyber Risk: A Machine-Learning Assessment

“… supply chain network features add significant detection power to predicting enterprise cyber risk, relative to merely using enterprise-only attributes. Particularly, compared to a base model that relies only on internal enterprise features… Given that each cyber data breach is a low probability high impact risk event, these improvements in the prediction power have significant […]

Malware Classification Using Feature Reduction Method and Autoscaling

“These attacks are unknown to the human eye due to malicious intent to harm any underlying infrastructure. So, to overcome the problems and make a flexible solution, we propose a framework where machine learning algorithms are applied to find relevant features from the existing dataset.” Lire

Cybersecurity, Cloud and Critical Infrastructure

“… there is a risk that the EU’s Network and Information Systems Directive (‘NIS Directive’) might lead to only incremental improvements in the cybersecurity of Europe’s critical infrastructure and digital services, while generating substantial compliance activity, aimed at placating regulators and reassuring the general public.” Lire

The Tensions of Cyber-Resilience: From Sensemaking to Practice

“We apply Weick’s (1995) sensemaking framework to examine four foundational tensions of cyber-resilience: a definitional tension, an environmental tension, an internal tension, and a regulatory tension. We then document how these tensions are embedded in cyber-resilience practices at the preparatory, response and adaptive stages. We rely on qualitative data from a sample of 58 cybersecurity […]

A Mathematical Model for Risk Assessment of Social Engineering Attacks

“Social engineering is a very common type of malicious activity conducted on cyberspace that targets both individuals and companies in order to gain access to information or systems. It is part of the broader domain of cybersecurity and the first step to mitigate this type of attack is to know its attack vectors. This way, […]

Cyber Risk Assessment for Capital Management

“There appears a gap in cyber risk modeling between engineering and insurance literature. This paper presents a novel model to capture these unique dynamics of cyber risk known from engineering and to model loss distributions based on industry loss data and a particular company’s cybersecurity profile. The analysis leads to a new tool for allocating […]

Cybersecurity and Financial Stability

“Cyber attacks can impair banks operations and precipitate bank runs. When digital infrastructure is shared, banks defend themselves by investing in cybersecurity but can free-ride on the security measures of others. Ex ante free-riding by banks interacts with the ex post coordination frictions underpinning bank runs.”    Lire