Cyber risk quantification: Investigating the role of cyber value at risk

The aim of this paper is to deepen the application of value at risk in the cyber domain, with particular attention to its potential role in security investment valuation. Cyber risk is a fundamental component of the overall risk faced by any organization. In order to plan the size of security investments and to estimate the consequent risk reduction, managers strongly need to quantify it. Accordingly, they can decide about the possibility of sharing residual risk with a third party, such as an insurance company. Recently, cyber risk management techniques are including some risk quantile-based measures that are widely employed in the financial domain. They refer to value at risk that, in the cyber context, takes the name of cyber value at risk (Cy-VaR). In this paper, the main features and challenging issues of Cy-VaR are examined. The possible use of this risk measure in supporting investment decisions in cyber context is discussed, and new risk-based security metrics are proposed. Some simple examples are given to show their potential.