Data Analytics Techniques
In this section, a brief introduction to data analytics techniques is given in order to make some remarks. First, a definition of the term data analytics is needed to understand the problem to be faced. Data analytics is defined as the process of cleaning, transforming, and modeling collected data to point out relevant information for decision-making.
Several types of data analysis techniques exist, depending on the business and the technology. The major types of data analysis are as follows:
• Text analysis.
• Statistical analysis.
• Diagnostic analysis.
• Predictive analysis.
• Prescriptive analysis.
These techniques can be applied for different purposes; depending on the problem to be solved and the significance of the collected datasets, the appropriate technique must be chosen.
Cyber Risk Assessments
In this section, the powerful Big Data analytics tool will be applied to support decision makers in cyber insurance companies (Bartolini et al., 2017b).
Cyber risks primarily affect digital information security, but also any source of information, independently of its nature. When it materializes, cyber risk can jeopardize the availability, integrity, and confidentiality of sensitive data, processes, and information.
The approach chosen in the work described in this chapter explores the features of factors related to cyber risk and cyber security, and tries to identify which factors more significantly impact the insurers’ economic risk assessment (Bartolini et al., 2018a). The selection criteria adopted in our approach point out the following set of features as the most appropriate:
• The Turnover, as per definition, means “the aggregate value of the realization of amount made from the sale, supply, or distribution of goods or on account of services rendered, or both, by the company during a financial year.” Basically, it concerns the company’s benefits. Usually, big companies require large IT infrastructures, and the Turnover is higher than in small ones. In addition, a large and well-known company is more exposed to a cyber-attack than a small one.
• Other IT insurances concerns companies which contract additional insurances. This factor is relevant for an economic as well as a risk-based approach, because it has to be determined whether holding further IT insurances besides the cyber insurance, that is, this additional risk transfer, shows a positive correlation.
• Credit card/cardholder and personal identifying information (CC/PII) data. Hosting this personal information is a risk for the company: in the case of a successful cyber-attack these data can be stolen, the insurance company has to attend to the claims, and the company’s reputation will drop.
• Data breaches have dramatic outcomes in which personal data as well as cardholder data are stolen by criminals. Claims payments can arise when the company is forced to pay fines in the legal context (e.g., GDPR) or in the regulatory context (e.g., Payment Card Industry Data Security Standard [PCI DSS]).
• The result of the technical cyber risk assessment is the Rating. As described in previous related work (Bartolini et al., 2018b), a company can be technically insured if the result of the cyber risk assessment (technical risk assessment) reaches the minimum Rating score of 2.00. Therefore, this criterion is the one used to decide whether to proceed with the insurance contract or not. The Rating depends on the other factors mentioned in this work.
• Critical infrastructures (KRITIS) are organizational and physical structures and facilities of such vital importance to a nation’s society and economy that their failure or degradation would result in sustained supply shortages, significant disruption of public safety and security, or other dramatic consequences. This factor indicates whether the customer is one of the critical infrastructures. As critical infrastructures are a high-value target for criminals, these companies need to have a high maturity level.
• Investments in IT/Cyber Programs is another economic factor to be considered in the correlation analysis. In general, investment in IT makes the whole infrastructure more robust and protected against cyber-attacks, and the cyber risk drops noticeably.
• When a cyber-attack succeeds, damage is ultimately produced. In consequence, the insurance company must compensate the damages. The factor called cyber Insurance claim concerns the expenses incurred once the damage has occurred at the company. It is a very important aspect to consider in the approach.
Analysis of Cyber Security-Related Data
The term “cyber risk” refers to a multitude of different sources of risk affecting the information and technology assets of a firm. Cyber risk can be categorized according to different criteria. A detailed categorization is provided in Biener et al. (2015).
The data used to assess whether a company can be insured in relation to cyber security have been presented previously. The aim is to observe the risk of suffering a cyber-attack, and the damage and economic cost that would impact the insurance company, given the compensation it would have to provide to those affected.
For this, the interdependencies between the different parameters that have already been identified as relevant when assessing the possibility of insuring a company against possible cyber-attacks, that is, cyber risk, should be analyzed.
In the first phase, the parameter data will be analyzed individually in order to obtain the most relevant characteristics. In the second phase, the dependencies between the data will be analyzed in order to identify which ones have the greatest weight in the decision-making process and in the establishment of an adequate model.
Probability distribution functions are used as part of a set of analytical tools. Their use dates back to the 19th century. Figures 9.1a-9.1g show the probability distribution functions of the parameters used to analyze and evaluate the cyber insurance contract. The analysis of the probability distribution functions can allow us to infer which would be the most appropriate analysis regarding the regression model to be applied. In some cases, a logistic regression should be applied, given the characteristics of some of the variables. In other cases, a deeper analysis will have to be done to determine whether it is convenient to use the linear regression of one or several variables, or another type.
Figure 9.1d shows the probability distribution function of the Rating: most companies (more than 80%) obtain a Rating of 3. On the other hand, approximately one sixth (14%) of companies obtain a Rating of 2, which implies a high cyber risk, that is, a high sensitivity to cyber-attacks.
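As an added example (not the authors' code), the following Python block makes the feature set and the two analysis phases above concrete: it describes a constructed portfolio with the chapter's factors, applies the minimum Rating 2.00 insurability criterion, computes the empirical probability distribution of the Rating (phase 1), and computes the Pearson correlation between parameters such as IT investment, claims and Rating (phase 2). Field names, units and all portfolio values are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from math import sqrt

MIN_INSURABLE_RATING = 2.00  # minimum Rating score stated in the chapter

@dataclass
class Applicant:
    """One applicant, described by the chapter's feature set (units are assumptions)."""
    turnover_meur: float        # Turnover, million EUR
    other_it_insurances: bool   # further IT insurances besides the cyber policy
    cc_pii_data: bool           # hosts credit card / personal identifying information
    data_breaches: int          # breaches suffered in the observation period
    kritis: bool                # the customer is a critical infrastructure
    it_investment_meur: float   # investments in IT / cyber programs, million EUR
    claims_keur: float          # cyber insurance claims paid, thousand EUR
    rating: float               # result of the technical cyber risk assessment

def is_technically_insurable(a):
    """Contract criterion: proceed only if the technical Rating reaches 2.00."""
    return a.rating >= MIN_INSURABLE_RATING

def rating_distribution(apps):
    """Phase 1: empirical probability distribution of the Rating (share per value)."""
    counts = Counter(a.rating for a in apps)
    return {r: c / len(apps) for r, c in sorted(counts.items())}

def pearson(xs, ys):
    """Phase 2: Pearson correlation between two parameters of the portfolio."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)

# Constructed sample portfolio (illustrative values, not the chapter's data)
PORTFOLIO = [
    Applicant(120.0, True, True, 0, False, 6.0, 0.0, 3.0),
    Applicant(45.0, False, True, 1, False, 2.5, 30.0, 3.0),
    Applicant(300.0, True, False, 0, True, 15.0, 0.0, 3.0),
    Applicant(12.0, False, False, 0, False, 0.8, 0.0, 3.0),
    Applicant(500.0, True, True, 1, True, 12.0, 120.0, 3.0),
    Applicant(20.0, False, True, 2, False, 0.3, 45.0, 2.0),
    Applicant(60.0, False, True, 1, True, 1.0, 80.0, 2.0),
    Applicant(15.0, False, True, 3, False, 0.1, 150.0, 1.0),
]
```

Running `rating_distribution(PORTFOLIO)` gives the share of applicants per Rating value, the empirical counterpart of Figure 9.1d, and `pearson` over two columns of the portfolio is the phase 2 dependency check.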