Predicting Cyber Risks through National Vulnerability Database

Data-driven predictive modeling in risk assessment: Challenges and directions for proper uncertainty representation

Data-driven predictive modeling is increasingly being used in risk assessments. While such modeling may provide improved consequence predictions and probability estimates, it also comes with challenges. One is that the modeling and its output does not measure and represent uncertainty due to lack of knowledge, that is, "epistemic uncertainty." In this article, we demonstrate this point by conceptually linking the main elements and output of data-driven predictive models with the main elements of a general risk description, thereby placing data-driven predictive modeling on a risk science foundation. This allows for an evaluation of such modeling with reference to risk science recommendations for what constitutes a complete risk description. The evaluation leads us to conclude that, as a minimum, to cover all elements of a complete risk description a risk assessment using data-driven predictive modeling needs to be supported by assessments of the uncertainty and risk related to the assumptions underlying the modeling. In response to this need, we discuss an approach for assessing assumptions in data-driven predictive modeling.

Cyber risk and cybersecurity: a systematic review of data availability

Cybercrime is estimated to have cost the global economy just under USD 1 trillion in 2020, indicating an increase of more than 50% since 2018. With the average cyber insurance claim rising from USD 145,000 in 2019 to USD 359,000 in 2020, there is a growing necessity for better cyber information sources, standardised databases, mandatory reporting and public awareness. This research analyses the extant academic and industry literature on cybersecurity and cyber risk management with a particular focus on data availability. From a preliminary search resulting in 5219 cyber peer-reviewed studies, the application of the systematic methodology resulted in 79 unique datasets. We posit that the lack of available data on cyber risk poses a serious problem for stakeholders seeking to tackle this issue. In particular, we identify a lacuna in open databases that undermine collective endeavours to better manage this set of risks. The resulting data evaluation and categorisation will support cybersecurity researchers and the insurance industry in their efforts to comprehend, metricise and manage cyber risks.

SUPPLEMENTARY INFORMATION

The online version contains supplementary material available at 10.1057/s41288-022-00266-6.

Predicting Cyber-Events by Leveraging Hacker Sentiment

Recent high-profile cyber-attacks exemplify why organizations need better cyber-defenses. Cyber-threats are hard to accurately predict because attackers usually try to mask their traces. However, they often discuss exploits and techniques on hacking forums. The community behavior of the hackers may provide insights into the groups’ collective malicious activity. We propose a novel approach to predict cyber-events using sentiment analysis. We test our approach using cyber-attack data from two major business organizations. We consider three types of events: malicious software installation, malicious-destination visits, and malicious emails that surmounted the target organizations’ defenses. We construct predictive signals by applying sentiment analysis to hacker forum posts to better understand hacker behavior. We analyze over 400 K posts written between January 2016 and January 2018 on over 100 hacking forums both on the surface and dark web. We find that some forums have significantly more predictive power than others. Sentiment-based models that leverage specific forums can complement state-of-the-art time-series models on forecasting cyber-attacks weeks ahead of the events.