An Investigation of Cyber Loss Data and Its Links to Operational Risk

IF 0.4 | Region 4: Economics | JCR Q4: BUSINESS, FINANCE
Ruben D. Cohen, Jonathan Humphries, S. Veau, R. Francis
DOI: 10.21314/jop.2019.228 (https://doi.org/10.21314/jop.2019.228)
Journal: Journal of Operational Risk
Publication date: 2019-09-24
Publication type: Journal Article
Citations: 12

Abstract

An Investigation of Cyber Loss Data and Its Links to Operational Risk
Cyber risk is one of the most challenging areas of risk, not only because it is relatively nascent but also because it remains an elusive moving target due to an ever-evolving threat landscape. A lack of structured data and the systemic implications of multifaceted impacts of overlapping risk frameworks are additional factors that make this risk difficult to quantify. As a starting point for overcoming this challenge, our paper considers a potential definition of this risk type, encompassing confidentiality, integrity and availability; the key components of a cyber-risk framework; a taxonomy to help establish a common framework for data collection to aid quantification; and the key quantification challenges. It then focuses on quantifying the direct financial and compensatory losses emanating from cyber risks. To help us carry this out, dimensional analysis is incorporated in the same manner as it has been applied to operational losses; this enables the identification of any similarities and/or gross deviations between the profiles of cyber and non-cyber operational losses. In all, considering the limited amount of cyber data available, this analysis shows that:

(1) a taxonomy for cyber risk that maps directly to operational risk might be a worthwhile exercise;
(2) cyber loss data has a fundamental risk profile similar to that of non-cyber operational risk losses, with both following the same trend; and
(3) the underlying risk profile related to cyber losses has not changed materially over time.

These findings come with the added implications that:

(1) mapping the taxonomies of cyber and operational risk against each other could be conducted more objectively;
(2) operational risk modeling techniques that have been developed over the past decade or so could be used in the same way to assess the direct financial impact of cyber risk as a starting point; and
(3) although there has been an increase in both the frequency and the severity of cyber losses over the past few years, there has not been a major paradigm shift in their fundamental risk profile over the same period of time.
Source journal: Journal of Operational Risk (BUSINESS, FINANCE)
CiteScore: 1.00
Self-citation rate: 40.00%
Articles published: 6
Journal description: In December 2017, the Basel Committee published the final version of its standardized measurement approach (SMA) methodology, which will replace the approaches set out in Basel II (ie, the simpler standardized approaches and advanced measurement approach (AMA) that allowed use of internal models) from January 1, 2022. Independently of the Basel III rules, in order to manage and mitigate risks, they still need to be measurable by anyone. The operational risk industry needs to keep that in mind. While the purpose of the now defunct AMA was to find out the level of regulatory capital to protect a firm against operational risks, we still can – and should – use models to estimate operational risk economic capital. Without these, the task of managing and mitigating capital would be incredibly difficult. These internal models are now unshackled from regulatory requirements and can be optimized for managing the daily risks to which financial institutions are exposed. In addition, operational risk models can and should be used for stress tests and Comprehensive Capital Analysis and Review (CCAR). The Journal of Operational Risk also welcomes papers on nonfinancial risks as well as topics including, but not limited to, the following. The modeling and management of operational risk. Recent advances in techniques used to model operational risk, eg, copulas, correlation, aggregate loss distributions, Bayesian methods and extreme value theory. The pricing and hedging of operational risk and/or any risk transfer techniques. Data modeling external loss data, business control factors and scenario analysis. Models used to aggregate different types of data. Causal models that link key risk indicators and macroeconomic factors to operational losses. Regulatory issues, such as Basel II or any other local regulatory issue. Enterprise risk management. Cyber risk. Big data.