Systemic Cyber Risk and Aggregate Impacts

Published in: Risk Analysis (2021). doi: 10.1111/risa.13715

by Jonathan W. Welburn, Aaron Strong

Access further information on this document at Wiley Online Library

This article was published outside of RAND. The full text of the article can be found at the link above.

With some of the largest cyber attacks occurring in recent years—from 2010 to 2019—we are only beginning to understand the full extent of cyber risk. As businesses grapple with the risks of cyber incidents and their imperfect ability to prevent them, attention has shifted toward risk management and insurance. While there have been efforts to understand the costs of cyber attacks, the systemic risk—a result of risks spreading across interdependent systems—associated with cyber attacks remains a critical problem in need of further study. We contribute a theoretical framework that describes systemic cyber risk as the result of cascading, common cause, or independent failures following a cyber incident. We construct a quantitative model of cascading failures to estimate the potential economic damage associated with a given cyber incident. We present an interdisciplinary approach for extending standard sector-level input-output analyses to the cyber domain, which has not been done. We estimate the aggregate losses associated with firm-level incidents, a contribution to risk analysis and computational economic modeling. We use this model to estimate the impact of potential cyber incidents and compare model results to a case with known damages. Finally, we use the model of systemic cyber failure to consider the implications for the growing cyber insurance market and the need for broader cyber policy. While we discuss the topic of systemic cyber risk, our contribution of using I/O analysis to estimate the aggregate losses from firm-level incidents is applicable across a variety of risk analysis applications from environment to health.

This report is part of the RAND Corporation External publication series. Many RAND studies are published in peer-reviewed scholarly journals, as chapters in commercial books, or as documents published by other organizations.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.