Systemic Cyber Risk and Aggregate Impacts

Published in: Risk Analysis (2021). doi: 10.1111/risa.13715

Posted on RAND.org on February 18, 2021

by Jonathan William Welburn, Aaron Strong

Read More

Access further information on this document at Wiley Online Library

This article was published outside of RAND. The full text of the article can be found at the link above.

With some of the largest cyber attacks occurring in recent years—from 2010 to 2019—we are only beginning to understand the full extent of cyber risk. As businesses grapple with the risks of cyber-incidents and their imperfect ability to prevent them, attention has shifted toward risk management and insurance. While there have been efforts to understand the costs of cyber attacks, the systemic risk—a result of risks spreading across interdependent systems—associated with cyber attacks remains a critical and problem in need of further study. We contribute a theoretical framework that describes systemic cyber risk as the result of cascading, common cause, or independent failures following a cyber incident. We construct a quantitative model of cascading failures to estimate the potential economic damage associated with a given cyber incident. We present an interdisciplinary approach for extending standard sector-level input-output analyses to the cyber domain, which has not been done. We estimate the aggregate losses associated with firm-level incidents, a contribution to risk analysis and computational economic modeling. We use this model to estimate the impact of potential cyber incidents and compare model results to a case with known damages. Finally, we use the model of systemic cyber failure to consider the implications on the growing cyber insurance market and the need for broader cyber policy. While we discuss the topic of systemic cyber risk, our contribution of using I/O analysis to estimate the aggregate losses from firm-level incidents is applicable across a variety of risk analysis applications from environment to health.

Research conducted by

This report is part of the RAND Corporation external publication series. Many RAND studies are published in peer-reviewed scholarly journals, as chapters in commercial books, or as documents published by other organizations.

The RAND Corporation is a nonprofit institution that helps improve policy and decisionmaking through research and analysis. RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.