Systemic Cyber Risk and Aggregate Impacts
Published in: Risk Analysis (2021). doi: 10.1111/risa.13715
Posted on RAND.org on February 18, 2021
With some of the largest cyber attacks occurring in recent years—from 2010 to 2019—we are only beginning to understand the full extent of cyber risk. As businesses grapple with the risks of cyber incidents and their imperfect ability to prevent them, attention has shifted toward risk management and insurance. While there have been efforts to understand the costs of cyber attacks, the systemic risk—a result of risks spreading across interdependent systems—associated with cyber attacks remains a critical problem in need of further study. We contribute a theoretical framework that describes systemic cyber risk as the result of cascading, common cause, or independent failures following a cyber incident. We construct a quantitative model of cascading failures to estimate the potential economic damage associated with a given cyber incident. We present an interdisciplinary approach for extending standard sector-level input-output analyses to the cyber domain, which has not been done. We estimate the aggregate losses associated with firm-level incidents, a contribution to risk analysis and computational economic modeling. We use this model to estimate the impact of potential cyber incidents and compare model results to a case with known damages. Finally, we use the model of systemic cyber failure to consider the implications for the growing cyber insurance market and the need for broader cyber policy. While we discuss the topic of systemic cyber risk, our contribution of using I/O analysis to estimate the aggregate losses from firm-level incidents is applicable across a variety of risk analysis applications from environment to health.