With some of the largest cyber-attacks occurring in recent years — from 2010 to 2019 — we are only beginning to understand the full extent of cyber risk. As businesses grapple with the risks of cyber-incidents and their imperfect ability to prevent them, attention has shifted towards risk management and insurance. While there have been efforts to understand the costs of cyber-attacks, the systemic risk — a result of risks spreading across interdependent systems — associated with cyber-attacks remains a critical problem in need of further study. We contribute a theoretical framework that describes systemic cyber risk as the result of cascading, common cause, or independent failures following a cyber incident. We construct a quantitative model of cascading failures to estimate the potential economic damage associated with a given cyber incident. We present an interdisciplinary approach for extending standard sector-level input-output analyses to the cyber domain, which has not been done. We estimate the aggregate losses associated with firm-level incidents, a contribution to risk analysis and computational economic modeling. We use this model to estimate the impact of potential cyber incidents and compare model results to a case with known damages. Finally, we use the model of systemic cyber risk to consider the implications for the growing cyber insurance market and the need for broader cyber policy.

The research described in this report was conducted by the RAND Institute for Civil Justice within RAND Social and Economic Well-Being.

This report is part of the RAND Corporation working paper series. RAND working papers are intended to share researchers' latest findings and to solicit informal peer review. They have been approved for circulation by RAND but may not have been formally edited or peer reviewed.
