
The Measurement and Insurability of Cyber Security Risk Based on Data Breaches Types (cited by: 10)
Abstract: Cyber security risk has become one of the issues of greatest concern worldwide, but the lack of reliable data and comprehensive analysis makes it difficult to assess. This paper is the first to use the Gemalto data breach database to characterize the risk of different types of data breaches worldwide, and it uses best-fit distributions to measure cyber security risk and the corresponding premiums. The results show that the best-fit distribution differs across data breach types, but overall the frequency of data breach events follows a negative binomial distribution and the volume of breached data follows different families of lognormal distributions. VaR and CVaR values for each data breach type are computed from the best-fit distributions and compared with the actual values; except for breaches caused by malicious insiders and breaches of the identity theft type, the estimated and actual values of the other data breach types show no significant heteroscedasticity. In addition, according to the insurability criteria, cyber security risk in China is insurable. The paper gives premiums for the different data breach types under the pure premium, expected value and standard deviation principles, together with VaR and CVaR risk capital at different confidence levels. Comparing premiums with risk capital shows that, under the expected value principle, the premiums for the malicious outsider and identity theft types can cover risk below the 90% level. The results can provide theoretical support and practical guidance for insurance companies offering cyber security insurance.
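Authors: DONG Kun-xiang (董坤祥); XIE Zong-xiao (谢宗晓); ZHEN Jie (甄杰); HONG Zhi-juan (洪志娟)
Source: Insurance Studies (《保险研究》), CSSCI, Peking University Core Journal, 2019, No. 11, pp. 25-41 (17 pages)
Funding: National Social Science Fund of China, Youth Project (No. 17CGL019); Shandong Provincial Social Science Planning Research Project (No. 19DGLJ03)
Keywords: cyber security; risk measurement; data breaches; insurability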
