Comprehensive statistical modeling of cyber risks and analysis of data breaches with applications in cyber insurance

In the rapidly evolving landscape of cybersecurity, the increased demand for zero trust protection and the intricate management of digital assets give rise to the urgent need for robust cyber risk mitigation strategies. Despite significant investments in information security, the escalating frequency and severity of cyber breaches pose substantial risks to business operations, with potential large-scale economic impacts. This thesis presents a comprehensive analysis of data breaches, employing advanced statistical modeling and estimation techniques. An empirical investigation of the Privacy Rights Clearinghouse (PRC) Data Breach Chronology dataset, including cluster analysis and preliminary data examination, sets the groundwork for subsequent modeling approaches. A Bayesian negative binomial generalized linear mixed model is introduced to capture quarterly variation and heterogeneity in cyber incidents frequency. Further, the thesis proposes a zero-inflated mixture and composite regression model for the loss severity. This model incorporates splicing and finite mixture techniques to address unique features of data breaches, with the parameter estimation facilitated by the expectation-maximization (E-M) algorithm. Building on frequency and severity models, the research introduces aggregate loss modeling approaches, including simple aggregation and MCMC-based methods. These models offer practical strategies for the cyber insurance industry. The impact of various deductibles, limits, and reinsurance practices on loss aggregations is also examined. The findings emphasize the critical importance of accurate cyber risk measurement and prediction for effective risk management and mitigation. By leveraging advanced statistical models, this research contributes to the development of more resilient cybersecurity frameworks and informs strategic decision-making in advancing cyber insurance products.