{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,20]],"date-time":"2026-04-20T15:28:19Z","timestamp":1776698899892,"version":"3.51.2"},"reference-count":36,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2023,1,24]],"date-time":"2023-01-24T00:00:00Z","timestamp":1674518400000},"content-version":"vor","delay-in-days":23,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100001230","name":"Macquarie University","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100001230","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,1,5]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>In this study, we examine the nature of losses from cyber-related events across different risk categories and business sectors. Using a leading industry dataset of cyber events, we evaluate the relationship between the frequency and severity of individual cyber-related events and the number of affected records. We find that the frequency of reported cyber-related events has substantially increased between 2008 and 2016. Furthermore, the frequency and severity of losses depend on the business sector and type of cyber threat: the most significant cyber loss event categories, by number of events, were related to data breaches and the unauthorized disclosure of data, while cyber extortion, phishing, spoofing, and other social engineering practices showed substantial growth rates. Interestingly, we do not find a distinct pattern between the frequency of events, the loss severity, and the number of affected records as often alluded to in the literature. We also analyse the severity distribution of cyber-related events across all risk categories and business sectors. This analysis reveals that cyber risks are heavy-tailed, i.e. cyber risk events have a higher probability to produce extreme losses than events whose severity follows an exponential distribution. Furthermore, we find that the frequency and severity of cyber-related losses exhibit a very dynamic and time-varying nature.<\/jats:p>","DOI":"10.1093\/cybsec\/tyac016","type":"journal-article","created":{"date-parts":[[2023,1,25]],"date-time":"2023-01-25T05:33:15Z","timestamp":1674624795000},"source":"Crossref","is-referenced-by-count":27,"title":["The nature of losses from cyber-related events: risk categories and business sectors"],"prefix":"10.1093","volume":"9","author":[{"given":"Pavel V","family":"Shevchenko","sequence":"first","affiliation":[{"name":"Department of Actuarial Studies and Business Analytics, Macquarie Business School, Macquarie University , Sydney NSW 2109, Australia"}]},{"given":"Jiwook","family":"Jang","sequence":"additional","affiliation":[{"name":"Department of Actuarial Studies and Business Analytics, Macquarie Business School, Macquarie University , Sydney NSW 2109, Australia"}]},{"given":"Matteo","family":"Malavasi","sequence":"additional","affiliation":[{"name":"Department of Actuarial Studies and Business Analytics, Macquarie Business School, Macquarie University , Sydney NSW 2109, Australia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2768-8979","authenticated-orcid":false,"given":"Gareth W","family":"Peters","sequence":"additional","affiliation":[{"name":"Department of Statistics and Applied Probability, College of Letters and Science, University of California Santa Barbara , Santa Barbara, CA 93106, USA"}]},{"given":"Georgy","family":"Sofronov","sequence":"additional","affiliation":[{"name":"School of Mathematical and Physical Sciences, Faculty of Science and Engineering, Macquarie University , Sydney NSW 2109, Australia"}]},{"given":"Stefan","family":"Tr\u00fcck","sequence":"additional","affiliation":[{"name":"Department of Actuarial Studies and Business Analytics, Macquarie Business School, Macquarie University , Sydney NSW 2109, Australia"}]}],"member":"286","published-online":{"date-parts":[[2023,1,24]]},"reference":[{"key":"2023012505325854800_bib1","article-title":"Global risk report","author":"World Economic Forum","year":"2020"},{"key":"2023012505325854800_bib2","article-title":"Cyber risk resources for practitioners","author":"Allison","year":"2014"},{"key":"2023012505325854800_bib3","article-title":"Cyber risk executive summary","author":"Allison","year":"2014"},{"key":"2023012505325854800_bib4","article-title":"International convergence of capital measurement and capital standards: a revised framework","author":"Basel Committee on Banking Supervision","year":"2006"},{"key":"2023012505325854800_bib5","article-title":"A taxonomy of operational cyber security risks","author":"Cebula","year":"2010"},{"key":"2023012505325854800_bib6","doi-asserted-by":"crossref","DOI":"10.1002\/9781118573013","volume-title":"Fundamental Aspects of Operational Risk and Insurance Analytics: A Handbook of Operational Risk","author":"Cruz","year":"2015"},{"key":"2023012505325854800_bib7","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-642-15923-7","volume-title":"Modelling Operational Risk Using Bayesian Inference","author":"Shevchenko","year":"2011"},{"issue":"(3)","key":"2023012505325854800_bib8","first-page":"1","article-title":"An investigation of cyber loss data and its links to operational risk","volume":"14","author":"Cohen","year":"2019","journal-title":"J Oper Risk"},{"key":"2023012505325854800_bib9","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1016\/j.insmatheco.2022.05.003","article-title":"Cyber risk frequency, severity and insurance viability","volume":"106","author":"Malavasi","year":"2022","journal-title":"Insur Math Econ"},{"key":"2023012505325854800_bib10","author":"Allianz Risk Barometer","year":"2021"},{"key":"2023012505325854800_bib11","doi-asserted-by":"crossref","first-page":"93","DOI":"10.1111\/rmir.12169","article-title":"Cyber risk management: history and future research directions","volume":"24","author":"McShane","year":"2021","journal-title":"Risk Manag Insur Rev"},{"key":"2023012505325854800_bib12","doi-asserted-by":"crossref","first-page":"102248","DOI":"10.1016\/j.cose.2021.102248","article-title":"Cyber security in the age of COVID-19: a timeline and analysis of cyber-crime and cyber-attacks during the pandemic","volume":"105","author":"Lallie","year":"2021","journal-title":"Comput Secur"},{"key":"2023012505325854800_bib13","doi-asserted-by":"crossref","first-page":"131","DOI":"10.1057\/gpp.2014.19","article-title":"Insurability of cyber risk: an empirical analysis","volume":"40","author":"Biener","year":"2015","journal-title":"Geneva Pap Risk Insur Iss Pract"},{"key":"2023012505325854800_bib14","doi-asserted-by":"crossref","first-page":"1109","DOI":"10.1016\/j.ejor.2018.07.021","article-title":"What are the actual costs of cyber risk events?","volume":"272","author":"Eling","year":"2019","journal-title":"Eur J Oper Res"},{"key":"2023012505325854800_bib15","doi-asserted-by":"crossref","first-page":"81","DOI":"10.1145\/636772.636774","article-title":"A framework for using insurance for cyber-risk management","volume":"46","author":"Gordon","year":"2003","journal-title":"Commun ACM"},{"key":"2023012505325854800_bib16","article-title":"Cyber information sharing: building collective security","author":"World Economic Forum","year":"2020"},{"key":"2023012505325854800_bib17","article-title":"Privacy Amendment (notifiable data breaches) Bill 2016","author":"Parliament of Australia","year":"2017"},{"key":"2023012505325854800_bib18","first-page":"121","article-title":"Examining the costs and causes of cyber incidents","volume":"2","author":"Romanosky","year":"2016","journal-title":"J Cybersecur"},{"key":"2023012505325854800_bib19","volume-title":"Heavy-Tail Phenomena: Probabilistic and Statistical Modeling","author":"Resnick","year":"2007"},{"key":"2023012505325854800_bib20","article-title":"European cybersecurity centres of expertise map","author":"JRC","year":"2018"},{"key":"2023012505325854800_bib21","first-page":"303","article-title":"Understanding cyber-risk and cyber-insurance","author":"Peters","year":"2018","journal-title":"Fintech: Growth and Deregulation"},{"key":"2023012505325854800_bib22","first-page":"75","article-title":"Statistical machine learning analysis of cyber risk data: event case studies","volume-title":"Fintech: Growth and Deregulation","author":"Peters","year":"2018"},{"key":"2023012505325854800_bib23","article-title":"A proposal for a European cybersecurity taxonomy","author":"JRC","year":"2019"},{"key":"2023012505325854800_bib24","doi-asserted-by":"crossref","DOI":"10.21236\/ADA609863","article-title":"A taxonomy of operational cyber security risks version 2","author":"Cebula","year":"2014"},{"key":"2023012505325854800_bib25","article-title":"Cyber resilience: the cyber risk challenge and the role of insurance","author":"CRO","year":"2014"},{"key":"2023012505325854800_bib26","article-title":"CRO Forum Concept Paper on a proposed categorisation methodology for cyber risk","author":"CRO","year":"2016"},{"key":"2023012505325854800_bib27","article-title":"Information risk: insight study","author":"Cyentia","year":"2016"},{"key":"2023012505325854800_bib28","article-title":"Standards for security categorization of federal information and information systems","author":"NIST","year":"2004"},{"key":"2023012505325854800_bib29","article-title":"Annual cyber threat report","author":"Australian Cyber Security Centre","year":"2020"},{"key":"2023012505325854800_bib30","article-title":"North American Industry Classification System","author":"Executive Office of the President Office of Management and Budget","year":"2020"},{"key":"2023012505325854800_bib31","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1093\/cybsec\/tyw003","article-title":"Hype and heavy tails: a closer look at data breaches","volume":"2","author":"Edwards","year":"2016","journal-title":"J Cybersecur"},{"key":"2023012505325854800_bib32","doi-asserted-by":"crossref","first-page":"126","DOI":"10.1016\/j.insmatheco.2017.05.008","article-title":"Data breaches: goodness of fit, pricing, and risk measurement","volume":"75","author":"Eling","year":"2017","journal-title":"Insur Math Econ"},{"key":"2023012505325854800_bib33","doi-asserted-by":"crossref","first-page":"357","DOI":"10.1140\/epjb\/e2010-00120-8","article-title":"Heavy-tailed distribution of cyber-risks","volume":"75","author":"Maillart","year":"2010","journal-title":"Eur Phys J B"},{"key":"2023012505325854800_bib34","article-title":"The Freedom of Information Act","author":"The U.S. Department of Justice","year":"2016"},{"issue":"(3)","key":"2023012505325854800_bib35","doi-asserted-by":"crossref","first-page":"3","DOI":"10.21314\/JOP.2006.016","article-title":"The structural modeling of operational risk via Bayesian inference: combining loss data with expert opinions","volume":"1","author":"Shevchenko","year":"2006","journal-title":"J Oper Risk"},{"issue":"(3)","key":"2023012505325854800_bib36","doi-asserted-by":"crossref","first-page":"3","DOI":"10.21314\/JOP.2007.030","article-title":"The quantification of operational risk using internal data, relevant external data and expert opinion","volume":"2","author":"Lambrigger","year":"2007","journal-title":"J Oper Risk"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/9\/1\/tyac016\/48846454\/tyac016.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/9\/1\/tyac016\/48846454\/tyac016.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,1,25]],"date-time":"2023-01-25T05:33:29Z","timestamp":1674624809000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyac016\/7000422"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,1,1]]},"references-count":36,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,1,5]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyac016","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2023,1,1]]},"published":{"date-parts":[[2023,1,1]]},"article-number":"tyac016"}}