SaTC: CORE: Small: Measuring Systemic Cyber Risk

Many firms and sectors within the global economy depend on a common set of critical technology products and software services. While this convergence has undoubtedly enhanced efficiency, the widespread reliance on a limited set of specialized products and services has given rise to many single points of system vulnerability. Such concentration of risk amplifies the potential fallout from security breaches, especially since attackers have strong incentives to specifically attack such products and services.

This project seeks to develop improved measures of financial sector cyber risk. The findings should have an immediate and direct impact on measuring and mitigating systemic (i.e., system-wide) cyber risk. It will also provide insights, providing guidance for data that should be gathered in the U.S. and beyond in future to evaluate and quantify systemic cyber risk.

The findings could also help the comparatively new cyber insurance market measure and quantify correlated cyber risk.

This project takes an important step in defining and empirically measuring systemic cyber risk. Systemic risk and cyber risk are first measured separately. Then, they are combined to examine key research questions about systemic cyber risk.

Product-level systemic cyber risk occurs when there is concentration among technology suppliers and the products of those suppliers exhibit significant numbers of vulnerabilities, product exploits and/or publicly observed attacks. Firm-level systemic cyber risk occurs when dominant firms in a sector employ few security controls. Since cyberspace is so complex, the project develops several different methods for measuring systemic risk and uses them to provide various measures of systemic cyber risk by sectors and firms.

The project leverages comprehensive data on firms and the technologies from the Spiceworks Company Intelligence Database (CIDB), which reports over 11,000 IT infrastructure products at the site and firm level for multiple years. The project additionally constructs datasets that measure security controls employed by firms as well as vulnerabilities and exploits at the product level.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.