Communications for Statistical Applications and Methods

The Korean Statistical Society (한국통계학회)
권호 표지
DOI QR코드

DOI QR Code

Volatility clustering in data breach counts

  • Shim, Hyunoo (Department of Actuarial Science, Hanyang University) ;
  • Kim, Changki (Korea University Business School, Korea University) ;
  • Choi, Yang Ho (Department of Actuarial Science, Hanyang University)
  • Received : 2020.04.20
  • Accepted : 2020.06.20
  • Published : 2020.07.31
Download PDF
⟨ Previous Next ⟩

Abstract

Insurers face increasing demands for cyber liability; entailed in part by a variety of new forms of risk of data breaches. As data breach occurrences develop, our understanding of the volatility in data breach counts has also become important as well as its expected occurrences. Volatility clustering, the tendency of large changes in a random variable to cluster together in time, are frequently observed in many financial asset prices, asset returns, and it is questioned whether the volatility of data breach occurrences are also clustered in time. We now present volatility analysis based on INGARCH models, i.e., integer-valued generalized autoregressive conditional heteroskedasticity time series model for frequency counts due to data breaches. Using the INGARCH(1, 1) model with data breach samples, we show evidence of temporal volatility clustering for data breaches. In addition, we present that the firms' volatilities are correlated between some they belong to and that such a clustering effect remains even after excluding the effect of financial covariates such as the VIX and the stock return of S&P500 that have their own volatility clustering.

Keywords

References

  1. Achcar JA, Coelho-Barros EA, Cuevas JRT, and Mazucheli J (2018). Use of Levy distribution to analyze longitudinal data with asymmetric distribution and presence of left censored data, Communications for Statistical Applications and Methods, 25, 43-60. https://doi.org/10.29220/CSAM.2018.25.1.043
  2. Aliyu SUR (2010). Does inflation has an impact on stock returns and volatility? Evidence from Nigeria and Ghana, Applied Financial Economics, 22, 427-435. https://doi.org/10.1080/09603107.2011.617691
  3. Axtell RL (2001). Zipf Distribution of U.S. Firm Sizes, Science (New York, N.Y.), 293, 1818-1820. https://doi.org/10.1126/science.1062081
  4. Bashan A, Berezin Y, Buldyrev SV, and Havlin S (2013). The extreme vulnerability of interdependent spatially embedded networks, Nature Physics, 9, 667-672. https://doi.org/10.1038/nphys2727
  5. Berliner B (1982). Limits of Insurability of Risks (1st Ed), Prentice Hall, Englewood Cliffs, N.J.
  6. Biener C and Eling M (2012). Insurability in microinsurance markets: an analysis of problems and potential solutions, The Geneva Papers on Risk and Insurance - Issues and Practice, 37, 77-107. https://doi.org/10.1057/gpp.2011.29
  7. Biener C, Eling M, and Wirfs JH (2015). Insurability of cyber risk: an empirical analysis, Geneva Papers on Risk and Insurance-Issues and Practice, 40, 131-158. https://doi.org/10.1057/gpp.2014.19
  8. Bohme R and Kataria G (2006). On the Limits of Cyber-Insurance. In Trust, Privacy, and Security in Digital Business, Proceedings, (S. Fischer-Hubner, S. Furnell, and C. Lambrinoudakis Eds), 4083, Springer, Berlin, Heidelberg.
  9. Bojanc R, and Jerman-Blazic B (2008). An economic modelling approach to information security risk management, International Journal of Information Management, 28, 413-422. https://doi.org/10.1016/j.ijinfomgt.2008.02.002
  10. Bollerslev T (1986). Generalized autoregressive conditional heteroskedasticity, Journal of Econometrics, 31, 307-327. https://doi.org/10.1016/0304-4076(86)90063-1
  11. Bonfim D (2009). Credit risk drivers: evaluating the contribution of firm level information and of macroeconomic dynamics, Journal of Banking & Finance, 33, 281-299. https://doi.org/10.1016/j.jbankfin.2008.08.006
  12. Cyber Claims Study (2018). NetDiligence. https://netdiligence.com/wp-content/uploads/2018/11/2018-NetDiligence-Claims-Study_Version-1.0.pdf.
  13. Campbell K, Gordon LA, Loeb MP, and Zhou L (2003). The economic cost of publicly announced information security breaches: empirical evidence from the stock market, Journal of Computer Security, 11, 431-448. https://doi.org/10.3233/JCS-2003-11308
  14. Cavusoglu H, Mishra B, and Raghunathan S (2004). The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers, International Journal of Electronic Commerce, 9, 69-104.
  15. Chavez-Demoulin V, Embrechts P, and Neslehova J (2006). Quantitative models for operational risk: extremes, dependence and aggregation, Journal of Banking & Finance, 30, 2635-2658. https://doi.org/10.1016/j.jbankfin.2005.11.008
  16. Clemen RT and Reilly T (1999). Correlations and copulas for decision and risk analysis, Management Science, 45, 208-224. https://doi.org/10.1287/mnsc.45.2.208
  17. CRO Forum (2014). Cyber resilience - The cyber risk challenge and the role of insurance. CRO Forum. https://www.thecroforum.org/wp-content/uploads/2015/01/Cyber-Risk-Paper-version-24-1.pdf.
  18. Durbin J, and Koopman SJ (2000). Time series analysis of non-Gaussian observations based on state space models from both classical and Bayesian perspectives, Journal of the Royal Statistical Society. Series B (Statistical Methodology), 62, Part1: 3-56. https://doi.org/10.1111/1467-9868.00218
  19. Eling M and Loperfido N (2017). Data breaches: goodness of fit, pricing, and risk measurement, Insurance: Mathematics and Economics, 75, 126-136. https://doi.org/10.1016/j.insmatheco.2017.05.008
  20. Eling M and Schnell W (2016). What do we know about cyber risk and cyber risk insurance?, The Journal of Risk Finance, 17, (5). Emerald Group Publishing Limited, 474-491. https://doi.org/10.1108/JRF-09-2016-0122
  21. Eling M and Wirfs JH (2016). Cyber risk: too big to insure? Risk Transfer Options for a Mercurial Risk Class. Institute of Insurance Economics I.VW-HSG.
  22. Engle RF (1982). Autoregressive conditional heteroscedasticity with estimates of the variance of United Kingdom Inflation, Econometrica, 50, 987-1007. https://doi.org/10.2307/1912773
  23. Ferland R, Latour A, and Oraichi D (2006). Integer-valued GARCH process, Journal of Time Series Analysis, 27, 923-942. https://doi.org/10.1111/j.1467-9892.2006.00496.x
  24. Heinen A (2003). Modelling time series count data, An Autoregressive Conditional Poisson Model. CORE Discussion Paper 2003062. Universite catholique de Louvain, Center for Operations Research and Econometrics (CORE).
  25. Herath H and Herath T (2011). Copula-based actuarial model for pricing cyber-insurance policies, Insurance Markets and Companies: Analyses and Actuarial Computations, 2, 7-10.
  26. Hofmann A and Ramaj H (2011). Interdependent risk networks: the threat of cyber attack, International Journal of Management and Decision Making, 11, 312. https://doi.org/10.1504/IJMDM.2011.043406
  27. Hovav A and Darcy JL (2003). The impact of denial-of-service attack announcements on the market value of firms, Risk Management and Insurance Review, 10, 97-121. https://doi.org/10.1046/J.1098-1616.2003.026.x
  28. Information Memorandum (2015). Information Memorandum, United States Department of Health and Human Services, Administration for Children and Families.
  29. Jacobsen B and Dannenburg D (2007). Volatility Clustering in Monthly Stock Returns, SSRN Scholarly Paper ID 1016668. Rochester, NY: Social Science Research Network.
  30. Kalman RE (1960). A new approach to linear filtering and prediction problems, Journal of Basic Engineering, 82, 35-45. https://doi.org/10.1115/1.3662552
  31. Kitagawa G (1981). A nonstationary time series model and its fitting by a recursive filter, Journal of Time Series Analysis, 2, 103-116 https://doi.org/10.1111/j.1467-9892.1981.tb00316.x
  32. Kitagawa G (1987). Non-Gaussian state-space modeling of nonstationary time series, Journal of the American Statistical Association, 82, 1032-1041. https://doi.org/10.2307/2289375
  33. Lee J and Hwang E (2018). A generalized regime-switching integer-valued GARCH(1, 1) model and its volatility forecasting, Communications for Statistical Applications and Methods, 25, 29-42. https://doi.org/10.29220/CSAM.2018.25.1.029
  34. Maillart T and Sornette D (2010). Heavy-Tailed Distribution of Cyber-Risks, The European Physical Journal B, 75, 357-764. https://doi.org/10.1140/epjb/e2010-00120-8
  35. Mandelbrot B (1963). The variation of certain speculative prices, The Journal of Business, 36, 394-394. https://doi.org/10.1086/294632
  36. Mukhopadhyay A, Chatterjee S, Saha D, Mahanti A, and Sadhukhan SK (2013). Cyber-risk decision models: To insure IT or not?, Decision Support Systems, 56, 11-16. https://doi.org/10.1016/j.dss.2013.04.004
  37. Ogut H, Raghunathan S, and Menon N (2011). Cyber security risk management: public policy implications of correlated risk, imperfect ability to prove loss, and observability of self-protection: cyber security risk management, Risk Analysis, 31, 497-512. https://doi.org/10.1111/j.1539-6924.2010.01478.x
  38. Pooser DM, Browne MJ, and Arkhangelska O (2018). Growth in the perception of cyber risk: evidence from U.S. P&C insurers, The Geneva Papers on Risk and Insurance - Issues and Practice, 43, 208-223. https://doi.org/10.1057/s41288-017-0077-9
  39. Samiev S (2013). GARCH(1, 1) with Exogenous Covariate for EUR/SEK Exchange Rate Volatility: On the Effects of Global Volatility Shock on Volatility. https://www.diva-portal.org/smash/get/diva2:676106/FULLTEXT01.pdf
  40. Sen R and Borle S (2015). Estimating the contextual risk of data breach: an empirical approach, Journal of Management Information Systems, 32, 314-341. https://doi.org/10.1080/07421222.2015.1063315
  41. Solove DJ, and Citron DK. 2017. "Risk and Anxiety: A Theory of Data-Breach Harms. Texas Law Review 96 (4): 737786.
  42. Sornette D, Malevergne Y, and Muzy JF (2004). Volatility fingerprints of large shocks: endogenous versus exogenous. In The Application of Econophysics (Hideki Takayasu ed, 9-102), Springer, Tokyo.
  43. Tariq U, Hong MP, and Lhee KS (2006). A Comprehensive Categorization of DDoS Attack and DDoS Defense Techniques. In Advanced Data Mining and Applications (Xue Li, Osmar R. Zaiane, and Zhanhuai Li eds, pp. 1025-1036). Lecture Notes in Computer Science, 4093, Springer, Berlin, Heidelberg.
  44. Tseng JJ and Li SP (2012). Quantifying volatility clustering in financial time series, International Review of Financial Analysis, 23, 11-19. https://doi.org/10.1016/j.irfa.2011.06.017
  45. Timmer J and Weigend AS (1997). Modeling volatility using state space models, International Journal of Neural Systems, 8, 385-398. https://doi.org/10.1142/S0129065797000392
  46. Wheatley S, Maillart T, and Sornette D (2016). The extreme risk of personal data breaches and the erosion of privacy, The European Physical Journal B, 89, 7. https://doi.org/10.1140/epjb/e2015-60754-4
  47. Yang Z and Lui JCS (2014). Security adoption and influence of cyber-insurance markets in heterogeneous networks, Performance Evaluation, 74, 1-17. https://doi.org/10.1016/j.peva.2013.10.003