Cyber risk measurement with ordinal data

  • Silvia Facchinetti
  • Paolo Giudici
  • Silvia Angela Osmetti
Original Paper


The paper proposes a new methodology to measure cyber risks which, instead of using quantitative loss data, which are often not available, employs ordinal data. The method relies on the construction of a criticality index, whose properties are discussed and compared with alternative measures employed in operational risk measurement. The methodology is illustrated on data regarding cyber attacks collected at the worldwide level. The proposed measure is found to be quite effective at ranking cyber risk types. Thus, from a policy perspective, it can be useful to guide the implementation of preventive actions.


Criticality index, Cyber attacks, Operational risk, Ordinal data modelling



We thank the editor and two anonymous referees for useful comments and suggestions, which have improved the quality of the paper.



Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  1. Department of Statistical Science, Università Cattolica del Sacro Cuore, Milan, Italy
  2. Department of Economics and Management, University of Pavia, Pavia, Italy
