An investigation of cyber loss data and its links to operational risk
Journal of Operational Risk (IF 0.645), Pub Date: 2019-01-01, DOI: 10.21314/jop.2019.228
Ruben D. Cohen, Jonathan Humphries, Sabrina Veau, Roger Francis

Cyber risk is one of the most challenging areas of risk, not only because it is relatively nascent but also because it remains an elusive moving target due to an ever-evolving threat landscape. A lack of structured data and the systemic implications of multifaceted impacts of overlapping risk frameworks are additional factors that make this risk difficult to quantify. As a starting point for overcoming this challenge, our paper considers a potential definition of this risk type, encompassing confidentiality, integrity and availability; the key components of a cyber-risk framework; a taxonomy to help establish a common framework for data collection to aid quantification; and the key quantification challenges. It then focuses on quantifying the direct financial and compensatory losses emanating from cyber risks. To help us carry this out, dimensional analysis is incorporated in the same manner as it has been applied to operational losses; this enables the identification of any similarities and/or gross deviations between the profiles of cyber and non-cyber operational losses. In all, considering the limited amount of cyber data available, this analysis shows that: (1) a taxonomy for cyber risk that maps directly to operational risk might be a worthwhile exercise; (2) cyber loss data has a fundamental risk profile similar to that of non-cyber operational risk losses, with both following the same trend; and (3) the underlying risk profile related to cyber losses has not changed materially over time.
These findings come with the added implications that: (1) mapping the taxonomies of cyber and operational risk against each other could be conducted more objectively; (2) operational risk modeling techniques that have been developed over the past decade or so could be used in the same way to assess the direct financial impact of cyber risk as a starting point; and (3) although there has been an increase in both the frequency and the severity of cyber losses over the past few years, there has not been a major paradigm shift in their fundamental risk profile over the same period of time.

Updated: 2019-01-01