Statistical Modeling of Data Breach Risks: Time to Identification and Notification

It is very challenging to predict the cost of a cyber incident owing to the complex nature of cyber risk. However, it is inevitable for insurance companies who offer cyber insurance policies. The time to identify an incident and the time to notify affected individuals are two important components in determining the cost of a cyber incident. In this work, we initiate a study on these two metrics via statistical modeling approaches. Particularly, we propose a novel approach to imputing the missing data and further develop a dependence model to capture the complex pattern exhibited by those two metrics. The empirical study shows that the proposed approach has a satisfactory predictive performance and is superior to several commonly used models.This work was supported by a grant from the Casualty Actuarial Society.