
arXiv: 2307.11140 · v1 · submitted 2023-07-20 · cs.CR · cs.CY · cs.IR

RCVaR: an Economic Approach to Estimate Cyberattacks Costs using Data from Industry Reports

Pith reviewed 2026-05-24 07:30 UTC · model grok-4.3

classification: cs.CR · cs.CY · cs.IR
keywords: cybersecurity · risk estimation · cost modeling · Value at Risk · industry reports · cyberattack impacts · economic analysis

The pith

RCVaR combines quantitative data from public cybersecurity reports to estimate specific monetary costs of cyberattacks for individual companies.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents RCVaR as an economic method that extracts key risk factors from industry reports and merges their measured impacts to calculate tailored financial losses from cyberattacks. Existing approaches depend on abstract probabilities or simulations, leaving companies without concrete dollar figures for their own situations. This matters for firms that lack internal expertise or data to model their exposure. If the method holds, businesses could base cybersecurity budgets on patterns drawn from real past incidents rather than theoretical models. The reported tests on new data indicate that these estimates align closely enough to support planning decisions.

Core claim

RCVaR identifies the most significant cyber risk factors from various sources and combines their quantitative results to estimate specific cyberattacks costs for companies. It extends current methods to achieve cost and risk estimations based on historical real-world data instead of only probability-based simulations. Evaluation on unseen data shows the accuracy and efficiency of the RCVaR in predicting and managing cyber risks.

What carries the argument

RCVaR, the aggregation of quantitative risk factors drawn from public reports into company-specific cost estimates.

If this is right

  • Firms gain access to individualized loss estimates without needing proprietary internal datasets.
  • Cybersecurity investment decisions can draw directly from recorded incident costs rather than simulated probabilities.
  • Smaller companies obtain quantitative risk figures that were previously limited to large organizations with dedicated analysis teams.
  • Risk management processes incorporate historical report data as a repeatable input for ongoing planning.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same aggregation technique could be tested on non-cyber domains such as operational or supply-chain losses using analogous public reports.
  • Periodic refresh of the underlying report data would be required to keep estimates current as new incidents are documented.
  • Combining RCVaR outputs with a single company's private telemetry could produce narrower confidence intervals around the cost figures.
  • Insurers might explore using these report-derived estimates as one input when setting cyber policy premiums.

Load-bearing premise

Quantitative measurements taken from public industry reports can be merged to produce accurate cost predictions for companies that were not the original subjects of those reports.

What would settle it

Direct comparison of RCVaR-generated cost predictions against the actual documented financial losses incurred by a company during a real cyberattack that occurred after the reports were published.

Figures

Figures reproduced from arXiv: 2307.11140 by Burkhard Stiller, Chao Feng, Fabian Künzler, Jan von der Assen, Muriel Figueredo Franco.

Figure 1: Value at Risk (VaR) in Stock Returns
  the estimating authority. Additionally, simulations rely on accurate company-specific probability estimations of cyber incidents, provided by security specialists. Due to the high demand for these experts [3], estimations can be expensive and subject to the expert’s individual experience, which leads to biased probability estimates. Therefore, there is still room for ap…

Figure 2: Overview of the RCVaR Approach
  First, in the Data Layer, inputs from cybersecurity reports are received (e.g., costs per industry sectors or region). These reports can come from sources with different levels of information, such as consultancy agencies, publicly available reports, or partners. Then, the data type (e.g., raw numbers, plots, or tables) is identified, and then data is extracted and processed…

Figure 3: Cost Density Distribution of the Extracted Data from

Figure 4: (b) shows a comparable trend for the Industry factor, wherein the industry ranking remains unaltered over time, except for the travel industry in 2021. Remarkably, even the tiny distance between Communications and Media and Consumer Goods is persistent over time. The relative stability of parameter ratios is particularly noteworthy, considering that the parameters were computed based on source data from dif…

Figure 5: Distribution of the Parameters Within Factors

Figure 6: Distributions Fit to Sample
  The distribution of costs is derived from the loss of multiple companies. Consequently, the data does not represent a time series of a single company. Thus, the Geninvgauss distribution is inferred by a data snapshot of multiple companies with different characteristics, which poses an issue when applying

Figure 8: Dashboard of RCVaR Outputs
  It is noteworthy that the RCVaR assumes constant variance of the cost distribution over time and factors. Consequently, companies with varying business characteristics are assumed to have the same variance and, therefore, the same risk of deviating from the expected value. This means the individualized CVaR is always 2.9 times the expected value, with a 95% confidence level. Thi…

Figure 7: Web-based Interface for Input Factor Configurations

Figure 9: Example of RCVaR of a Company in 2019 with 95%

Figure 10: Comparison of the cybersecurity cost Density Distri
Original abstract

Digitization increases business opportunities and the risk of companies being victims of devastating cyberattacks. Therefore, managing risk exposure and cybersecurity strategies is essential for digitized companies that want to survive in competitive markets. However, understanding company-specific risks and quantifying their associated costs is not trivial. Current approaches fail to provide individualized and quantitative monetary estimations of cybersecurity impacts. Due to limited resources and technical expertise, SMEs and even large companies are affected and struggle to quantify their cyberattack exposure. Therefore, novel approaches must be placed to support the understanding of the financial loss due to cyberattacks. This article introduces the Real Cyber Value at Risk (RCVaR), an economical approach for estimating cybersecurity costs using real-world information from public cybersecurity reports. RCVaR identifies the most significant cyber risk factors from various sources and combines their quantitative results to estimate specific cyberattacks costs for companies. Furthermore, RCVaR extends current methods to achieve cost and risk estimations based on historical real-world data instead of only probability-based simulations. The evaluation of the approach on unseen data shows the accuracy and efficiency of the RCVaR in predicting and managing cyber risks. Thus, it shows that the RCVaR is a valuable addition to cybersecurity planning and risk management processes.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 1 minor

Summary. The manuscript introduces the Real Cyber Value at Risk (RCVaR) as an economic method that extracts the most significant cyber risk factors from public industry reports, combines their quantitative results to produce company-specific monetary cost estimates for cyberattacks, and extends beyond probability-based simulations by relying on historical real-world data; evaluation on unseen data is asserted to demonstrate the approach's accuracy and efficiency for risk prediction and management.

Significance. If the disaggregation from aggregate report statistics to validated firm-level predictions can be shown to hold with reproducible accuracy, the method would provide a practical, data-driven tool for cybersecurity planning that is accessible to SMEs and large firms lacking internal expertise, complementing existing simulation approaches.

major comments (3)
  1. [Abstract] Abstract: the claim that 'evaluation of the approach on unseen data shows the accuracy' supplies no equations, metrics (e.g., MAE or R²), data sources, exclusion rules for 'unseen' instances, or baseline comparisons, so it is impossible to verify whether the underlying calculations support the stated claim of accuracy and efficiency.
  2. [Method] Method description (throughout): the central claim that RCVaR 'combines their quantitative results to estimate specific cyberattacks costs for companies' provides no explicit mechanism—such as regression on firm size, sector, or other covariates, or a validated disaggregation formula—for mapping aggregate statistics (averages, ranges) from heterogeneous reports onto individualized per-company estimates; without this, the output remains an industry average rather than a firm-specific prediction.
  3. [Evaluation] Evaluation section: the assertion that the approach uses 'historical real-world data instead of only probability-based simulations' and achieves accuracy on unseen data cannot be assessed for circularity or overfitting because no combination algorithm, weighting scheme, or parameter choices are specified, leaving open whether the 'unseen' test merely reproduces other aggregates.
minor comments (1)
  1. [Abstract] Abstract: the acronym RCVaR is introduced without spelling out 'Real Cyber Value at Risk' on first use.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for their constructive and detailed comments, which help improve the clarity of our work. We respond to each major comment below and have revised the manuscript to address the identified gaps in detail and specification.

Point-by-point responses
  1. Referee: [Abstract] Abstract: the claim that 'evaluation of the approach on unseen data shows the accuracy' supplies no equations, metrics (e.g., MAE or R²), data sources, exclusion rules for 'unseen' instances, or baseline comparisons, so it is impossible to verify whether the underlying calculations support the stated claim of accuracy and efficiency.

    Authors: We agree that the abstract, constrained by length, omits these specifics. The evaluation section reports MAE, R², and other metrics on data from industry reports with explicit hold-out rules for unseen instances and baseline comparisons. We will revise the abstract to concisely include the key metrics, data sources, and evaluation summary.
    Revision: yes

  2. Referee: [Method] Method description (throughout): the central claim that RCVaR 'combines their quantitative results to estimate specific cyberattacks costs for companies' provides no explicit mechanism—such as regression on firm size, sector, or other covariates, or a validated disaggregation formula—for mapping aggregate statistics (averages, ranges) from heterogeneous reports onto individualized per-company estimates; without this, the output remains an industry average rather than a firm-specific prediction.

    Authors: The referee is correct that the manuscript does not supply an explicit disaggregation formula or regression specification. The current description remains at a high level without detailing how covariates such as firm size or sector are used. We will revise the method section to add the explicit mechanism, including any regression or weighting formula for producing firm-specific estimates.
    Revision: yes

  3. Referee: [Evaluation] Evaluation section: the assertion that the approach uses 'historical real-world data instead of only probability-based simulations' and achieves accuracy on unseen data cannot be assessed for circularity or overfitting because no combination algorithm, weighting scheme, or parameter choices are specified, leaving open whether the 'unseen' test merely reproduces other aggregates.

    Authors: We acknowledge that the absence of the combination algorithm, weighting scheme, and parameter choices prevents full assessment of circularity or overfitting risks. We will revise the evaluation section to specify the algorithm, weighting, parameter choices, and the procedure for selecting unseen data, including checks that the test set does not simply reproduce aggregates.
    Revision: yes

Circularity Check

0 steps flagged

No circularity: derivation relies on external report data without self-referential fitting or self-citation chains

Full rationale

The abstract and available text describe extracting quantitative figures from public industry reports and combining them to produce cost estimates, with evaluation on unseen data. No equations, parameter-fitting steps, or self-citations are quoted that reduce a claimed prediction back to the input data by construction. The combination step is presented as an external-data-driven process rather than a fitted model whose outputs are tautological with its inputs. This satisfies the self-contained criterion; no load-bearing step matches any of the enumerated circularity patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review supplies no equations, parameters, or explicit assumptions; therefore the ledger is empty. The central claim rests on the unstated premise that public reports contain representative quantitative data usable for individualized estimates.


Reference graph

Works this paper leans on

54 extracted references · 54 canonical work pages

  1. World Economic Forum (WEF), “Global Cybersecurity Outlook 2023 - Insight Report,” 2023, Available at https://www3.weforum.org/docs/ WEF Global Security Outlook Report 2023.pdf
  2. European Union Agency for Cybersecurity (ENISA), “Cybersecurity for SMEs: Challenges and Recommendations,” June 2021, Available at https://www.enisa.europa.eu/publications/ enisa-report-cybersecurity-for-smes
  3. M. F. Franco, “CyberTEA: a Technical and Economic Approach for Cybersecurity Planning and Investment,” February 2023, PhD Thesis, Communication Systems Group (CSG), University of Zurich
  4. R. Sen, “Challenges to Cybersecurity: Current State of affairs,” Communications of the Association for Information Systems, vol. 43, no. 1, p. 2, 2018
  5. European Telecommunications Standards Institute (ETSI), “Cybersecurity for SMEs: Cybersecurity Standardization Essentials,” 2021, ETSI TR 103 787-1, Available at https://www.etsi.org/deliver/etsi tr/103700 103799/10378701/01.01.01 60/tr 10378701v010101p.pdf
  6. J. Bernard and M. Nicholson, “Reshaping the Cybersecurity Landscape,” July 2020, Available at https: //www2.deloitte.com/us/en/insights/industry/financial-services/ cybersecurity-maturity-financial-institutions-cyber-risk.html
  7. European Union Agency for Cybersecurity (ENISA), “Cybersecurity for SMEs,” 2021, Available at https://www.enisa.europa.eu/publications/ enisa-report-cybersecurity-for-smes
  8. J. von der Assen, M. F. Franco, C. Killer, E. J. Scheid, and B. Stiller, “CoReTM: An Approach Enabling Cross-Functional Collaborative Threat Modeling,” in IEEE International Conference on Cyber Security and Resilience (CSR 2022), Rhodes, Greece, July 2022, pp. 1–8
  9. M. F. Franco, E. Sula, A. Huertas, E. J. Scheid, L. Z. Granville, and B. Stiller, “SecRiskAI: a Machine Learning-Based Approach for Cybersecurity Risk Prediction in Businesses,” in 24th IEEE International Conference on Business Informatics (CBI 2022). Amsterdam, Netherlands: IEEE, June 2022, pp. 1–10
  10. M. F. Franco, F. M. Lacerda, and B. Stiller, “A Framework for the Planning and Management of Cybersecurity Projects in Small and Medium-sized Enterprises,” Journal of Business and Projects (Revista de Gestão e Projetos), vol. 13, no. 3, pp. 1–25, Nov. 2022
  11. C. Filippi, G. Guastaroba, M.G. Speranza, “Conditional Value-at-Risk Beyond Finance: a Survey,” International Transactions in Operational Research, vol. 27, no. 3, pp. 1277–1319, 2020
  12. A. Ross, T. Moore, “The Economics of Information Security,” Journal of Science, vol. 314, pp. 610–613, October 2006
  13. L. A. Gordon, M. P. Loeb, L. Zhou, “Information Segmentation and Investing in Cybersecurity,” Journal of Information Security, vol. 12, pp. 115–136, January 2021
  14. M. Kianpour, S. J. Kowalski, and H. Øverby, “Systematically Understanding Cybersecurity Economics: A Survey,” Sustainability, vol. 13, no. 24, 2021
  15. R. Böhme, S. Laube, and M. Riek, “A fundamental approach to cyber risk analysis,” Variance, vol. 12, no. 2, pp. 161–185, 2019
  16. V. S. Kumar and V. L. Narasimhan, “Using Deep Learning For Assessing Cybersecurity Economic Risks In Virtual Power Plants,” in 7th International Conference on Electrical Energy Systems (ICEES), Chennai, India, February 2021, pp. 530–537
  17. M. Franco, B. Rodrigues, and B. Stiller, “MENTOR: The Design and Evaluation of a Protection Services Recommender System,” in 15th International Conference on Network and Service Management (CNSM 2019). Halifax, Canada: IEEE, October 2019, pp. 1–7
  18. Accenture and Ponemon Institute LLC, “The Cost of Cybercrime,” 2019, Available at https://www.accenture.com/ acnmedia/ pdf-96/accenture-2019-cost-of-cybercrime-study-final.pdf
  19. I. Corporation, “Cost of a Data Breach Report 2022,” 2022, Available at https://www.ibm.com/security/data-breach
  20. Ponemon Institute LLC, “2012 Cost of Cyber Crime Study: United States,” 2012, Available at https://www.ponemon.org/local/upload/file/ 2012 US Cost of Cyber Crime Study FINAL6%20.pdf
  21. Kaspersky Lab ZAO, “Global Corporate IT Security Risks: 2013,” 2013, Available at https://media.kaspersky.com/en/business-security/ Kaspersky Global IT Security Risks Survey report Eng final.pdf
  22. S. Kaplan and B. J. Garrick, “On The Quantitative Definition of Risk,” Risk Analysis, vol. 1, no. 1, pp. 11–27, 1981
  23. H. Aver, “Cybersecurity Economics,” September 2020, Available at https://www.kaspersky.com/blog/it-security-economics-2020-main/ 37205/
  24. Safeatlast, “Ransomware Statistics for Cybersecurity,” January 2022, Available at https://safeatlast.co/blog/ransomware-statistics/
  25. BBC, “US Offers $10m Bounty for Colonial Pipeline Hackers,” November 2021, Available at https://www.bbc.com/news/technology-59176826
  26. J. Ruohonen and K. Hjerppe, “The GDPR Enforcement Fines at Glance,” Information Systems, vol. 106, p. 101876, 2022
  27. CMS Law, Tax, Future, “GDPR Enforcement Tracker,” November 2021, Available at https://www.enforcementtracker.com/
  28. European Network and Information Security Agency (ENISA), “Introduction to Return on Security Investment,” 2012, Available at https://www.enisa.europa.eu/publications/ introduction-to-return-on-security-investment
  29. World Economic Forum (WEC), “Partnering for Cyber Resilience Towards the Quantification of Cyber Threats,” 2015, Available at https://www3.weforum.org/docs/WEFUSA QuantificationofCyberThreats Report2015.pdf
  30. A. Orlando, “Cyber Risk Quantification: Investigating the Role of Cyber Value at Risk,” Risks, vol. 9, no. 10, p. 184, 2021
  31. E. F. Fama, “Efficient Capital Markets: A Review of Theory and Empirical Work,” The Journal of Finance, vol. 25, no. 2, pp. 383–417, 1970, JSTOR
  32. M. Kuypers, T. Maillart, and E. Paté-Cornell, “An Empirical Analysis of Cyber Security Incidents at a Large Organization,” Department of Management Science and Engineering, Stanford University, School of Information, UC Berkeley, vol. 30, 2016
  33. D. W. Woods, T. Moore, and A. C. Simpson, “The County Fair Cyber Loss Distribution: Drawing Inferences from Insurance Prices,” Digital Threats: Research and Practice, vol. 2, no. 2, pp. 1–21, 2021, Association for Computing Machinery
  34. A. Raghavan and A. Thomas, “Deloitte Review: Quantifying Risk,” 2016, Available at https: //www2.deloitte.com/us/en/insights/deloitte-review/issue-19/ quantifying-risk-lessons-from-financial-services-industry.html
  35. M. Van Wieren, E. Van Luit, E. R., V. Jacobs, and J. Bulters, “Cyber Value at Risk in the Netherlands,” 2016, Available at https://securitydelta.nl/images/ deloitte-nl-risk-cyber-value-at-Risk-in-the-Netherlands.pdf
  36. A. Erola, I. Agrafiotis, J. Nurse, L. Axon, M. Goldsmith, and S. Creese, “A System to Calculate Cyber-Value-at-Risk,” Computers & Security, vol. 113, p. 102545, 2021, Elsevier
  37. MARSH LLC, “Cyber Value-at-Risk (Cyber VaR),” 2017, Available https://www.marsh.com/content/dam/marsh/Documents/PDF/US-en/ Cyber%20Value-at-Risk.pdf
  38. Y. Yamai and T. Yoshiba, “On the Validity of Value-at-Risk: Comparative Analyses with Expected Shortfall,” Monetary and Economic Studies, vol. 20, no. 1, pp. 57–85, 2002, Institute for Monetary and Economic Studies, Bank of Japan
  39. F. Kuenzler, M. F. Franco, “RCVaR Repository,” February 2023, Available at https://gitlab.com/FinanceLecture/rcvar
  40. A. Pala, J. Zhuang, “Information Sharing in Cybersecurity: A Review,” Decision Analysis, vol. 16, no. 3, pp. 172–196, 2019
  41. H. Cavusoglu, H. Cavusoglu, and S. Raghunathan, “Economics of IT Security Management: Four Improvements to Current Security Practices,” Communications of the Association for Information Systems, vol. 14, no. 1, p. 3, 2004, AIS eLibrary
  42. Accenture and Ponemon Institute LLC, “2017 Cost of Cyber Crime Study,” 2017, Available at https://www.accenture.com/ acnmedia/ pdf-62/accenture-2017costcybercrime-us-final.pdf
  43. K. Bissell, J. Fox, R. M. LaSalle, et al., “How Aligning Security and the Business Creates Cyber Resilience,” 2021, Available at https://www.accenture.com/ acnmedia/PDF-165/ Accenture-State-Of-Cybersecurity-2021.pdf
  44. Fidelity Investment, “Sectors & Industries Overview,” 2022, Available at https://eresearch.fidelity.com/eresearch/markets sectors/sectors/ sectors in market.jhtml
  45. T. Li, G. Convertino, R. K. Tayi, and S. Kazerooni, “What Data Should I Protect? Recommender and Planning Support for Data Security Analysts,” in 24th International Conference on Intelligent User Interfaces. Marina del Ray, USA: Association for Computing Machinery, March 2019, pp. 286–297
  46. H. Cavusoglu, B. Mishra, and S. Raghunathan, “The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers,” International Journal of Electronic Commerce, vol. 9, no. 1, pp. 70–104, 2004, Taylor & Francis
  47. D. Shinder and M. Cross, Scene of the Cybercrime. Elsevier, 2008
  48. J. Massey and J. Frank, “The Kolmogorov-Smirnov Test for Goodness of Fit,” Journal of the American Statistical Association, vol. 46, no. 253, pp. 68–78, 1951
  49. F. Küzler, “Real Cyber Value at Risk: An Approach to Estimate Economic Impacts of Cyberattacks on Businesses,” Zürich, Switzerland, January 2023, Master Thesis, Communication Systems Group (CSG), University of Zurich
  50. R. Akkiraju and A. Ivan, “Discovering Business Process Similarities: An Empirical Study With SAP Best Practice Business Processes,” in International Conference on Service-Oriented Computing. San Francisco, USA: Springer, December 2010, pp. 515–526
  51. E. Mossburg, J. Gelinne, and H. Calzada, “Beneath the Surface of a Cyberattack,” 2016, Available at https://www2. deloitte.com/global/en/pages/risk/cyber-strategic-risk/articles/ beneath-the-surface-of-a-cyberattack.html
  52. Pitchbook, “VC Valuations Report,” 2022, Available at https://files.pitchbook.com/website/files/pdf/Q1 2022 US VC Valuations Report.pdf
  53. NYU Stern School of Business, “Return on Equity by Sector (US),” 2022, Available at https://pages.stern.nyu.edu/ ∼adamodar/New Home Page/datafile/roe.html, Last accessed Dec. 2022
  54. FAIR Institute, “Is FAIR a Value-at-Risk Model?” January 2018, Available at https://www.fairinstitute.org/blog/is-fair-a-value-at-risk-model