94 results for « Résilience numérique » (digital resilience)
This paper introduces a dynamic, proactive cyber risk assessment methodology that combines internal and external data, converting qualitative inputs into quantitative measures within a Bayesian network. Using the Exploit Prediction Scoring System, it dynamically estimates attack success probabilities and asset impact, validated through a Supervisory Control and Data Acquisition (SCADA) environment case study.
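To make the idea of an EPSS-driven Bayesian risk estimate concrete, here is a small added example; it is not the paper's model or code. It assumes a two-layer network (CVE exploited, then asset compromised), a noisy-OR conditional probability table, and constructed sample values for the EPSS scores, the per-asset exposure factors (`EXPOSURE`) and the impact figures (`IMPACT`); the asset and CVE names are placeholders.

```python
"""Illustrative Bayesian-network cyber risk estimate driven by EPSS scores.

Added example, not the paper's model: the two-layer network (CVE exploited ->
asset compromised), the noisy-OR combination, the sample EPSS values, the
exposure factors and the impact figures are all constructed assumptions.
"""
from itertools import product

# Constructed sample EPSS values: P(exploitation activity within 30 days).
# Real scores are published by FIRST (https://www.first.org/epss/).
EPSS = {"CVE-A": 0.42, "CVE-B": 0.05, "CVE-C": 0.80}

# Constructed: parents of each asset node and the assumed conditional
# probability that an exploited CVE actually compromises the asset
# (reachability, required privilege, compensating controls).
EXPOSURE = {
    "historian": {"CVE-A": 0.90, "CVE-B": 0.60},
    "plc-gateway": {"CVE-B": 0.50, "CVE-C": 0.95},
}

# Constructed asset impact (loss if compromised), arbitrary currency units.
IMPACT = {"historian": 50_000, "plc-gateway": 400_000}


def noisy_or(probabilities):
    """Combine independent causes: P(any succeeds) = 1 - prod(1 - p_i)."""
    p_none = 1.0
    for p in probabilities:
        p_none *= 1.0 - p
    return 1.0 - p_none


def p_compromise(asset, epss=EPSS, exposure=EXPOSURE):
    """Closed-form marginal P(asset compromised) under the noisy-OR CPT."""
    return noisy_or(epss[cve] * q for cve, q in exposure[asset].items())


def expected_loss(asset, epss=EPSS):
    """Expected loss = P(compromise) * impact, the quantity used for ranking."""
    return p_compromise(asset, epss) * IMPACT[asset]


def rank_assets(epss=EPSS):
    """Assets ordered by expected loss, highest first."""
    return sorted(((a, expected_loss(a, epss)) for a in EXPOSURE),
                  key=lambda t: t[1], reverse=True)


def posterior_exploited(asset, cve, epss=EPSS, exposure=EXPOSURE):
    """P(cve exploited | asset compromised), by enumerating the parent states.

    Exact enumeration is affordable because each asset has few parents;
    a larger model would use a BN library with variable elimination.
    """
    parents = list(exposure[asset])
    p_comp = 0.0          # P(compromised)
    p_comp_and_cve = 0.0  # P(compromised and cve exploited)
    for states in product((0, 1), repeat=len(parents)):
        prior = 1.0
        active = []
        for name, s in zip(parents, states):
            prior *= epss[name] if s else 1.0 - epss[name]
            if s:
                active.append(exposure[asset][name])
        joint = prior * noisy_or(active)   # noisy_or([]) == 0: no cause, no compromise
        p_comp += joint
        if states[parents.index(cve)]:
            p_comp_and_cve += joint
    return p_comp_and_cve / p_comp


if __name__ == "__main__":
    for asset, loss in rank_assets():
        print(f"{asset:12s} P(compromise)={p_compromise(asset):.3f} "
              f"expected loss={loss:,.0f}")
    print("P(CVE-A exploited | historian compromised) =",
          round(posterior_exploited("historian", "CVE-A"), 3))
    # Dynamic re-scoring: a newly published exploit raises CVE-B's EPSS score,
    # and the ranking is recomputed from the same network.
    updated = dict(EPSS, **{"CVE-B": 0.60})
    print("after EPSS update:", rank_assets(updated))
```

The "dynamic" part of the approach is simply that the EPSS priors are refreshed as FIRST republishes scores and the marginals and posteriors are recomputed; the posterior query is the diagnostic direction (given a compromised asset, which CVE most likely got the attacker in), which is what makes a Bayesian network more useful than a static scoring sheet.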
Cybersecurity investment models often mislead practitioners due to unreliable data, unverified assumptions, and false premises. These models work under idealized conditions rarely seen in real-world settings, so practitioners should carefully adapt them, recognizing their limitations and avoiding strict reliance on their recommendations.
Open innovation in software can improve security by allowing vulnerabilities to be found before release. However, for open source software, post-release vulnerabilities are more likely to be exploited due to source code visibility. This research shows that open source software faces greater attack risks after vulnerabilities are discovered compared to closed source software.
This paper argues that traditional cyber risk classifications are too restrictive for effective out-of-sample forecasting. It recommends focusing on dynamic, impact-based classifications for better predictions of cyber risk losses, suggesting that risk types are more useful for modeling event frequency rather than severity.
This paper introduces a novel multivariate dependence model to better represent cyber breach risks by capturing temporal and cross-group dependencies. Using a semi-parametric and copula approach, it improves predictive performance and generates more profitable insurance contracts, outperforming existing models in managing cyber risk and insurance pricing.
This study examines how organizations conceptualize and manage cyber risk, finding a gap between the normative risk-based management approach and actual practices. Organizations often use qualitative assessments masked as quantitative, creating an illusion of precision. The study proposes "qualculation" as the highest standard for aligning cyber risk measurement and management.
“We find suggestive evidence indicating that some firms manipulate the discovery date (“misreport”) of a cybersecurity incident to postpone the disclosure of the incident, as evidenced by a pronounced spike in insider sales before the reported discovery date. We also find that misreporting is more prevalent among firms with weak internal control systems, when firms face low litigation risk, and when firms have greater pressure to meet a disclosure deadline.”
Financial institutions must enhance cyber defenses and regulatory frameworks must adapt to new risks. International agencies are creating coherent cybersecurity standards, exemplified by the EU's Digital Operational Resilience Act (DORA). Effective defense also requires robust institutional governance and sector-led standards.
Optimal cybersecurity investment depends on threat severity and bank fragility. Regulators should consider operational resilience standards, red-teaming, subsidies, and negligence penalties to facilitate socially desirable cybersecurity investment.
The paper reviews the DORA Regulation, highlighting challenges in supervisory convergence, solution centralization, and oversight fragmentation. It argues that despite DORA's positive steps for digital resilience, Europe's fragmented supervision system hampers its effectiveness. The authors suggest that a more centralized, cross-sectoral supervisory approach is needed for better regulation and supervision.