Entity-level dependence among cyber incident types

Determine whether, at the level of individual organizations, susceptibility to one cyber incident type implies increased propensity for other incident types; specifically, establish whether entity-level dependence exists among incident types such as Data Breach, Privacy Violation, Extortion/Fraud, IT Error, and Other to inform multi-peril cyber insurance design.

Background

Most prior studies model dependence among cyber incident types at the industry level due to limited entity-specific data. This paper highlights that the presence and nature of dependence at the organization level have not been established in the literature, despite their importance for designing multi-peril cyber insurance.

Using an InsurTech-enriched dataset, the authors implement classifier and regressor chains to explore dependencies among incident types but report that no significant correlations are observed in their datasets. Nevertheless, given data and methodological limitations, the question of whether such dependence exists more generally at the entity level remains unresolved in the broader context.

References

In addition, the dependence among different incident types is also often modeled at the industry level (See, for example, \citet{eling_copula_2018}), whereas the dependence at the entity level remains unknown. That is, does being susceptible to one type of incident suggest that the organization is also prone to other types of incidents?

Entity-Specific Cyber Risk Assessment using InsurTech Empowered Risk Factors  (2507.08193 - Guo et al., 10 Jul 2025) in Section 1.2, Data-driven Approaches to Cyber Risk Modeling