# An Overview of Security Breach Probability Models


## Abstract


## 1. Introduction

- We propose a list of properties that a breach probability function might/should have (Section 2.2);
- We report the breach probability functions appearing in the literature (Section 2.3, Section 2.4, Section 2.5, Section 2.6, Section 2.7, Section 2.8, Section 2.9, Section 2.10 and Section 2.11);
- We analyze their properties as above (Section 2.3, Section 2.4, Section 2.5, Section 2.6, Section 2.7, Section 2.8, Section 2.9, Section 2.10 and Section 2.11);
- We examine the impact of their parameters (Section 3);
- We report a comparison of models through different aspects with the purpose of helping the reader choose the most suitable for the case at hand (in the Conclusions).

## 2. Security Breach Probability Models

#### 2.1. Definitions

- Purchasing antivirus software;
- Installing firewalls inside the network;
- Deploying tighter access control policies;
- Renewing and updating the ICT infrastructures;
- Having employees attend training courses to increase their awareness of cybersecurity risks and develop more cautious behavior.

#### 2.2. Fundamental Properties

- $\mathbb{P}1$: $S(z,0)=0$, $\forall z\ge 0$;
- $\mathbb{P}2$: $S(0,v)=v$, $\forall v$;
- $\mathbb{P}3$: $\lim_{z\to\infty}S(z,v)=0$, $\forall v\in(0,1)$;
- $\mathbb{P}4$: $\frac{\partial S(z,v)}{\partial z}<0$, $\forall v\in(0,1)$ and $\forall z>0$;
- $\mathbb{P}5.1$: $\frac{\partial^{2}S(z,v)}{\partial z^{2}}>0$, $\forall v\in(0,1)$ and $\forall z$;
- $\mathbb{P}5.2$: $\frac{\partial^{2}S(z,v)}{\partial z^{2}}\begin{cases}<0 & \text{if } z<z_{\mathrm{i}}\\ >0 & \text{if } z>z_{\mathrm{i}}\end{cases}$, $\forall v\in(0,1)$;
- $\mathbb{P}5.3$: $\frac{\partial^{2}S(z,v)}{\partial z^{2}}<0$, $\forall v\in(0,1)$;
- $\mathbb{P}5.4$: $\frac{\partial^{2}S(z,v)}{\partial z^{2}}=0$, $\forall v\in(0,1)$ and $\forall z$.

- Gordon–Loeb Class One;
- Gordon–Loeb Class Two;
- Hausken Class Three;
- Hausken Class Four;
- Hausken Class Five;
- Hausken Class Six;
- The Exponential Power Class;
- The Proportional Hazard Class;
- The Wang Transform Class.

#### 2.3. Gordon–Loeb Class One Model

- $\mathbb{P}1$: $S_{GL1}(z,0)=\frac{0}{(\alpha_{1}z+1)^{\alpha_{2}}}=0$;
- $\mathbb{P}2$: $S_{GL1}(0,v)=\frac{v}{(\alpha_{1}\cdot 0+1)^{\alpha_{2}}}=v$;
- $\mathbb{P}3$: $\lim_{z\to\infty}S_{GL1}(z,v)=\lim_{z\to\infty}\frac{v}{(\alpha_{1}z+1)^{\alpha_{2}}}=0$;
- $\mathbb{P}4$: $\frac{\partial S_{GL1}(z,v)}{\partial z}=-\frac{\alpha_{1}\alpha_{2}v}{(\alpha_{1}z+1)^{\alpha_{2}+1}}<0$;
- $\mathbb{P}5.1$: $\frac{\partial^{2}S_{GL1}(z,v)}{\partial z^{2}}=\frac{\alpha_{1}^{2}\alpha_{2}^{2}v}{(\alpha_{1}z+1)^{\alpha_{2}+2}}>0$.

#### 2.4. Gordon–Loeb Class Two Model

- $\mathbb{P}1$: $S_{GL2}(z,0)=0^{\beta z+1}=0$;
- $\mathbb{P}2$: $S_{GL2}(0,v)=v^{0+1}=v$;
- $\mathbb{P}3$: $\lim_{z\to\infty}S_{GL2}(z,v)=\lim_{z\to\infty}v^{\beta z+1}=0$;
- $\mathbb{P}4$: $\frac{\partial S_{GL2}(z,v)}{\partial z}=\beta\ln(v)\,v^{\beta z+1}<0$ since $\ln(v)<0$;
- $\mathbb{P}5.1$: $\frac{\partial^{2}S_{GL2}(z,v)}{\partial z^{2}}=\beta^{2}\ln^{2}(v)\,v^{\beta z+1}>0$.

#### 2.5. Hausken Class Three Model

- $\mathbb{P}1$: $S_{H3}(z,0)=\frac{0}{1+\gamma_{1}(e^{\gamma_{2}z}-1)}=0$;
- $\mathbb{P}2$: $S_{H3}(0,v)=\frac{v}{1+\gamma_{1}(e^{\gamma_{2}\cdot 0}-1)}=v$;
- $\mathbb{P}3$: $\lim_{z\to\infty}S_{H3}(z,v)=\lim_{z\to\infty}\frac{v}{1+\gamma_{1}(e^{\gamma_{2}z}-1)}=0$;
- $\mathbb{P}4$: $\frac{\partial S_{H3}(z,v)}{\partial z}=-\frac{v\gamma_{1}\gamma_{2}e^{\gamma_{2}z}}{\left(1+\gamma_{1}(e^{\gamma_{2}z}-1)\right)^{2}}<0$.

#### 2.6. Hausken Class Four Model

- $\mathbb{P}1$: $S_{H4}(z,0)=0\cdot(1-\epsilon z^{\varphi})=0$;
- $\mathbb{P}2$: $S_{H4}(0,v)=v(1-\epsilon\cdot 0^{\varphi})=v$;
- $\mathbb{P}3$: $\lim_{z\to\infty}S_{H4}(z,v)=S_{H4}(z,v)\big|_{z>z_{u}}=0$;
- $\mathbb{P}4$: $\frac{\partial S_{H4}(z,v)}{\partial z}=-\epsilon\varphi v z^{\varphi-1}<0$;
- $\mathbb{P}5.1$: $\frac{\partial^{2}S_{H4}(z,v)}{\partial z^{2}}=-\epsilon\varphi(\varphi-1)v z^{\varphi-2}>0$.

#### 2.7. Hausken Class Five Model

- $\mathbb{P}1$: $S_{H5}(z,0)=0\cdot(1-\omega z^{k})=0$;
- $\mathbb{P}2$: $S_{H5}(0,v)=v(1-\omega\cdot 0^{k})=v$;
- $\mathbb{P}3$: $S_{H5}(z,v)=0$ when $z>z_{u}$;
- $\mathbb{P}4$: $\frac{\partial S_{H5}(z,v)}{\partial z}=-v\omega k z^{k-1}<0$;
- $\mathbb{P}5.3$: $\frac{\partial^{2}S_{H5}(z,v)}{\partial z^{2}}=-v\omega k(k-1)z^{k-2}<0$.

#### 2.8. Hausken Class Six Model

- $\mathbb{P}1$: $S_{H6}(z,0)=0\cdot(1-\lambda z)=0$;
- $\mathbb{P}2$: $S_{H6}(0,v)=v(1-\lambda\cdot 0)=v$;
- $\mathbb{P}3$: $S_{H6}(z,v)=0$ when $z>z_{u}$;
- $\mathbb{P}4$: $\frac{\partial S_{H6}(z,v)}{\partial z}=-\lambda v<0$;
- $\mathbb{P}5.4$: $\frac{\partial^{2}S_{H6}(z,v)}{\partial z^{2}}=0$.

#### 2.9. The Exponential Power Class Model

- $\mathbb{P}1$: $S_{\mathrm{EP}}(z,0)=0\cdot\zeta^{z^{\eta}}=0$;
- $\mathbb{P}2$: $S_{\mathrm{EP}}(0,v)=v\zeta^{0}=v$;
- $\mathbb{P}3$: $\lim_{z\to\infty}S_{\mathrm{EP}}(z,v)=\lim_{z\to\infty}v\zeta^{z^{\eta}}=0$ since $\zeta<1$;
- $\mathbb{P}4$: $\frac{\partial S_{\mathrm{EP}}(z,v)}{\partial z}=\eta v\ln(\zeta)\,z^{\eta-1}\zeta^{z^{\eta}}<0$, again since $\zeta<1$;
- $\mathbb{P}5.2$: $\frac{\partial^{2}S_{\mathrm{EP}}(z,v)}{\partial z^{2}}=v\eta\zeta^{z^{\eta}}z^{\eta-2}\ln\zeta\left[\eta\ln\zeta\,z^{\eta}+\eta-1\right]\gtrless 0$.

#### 2.10. The Proportional Hazard Class Model

- $\mathbb{P}1$: $S_{\mathrm{PH}}(z,0)=0\cdot\left(1-\xi^{z^{-\eta}}\right)=0$;
- $\mathbb{P}2$: $S_{\mathrm{PH}}(0,v)=\lim_{z\to 0}v\left(1-\xi^{z^{-\eta}}\right)=v$ since $\xi<1$;
- $\mathbb{P}3$: $\lim_{z\to\infty}S_{\mathrm{PH}}(z,v)=\lim_{z\to\infty}v\left(1-\xi^{z^{-\eta}}\right)=v\cdot 0=0$, again since $\xi<1$;
- $\mathbb{P}4$: $\frac{\partial S_{\mathrm{PH}}(z,v)}{\partial z}=v\eta z^{-\eta-1}\ln(\xi)\,\xi^{z^{-\eta}}<0$;
- $\mathbb{P}5.2$: $\frac{\partial^{2}S_{\mathrm{PH}}(z,v)}{\partial z^{2}}=v\eta\ln(\xi)\left[(-\eta-1)z^{-\eta-2}\xi^{z^{-\eta}}-\eta z^{-2\eta-2}\ln(\xi)\,\xi^{z^{-\eta}}\right]=-v\eta\ln(\xi)\,\xi^{z^{-\eta}}z^{-\eta-2}\left[\eta+1+\eta z^{-\eta}\ln(\xi)\right]\gtrless 0$.

#### 2.11. The Wang Transform Class

- $\mathbb{P}1$: $S_{\mathrm{WT}}(z,0)=0\cdot\Phi\left[\Phi^{-1}(\rho)-\eta\ln(z)\right]=0$;
- $\mathbb{P}2$: $S_{\mathrm{WT}}(0,v)=\lim_{z\to 0}v\Phi\left[\Phi^{-1}(\rho)-\eta\ln(z)\right]=v$;
- $\mathbb{P}3$: $\lim_{z\to\infty}S_{\mathrm{WT}}(z,v)=\lim_{z\to\infty}v\Phi\left[\Phi^{-1}(\rho)-\eta\ln(z)\right]=v\Phi(-\infty)=0$;
- $\mathbb{P}4$: $\frac{\partial S_{\mathrm{WT}}(z,v)}{\partial z}=-\frac{v\eta}{\sqrt{2\pi}\,z}e^{-\frac{1}{2}\left[\Phi^{-1}(\rho)-\eta\ln(z)\right]^{2}}<0$;
- $\mathbb{P}5.2$: $\frac{\partial^{2}S_{\mathrm{WT}}(z,v)}{\partial z^{2}}=-\frac{v\eta}{z\sqrt{2\pi}}e^{-\frac{1}{2}\left[\Phi^{-1}(\rho)-\eta\ln(z)\right]^{2}}\times\left\{-1+\eta\left[\Phi^{-1}(\rho)-\eta\ln(z)\right]\right\}\gtrless 0$.

## 3. Sensitivity of the Security Breach Probability Functions

#### 3.1. Quasi-Elasticity

#### 3.2. Gordon–Loeb Class One Model Elasticity

#### 3.3. Gordon–Loeb Class Two Model Elasticity

#### 3.4. Hausken Class Three Model Elasticity

#### 3.5. Hausken Class Four Model Elasticity

#### 3.6. Hausken Class Five Model Elasticity

#### 3.7. Hausken Class Six Model Elasticity

#### 3.8. Exponential Power Class Elasticity

#### 3.9. Proportional Hazard Class Elasticity

#### 3.10. Wang Transform Class Elasticity

## 4. Conclusions

## Author Contributions

## Funding

## Data Availability Statement

## Conflicts of Interest

## Note

1. See the definition provided at https://www.trendmicro.com/vinfo/us/security/definition/data-breach, accessed on 16 November 2022.


**Figure 1.** Impact of the investment in security z on the normalized GL1 security breach probability function.

**Figure 2.** Impact of the investment in security z on the normalized GL2 security breach probability function.

**Figure 22.** Quasi-elasticity with respect to $\eta$ as a function of S in the Exponential Power Class model.

**Figure 24.** Quasi-elasticity with respect to $\eta$ as a function of S in the Proportional Hazard Class model.

Model | Formulation | Num. of Parameters |
---|---|---|
Gordon and Loeb (GL1) | $\frac{v}{(\alpha_{1}z+1)^{\alpha_{2}}}$ | 2 |
Gordon and Loeb (GL2) | $v^{\beta z+1}$ | 1 |
Hausken (H3) | $\frac{v}{1+\gamma_{1}(e^{\gamma_{2}z}-1)}$ | 2 |
Hausken (H4) | $\begin{cases}v(1-\epsilon z^{\varphi}) & \text{if } z<\epsilon^{-1/\varphi}\\ 0 & \text{if } z>\epsilon^{-1/\varphi}\end{cases}$ | 2 |
Hausken (H5) | $\begin{cases}v(1-\omega z^{k}) & \text{if } z<\omega^{-1/k}\\ 0 & \text{if } z>\omega^{-1/k}\end{cases}$ | 2 |
Hausken (H6) | $\begin{cases}v(1-\lambda z) & \text{if } z<\frac{1}{\lambda}\\ 0 & \text{if } z>\frac{1}{\lambda}\end{cases}$ | 2 |
Exponential Power (EP) | $v\,\widehat{S}_{\mathrm{EP}}(1)^{\left(\frac{z}{B}\right)^{\eta}}$ | 1 |
Proportional Hazard (PH) | $v\left[1-\left(1-\widehat{S}_{\mathrm{PH}}(1)\right)^{\left(\frac{z}{B}\right)^{-\eta}}\right]$ | 1 |
Wang Transform (WT) | $v\Phi\left[\Phi^{-1}\left(\widehat{S}_{\mathrm{WT}}(1)\right)-\eta\ln\left(\frac{z}{B}\right)\right]$ | 1 |

Class | Parameter | Value |
---|---|---|
GL1 | $\alpha_{1}$ | $2.7\times 10^{-5}$ |
GL1 | $\alpha_{2}$ | 0.5 |
GL2 | $\beta$ | $2.7\times 10^{-5}$ |
H3 | $\gamma_{1}$ | 0.2 |
H3 | $\gamma_{2}$ | $2.7\times 10^{-5}$ |
H4 | $\epsilon$ | 0.08 |
H4 | $\varphi$ | 0.2 |
H5 | $\omega$ | $1.89\times 10^{-7}$ |
H5 | $k$ | 1.2 |
H6 | $\lambda$ | $2.5\times 10^{-6}$ |
EP | $\eta$ | 4.5 |
PH | $\eta$ | 1.8 |
WT | $\eta$ | 1.2 |

Property | GL1 | GL2 | H3 | H4 | H5 | H6 | EP | PH | WT |
---|---|---|---|---|---|---|---|---|---|
$\mathbb{P}1$ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
$\mathbb{P}2$ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
$\mathbb{P}3$ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
$\mathbb{P}4$ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
$\mathbb{P}5.1$ | ✓ | ✓ | | ✓ | | | | | |
$\mathbb{P}5.2$ | | | ✓ | | | | ✓ | ✓ | ✓ |
$\mathbb{P}5.3$ | | | | | ✓ | | | | |
$\mathbb{P}5.4$ | | | | | | ✓ | | | |


© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Mazzoccoli, A.; Naldi, M.
An Overview of Security Breach Probability Models. *Risks* **2022**, *10*, 220.
https://doi.org/10.3390/risks10110220
