When Cyberattacks Go Viral: Modeling Firm Risk and Insurance Impact

Author: Denis Avetisyan


A new stochastic model connects the spread of cyberattacks within organizations to their growth and the potential cascading effects on insurance portfolios.

The data reveals a temporal pattern of newly infected firms across size categories from May to July 2024, quantified as I_{k}, indicating the daily incidence of infection spreading through the business landscape.

This paper presents a stochastic SIR model incorporating firm growth dynamics and a Cox process to assess systemic cyber risk and aggregate exceedance probability.

Traditional catastrophe modeling often struggles to capture the nuanced, firm-specific impacts of systemic cyber risk. This is addressed in ‘A stochastic SIR model for cyber contagion: application to granular growth of firms and to insurance portfolio’, which proposes a novel framework coupling a stochastic Susceptible-Infected-Recovered (SIR) model with a granular firm growth model to quantify the financial consequences of cyberattacks. The analysis reveals that internal contagion pathways are particularly impactful, disproportionately affecting larger firms within a portfolio, potentially leading to losses equivalent to two days of revenue for an insurer with 50% probability over a 100-day incident. How can these insights be leveraged to develop more robust cyber risk mitigation strategies and refine insurance pricing models in an increasingly interconnected digital landscape?


Unveiling Hidden Pathways: Beyond Perimeter-Based Cyber Defense

Conventional cybersecurity strategies are frequently designed to defend against threats originating from outside an organization’s network, creating a considerable blind spot regarding the propagation of cyber-events within its internal systems. This external focus often neglects the reality that vulnerabilities and compromised assets inside a firm can facilitate rapid and widespread contagion, potentially exceeding the damage caused by initial external breaches. A compromised employee account, a vulnerable internal server, or even a simple phishing success can act as a launchpad for attacks that spread quickly through interconnected networks, bypassing many perimeter defenses. Consequently, an overreliance on external threat mitigation leaves organizations exposed to a significant, and often underestimated, risk stemming from the internal transmission of cyber-events, highlighting the need for a more holistic security approach.

Accurate assessment of cyber risk and the development of effective mitigation strategies hinge on a thorough understanding of how malicious events spread within an organization. Unlike traditional models that largely focus on external breaches, a comprehensive approach must map the pathways of internal contagion: how a compromised system can quickly infect others across a network. This internal propagation isn’t simply a matter of technical vulnerabilities; it’s heavily influenced by organizational structure, employee behavior, and existing security protocols. By modeling these internal dynamics, security teams can identify critical nodes (systems or individuals whose compromise would have the most cascading effect) and prioritize resources accordingly. Ignoring the internal dimension of cyber risk leaves organizations vulnerable to far more damaging and widespread events than external threats alone might cause, as a single compromised endpoint can rapidly escalate into a firm-wide crisis.

A comprehensive understanding of cyber risk requires moving beyond models focused solely on external breaches and embracing a framework that acknowledges the potent force of internal contagion. Recent analysis reveals that cyber-events are demonstrably more likely to spread within an organization than to originate from external sources, highlighting the critical role of internal network architecture, employee behavior, and existing security protocols in determining overall vulnerability. This isn’t to diminish the threat of external attacks, but rather to emphasize the complex interplay between both forces; an external intrusion, even if initially contained, can quickly cascade through a network if internal defenses are inadequate. Consequently, effective mitigation strategies must prioritize not only perimeter security, but also robust internal segmentation, proactive threat hunting, and comprehensive employee training to limit the propagation of cyber-events once they gain a foothold.

The GuidePoint Security 2025 report indicates a continuing and evolving threat landscape dominated by ransomware attacks, as exemplified by the GRIT 2025 group.

Mapping the Cascade: A Granular and Stochastic Modeling Approach

The modeling framework represents firms not as monolithic entities, but as aggregates of independent subunits, allowing for a more nuanced analysis of risk propagation. This granular approach facilitates the tracing of cyber events as they move between these subunits, identifying critical pathways and potential bottlenecks within the organizational structure. By modeling interactions at this detailed level, the framework moves beyond aggregate risk assessments and provides insights into how localized incidents can escalate into systemic failures. Each subunit is treated as a node capable of both receiving and transmitting cyber events, with the probability of transmission determined by inter-subunit connectivity and inherent vulnerability factors. This disaggregated representation enables the quantification of risk at various levels within the firm, supporting targeted mitigation strategies and improved resilience planning.

A stochastic approach is implemented to model cyber-event propagation due to the inherent randomness and uncertainty involved in such incidents. Unlike deterministic models which produce a single outcome, our framework generates multiple possible event scenarios, each with an associated probability. This is achieved through the use of probabilistic functions to govern event arrival and spread, acknowledging that the timing and impact of cyber events are not fixed but rather subject to chance. The stochastic element allows for the quantification of risk by providing a distribution of potential outcomes, enabling a more realistic assessment of potential impacts compared to methods assuming a single, predictable trajectory. This approach is crucial for understanding the range of possible consequences and developing robust mitigation strategies.

The modeling framework categorizes firms into one of three states – Susceptible, Infected, and Removed – based on principles derived from epidemiological modeling, specifically the SIR model. Susceptible firms represent those not yet impacted by a cyber event, while Infected firms have experienced a successful attack and are potentially propagating it to others. Removed firms represent those that have mitigated the attack, implemented sufficient defenses, or ceased operations due to the event, thus preventing further propagation. Transitions between these states are governed by probabilistic rates, allowing for the simulation of cyber-event spread as a dynamic process within the firm population.

The Cox process is implemented to model the arrival of cyber events as a point process where the rate of events at any given time is itself a random variable. This contrasts with Poisson processes which assume a constant arrival rate. Specifically, the intensity function \lambda(t) of the Cox process governs the instantaneous rate of event occurrence and is realized from a Gamma process, allowing for time-varying and correlated event arrivals. This approach enables the modeling of scenarios where event rates cluster in time, or exhibit dependencies, providing a more realistic representation of cyber risk compared to models with fixed or independent event rates. The use of a Gamma process to drive the intensity function ensures non-negative rates and allows for analytical tractability in certain cases, facilitating risk assessment and mitigation strategies.

The simulation demonstrates the dynamic evolution of infected subunits as a percentage of the total population h_{\star}.

Quantifying Systemic Exposure and Its Implications for Insurance

A robust quantification of systemic cyber risk is achieved through the integration of a granular firm structure, a Susceptible-Infected-Recovered (SIR) model, and stochastic methods. The granular firm structure represents the interconnectedness of organizations, detailing dependencies and potential transmission pathways. The SIR model, adapted from epidemiology, tracks the spread of cyber incidents through this network, classifying firms as susceptible, infected, or recovered based on incident status. Stochastic methods are then applied to simulate numerous incident scenarios, accounting for uncertainties in attack success rates, recovery times, and network configurations. This combined approach allows for the calculation of key risk metrics, such as the probability of multiple firms being simultaneously impacted by a cyber event, and provides a more comprehensive assessment of systemic risk than traditional, non-networked approaches.

The systemic risk model leverages ‘Stylized Facts’ – empirically supported observations from economics and cybersecurity – to improve the accuracy of simulations. These facts include principles like the power-law distribution of firm sizes, the prevalence of common vulnerabilities exploited across multiple organizations, and the tendency for financial contagion to follow established network topologies. Specifically, the model incorporates the observation that larger firms possess greater connectivity and therefore represent more significant nodes in systemic risk transmission. Similarly, it acknowledges the economic principle that firms with similar risk profiles are more likely to fail concurrently under correlated shocks. By grounding the model in these established principles, the resulting simulations are more reflective of real-world behavior and yield more reliable risk assessments.

The Aggregate Exceedance Probability (AEP) is a core metric for quantifying systemic cyber risk and assessing the solvency of insurance portfolios. Calculated through Monte Carlo simulations of the integrated firm structure and SIR model, AEP represents the probability that total insurance claims will exceed a specified threshold within a given timeframe – typically one year. This value is crucial for insurers as it directly informs capital adequacy requirements and reinsurance strategies. AEP is not a simple summation of individual firm exceedance probabilities; it accounts for correlated failures and the complex network of interdependencies between firms, providing a more accurate assessment of portfolio-level risk than traditional methods. The metric allows insurers to estimate potential losses with defined confidence levels, aiding in the pricing of cyber insurance policies and the management of overall systemic exposure.
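To make the three building blocks above concrete (the SIR states and probabilistic transitions, the Cox process with a Gamma-driven intensity, and AEP by Monte Carlo), here is an added illustration that is not the paper's code. It simplifies the paper's Gamma process to one Gamma-distributed intensity per scenario shared across the portfolio, uses discrete daily steps, and takes infected subunit-days times a per-subunit daily revenue as a constructed loss proxy; all parameters and the portfolio are made up for illustration.

```python
import math
import random

def poisson(lam, rng):
    """Poisson draw by Knuth's multiplication method (adequate for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1

def simulate_firm(n_units, beta, gamma, lam, days, rng=None, i0=0):
    """Discrete-time stochastic SIR over one firm's subunits.
    beta:  daily prob. that an infected subunit infects a given susceptible one (internal pathway)
    gamma: daily prob. that an infected subunit is removed (cleaned up or isolated)
    lam:   daily external arrival intensity (Poisson count of fresh compromises)
    Returns infected subunit-days, the constructed loss proxy used below."""
    rng = rng or random.Random()
    s, i, r = n_units - i0, i0, 0
    infected_days = 0
    for _ in range(days):
        ext = min(s, poisson(lam, rng))            # external hits land on susceptibles
        p_inf = 1.0 - (1.0 - beta) ** i            # prob. of not escaping all i infected
        internal = sum(rng.random() < p_inf for _ in range(s - ext))
        removed = sum(rng.random() < gamma for _ in range(i))
        s -= ext + internal
        i += ext + internal - removed
        r += removed
        infected_days += i
    return infected_days

def portfolio_losses(portfolio, n_scen, days, beta, gamma, shape, scale, seed=1):
    """Monte Carlo total-loss samples for a portfolio of (n_units, revenue_per_unit_day).
    Cox process (simplified): one Gamma-distributed intensity per scenario, shared by
    every firm, so external arrival rates are correlated across the portfolio."""
    rng = random.Random(seed)
    losses = []
    for _ in range(n_scen):
        lam = rng.gammavariate(shape, scale)
        total = sum(simulate_firm(n, beta, gamma, lam, days, rng) * rev for n, rev in portfolio)
        losses.append(total)
    return losses

def aep(losses, threshold):
    """Aggregate Exceedance Probability: fraction of scenarios whose total loss > threshold."""
    return sum(1 for x in losses if x > threshold) / len(losses)

if __name__ == "__main__":
    portfolio = [(5, 2000.0), (20, 2000.0), (80, 2000.0)]   # constructed: (subunits, EUR/unit/day)
    losses = portfolio_losses(portfolio, 200, 100, beta=0.02, gamma=0.1, shape=2.0, scale=0.01)
    for t in (0, 1e5, 5e5, 1e6):
        print(f"AEP(loss > {t:>10,.0f} EUR) = {aep(losses, t):.3f}")
```

Sweeping beta against the firm-size column of the portfolio reproduces the qualitative point of the text: the largest firm dominates the tail of the loss distribution once internal transmission is switched on.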

Analysis indicates that systemic cyber risk is primarily driven by internal transmission pathways – the spread of compromise within a single organization – rather than external propagation between firms. This finding challenges prior assumptions that focused heavily on interconnectedness between organizations as the dominant risk vector. Specifically, simulations demonstrate a correlation between firm size and both the extent of internal transmission – meaning larger firms experience broader impact from a single initial compromise – and the resulting insurance claim amounts. This suggests that larger organizations, due to their complex internal networks and greater asset exposure, are more susceptible to widespread internal breaches, leading to substantially higher financial losses and, consequently, larger insurance payouts.

The exact AEP curve (blue) and its approximation (red) both demonstrate the total losses in € million.

The study’s exploration of cyber contagion through a stochastic SIR model mirrors the broader principles of systemic behavior observed in complex networks. Just as biological systems exhibit patterns of infection and recovery, so too do firms within a connected digital ecosystem. Simone de Beauvoir noted, “One is not born, but rather becomes a woman.” This sentiment, when applied to the firm growth dynamics presented, suggests that a firm’s resilience isn’t inherent, but becomes realized through its adaptation to external pressures – in this case, the ‘infection’ of cyberattacks and its internal transmission, particularly impacting larger firms as the model indicates. The granular approach, revealing how aggregate risk emerges from individual firm vulnerabilities, highlights the importance of understanding these emergent properties.

Where Do We Go From Here?

The coupling of firm growth with epidemic-style propagation, as demonstrated by this work, reveals a predictable, yet frequently overlooked, pattern: systemic risk isn’t merely about interconnectedness, but about the structure of that connection. The finding that internal transmission dominates suggests a focus on internal vulnerabilities – a seemingly obvious point, perhaps, but one often lost in the rush to model external threats. The model, however, remains an abstraction. Real firms aren’t homogeneous nodes, and the ‘infection’ isn’t a single binary state. Future iterations should explore heterogeneity in firm size, sector, and security posture, allowing for a more nuanced understanding of cascading failures.

A persistent challenge lies in calibrating the model with empirical data. Cyberattack data is notoriously incomplete and biased, often reflecting reported incidents rather than actual compromise rates. Further research should investigate methods for inferring underlying infection rates from incomplete observations, perhaps leveraging techniques from disease surveillance. The Cox process component offers a framework for modeling spatial-temporal dependencies, but its full potential remains largely untapped, particularly in the context of evolving threat landscapes.

Ultimately, the true test of this, and similar, models will be their predictive power. Can they anticipate not just the likelihood of a large-scale cyber event, but also its structure – which firms will be affected, and how will the damage propagate? The current framework provides a solid foundation, but the field must move beyond simply describing patterns to actively forecasting them. It is a continuous cycle, after all: observation, hypothesis, experiment, and analysis, endlessly repeating.


Original article: https://arxiv.org/pdf/2603.15369.pdf

Contact the author: https://www.linkedin.com/in/avetisyan/

2026-03-17 20:08