Why cyber risk classifications may be mispricing insurance cover
Insurers and risk managers who use cyber risk taxonomies to price coverage may be using classification systems that add little predictive value for future losses
Cybercrime is now one of the defining financial risks of our time. But the problem for insurers is not simply that cyber losses are growing. It is that the categories used to understand cyber attacks may not help predict what future losses will cost.
The global cost of cybercrime was estimated to be around US$10.5 trillion (A$15 trillion) in 2025, a figure that, if cybercrime were a country, would make it the world's third-largest economy after the United States and China. For individual organisations, the financial pain can be acute: IBM's 2024 Cost of a Data Breach Report found the global average cost of a data breach reached US$4.88 million (A$6.95 million), a 10% jump from the previous year and the largest annual increase since the pandemic, with 70% of breached organisations reporting that the incident caused significant or very significant disruption to their operations.
The insurance industry has responded to this threat in kind. According to Munich Re, the global cyber insurance market totalled US$15.3 billion (A$21.8 billion) in 2024, with the reinsurer projecting that global premium volume will more than double by 2030, growing at an average annual rate of more than 10%.
Behind every premium sits a model, and behind every model sits a question that most practitioners have never stopped to interrogate: are the classification systems used to sort and label cyber threats actually any good at predicting future losses? That question turns out to be more uncomfortable than the industry might expect.
New research from UNSW Business School, Macquarie University and University of California, Santa Barbara subjected the most widely used cyber risk classification systems to a test they are rarely designed to face: predicting the future. The findings challenge some of the most entrenched assumptions in cyber risk modelling and carry direct consequences for how organisations price insurance, allocate capital, and manage their exposure to one of the fastest-moving threats in the modern risk landscape.

“This research fits in the more general stream of research of cyber risk quantification,” said research co-author Dr Matteo Malavasi, a lecturer in the School of Risk and Actuarial Studies at UNSW Business School. “Looking at the literature, there are many classifications of cyber risks used for different purposes and contexts, but overall, there is a lack of consistency on ‘which’ classification should be used for a given purpose. With this research, we wanted to identify, or to provide evidence in support of, which classification should be used for forecasting purposes (with the implication of insurance pricing: if my model can predict better future cyber risk, then my pricing is more accurate, and then I can provide better insights to decision makers).”
The gap between labelling risk and forecasting it
Organisations and insurers have long relied on what researchers call "taxonomies" (structured systems for categorising cyber events). A taxonomy is, in essence, a filing system for threats. The idea is that if you can group similar attacks together, you can study their patterns, estimate their costs, and plan accordingly.
The problem is that most taxonomies were built for a different purpose. They were designed to help organisations identify and manage risks, not to forecast how much a future attack might cost. The researchers do not argue that taxonomies are useless. Rather, they show that a classification system designed to organise incidents, support governance, or guide operational response is not automatically suitable for actuarial forecasting.
The research, published in Insurance: Mathematics and Economics, makes a pointed distinction between these two goals. The research paper, Cyber risk taxonomies: statistical analysis of cybersecurity risk classifications, was co-authored by UNSW Business School’s Dr Matteo Malavasi, together with the University of California, Santa Barbara’s Professor Gareth Peters and Macquarie University’s Professor Stefan Trück, Professor Pavel Shevchenko, Associate Professor Jiwook Jang and Professor Georgy Sofronov.
The researchers tested seven distinct classification approaches across a dataset of more than 165,000 cyber loss events drawn from the Advisen Cyber Loss Database, spanning 2008 to 2021 and covering more than 62,000 affected entities. They used a rolling window analysis (essentially re-running their models year by year, training on past data and testing against future outcomes) to measure how well each classification predicted real-world losses out of sample. The "out of sample" distinction matters: a model that fits historical data well can still fail badly when applied to events it has not yet seen.
What the data revealed about popular classification systems
Across multiple testing approaches, most classification systems performed no better at predicting future loss severity than a model with no classification at all, or than one based on randomly assigned categories. "Almost all classifications exhibit years where their forecasting ability is either lower or indistinguishable from one of the models with a random classification or no classification," the authors noted in their research paper.
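The rolling-window, out-of-sample test described above, as an added illustration that is not code from the paper or its authors and runs on constructed synthetic data rather than the Advisen database. Losses are drawn from a heavy-tailed Pareto distribution; every event carries one label with a small, assumed effect on loss size and a second label assigned at random, and each test year is forecast from the years before it. The category names, scale factors and tail index are assumptions, not values from the study.

```python
"""Rolling-window, out-of-sample check of whether a loss classification improves
cyber severity forecasts. Synthetic data only: the labels, scale factors and tail
index below are assumptions chosen to show the mechanism, not study estimates."""
import math
import random
import statistics

# Hypothetical taxonomy; SCALE gives each label a weak, assumed effect on loss size.
CATEGORIES = ["data breach", "ransomware", "fraud", "outage"]
SCALE = {"data breach": 1.0, "ransomware": 1.3, "fraud": 0.8, "outage": 1.1}

def simulate_events(years, per_year, alpha=1.2, seed=7):
    """Heavy-tailed Pareto losses with a weak-signal label 'cat' and a random label 'rand'."""
    rng = random.Random(seed)
    events = []
    for year in years:
        for _ in range(per_year):
            cat = rng.choice(CATEGORIES)
            loss = SCALE[cat] * 1e5 * (1.0 - rng.random()) ** (-1.0 / alpha)  # Pareto inverse CDF
            events.append({"year": year, "cat": cat, "rand": rng.choice(CATEGORIES), "loss": loss})
    return events

def rolling_mae(events, years, key):
    """Train on all years before the test year, predict each test loss by the training
    median of its group in log space (the tail is too heavy for means) and return the
    mean absolute log error over all test years. key=None means no classification."""
    errors = []
    for test_year in years[1:]:
        groups = {}
        for e in events:
            if e["year"] < test_year:
                groups.setdefault(e[key] if key else "all", []).append(math.log(e["loss"]))
        medians = {g: statistics.median(v) for g, v in groups.items()}
        for e in events:
            if e["year"] == test_year:
                errors.append(abs(math.log(e["loss"]) - medians[e[key] if key else "all"]))
    return sum(errors) / len(errors)

def compare(years=range(2010, 2016), per_year=1500):
    """Out-of-sample error with no classification, a random one and the weak-signal one."""
    years = list(years)
    events = simulate_events(years, per_year)
    return {name: rolling_mae(events, years, key)
            for name, key in (("none", None), ("random", "rand"), ("classified", "cat"))}

if __name__ == "__main__":
    for name, mae in compare().items():
        print(f"{name:>10}: mean |log error| = {mae:.3f}")
```

Even the label with genuine signal buys only a small reduction in forecast error, while the random label is indistinguishable from using no classification; the test the paper applies is which of these two a real taxonomy resembles year after year.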
The systems tested included event-based approaches such as the widely used Advisen classification (which groups threats into 14 categories) and the Romanosky system (four categories); operational risk-based frameworks that treat cyber events as a subtype of broader operational risk, following Basel banking standards; and impact-based systems derived from frameworks published by the US National Institute of Standards and Technology (NIST) and the Australian Cyber Security Centre (ACSC). These impact-based systems are "dynamic": they update their classifications over time rather than applying fixed labels. The researchers expected dynamic systems to perform better. In most cases, they did not.
One classification did show meaningful results across all four statistical tests applied: the ACSC-derived "Type and Importance" system, which maps threats by the nature of the attack and the significance of the targeted organisation. Even here, the advantage was modest, reaching statistical significance at the 5% level but not at the more demanding 1% threshold. The Romanosky system also showed some advantage when the analysis focused specifically on the distribution of large losses, where extreme events dominate.
Dr Malavasi explained: “Classifications help in explaining and drafting plans, such as: 'if a cyber breach happens, then do this,' but not so much in predicting or forecasting the risk.”

Why treating cyber as "just another operational risk" falls short
One of the study's more pointed findings concerns the treatment of cyber risk as a subset of operational risk: the standard approach under Basel II banking frameworks, and one widely adopted in risk management more broadly. The Eling classification, which maps cyber events into operational risk categories such as "system," "people," "internal processes," and "external events," performed poorly at forecasting severity throughout the study period.
The researchers argued this reflects something fundamental rather than a modelling choice. Cyber losses exhibit what statisticians call "heavy-tailed" behaviour (meaning catastrophic events occur more frequently than standard models predict, and the most extreme losses can be enormous relative to the average). The mathematics of extreme value theory, which the researchers used to model these tails, suggested that cyber risk sits in a different statistical territory from conventional operational risk. For operational risk, effective models typically need to focus on the top 10% of losses to capture the relevant tail behaviour. For cyber risk, the same effect kicks in at around the 50th percentile, meaning the extreme events that drive total losses are far more prevalent in cyber than in other operational categories.
Treating the two as equivalent, the study found, can obscure rather than illuminate the actual exposure. The authors noted that their results aligned with other research, arguing "that, despite similar transmission channels, cyber risk's unique nature warrants separate treatment".
Dr Malavasi noted that treating cyber risk as a case of operational risk may underestimate risks. “For example, a bank modelling cyber risk as an operational risk may underestimate the capital required to absorb tail events, increasing their exposure to large-scale or contagion events,” he said.
A case study in premium mispricing
To illustrate, the researchers constructed a case study using the profile of a financial services company based in the United States, with more than 500 employees and annual revenue of US$1 billion (A$1.4 billion), to examine how the choice of classification system affects the premiums a risk-averse decision-maker would be willing to pay for cyber insurance coverage.
Using data from 2010 to 2014 to simulate cyber risk distributions for 2015, the researchers calculated insurance premiums under each classification system and compared them with premiums derived from a model with no classification and from one that randomly allocates risk types. When classifications were used to model both frequency and severity simultaneously, the resulting premiums varied widely across systems; yet those differences were not statistically distinguishable from one another. In other words, the choice of classification produced materially different premium figures, but none could be shown to be more defensible than the others.
Frequency refers to how often cyber incidents occur; severity refers to the size of the financial losses when they do. When the researchers instead applied classifications only to frequency modelling (and left severity unclassified), the differences in premium outcomes narrowed substantially. The extreme 'heavy-tailed' nature of cyber losses (that is, the outsized influence of rare but catastrophic events) dominated the severity distribution, effectively swamping the discriminating power of any classification system.
For practitioners, this finding sounds a note of caution: using the same classification framework for both frequency and severity modelling may yield premiums that appear precise but lack a statistical basis. A more defensible approach separates the two: severity is modelled without classification inputs, and frequency-based classification adjustments are applied on top.
What this means for risk managers and decision-makers
For business leaders, risk professionals, and insurers, the research highlighted important points. Organisations that rely on threat taxonomies for risk management purposes (identifying attack vectors, planning responses, communicating with boards) can continue to do so with confidence. The study affirmed that "the benefit of cyber risk types for business risk management purposes and business motivated objectives remains strong." Classification systems retain genuine value for operational decisions.
Where organisations should exercise more caution is in extending those same classification systems to quantitative forecasting. Using threat categories as inputs to statistical models for premium pricing, capital allocation, or loss estimation carries the risks the study exposed. The classification may not be adding signal; it may be adding noise, or it may be obscuring the tail behaviour that drives the largest losses.
Insurers, in particular, should consider building severity models that stand alone, without classification inputs, and then layering frequency-based adjustments on top. This is a structural change to how many current models are built, but the research suggests it would produce more reliable pricing outcomes.
There is also a data quality argument embedded in the findings. The researchers noted that the models underwriting the cyber insurance market may be resting on classification frameworks that do not perform as advertised. Investing in richer, more granular data collection (particularly data tied to actual monetary losses rather than counts of affected records) was identified as a priority for improving model reliability over time.
“The broader lesson is not that cyber taxonomies should be abandoned,” said Prof. Peters. “It is that they should be used for the purposes they are good at: organising threats, supporting governance, and guiding operational response. When the task is forecasting financial losses, especially severe losses, insurers and risk managers need to test whether the categories add predictive signal. In cyber risk, labels are useful – but they are not a substitute for validated loss models.”