In an era of relentless digital threats, many organizations still allocate their cyber resources using traditional risk tools or even rules of thumb—treating threats in isolation and failing to connect financial trade-offs with the actual architecture of their networked systems. This disconnect can leave companies dangerously exposed, even with significant spending.
A new study titled "Cyber Risk Assessment for Capital Management," published in the Journal of Risk and Insurance, confronts this critical flaw head-on. It introduces a novel framework that fuses network-level analysis with actuarial modeling to transform how leaders allocate limited funds across security investments, insurance, and capital reserves, providing a scientifically grounded path to correct budgeting missteps of the past.
The research team comprises Feng Runhuan, chair professor at Tsinghua University's School of Economics and Management; Wing Fung Chong, associate professor at The University of Hong Kong; Hu Zhaoxuan, Ph.D. student at Cornell University; and Zhang Linfeng, assistant professor at The Ohio State University. Their approach is designed for decision-makers who need to understand not only how risks propagate across interconnected systems but also how to balance spending and risk transfer under real budget constraints.
At the heart of the study is a two-pillar framework. The first pillar is a cyber risk assessment built on cascade modeling. It integrates external threats, system vulnerabilities, existing security controls, asset exposure, and incident impacts into a unified view of the network. By employing a tensor-based loss model, the assessment quantifies potential losses over the budgeting horizon and captures how attacks can cascade through systems, which reveals interconnected pathways and hidden failure modes that conventional, siloed methods often miss.
The second pillar focuses on capital management optimization. Instead of treating investment, insurance, and reserves as separate decisions, the framework brings them together in a single optimization model that targets the overall financial impact. It incorporates opportunity costs, budget constraints, and risk preferences, and uses a weighted objective with Pareto-efficient trade-offs to identify configurations that minimize total expected impact. This formalization moves beyond rule-of-thumb budgeting to an economically grounded allocation strategy.
Empirical analysis of historical cyber incident data supports several practical insights. In the absence of budget constraints, a diversified strategy that combines investment, insurance, and reserves tends to minimize financial impact. Under tighter budgets, however, direct costs may fall while the overall exposure rises, especially when reserves are insufficient to absorb adverse outcomes. The optimal mix is sensitive to the price landscape and organizational posture: the cost of security solutions and insurance premiums, the firm's opportunity costs, and managerial preferences can materially shift the recommended allocation.
The authors also highlight notable differences across firm sizes. Smaller organizations, facing stricter budget limitations, are more likely to rely on reserves, whereas larger firms more often adopt diversified strategies that balance risk reduction, transfer, and retention. Crucially, the authors emphasize the importance of active network scanning as part of risk assessment; without it, companies may underestimate potential attack paths and residual risk.
The study is the first to integrate structural information about network systems with actuarial cyber risk modeling for capital allocation. It offers a decision-making blueprint that respects both the economic and technological realities of modern organizations, proving that an optimal cyber budget is not a guessing game but a calculable strategy. For corporate leaders, insurers, and regulators, the message is clear: by integrating structural network intelligence with formal capital optimization, we can move from reactive, siloed spending to proactive, resilient financial defense.
The question is no longer simply, "Is your cyber budget wrong?" but rather, "Are you ready to use the right framework to fix it?"
Source: Department of Finance, School of Economics and Management, Tsinghua University
Editor: Ren Zhongxi