METHODS FOR THE IDENTIFICATION OF CYBER RISKS: AN ANALYSIS BASED ON PATENT DATA

The problem of fast-rising cyber-risks become very important in the era of the Fourth Industrial Revolution. Cyberrisks cause not only high losses but also break the chain of economic relations between companies and their customers. Besides, cyber risks change their form and structure rapidly, so the tools of risk management must be adequate. That is why the problem of cyber-risk identification and assessment has gotten attention and become so actual. The purpose of this study is to outline new approaches to identifying and estimating cyber-risks based on the dates of the World International Property Organization (WIPO). In order to conduct our study, we will use various tools and techniques such as: citation analysis, cluster analysis, and visualization. We have analyzed the patent information from the groups of “Electric digital data processing”, “Transmission of digital information” and data processing systems or methods, specially adapted for financial purposes. In our findings, we analyze the technical and economic significance of patents. Our work has led us to conclude that the number of methods of cyber risk identification that were the objects of applications granted by WIPO has a strong connection with the number of cyber-attacks from 2010 to 2017. That is why the innovative methods that were granted have a wide spectrum of influence and could be used in different stages of risk management. We selected patents that based on cyber risk identification and assessment from the data of WIPO and divided these patents into clusters. This helps us in understanding the trends and characters of innovative activities directed to successful management of cyber risks. JEL Classification Numbers: O31, G32; DOI: http://dx.doi.org/10.12955/cbup.v6.1163


Introduction
Over the past decades, the development of the Internet has revolutionized the ways of communication, which became a major factor in worldwide economic growth and a powerful tool for ensuring the Fourth Industrial Revolution. On the one hand, it has made it possible for enterprises and private individuals around the world to benefit from the efficiency, speed and convenience of digital transactions and the exchange of information, but, on the other hand, it has increased the likelihood of financial losses, data leakage and reputational losses due to cybercrime. The cyber-threat problem has been officially recognized worldwide as one of the five key threats to humanity since 2012. So, in the 2012 Global Economic Forum report cyber-attacks ranked fourth on the scale of threats (2017, p. 4). Furthermore, in a next report of the Global Economic Forum in 2017, a new type of cyber-threat was mentioned -data theft and fraud (2017, p. 4). The annual increase in the number of cyber-attacks and financial losses from these attacks increases the focus on methods for identifying cyber-risk in order to assess the probability of financial losses. It is worth noting that the methodology used by enterprises, including IT companies, is rather confidential. This is due to the fact that hackers can immediately improve their criminal techniques on the basis of such information. Therefore, the industry that's engaged in the development of innovative solutions for assessing cyber-risk is in constant development.

Literature review
In modern economic literature many scientific works are devoted to the issue of evaluating cyber-risk. The amount of scientific research has increased 3 fold from 2010 to 2017, according to data from Google academy 3 . But most papers focus on the core of cyber-risk or cyber-threats from the cyber security point of view. In recent years, the worldwide economic opinion on the issue of cyber-risk has been considered in various ways: -as systematic risks in the activities of financial institutions and in financial markets by Kopp et al. (2017); -as a component of operational risks of companies by Gereth et al. (2017) and Cebula et al. (2010); -as the probability of occurrence of events in the field of information assets, computer and communication resources by the Committee on Payments and Market Infrastructures and International Organization of Securities Commissions (2016); -as probable crimes committed through the Internet by Federal Bureau of Investigation (2016). One of the most complete theoretical studies is the work of M. Eling (2017), in which 209 literary positions on the subject of cyber-risk are reviewed. In this case, the author identified 7 areas of study of cyber-risks.
There are few studies that analyze the methods of identifying and assessing financial losses from the implementation of cyber-risks in business. One of the reasons for the existence of such a deficit is the interdisciplinary spectrum of the subject of research: the financial evaluation of the effects of cyberattacks, which combines both the informational and financial spheres. The second reason is the lack of clear boundaries of exposure and the spread of the effects of cyber-risk. The place of the appearance or creation of cyber risk can not coincide geographically with the place of its influence and realization This kind of international character in displaying cyber-risk requires an in-depth study of how the business environments in different countries function. Important roles in the study of cyber risk assessment play consulting, insurance companies and information and software companies (eg, AON, Pricewaterhausecopers, Deloitte, Earnst and Young, Society of Actuaries, International Association, Allianz). With cyber risks and its adverse financial consequences increasing, more attention is paid to this threat from both public and commercial institutions (eg, Federal Bureau of Investigation, the Bank for International Settlements). Table 1 summarizes key English-language studies on cyber risk assessment. Calculated the expected loss due to cyberattacks using collective risk modeling. Classifies the losses due to each of these attacks into four classes using a 2 × 2 matrix based on the probability and severity of attacks Source: Author Cybercrime is divided into two groups: cyber-dependent crime and cyber-enabled crime. Cyberdependent crime refers to crimes committed only with the use of information and communication technology devices, which are both a tool and a purpose of the crime (for example, the development and distribution of malicious software for financial gain, hacking to steal, damaging or destroying data and / or network activity). Cyber-enabled crime is a traditional crime that can be magnified by using a computer, computer network, or other forms of information technology (for example, cyber-enabled fraud and data theft). It is worth noting that the concept of cyber-risk can be viewed in a narrow or a broad sense. In the narrow sense, cyber-risk is connected to operational threats to information and technology assets that adversely affect the privacy, availability and integrity of information or information systems. Broadly speaking, cyber-risk is a threat to interactive digital networks used to transmit, modify, and store information (cyber space). In our opinion, cyber risk is an operational risk that involves direct or indirect damage by economic agents as a result of their operation in cyberspace.

Data and Methodology
We used the data of the World International Property Organization to analyze innovative methods for identifying and assessing cyber-risks. This approach to using the number of patents as an indicator of innovation has already been substantiated in the scientific works of Hall, Jaffe, Trajtenberg (2005), Scherer (1965), Schmookler (1966), Griliches (1984), and Lerner (2002). But we must point out that some part of these methods is unknown because the inventors protect their inventions by not patenting them, or the inventions do not pass the qualification requirements of the patent office. To be granted, patents must be: novel, non-obvious, useful. Part I We identified 197 patents that involve different aspects of cyber risk assessment techniques. The main criterion for first selection was the keywords "cyber risk" in the abstract or title. So we got patents from the subclasses of: H04L - (111) In Part II, we explored the financial services patent quality for different types. The methodology is otherwise the same as the Part I methodology described above. We examined whether the patents from the class G06Q with more academic citations are more likely to be litigated. As mentioned by Hall, Jaffe and Trajtenberg (2005) patent citations enable: -the quantitative analysis along geographical, institutional dimensions.
the estimation of "importance" of individual patents (both technological and economic). Part II also includes the proposition of a cluster structure of the cyber risk assessment activity that is based on the patent dates.

Results and Discussion
The results of the analysis showed that most inventions relate to the technical aspect of cyber-risk ( Figure 1). Most patents show the technical aspect of the impact, realization and consequences of cyber threats. Some patents only partly relate to risk assessment, offering auxiliary tools for identifying, fixing and understanding cyber-threats (a likelihood of a cyber-threat, the real-time export of cyber-security risk information, the interface of information about cyber risk). Business processes that characterize the financial implications of risk implementation are hardly represented in the patents. This confirms the idea that the problem of underwriting cyber-risk is an obstacle to the development of insuring this risk. From the point of view of the probability theory, cyber risk is characterized by significant difficulties of underwriting since it has a very broad sphere of influence and consequences of implementation. In literature, this issue takes a separate niche, since the insurability of risk is the starting point for choosing the method of managing this risk. The main criteria for the insurability of cyber-risk are the ability to determine the maximum losses, average losses for one case, and losses from the "domino effect". The highest number of citations was noted for patents: the Cybercontinuous Learning Information Feedback (CCLIF): A quantified methodology system to assess the IT architecture and cyber operations risk -41; Probabilistic model for cyber risk forecasting -17; Critical / vulnerability / risk logic analysis methodology for business enterprise and cyber security -39; An online portal for improving cybersecurity risk scores -12. Based on the patent data, an analysis of their purpose and classification, we have created three clusters that characterize the system of cyber risk assessment (Figure 2). The clusters include the main structural elements that ensure the functioning of the cyber-risk management system. Key clusters include: network security architecture, programs or data against unauthorized activity, and organizational models of risk management. The first patents that included cyber risk assessment methods appeared in 2005. The proposed inventions were not directly aimed at risk assessment, but only partially reflected risk. In most patents, risk assessment is an element of the overall cyber risk management system. Therefore, for an analysis of the modern approaches to assessing cyber-risk, we based our analysis on an accessible description of the patents. We underlined several methods of cyber risk assessment, which was possible to eliminate: -Cyber risk assessments based on the Monte Carlo methods of estimating the costs for predicting losses and systemic risk. Outputs of the wide variety of simulations that include mitigating actions representing the threat mitigation measures of the organization, for a given moment or period of time, determine a measure of impact of cyber risks to the organization (World Intellectual Property Organization, 2017); -Cyber risk assessments based on the cyber-attack risk index ("defining a set of cyber risk issues and the value of the degree of risk a corporate entity suffers from the corporate risk issues, an impact score of the corporate risk issue, weighted score from the risk value and the impact score"). This approach enables real-time cyber security risk assessment (World Intellectual Property Organization, 2017a); -Cyber risk assessments based on a calculated threat intensity and a potential impact on an enterprise or organization. the threat intensity may be calculated based on a subjective evaluation by a cyber threat analyst of one or more threat frequencies, threat likelihood, and threat capability associated with a cyber threat (World Intellectual Property Organization, 2018); -Cyber risk assessments determining the cyber-risk exposure level for the application based upon the security assessment result sample and a set of parameters; sorting a plurality of risk exposure levels according to an expected loss and a probability of the application being compromised; adjusting the risk exposure levels to account for interconnections and trust relationships between business critical applications, wherein determining the cyber-risk exposure level further comprises the probability of the application being compromised and the expected loss when the application has been compromised (World Intellectual Property Organization, 2016). Some methods of assessing cyber-risk are based on an analysis of user responses and on the basis of their conclusions (Systems and Methods for Cyber Security Risk Assessment, 2017) or simulating cyber-offender behavior based on real-time feedback from the target network (Synthetic Cyber-risk Model for vulnerability determination, 2016). In 2017, the Probabilistic Model for Cyber Risk Forecast Probabilistic Model for Cybersecurity was patented. This technique defines linear and nonlinear threats for network-dependent systems. In insurance, it is proposed to use an analysis based on data bases (Big

Conclusions
Patents are not only a method of protecting intellectual property, but also an important source of information for assessing the dynamics of the development of various economic phenomena. We tried to analyze the development of methods for assessing cyber-risk because this is an actual problem. Particularly important is the full identification and assessment of possible negative consequences. The complexity of the solution of this issue is associated with the complex technical and economic nature of cyber-risk. As shown by a cluster analysis, the structure of patents for the period 2008-2017 can be distinguished in three main clusters: network security architecture, programs and date against unauthorized activity, and organizational models of risk management. A dynamic increase in the number of patents, which includes the description of methods for assessing cyber-risk, is due to the growth of the number and of the costs of cyber-attacks and cyber-incidents. The analysis of the cores of methods shows that the structure and mechanism of evaluation becomes more specialized. This is due to the improvement of the methods of cyber-attacks and the narrowing of their scope.
One of the obstacles to the distribution of innovative methods for assessing cyber-risk is the long time it takes to receive the "granted" status. On average, it's about three years. Given that cyber-threats quickly change their form and effect simultaneously with the introduction of cyber-security, the proposed methods may lose their relevance on the market. References