Skip to main content

Department of Computer Science Publishes AXIS Insurance-Sponsored White Paper on Supplementary Cyberrisk Quantification Approach


The Department of Computer Science and AXIS Insurance, a business segment of AXIS Capital Holdings Limited (NYSE:AXS), today announced the publication of a white paper titled 'Calculating residual cyberrisk' which explores alternative methods of quantifying cyberrisk. With the publication of this study, Oxford and AXIS invest in the advancement of cyberrisk modeling across cyberthreats to better anticipate, prepare and improve overall cyber resilience.

The research was conducted by Professor Sadie Creese and Professor Michael Goldsmith and sponsored by AXIS. The full white paper, which identifies a preliminary Cyber Value-at-Risk (CVaR) model and articulates key insights from the Department’s preliminary research, can be found here . 

Sadie Creese said, 'All organisations face cyberthreats today, and the proposed CVaR helps estimate cyberrisk and allocate resources toward optimal control configuration. The proposed CVaR model is an analytical milestone in research on the quantification of cyberrisk, and we are very pleased to present our early insights today.' 

The Department’s research proposes the CVaR model, an evolution of the traditional Value at Risk ('VaR') methodology which takes into account potential losses, probability of losses, and timeframe.

The CVaR model augments existing analytical solutions by:

  • Articulating cyberrisk in financial terms, supporting commercial decision making, and helping create balance between protecting an organization and operating a business;


  • Generating data that allows businesses to make decisions about their risk appetite, cybersecurity investments, and other risk mitigation and transfer strategies more confidently;


  • Predicting the potential losses arising from cyberattacks and illustrating the pros and cons of control-mitigation strategies and configurations; and


  • Identifying and quantifying residual risk, helping calculate insurance limits and coverages.


The proposed CVaR model builds upon VaR with three additional variables: control effectiveness, control dependencies and harm propagation. The Department has created an algorithm for calculating CVaR for an organisation.

Dan Trueman, Global Head of Cyber and Technology at AXIS, added, 'Our team at AXIS is proud to continue our longstanding partnership and support of Oxford’s Department of Computer Science in publishing critical research to help improve understanding of cyberrisk quantification and mitigation. Through this partnership and the efforts we are leading through the AXIS Cyber Center of Excellence, we are committed to helping combat the significant threats posed by cyberrisk.'

Launched in 2018, the AXIS Cyber Center of Excellence offers protection and mitigation solutions to counter global cyberthreats and attacks through education and awareness training. For more information, please click here .

For more information about AXIS Capital, visit