A cyber risk prediction model using common vulnerabilities and exposures

The cyber risk from malicious external attackers is a significant socio-economic problem. Cyber risk prediction is particularly difficult, given the constantly changing attack vectors. This study presents a model that automatically predicts cyber risks. The model is only based on common vulnerabilities and exposures (CVE) data and supervised prediction algorithms. This approach eliminates expert opinion bias in cyber risk prediction. Our supervised data-driven model, 𝐶𝑦𝑅𝑖𝑃 𝑟𝑒𝑑, CVE data into cyber risk groups by mapping the textual description field of the database into relevant Wikipedia article titles. Then 𝐶𝑦𝑅𝑖𝑃 𝑟𝑒𝑑 aggregates the occurrence and severity of extracted topics for the desired time unit and produces a time series fed to supervised regressors for prediction. The risks are calculated using predicted occurrence and impact. Finally, the cyber risks are ranked by their score, and the top ten risks are presented. The proposed model is evaluated, and the results are discussed.