Risk Management in Environment, Production and Economy
The term "risk" is very often associated with negative meanings. However, in most cases, many opportunities can present themselves to deal with the events and to develop new solutions which can convert a possible danger to an unforeseen, positive event. This book is a structured collection of papers dealing with the subject and stressing the importance of a relevant issue such as risk management. The aim is to present the problem in various fields of application of risk management theories, highlighting the approaches which can be found in literature.
High-dimensional and causal inference
High-dimensional and causal inference are topics at the forefront of statistical research. This thesis is a unified treatment of three contributions to these literatures. The first two contributions are to the theoretical statistical literature; the third puts the techniques of causal inference into practice in policy evaluation.
In Chapter 2, we suggest that a broadly applicable remedy for the failure of Efron’s bootstrap in high dimensions is to modify the bootstrap so that data vectors are broken into blocks and the blocks are resampled independently of one another. Cross-validation can be used effectively to choose the optimal block length. We show both theoretically and in numerical studies that this method restores consistency and has superior predictive performance when used in combination with Breiman’s bagging procedure. This chapter is joint work with Peter Hall and Hugh Miller.
In Chapter 3, we investigate regression adjustment for the modified outcome (RAMO). An equivalent procedure is given in Rubin and van der Laan [2007] and then in Luedtke and van der Laan [2016]; philosophically similar ideas appear to originate in Miller [1976]. We establish new guarantees when the procedure is applied in designed experiments (where the propensity score is known a priori) and confirm that the procedure is doubly robust. RAMO can be implemented in only a few lines of code and it can be immediately combined with existing regression models, including random forests and deep neural networks, used in classical prediction problems. This chapter is joint work with Bin Yu and Jasjeet Sekhon.
In Chapter 4, we investigate the specific deterrent effect of traffic citations. In Queensland, Australia many speeding and red-light running offenses are detected by traffic cameras and drivers are notified of the citation, not at the time they commit the offense, but when the citation notice is delivered by mail about two weeks later. We use a regression discontinuity design to assess whether the chance of crashing or recidivism changes at the moment of notification. We analyzed a population of nearly 3 million drivers who committed camera-detected offenses. We conclude that there is not a significant change in the incidence of crashes but there is a marked decrease in recidivism of about 25%. This chapter is joint work with David Studdert and Jeremy Goldhaber-Fiebert.
Real Cyber Value at Risk: An Approach to Estimate Economic Impacts of Cyberattacks on Businesses
To compete in today’s digitized economy, companies rely on computer programs to manage processes efficiently and bring their services directly to customers. However, these tools increase not only business opportunities but also the risk of falling victim to cyber attacks. Consulting firms and academic literature provide several approaches to manage this risk exposure. Nonetheless, most solutions fail to provide individualized, quantitative attack cost estimates based on real-world empirical data. Especially Small and Middle-Sized Enterprises (SME) struggle to quantify their attack exposure due to limited resources and a lack of IT knowledge. This thesis addresses this gap in the current literature by proposing the novel Real Cyber Value at Risk (RCVaR) framework. Consisting of three components, the RCVaR provides a monetary, annualized cost and risk prediction for an individual firm, thus addressing the issue of individual risk perception and allowing cross-domain risk comparisons. Evaluating the cost predictions on previously “unseen” data from real-world incidents shows that the RCVaR achieves an Absolute Percentage Error (APE) of 2%. The evaluation further proves that the model reflects quantitative real-world attack cost behavior. To portray the risk component of the RCVaR, the newly proposed Cyber Value at Risk (CVaR) is integrated into the model. In contrast to previous research, the CVaR is not computed with Monte Carlo simulations but on the basis of actual historical quantitative data. Both cost and risk predictions are tailored towards SMEs and are easily accessible over a web application. The last contribution of this thesis is a Federated Learning (FL) methodology to address the prevalent lack of real-world cost incident data in cyber security economics. Comparing the performance of different FL models against traditional centralized networks suggests that the process can successfully learn cost prediction functions. Consequently, Federated Learning presents a viable solution to the data scarcity issue. In conclusion, the Real Cyber Value at Risk provides a novel and cost-effective approach to obtain quantitative cost and risk measures that integrate seamlessly into the company’s overall budget planning process.
Incident-Specific Cyber Insurance
In the current market practice, many cyber insurance products offer a
coverage bundle for losses arising from various types of incidents, such as
data breaches and ransomware attacks, and the coverage for each incident type
comes with a separate limit and deductible. Although this gives prospective
cyber insurance buyers more flexibility in customizing the coverage and better
manages the risk exposures of sellers, it complicates the decision-making
process in determining the optimal amount of risks to retain and transfer for
both parties. This paper aims to build an economic foundation for these
incident-specific cyber insurance products with a focus on how
incident-specific indemnities should be designed for achieving Pareto
optimality for both the insurance seller and buyer. Real data on cyber
incidents is used to illustrate the feasibility of this approach. Several
implementation improvement methods for practicality are also discussed.
Risk Management
Every business and decision involves a certain amount of risk. Risk might cause a loss to a company. This does not mean, however, that businesses cannot take risks, as disengagement and risk aversion may result in missed business opportunities, which will lead to slower growth and reduced prosperity of a company. In today's increasingly complex and diverse environment, it is crucial to find the right balance between risk aversion and risk taking. To do this it is essential to understand the complex, out of the whole range of economic, technical, operational, environmental and social risks associated with the company's activities. However, risk management is about much more than merely avoiding or successfully deriving benefit from opportunities. Risk management is the identification, assessment, and prioritization of risks. Lastly, risk management helps a company to handle the risks associated with a rapidly changing business environment.
Analyzing Granger causality in climate data with time series classification methods
Attribution studies in climate science aim for scientifically ascertaining the influence of climatic variations on natural or anthropogenic factors. Many of those studies adopt the concept of Granger causality to infer statistical cause-effect relationships, while utilizing traditional autoregressive models. In this article, we investigate the potential of state-of-the-art time series classification techniques to enhance causal inference in climate science. We conduct a comparative experimental study of different types of algorithms on a large test suite that comprises a unique collection of datasets from the area of climate-vegetation dynamics. The results indicate that specialized time series classification methods are able to improve existing inference procedures. Substantial differences are observed among the methods that were tested.
Security Aspects in Modern Web Applications
Technologies behind the World Wide Web were created initially to ease sharing of static data in form of web pages. Popularity of the Web grew rapidly and led to adoption of web browser as a universal client for application delivery. Though initially inferior to desktop applications, these applications have caught up with their desktop counterparts in features and usability.
These applications, called web applications, use multiple web technologies such as JavaScript and CSS and this multiplicity of web technologies combined with multiplicity of web browsers creates a unique brew of issues not found on the desktop. One of these issues is how data sent and used by the applications' users is protected.
In this thesis, security in one mature web application is described and assessed. Such an assessment requires knowledge of information security aspects both in the broader sense concerning all information systems and in the sense of aspects specific to web applications.
Therefore, first introduced are the fundamental concepts of information security, building blocks for all the other sections. The fundamentals are followed by discussion of access control and security aspects in applications. The background part is concluded by discussion of web applications in general and of security questions specific to them.
The latter part explores and applies these theories and methods in a case study of a mature web application. The case study first describes, then evaluates the subject and its security and concludes with discussion of some of the found vulnerabilities and solutions to them.
Although there were some problems in application of security assessment methods, assessment results provided valuable information on the application's weaknesses and improvement proposals. Implementation of the proposals both improved current security and also gave assurance of fewer weaknesses in the future.