Digitization increases business opportunities and the risk of companies being victims of devastating cyberattacks. Therefore, managing risk exposure and cybersecurity strategies is essential for digitized companies that want to survive in competitive markets. However, understanding company-specific risks and quantifying their associated costs is not trivial. Current approaches fail to provide individualized and quantitative monetary estimations of cybersecurity impacts. Due to limited resources and technical expertise, SMEs and even large companies are affected and struggle to quantify their cyberattack exposure. Therefore, novel approaches must be placed to support the understanding of the financial loss due to cyberattacks. This article introduces the Real Cyber Value at Risk (RCVaR), an economical approach for estimating cybersecurity costs using real-world information from public cybersecurity reports. RCVaR identifies the most significant cyber risk factors from various sources and combines their quantitative results to estimate specific cyberattacks costs for companies. Furthermore, RCVaR extends current methods to achieve cost and risk estimations based on historical real-world data instead of only probability-based simulations. The evaluation of the approach on unseen data shows the accuracy and efficiency of the RCVaR in predicting and managing cyber risks. Thus, it shows that the RCVaR is a valuable addition to cybersecurity planning and risk management processes.

翻译：数字化在拓展商业机遇的同时，也使企业面临遭受毁灭性网络攻击的风险。因此，对于希望在竞争激烈的市场中生存的数字化企业而言，管理风险敞口和制定网络安全策略至关重要。然而，理解企业特定风险并量化其相关成本并非易事。当前方法无法提供针对网络安全影响的个性化、定量化货币估算。由于资源有限及技术专长不足，中小型企业乃至大型企业都深受影响，难以量化其网络攻击风险敞口。因此，必须采用新方法支持理解网络攻击造成的财务损失。本文介绍了真实网络风险价值（RCVaR）方法，这是一种利用公开网络安全报告中的真实世界信息来估算网络安全成本的经济学方法。RCVaR从多种来源识别最显著的网络风险因素，并整合其量化结果以估算企业特定网络攻击成本。此外，RCVaR扩展了现有方法，基于历史真实数据（而非仅基于概率模拟）实现成本与风险估算。该方法在未见数据上的评估显示了RCVaR在预测和管理网络风险方面的准确性与有效性。因此，研究表明RCVaR是网络安全规划与风险管理流程的有力补充。