This paper provides the first large-scale, data-driven analysis evaluating the predictive power of different attributes for assessing the risk of cyberattack data breaches. Furthermore, motivated by the rapid increase in third-party-enabled cyberattacks, the paper provides the first quantitative empirical evidence that digital supply-chain attributes are significant predictors of enterprise cyber risk. The paper leverages outside-in cyber risk scores that aim to capture the quality of an enterprise's internal cybersecurity management, but augments these with supply-chain features inspired by observed third-party cyberattack scenarios as well as by concepts from network science research. The main quantitative result of the paper is that supply-chain network features add significant detection power to the prediction of enterprise cyber risk, relative to using enterprise-only attributes. Specifically, compared to a base model that relies only on internal enterprise features, the supply-chain network features improve the out-of-sample AUC by 2.3%. Given that each cyber data breach is a low-probability, high-impact risk event, these improvements in predictive power have significant value. Additionally, the model highlights several cybersecurity risk drivers related to third-party cyberattack and breach mechanisms and provides important insights into which interventions might be effective in mitigating these risks.