Oxford University
research project

Cyber value at risk
(CVaR) quantification

The project began with looking at the quantification of cyberrisk using the Value at Risk (VaR) methodology. With its roots in the financial services industry, the model used just three variables to quantify risk potential losses, probability of those losses and the associated time frames to quantify financial risk. However, Oxford proposed a new take on the model — one that looked beyond these three key measures to other variables such as control effectiveness, control dependencies and threat propagation. By expanding the number of variables, the new model would give a clearer understanding of the residual risk of businesses and help predict the losses arising from cyber incidents.


Following consultations with industry stakeholders, Oxford proved that the proposed approach was worth pursuing. So university researchers built a draft model and developed the tool for calculating CVaR.

The model was tested by applying it to anonymized real-life claims examples to see how it performed.

AXIS also ran an event with IBM where several enterprise networks were created and penetration testers attacked the networks, providing data to test and validate the model’s ability to predict losses, measure control effectiveness and illustrate harm propagation.

Download report

Next steps

The research team will develop the predictive capabilities of the model, test the impact and effectiveness of cyber hygiene activities, and determine how the application of threat intelligence data can improve our understanding of harm propagation in the face of different risk controls.

We will also explore the application of the model in supply chain risk and the calculation of aggregated risk.

Our findings will be published in White Papers towards the end of 2020.

If you would like more information or to get involved, please contact

[email protected]

World Economic Forum (WEF)

Future series: Cybercrime 2025

AXIS is sponsoring the University of Oxford – Oxford Martin School, to partner with The World Economic Forum on a joint report - Future Series: Cybercrime 2025. The project is being run by Professor Sadie Creese of the Department of Computer Science and Global Cyber Security Capacity Centre.

The Challenge

The Forum’s Global Risks Report 2019 has ranked financially motivated cyber attacks among the top five global risks in the world today. Recognizing that the world is challenged by the unprecedented technological change driven by the Fourth Industrial Revolution, the Future Series: Cyber 2025 report was launched at the WEF’s Annual Cybersecurity Meeting in 2019 to answer a single question, will our individual and collective approach to managing cyber risks be sustainable in the face of the major technology trends taking place in the near future?


Workshops are being run with global participants to identify the key systemic risks and cybersecurity challenges that will result in the security ecosystem from these emerging technologies. Based on this work, key recommendations for enterprise and policy leadership will be proposed to help identify and build potential mitigation strategies. The final report will be presented at the WEF’s Annual Cybersecurity Meeting held in Geneva in November 2020. It is envisaged that the output of the final report will support key cybersecurity messaging at the Forum`s Annual Meeting at Davos.

For more information or to get involved, contact [email protected]

Lloyd’s Register Foundation (LRF)

AXIS is supporting the University of Oxford and the Lloyd’s Register Foundation with their Foresight Review into Operational Cybersecurity Technology for the Internet of Things (


The LRF and University of Oxford are running workshops for experts involved in managing risk for connected systems, IoT manufacturers and those developing cyber security solutions. These sessions are intended to help develop recommendations for achieving operational cyber security for industrial IoT. The ultimate report is part of the Lloyd’s Register Foundation Foresight Review series, and is designed to provide a plain-English overview of emerging risks to help Boards, policy-makers and other stakeholders make decisions about emerging technology.

Workshops have been run in Singapore, Oxford and New York. They are chaired by Sadie Creese, Professor of Cyber Security at the University of Oxford; Robert Hannigan, director of GCHQ until 2017.

If you would like more information or to get involved, contact [email protected]