Quantitative-Automated Risk Consulting in the Cyber Space

State: Open
Published: 2024-06-03

This thesis is at the intersection of Quantitative Risk Management and Cybersecurity. As the economy becomes more digitized, the threat of data leaks, business interruption and lawsuits due to cyber attacks increases and substantially threatens firms. Especially, Small and Middle-Sized Enterprises are vulnerable due to their lack of expertise in the cyber space. To mitigate this risk, companies purchase cyber insurance, which requires the insured party to pay a premium to the insurer. The insurer requires estimations about the potential cost structure, attack probabilities, and their impact to determine a premium that accurately reflects the company's risk.

This Master Thesis aims to explore and propose novel methods to estimate these attack probabilities and economic impacts by utilizing real-world data. More specifically, cyber attack news and market data must be processed to estimate cost distributions and improve the Real Cyber Value at Risk (RCVaR) model.


    • You will have the opportunity to work in the emerging field of cybersecurity, using quantitative methods to estimate the economic costs of cyber attacks;

    • This Master’s thesis uses data from a consulting firm that collaborates closely with UZH, allowing students to investigate and address real-world challenges by applying research methodology;

    • You will work at the intersection of Finance and Cybersecurity, which provides a multidisciplinary view of trending fields.

Every master’s student at the Institute of Informatics (IfI) is eligible to apply for these positions, though certain skills are advantageous:

    • Proficiency in data manipulation and analysis using Python, focusing on financial data. You are willing to learn about statistical analysis such as P-Value, Volatility and Skewness.

    • Knowledge of financial markets and cyberattack processes, along with an understanding of the consulting process. Familiarity with Value-at-Risk and Expected Shortfall concepts is beneficial.

    • Experience in software development and basic knowledge of computer networks/cybersecurity.

    • Some knowledge of deep learning is beneficial.

How to apply:

    • Send your CV and your transcript of records with the subjects from your Master’s program to the following email: fabian.kuenzler@uzh.ch. It is also possible to adapt this topic to a BA thesis’ in case of interest.


M. F. Franco, F. Künzler, J. von der Assen, C. Feng, and B. Stiller. Rcvar: An economic approach to estimate cyberattacks costs using data from industry reports. Computers & Security, 139, 103737, 2024. Elsevier.

A. Erola, I. Agrafotis, J. Nurse, L. Axon, M. Goldsmith, and S. Creese. A System to Calculate Cyber-Value-at-Risk. Computers & Security, 113:102545, 2021. Elsevier.

S. Tweneboah-Kodua, F. Atsu, and W. Buchanan. Impact of Cyberattacks on Stock Performance: A Comparative Study. Information & Computer Security, 26(5):637– 652, 2018. Emerald Publishing Limited.

M. F. Franco. CyberTEA: a Technical and Economic Approach for Cybersecurity Planning and Investment. PhD thesis, Communication Systems Group (CSG), University of Zurich, February 2023.

M. F. Franco, L. Z. Granville, B. Stiller: CyberTEA: a Technical and Economic Approach for Cybersecurity Planning and Investment; 36th IEEE/IFIP Network Operations and Management Symposium (NOMS 2023), Miami, USA, May 2023, pp. 1-6.

20% Design, 70% Implementation, 10% Documentation
Proficiency in data manipulation, Knowledge of financial markets and cyberattack processes, Experience in software development

Supervisors: Muriel Figueredo Franco

back to the main page