Hi tutors, I would appreciate if you could please help me regarding the above mentioned question. Part iii asks about "Describe the information SSSIC would need to model cyber risk." With this command verb (when compared to the command verb taxonomy), says about "Express, fully and clearly, the details / facts of". As answer structure, I was thinking of: Process how to model - i.e., probability and severity making reference to any IT policy that the insurer has or any ERM documents such as risk register and risk reports. Then talking about frequency making use of GEV/GDP to quantify the probability and then talking about severity. Data sources (TRAINERS acronym) and any limitations (credibility vs reliability). This is how far i would have gone for 6 marks given the question talks about data to model cyber risk, but the solution mentions only types of event, data on previous cyber event and potential scale of losses only. Is there something I am missing here? Part viii asks about "Discuss an alternative approach SSSIC might use to model the risk of significant loss from cyber risk". With the command verb (when compared to the command verb taxonomy), says about " Write about in some detail, taking into account different issues or points of view". I was thinking of talking about EVT and discussing about fitting a GEV and GPD given the question talks about approach to model risk of such loss. However, the solution talks only about EVT and limitations about bulk of data. Is there something I am missing here? Thanks for your time.
Hi Darshan, Part (iii) asks you to describe data that would be needed. An answer to such a 'describe' instruction needs to refer to both generic and specific data requirements. Generically, as you say, data is needed on the past frequency and severity of such events. Specifically, the data needs to relate to cyber events such as denial of service etc , both at the company or at other companies in the industry. The question doesn't ask for a comprehensive identification of data sources - it just asks what data is needed - although the examiners' solution does mention these at a high level (e.g. reinsurers' data). You also mention that you would add in limitations of various data sources, but that isn't required for a 'describe' instruction. It would have been appropriate had the instruction been 'discuss'. The question doesn't ask what you would do with the data, so it isn't necessary to talk about how you would model, e.g. using an extreme value distribution. In the tutorials we noted that a 'discuss' instruction should be responded to with a 'multi-dimensional' answer. As examples, sometimes this involves taking different stakeholder views ('different points of view') , and sometimes it involves considering advantages and disadvantages ('different issues'). Here in part (viii) we are asked to discuss 'an' (singular) alternative, and a good discussion of EVT or scenario analysis would have scored [3]. The question is not asking for a description of how we would do EVT or scenario analysis - so describing how we might fit a GEV or GPD distribution isn't required. The examiners' solution with respect to EVT focuses on data issues, but I expect that marks would have been awarded for a discussion of any other issues particularly associated with the application of EVT, e.g. the subjectivity involved in the fitting process. OK? Best wishes David
Thanks so much David - makes sense. Appreciate the way you highlighted the contrast between "Describe" and "Discuss".
