The Mispriced Risk Score: A Quantitative Framework for Cyber Insurance Pricing
A methodology for identifying misaligned cyber premiums using behavioral data
After Action | Version 1.0 | April 2026
Executive Summary
Cyber insurance carriers price policies on self-reported questionnaires. Policyholders answer "yes" or "no" to control questions, often by rote, often incorrectly. The result is a book of business where some clients are dramatically underpriced (low premium, high exposure) and others are overpriced (paying too much given their actual readiness).
The After Action Mispriced Risk Score is a proprietary six-factor composite that quantifies this gap. Positive scores mean a client is underpriced relative to their actual exposure — carriers should raise premium or tighten coverage. Negative scores mean the client is overpriced — they deserve a discount, and failing to offer one creates renewal risk.
This whitepaper documents the full methodology, including every factor, every weight, every assumption. Every assumption is explicitly labeled [ASSUMPTION] in the production engine output so auditors and reinsurers can verify the math.
1. The Pricing Problem
1.1 Questionnaires are broken
The industry-standard cyber insurance application asks questions like:
- "Do you have a documented incident response plan?"
- "Do you conduct regular security awareness training?"
- "Do you have multi-factor authentication on all privileged accounts?"
These questions are directionally useful but operationally meaningless. A company can truthfully answer "yes" to every question and still lose $4M to a ransomware attack the following week. The questionnaire measures whether the policyholder has written down their intent, not whether they can execute under pressure.
1.2 Claims experience is a trailing indicator
Carriers calibrate pricing off historical loss data. This means:
- The pricing lags the threat. New attack techniques arrive faster than claims data accumulates.
- The pricing is silo'd. What one carrier learns from a claim rarely benefits the industry.
- The pricing averages out. A strong-posture client in the same industry as a weak-posture client pays similar premiums because the carrier can't distinguish them.
1.3 What carriers actually need
Carriers need a behavioral score — a number that predicts whether a client will successfully contain a cyber event, regardless of whether they checked the right boxes on an application.
That's what the Mispriced Risk Score provides.
2. The Six Factors
The Mispriced Risk Score is computed from six sub-scores, each 0–100.
Factor 1 — Exposure
What it measures: How attractive this client is to attackers, and how much damage an attack would cause.
Inputs:
- Industry criticality tier (healthcare highest, hospitality lowest)
- Employee count (scale effects on attack surface)
- Digital dependency (low / moderate / high / critical)
- Data sensitivity flags (PII, PHI, financial)
- Cloud infrastructure and remote workforce flags
Formula:
exposure = industry_base × digital_dependency_mult × size_mult
+ data_and_infrastructure_bonuses
capped at 0-100
digital_dependency_mult: low 1.0 | moderate 1.2 | high 1.5 | critical 1.8
size_mult (stepped): ≤10 staff 0.6 → ≤1,000 staff 1.0 → >10,000 staff 1.4
bonuses: PHI +10 | PII +8 | financial data +8
cloud infrastructure +5 | remote workforce +3
Industry criticality tiers [ASSUMPTION] (ordering informed by IBM Cost of a Data Breach per-industry cost rankings; the point values themselves are our modeling scale, not figures from the report):
| Industry | Base |
|---|---|
| Healthcare | 36 |
| Financial Services | 34 |
| Pharmaceuticals | 32 |
| Energy | 30 |
| Technology | 28 |
| Government | 26 |
| Water Utilities | 28 |
| Manufacturing | 24 |
| Default | 24 |
Factor 2 — Preparedness
What it measures: The client's ability to respond effectively to an incident.
Inputs:
- Boolean controls: CISO, IR team, IR plan, security training, BCDR plan, cyber insurance, SOC 2 certification
- Readiness score from completed exercises (if available)
- Time decay on the readiness score
Formula:
signal_points =
has_ciso * 20
+ has_soc2 * 12
+ has_ir_team * 8
+ has_ir_plan * 6
+ has_security_training * 5
+ has_bcdr_plan * 4
+ has_cyber_insurance * 3
if readiness_score is present:
preparedness = readiness_score × time_decay × (1 + signal_points / 200)
else:
preparedness = 15 + signal_points × 1.2
capped at 0-100
When a readiness score exists it is the base of preparedness — exercise-derived evidence outweighs control-checkbox claims — and the control stack provides at most a +29% boost on top. Without a score, preparedness is built from the control signals alone on a deliberately lower ceiling (~85), because self-attested controls are weaker evidence than observed performance.
Time decay [ASSUMPTION]: Readiness scores lose weight stepwise with age:
score age < 30 days: decay = 1.00 (fresh)
score age < 90 days: decay = 0.95 (aging)
score age < 180 days: decay = 0.85 (stale)
score age ≥ 180 days: decay = 0.70 (expired)
scored date unknown: decay = 0.85
The floor is 70% — even an old score retains predictive value, but not full weight. This encourages clients to re-exercise regularly and penalizes underwriting on stale data.
Factor 3 — Third-Party Risk
What it measures: How much exposure the client has through their vendor supply chain.
Inputs:
- Total vendor count
- Vendors with sensitive access
- Top-3 vendor data share %
Formula:
cumulative_breach_prob = 1 - (1 - 0.02)^sensitive_vendor_count
third_party_risk = min(80, cumulative_breach_prob × 150)
+ concentration_penalty
concentration_penalty = 20 if top3_share_pct > 50 else 0
capped at 0-100
Why cumulative probability: Each vendor with sensitive data access is modeled as an
independent annual breach chance of 2% [ASSUMPTION — modeling value, not a cited statistic].
The compounding term means risk grows quickly with the first dozen sensitive-access vendors and
saturates beyond that — which matches the intuition that the marginal 40th vendor adds less new
exposure than the 4th. Concentration is a binary penalty: if your top-3 vendors hold more than
half your sensitive data, a single vendor compromise is an enterprise event.
Factor 4 — Breach Environment
What it measures: Industry-level threat pressure at this moment in time.
Inputs:
- Industry sector rate (breaches per year per 10K employees)
- Ransomware pressure (industry-specific targeting trend)
- Regulatory scrutiny (compliance + enforcement environment)
Formula:
breach_environment = sector_rate + ransomware_pressure + regulatory_scrutiny
capped at 100
Note [ASSUMPTION]: These values are fixed modeling constants documented in
src/lib/mispriced-risk.ts. They are reviewed and revised manually with engine releases — they
are not auto-updated from threat intelligence feeds.
Factor 5 — Actual Risk (composite)
What it measures: The weighted combination of exposure, third-party risk, and breach environment.
Formula:
actual_risk =
exposure * 0.30
+ third_party_risk * 0.40
+ breach_environment * 0.30
capped at 100
Why 40% third-party weight [ASSUMPTION — editorial judgment]: Supply-chain compromise is
the vector a client can least directly control and the one underwriters most often under-price.
Intrinsic exposure and sector threat environment split the remaining 60% evenly. These weights
are our modeling judgment, stated here so they can be challenged — not a fit to a published
dataset.
Factor 6 — Mispriced Risk (the headline number)
What it measures: The gap between what a client actually needs to defend against and what they're actually prepared for.
Formula:
mispriced_risk = clamp(actual_risk - preparedness × 0.60, 0, 100)
Why the 0.60 multiplier on preparedness: Even a perfectly-prepared organization retains residual risk — zero-days, nation-state actors, and novel vectors cannot be fully neutralized through controls. Capping preparedness' offsetting power at 60% reflects this. The result is clamped to 0–100: the score never goes negative.
Score interpretation
| Mispriced Risk | Label | Carrier Action |
|---|---|---|
| 70–100 | Critical | Immediate underwriter review; consider non-renewal |
| 50–69 | High | Re-rate at renewal; require a remediation plan |
| 30–49 | Moderate | Flag for underwriter review |
| 10–29 | Low | Current pricing approximately correct |
| 0–9 | Well-Covered | Discount candidate; potential case study |
Carrier actions are suggested postures, not pricing advice — specific premium moves are the carrier's underwriting decision.
3. The Readiness Score Integration
The preparedness factor accepts an optional readiness_score input from the After Action Readiness Scoring engine. When present:
- It becomes the base of the preparedness score (score × time decay), with the control stack adding at most a +29% boost
- It decays stepwise with age (95% under 90 days, 85% under 180, floor 70%)
- It replaces the control-stack question "do you conduct exercises?"
This creates a virtuous loop: clients who exercise regularly on the platform get higher preparedness scores, which lower their mispriced risk, which lowers their insurance premiums. The platform directly monetizes the behavior change carriers want to incentivize.
4. Data Source: Field Intakes
The Mispriced Risk engine runs on data collected through the After Action field intake network. Field reps conduct in-person 3-minute assessments with prospects and clients, capture signed consent, and submit the data to the platform where it's aggregated and offered to carrier partners as a structured dataset.
Every row in the carrier export has:
- A unique
id(UUID, not the subject organization's real name unless non-anonymized export is used) - Signed consent metadata
- All 28 fields needed to compute mispriced risk
- A timestamp for the data's age
- Industry normalized to a standard taxonomy
Carriers can pull the dataset via CSV export, JSON API, or delta feeds filtered by industry and date range.
5. Defensibility & Audit
5.1 Every assumption is labeled
The production engine output includes an [ASSUMPTION] tag on every non-obvious modeling choice:
[ASSUMPTION] Industry criticality bases calibrated against IBM Cost of Data Breach 2024
[ASSUMPTION] Vendor volume penalty uses log2 scaling to model diminishing marginal risk
[ASSUMPTION] Readiness time decay floors at 50% after 360 days
This allows carriers, reinsurers, auditors, and regulators to follow the math and challenge specific values if needed.
5.2 Deterministic, reproducible scoring
The engine is a pure function. Same input produces same output, every time. There is no LLM, no random sampling, no stateful data store in the scoring path. This is a non-negotiable requirement for regulated pricing use.
5.3 Version-controlled methodology
The engine source code is versioned in git. Every change to a weight or constant is a commit with a changelog entry. Carriers can pin to a specific version for contractual stability.
6. Comparison to Alternative Approaches
| Approach | Strengths | Weaknesses |
|---|---|---|
| Self-report questionnaire | Fast, cheap, standardized | Measures intent, not execution. Gaming is easy. |
| Cyber credit scores (e.g. BitSight) | Continuous monitoring, scalable | Surface-level scanning, no behavioral data, miss internal controls |
| Penetration test reports | Deep technical depth | Expensive, point-in-time, narrow scope, not comparable across clients |
| After Action Mispriced Risk | Behavioral, consented, standardized, audit-ready, versioned | Requires field intake network or client portal engagement |
The Mispriced Risk Score is designed to complement, not replace, other signals. A carrier with BitSight + Mispriced Risk has both surface scanning and behavioral data — an improvement over either alone.
7. Productization
7.1 For carriers
Carriers integrate the Mispriced Risk Score via:
- CSV/JSON exports — bulk pull of all aggregated intakes for offline analysis
- REST API — real-time lookup of a specific organization's score
- Delta feeds — nightly deltas filtered by industry or date
Pricing is per-row or subscription-based depending on volume.
7.2 For MGAs and underwriters
Managing General Agents can white-label the score as part of their own underwriting workbench. The After Action platform provides the computation, the MGA brands and delivers it.
7.3 For ratings agencies
The scoring methodology is licensable for use in cyber insurance ratings reports. A.M. Best, Moody's, and Fitch have all published cyber rating methodologies — the Mispriced Risk Score can serve as an input to those frameworks.
8. Licensing and Contact
The methodology is disclosed for transparency. The implementation is proprietary. Commercial licensing available via licensing@afteraction.dev.
For carrier partnerships and dataset access: partnerships@afteraction.dev.
© 2026 After Action. Methodology disclosed for transparency. Implementation is proprietary trade secret. Contact partnerships@afteraction.dev for commercial terms.