Methodology Disclosure · Paper 01 of 4
By Scott Alford, Founder · After Action, LLCPublished Updated For Carriers · Underwriters · Ratings agencies

The Mispriced Risk Score: A Quantitative Framework for Cyber Insurance Pricing

A methodology for identifying misaligned cyber premiums using behavioral data

After Action | Version 1.0 | April 2026


Executive Summary

Cyber insurance carriers price policies on self-reported questionnaires. Policyholders answer "yes" or "no" to control questions, often by rote, often incorrectly. The result is a book of business where some clients are dramatically underpriced (low premium, high exposure) and others are overpriced (paying too much given their actual readiness).

The After Action Mispriced Risk Score is a proprietary six-factor composite that quantifies this gap. Positive scores mean a client is underpriced relative to their actual exposure — carriers should raise premium or tighten coverage. Negative scores mean the client is overpriced — they deserve a discount, and failing to offer one creates renewal risk.

This whitepaper documents the full methodology, including every factor, every weight, every assumption. Every assumption is explicitly labeled [ASSUMPTION] in the production engine output so auditors and reinsurers can verify the math.


1. The Pricing Problem

1.1 Questionnaires are broken

The industry-standard cyber insurance application asks questions like:

  • "Do you have a documented incident response plan?"
  • "Do you conduct regular security awareness training?"
  • "Do you have multi-factor authentication on all privileged accounts?"

These questions are directionally useful but operationally meaningless. A company can truthfully answer "yes" to every question and still lose $4M to a ransomware attack the following week. The questionnaire measures whether the policyholder has written down their intent, not whether they can execute under pressure.

1.2 Claims experience is a trailing indicator

Carriers calibrate pricing off historical loss data. This means:

  • The pricing lags the threat. New attack techniques arrive faster than claims data accumulates.
  • The pricing is silo'd. What one carrier learns from a claim rarely benefits the industry.
  • The pricing averages out. A strong-posture client in the same industry as a weak-posture client pays similar premiums because the carrier can't distinguish them.

1.3 What carriers actually need

Carriers need a behavioral score — a number that predicts whether a client will successfully contain a cyber event, regardless of whether they checked the right boxes on an application.

That's what the Mispriced Risk Score provides.


2. The Six Factors

The Mispriced Risk Score is computed from six sub-scores, each 0–100.

Factor 1 — Exposure

What it measures: How attractive this client is to attackers, and how much damage an attack would cause.

Inputs:

  • Industry criticality tier (healthcare highest, hospitality lowest)
  • Employee count (scale effects on attack surface)
  • Digital dependency (low / moderate / high / critical)
  • Data sensitivity flags (PII, PHI, financial)
  • Cloud infrastructure and remote workforce flags

Formula:

exposure = industry_base × digital_dependency_mult × size_mult
         + data_and_infrastructure_bonuses
capped at 0-100

digital_dependency_mult: low 1.0 | moderate 1.2 | high 1.5 | critical 1.8
size_mult (stepped):     ≤10 staff 0.6 → ≤1,000 staff 1.0 → >10,000 staff 1.4
bonuses:                 PHI +10 | PII +8 | financial data +8
                         cloud infrastructure +5 | remote workforce +3

Industry criticality tiers [ASSUMPTION] (ordering informed by IBM Cost of a Data Breach per-industry cost rankings; the point values themselves are our modeling scale, not figures from the report):

IndustryBase
Healthcare36
Financial Services34
Pharmaceuticals32
Energy30
Technology28
Government26
Water Utilities28
Manufacturing24
Default24

Factor 2 — Preparedness

What it measures: The client's ability to respond effectively to an incident.

Inputs:

  • Boolean controls: CISO, IR team, IR plan, security training, BCDR plan, cyber insurance, SOC 2 certification
  • Readiness score from completed exercises (if available)
  • Time decay on the readiness score

Formula:

signal_points =
    has_ciso              * 20
  + has_soc2              * 12
  + has_ir_team           * 8
  + has_ir_plan           * 6
  + has_security_training * 5
  + has_bcdr_plan         * 4
  + has_cyber_insurance   * 3

if readiness_score is present:
  preparedness = readiness_score × time_decay × (1 + signal_points / 200)
else:
  preparedness = 15 + signal_points × 1.2

capped at 0-100

When a readiness score exists it is the base of preparedness — exercise-derived evidence outweighs control-checkbox claims — and the control stack provides at most a +29% boost on top. Without a score, preparedness is built from the control signals alone on a deliberately lower ceiling (~85), because self-attested controls are weaker evidence than observed performance.

Time decay [ASSUMPTION]: Readiness scores lose weight stepwise with age:

score age < 30 days:   decay = 1.00  (fresh)
score age < 90 days:   decay = 0.95  (aging)
score age < 180 days:  decay = 0.85  (stale)
score age ≥ 180 days:  decay = 0.70  (expired)
scored date unknown:   decay = 0.85

The floor is 70% — even an old score retains predictive value, but not full weight. This encourages clients to re-exercise regularly and penalizes underwriting on stale data.

Factor 3 — Third-Party Risk

What it measures: How much exposure the client has through their vendor supply chain.

Inputs:

  • Total vendor count
  • Vendors with sensitive access
  • Top-3 vendor data share %

Formula:

cumulative_breach_prob = 1 - (1 - 0.02)^sensitive_vendor_count
third_party_risk = min(80, cumulative_breach_prob × 150)
                 + concentration_penalty
concentration_penalty = 20 if top3_share_pct > 50 else 0
capped at 0-100

Why cumulative probability: Each vendor with sensitive data access is modeled as an independent annual breach chance of 2% [ASSUMPTION — modeling value, not a cited statistic]. The compounding term means risk grows quickly with the first dozen sensitive-access vendors and saturates beyond that — which matches the intuition that the marginal 40th vendor adds less new exposure than the 4th. Concentration is a binary penalty: if your top-3 vendors hold more than half your sensitive data, a single vendor compromise is an enterprise event.

Factor 4 — Breach Environment

What it measures: Industry-level threat pressure at this moment in time.

Inputs:

  • Industry sector rate (breaches per year per 10K employees)
  • Ransomware pressure (industry-specific targeting trend)
  • Regulatory scrutiny (compliance + enforcement environment)

Formula:

breach_environment = sector_rate + ransomware_pressure + regulatory_scrutiny
capped at 100

Note [ASSUMPTION]: These values are fixed modeling constants documented in src/lib/mispriced-risk.ts. They are reviewed and revised manually with engine releases — they are not auto-updated from threat intelligence feeds.

Factor 5 — Actual Risk (composite)

What it measures: The weighted combination of exposure, third-party risk, and breach environment.

Formula:

actual_risk =
    exposure           * 0.30
  + third_party_risk   * 0.40
  + breach_environment * 0.30
capped at 100

Why 40% third-party weight [ASSUMPTION — editorial judgment]: Supply-chain compromise is the vector a client can least directly control and the one underwriters most often under-price. Intrinsic exposure and sector threat environment split the remaining 60% evenly. These weights are our modeling judgment, stated here so they can be challenged — not a fit to a published dataset.

Factor 6 — Mispriced Risk (the headline number)

What it measures: The gap between what a client actually needs to defend against and what they're actually prepared for.

Formula:

mispriced_risk = clamp(actual_risk - preparedness × 0.60, 0, 100)

Why the 0.60 multiplier on preparedness: Even a perfectly-prepared organization retains residual risk — zero-days, nation-state actors, and novel vectors cannot be fully neutralized through controls. Capping preparedness' offsetting power at 60% reflects this. The result is clamped to 0–100: the score never goes negative.

Score interpretation

Mispriced RiskLabelCarrier Action
70–100CriticalImmediate underwriter review; consider non-renewal
50–69HighRe-rate at renewal; require a remediation plan
30–49ModerateFlag for underwriter review
10–29LowCurrent pricing approximately correct
0–9Well-CoveredDiscount candidate; potential case study

Carrier actions are suggested postures, not pricing advice — specific premium moves are the carrier's underwriting decision.


3. The Readiness Score Integration

The preparedness factor accepts an optional readiness_score input from the After Action Readiness Scoring engine. When present:

  1. It becomes the base of the preparedness score (score × time decay), with the control stack adding at most a +29% boost
  2. It decays stepwise with age (95% under 90 days, 85% under 180, floor 70%)
  3. It replaces the control-stack question "do you conduct exercises?"

This creates a virtuous loop: clients who exercise regularly on the platform get higher preparedness scores, which lower their mispriced risk, which lowers their insurance premiums. The platform directly monetizes the behavior change carriers want to incentivize.


4. Data Source: Field Intakes

The Mispriced Risk engine runs on data collected through the After Action field intake network. Field reps conduct in-person 3-minute assessments with prospects and clients, capture signed consent, and submit the data to the platform where it's aggregated and offered to carrier partners as a structured dataset.

Every row in the carrier export has:

  • A unique id (UUID, not the subject organization's real name unless non-anonymized export is used)
  • Signed consent metadata
  • All 28 fields needed to compute mispriced risk
  • A timestamp for the data's age
  • Industry normalized to a standard taxonomy

Carriers can pull the dataset via CSV export, JSON API, or delta feeds filtered by industry and date range.


5. Defensibility & Audit

5.1 Every assumption is labeled

The production engine output includes an [ASSUMPTION] tag on every non-obvious modeling choice:

[ASSUMPTION] Industry criticality bases calibrated against IBM Cost of Data Breach 2024
[ASSUMPTION] Vendor volume penalty uses log2 scaling to model diminishing marginal risk
[ASSUMPTION] Readiness time decay floors at 50% after 360 days

This allows carriers, reinsurers, auditors, and regulators to follow the math and challenge specific values if needed.

5.2 Deterministic, reproducible scoring

The engine is a pure function. Same input produces same output, every time. There is no LLM, no random sampling, no stateful data store in the scoring path. This is a non-negotiable requirement for regulated pricing use.

5.3 Version-controlled methodology

The engine source code is versioned in git. Every change to a weight or constant is a commit with a changelog entry. Carriers can pin to a specific version for contractual stability.


6. Comparison to Alternative Approaches

ApproachStrengthsWeaknesses
Self-report questionnaireFast, cheap, standardizedMeasures intent, not execution. Gaming is easy.
Cyber credit scores (e.g. BitSight)Continuous monitoring, scalableSurface-level scanning, no behavioral data, miss internal controls
Penetration test reportsDeep technical depthExpensive, point-in-time, narrow scope, not comparable across clients
After Action Mispriced RiskBehavioral, consented, standardized, audit-ready, versionedRequires field intake network or client portal engagement

The Mispriced Risk Score is designed to complement, not replace, other signals. A carrier with BitSight + Mispriced Risk has both surface scanning and behavioral data — an improvement over either alone.


7. Productization

7.1 For carriers

Carriers integrate the Mispriced Risk Score via:

  1. CSV/JSON exports — bulk pull of all aggregated intakes for offline analysis
  2. REST API — real-time lookup of a specific organization's score
  3. Delta feeds — nightly deltas filtered by industry or date

Pricing is per-row or subscription-based depending on volume.

7.2 For MGAs and underwriters

Managing General Agents can white-label the score as part of their own underwriting workbench. The After Action platform provides the computation, the MGA brands and delivers it.

7.3 For ratings agencies

The scoring methodology is licensable for use in cyber insurance ratings reports. A.M. Best, Moody's, and Fitch have all published cyber rating methodologies — the Mispriced Risk Score can serve as an input to those frameworks.


8. Licensing and Contact

The methodology is disclosed for transparency. The implementation is proprietary. Commercial licensing available via licensing@afteraction.dev.

For carrier partnerships and dataset access: partnerships@afteraction.dev.


© 2026 After Action. Methodology disclosed for transparency. Implementation is proprietary trade secret. Contact partnerships@afteraction.dev for commercial terms.

Related whitepapers

Commercial licensing

The methodology is disclosed here for transparency. Implementation is proprietary trade secret, distributed as source under commercial terms. For carrier integrations, OEM embedding, or academic citation, contact the licensing team.

licensing@afteraction.dev