Methodology Disclosure

The Mispriced Risk Score: A Quantitative Framework for Cyber Insurance Pricing

A methodology for identifying misaligned cyber premiums using behavioral data

After Action | Version 1.0 | April 2026


Executive Summary

Cyber insurance carriers price policies on self-reported questionnaires. Policyholders answer "yes" or "no" to control questions, often by rote, often incorrectly. The result is a book of business where some clients are dramatically underpriced (low premium, high exposure) and others are overpriced (paying too much given their actual readiness).

The After Action Mispriced Risk Score is a proprietary six-factor composite that quantifies this gap. Positive scores mean a client is underpriced relative to their actual exposure — carriers should raise premium or tighten coverage. Negative scores mean the client is overpriced — they deserve a discount, and failing to offer one creates renewal risk.

This whitepaper documents the full methodology: every factor, every weight, every assumption. Each assumption is explicitly labeled [ASSUMPTION] in the production engine output so auditors and reinsurers can verify the math.


1. The Pricing Problem

1.1 Questionnaires are broken

The industry-standard cyber insurance application asks questions like:

  • "Do you have a documented incident response plan?"
  • "Do you conduct regular security awareness training?"
  • "Do you have multi-factor authentication on all privileged accounts?"

These questions are directionally useful but operationally meaningless. A company can truthfully answer "yes" to every question and still lose $4M to a ransomware attack the following week. The questionnaire measures whether the policyholder has written down their intent, not whether they can execute under pressure.

1.2 Claims experience is a trailing indicator

Carriers calibrate pricing off historical loss data. This means:

  • The pricing lags the threat. New attack techniques arrive faster than claims data accumulates.
  • The pricing is siloed. What one carrier learns from a claim rarely benefits the industry.
  • The pricing averages out. A strong-posture client in the same industry as a weak-posture client pays similar premiums because the carrier can't distinguish them.

1.3 What carriers actually need

Carriers need a behavioral score — a number that predicts whether a client will successfully contain a cyber event, regardless of whether they checked the right boxes on an application.

That's what the Mispriced Risk Score provides.


2. The Six Factors

The Mispriced Risk Score is computed from six sub-scores, each 0–100.

Factor 1 — Exposure

What it measures: How attractive this client is to attackers, and how much damage an attack would cause.

Inputs:

  • Industry criticality tier (healthcare highest, hospitality lowest)
  • Employee count (scale effects on attack surface)
  • Digital dependency (low / moderate / high / critical)
  • Data sensitivity flags (PII, PHI, financial)
  • Cloud infrastructure and remote workforce flags

Formula:

exposure = industry_base                          [0-40]
         + size_factor(employee_count)            [0-15]
         + digital_dependency_multiplier * 10     [0-10]
         + data_sensitivity_sum                   [0-20]
         + cloud_flag * 5                         [0-5]
         + remote_flag * 5                        [0-5]
         + pii_flag * 3 + phi_flag * 5 + financial_flag * 4
capped at 100

Industry criticality tiers [ASSUMPTION] (calibrated against IBM Cost of Data Breach 2024 per-industry ratios):

Industry             Base
Healthcare           36
Financial Services   34
Pharmaceuticals      32
Energy               30
Technology           28
Water Utilities      28
Government           26
Manufacturing        24
Default              24

Factor 2 — Preparedness

What it measures: The client's ability to respond effectively to an incident.

Inputs:

  • Boolean controls: CISO, IR team, IR plan, security training, BCDR plan, cyber insurance, SOC 2 certification
  • Readiness score from completed exercises (if available)
  • Time decay on the readiness score

Formula:

preparedness = control_stack_score                [0-60]
             + readiness_score_contribution       [0-40]

control_stack_score =
    has_ciso              * 10
  + has_ir_plan           * 12
  + has_ir_team           * 8
  + has_bcdr_plan         * 8
  + has_security_training * 7
  + has_cyber_insurance   * 6
  + has_soc2              * 9

readiness_score_contribution =
  (readiness_score / 100) * 40 * time_decay_factor

Time decay [ASSUMPTION]: Readiness scores older than 180 days decay linearly (timestamps are epoch milliseconds, hence the division by 86400000):

days_since = (now - readiness_scored_at) / 86400000
if days_since > 180:
  decay = max(0.5, 1 - (days_since - 180) / 360)
else:
  decay = 1.0

The floor is 50%: even a year-old score retains some predictive value, but not full weight. The decay reaches the floor at 360 days (180 days at full weight, then 180 days of linear decline). This encourages clients to re-exercise regularly and stops a stale score from propping up the preparedness figure a carrier underwrites on.

Factor 3 — Third-Party Risk

What it measures: How much exposure the client has through their vendor supply chain.

Inputs:

  • Total vendor count
  • Vendors with sensitive access
  • Top-3 vendor data share %

Formula:

third_party_risk =
    vendor_volume_penalty      [0-30]
  + sensitive_access_penalty   [0-40]
  + concentration_penalty      [0-30]

vendor_volume_penalty = min(30, log2(vendor_count + 1) * 5)
sensitive_access_penalty = min(40, sensitive_vendor_count * 5)
concentration_penalty =
  if top3_share_pct >= 60: 30
  if top3_share_pct >= 40: 20
  if top3_share_pct >= 25: 10
  else: 0

Why logarithmic on vendor count: Doubling the vendor count doesn't double the risk — each marginal vendor adds less exposure than the last. Logarithmic scaling reflects the diminishing effect.

Factor 4 — Breach Environment

What it measures: Industry-level threat pressure at this moment in time.

Inputs:

  • Industry sector rate (breaches per year per 10K employees)
  • Ransomware pressure (industry-specific targeting trend)
  • Regulatory scrutiny (compliance + enforcement environment)

Formula:

breach_environment = sector_rate + ransomware_pressure + regulatory_scrutiny
capped at 100

Note [ASSUMPTION]: These values are updated quarterly from threat intelligence feeds (CISA KEV, sector ISACs, published breach reports). Current values are documented in src/lib/mispriced-risk.ts.

Factor 5 — Actual Risk (composite)

What it measures: The weighted combination of exposure, third-party risk, and breach environment.

Formula:

actual_risk =
    exposure          * 0.50
  + third_party_risk  * 0.25
  + breach_environment * 0.25
capped at 100

Why 50% exposure weight: Intrinsic organizational attributes (industry, size, data types) are the biggest predictor of incident probability and severity. Third-party and environmental factors amplify or dampen the base rate but don't override it.

Factor 6 — Mispriced Risk (the headline number)

What it measures: The gap between what a client actually needs to defend against and what they're actually prepared for.

Formula:

mispriced_risk = actual_risk - (preparedness * 0.80)

Why the 0.80 multiplier on preparedness: Even a perfectly-prepared organization retains some residual risk; you cannot fully neutralize exposure through controls alone. Capping the offsetting power of preparedness at 80% reflects this reality and bounds the score below: with both inputs on a 0–100 scale the minimum possible score is -80, not -100.

Score interpretation

Mispriced Risk   Label          Carrier Action
> 50             Critical       Immediate premium increase or non-renewal
30 to 50         High           Raise premium 20-40% at renewal
10 to 30         Moderate       Flag for underwriter review
-10 to 10        Balanced       Current pricing approximately correct
-30 to -10       Overpriced     Offer 5-10% discount to prevent churn
< -30            Well-Covered   Offer 10-25% discount, case study candidate
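The six factors above, carried through as one deterministic TypeScript function. This is an added example written for this page, not the production engine in src/lib/mispriced-risk.ts, and it fills in pieces the page leaves unspecified, each marked [ASSUMPTION] in a comment: the size_factor steps, the digital_dependency_multiplier values, reading the pii/phi/financial weights as the definition of data_sensitivity_sum, lower-inclusive band boundaries in the interpretation table, and the constructed sample intake and breach-environment values at the bottom. The as-of time is an explicit argument rather than Date.now(), so the same input always yields the same score.

```typescript
// Added example: pure implementation of the six-factor Mispriced Risk Score.
// Not the production engine; items marked [ASSUMPTION] are not specified on the page.

type DigitalDependency = "low" | "moderate" | "high" | "critical";

interface Intake {
  industry: string; employeeCount: number; digitalDependency: DigitalDependency;
  pii: boolean; phi: boolean; financial: boolean; cloud: boolean; remote: boolean;
  hasCiso: boolean; hasIrPlan: boolean; hasIrTeam: boolean; hasBcdrPlan: boolean;
  hasSecurityTraining: boolean; hasCyberInsurance: boolean; hasSoc2: boolean;
  readinessScore?: number;     // 0-100 from the readiness engine, if an exercise was run
  readinessScoredAt?: number;  // epoch milliseconds
  vendorCount: number; sensitiveVendorCount: number; top3SharePct: number;
}
interface BreachEnvironment { sectorRate: number; ransomwarePressure: number; regulatoryScrutiny: number; }
interface ScoreResult {
  exposure: number; preparedness: number; thirdPartyRisk: number; breachEnvironment: number;
  actualRisk: number; mispricedRisk: number; label: string; asOf: number; assumptions: string[];
}

const INDUSTRY_BASE: Record<string, number> = {
  healthcare: 36, "financial services": 34, pharmaceuticals: 32, energy: 30,
  technology: 28, "water utilities": 28, government: 26, manufacturing: 24,
};
const DEFAULT_INDUSTRY_BASE = 24;
const clamp = (x: number, lo = 0, hi = 100): number => Math.min(hi, Math.max(lo, x));

// [ASSUMPTION] the page gives size_factor only as a 0-15 range; the steps are chosen here
function sizeFactor(employees: number): number {
  return employees >= 10_000 ? 15 : employees >= 1_000 ? 10 : employees >= 100 ? 5 : 0;
}
// [ASSUMPTION] digital_dependency_multiplier values for the four levels
const DEPENDENCY_MULT: Record<DigitalDependency, number> = { low: 0.25, moderate: 0.5, high: 0.75, critical: 1 };

function exposure(i: Intake): number {
  const base = INDUSTRY_BASE[i.industry.toLowerCase()] ?? DEFAULT_INDUSTRY_BASE;
  // [ASSUMPTION] data_sensitivity_sum is the flag-weighted sum given in the formula (max 12)
  const dataSensitivity = (i.pii ? 3 : 0) + (i.phi ? 5 : 0) + (i.financial ? 4 : 0);
  return clamp(base + sizeFactor(i.employeeCount) + DEPENDENCY_MULT[i.digitalDependency] * 10
    + dataSensitivity + (i.cloud ? 5 : 0) + (i.remote ? 5 : 0));
}

// Linear decay after 180 days, floored at 0.5 (reached at 360 days). asOf is an input, never the wall clock.
function readinessDecay(scoredAtMs: number, asOfMs: number): number {
  const days = (asOfMs - scoredAtMs) / 86_400_000;
  return days > 180 ? Math.max(0.5, 1 - (days - 180) / 360) : 1;
}

function preparedness(i: Intake, asOfMs: number): number {
  const controls = (i.hasCiso ? 10 : 0) + (i.hasIrPlan ? 12 : 0) + (i.hasIrTeam ? 8 : 0)
    + (i.hasBcdrPlan ? 8 : 0) + (i.hasSecurityTraining ? 7 : 0)
    + (i.hasCyberInsurance ? 6 : 0) + (i.hasSoc2 ? 9 : 0);                                  // max 60
  const readiness = i.readinessScore === undefined || i.readinessScoredAt === undefined ? 0
    : (clamp(i.readinessScore) / 100) * 40 * readinessDecay(i.readinessScoredAt, asOfMs);   // max 40
  return clamp(controls + readiness);
}

function thirdPartyRisk(i: Intake): number {
  const volume = Math.min(30, Math.log2(i.vendorCount + 1) * 5);
  const sensitive = Math.min(40, i.sensitiveVendorCount * 5);
  const p = i.top3SharePct;
  const concentration = p >= 60 ? 30 : p >= 40 ? 20 : p >= 25 ? 10 : 0;
  return clamp(volume + sensitive + concentration);
}

function breachEnvironment(e: BreachEnvironment): number {
  return clamp(e.sectorRate + e.ransomwarePressure + e.regulatoryScrutiny);
}

// [ASSUMPTION] band boundaries are lower-inclusive (a score of exactly 30 is "High")
function bandLabel(m: number): string {
  if (m > 50) return "Critical";
  if (m >= 30) return "High";
  if (m >= 10) return "Moderate";
  if (m >= -10) return "Balanced";
  if (m >= -30) return "Overpriced";
  return "Well-Covered";
}

function mispricedRisk(i: Intake, env: BreachEnvironment, asOfMs: number): ScoreResult {
  const ex = exposure(i), prep = preparedness(i, asOfMs), tpr = thirdPartyRisk(i), be = breachEnvironment(env);
  const actualRisk = clamp(ex * 0.5 + tpr * 0.25 + be * 0.25);
  const m = actualRisk - prep * 0.8;
  return { exposure: ex, preparedness: prep, thirdPartyRisk: tpr, breachEnvironment: be,
    actualRisk, mispricedRisk: m, label: bandLabel(m), asOf: asOfMs,
    assumptions: [  // the labels the page says accompany every engine output
      "[ASSUMPTION] Industry criticality bases calibrated against IBM Cost of Data Breach 2024",
      "[ASSUMPTION] Vendor volume penalty uses log2 scaling to model diminishing marginal risk",
      "[ASSUMPTION] Readiness time decay floors at 50% after 360 days",
    ] };
}

// Constructed sample (not real data): a mid-size hospital scored at a fixed as-of time.
const AS_OF = Date.UTC(2026, 3, 1);  // 2026-04-01T00:00:00Z
const SAMPLE_INTAKE: Intake = {
  industry: "Healthcare", employeeCount: 2_500, digitalDependency: "critical",
  pii: true, phi: true, financial: false, cloud: true, remote: true,
  hasCiso: true, hasIrPlan: true, hasIrTeam: false, hasBcdrPlan: true,
  hasSecurityTraining: true, hasCyberInsurance: true, hasSoc2: false,
  readinessScore: 70, readinessScoredAt: AS_OF - 270 * 86_400_000,  // exercise 270 days old
  vendorCount: 100, sensitiveVendorCount: 4, top3SharePct: 45,
};
// [ASSUMPTION] illustrative values; the real quarterly constants live in the versioned engine source
const SAMPLE_ENV: BreachEnvironment = { sectorRate: 30, ransomwarePressure: 35, regulatoryScrutiny: 20 };

function demo(): ScoreResult { return mispricedRisk(SAMPLE_INTAKE, SAMPLE_ENV, AS_OF); }
console.log(demo());
```

For the sample intake the pieces are exposure 74, preparedness 64 (43 from controls plus 70 × 0.4 × 0.75 from the 270-day-old exercise), third-party risk 70 (the 100-vendor volume penalty hits its 30-point cap), breach environment 85, actual risk 75.75 and a mispriced risk of about 24.5, which lands in the Moderate band. Re-running the same intake with the same as-of value returns the identical object, which is the property Section 5.2 relies on.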

3. The Readiness Score Integration

The preparedness factor accepts an optional readiness_score input from the After Action Readiness Scoring engine. When present:

  1. It contributes up to 40 points to the preparedness total
  2. It decays linearly after 180 days (floor 50%)
  3. It replaces the control-stack question "do you conduct exercises?"

This creates a virtuous loop: clients who exercise regularly on the platform get higher preparedness scores, which lower their mispriced risk, which lowers their insurance premiums. The platform directly monetizes the behavior change carriers want to incentivize.


4. Data Source: Field Intakes

The Mispriced Risk engine runs on data collected through the After Action field intake network. Field reps conduct in-person 3-minute assessments with prospects and clients, capture signed consent, and submit the data to the platform where it's aggregated and offered to carrier partners as a structured dataset.

Every row in the carrier export has:

  • A unique id (a UUID; the subject organization's real name appears only when the non-anonymized export is used)
  • Signed consent metadata
  • All 28 fields needed to compute mispriced risk
  • A timestamp for the data's age
  • Industry normalized to a standard taxonomy

Carriers can pull the dataset via CSV export, JSON API, or delta feeds filtered by industry and date range.


5. Defensibility & Audit

5.1 Every assumption is labeled

The production engine output includes an [ASSUMPTION] tag on every non-obvious modeling choice:

[ASSUMPTION] Industry criticality bases calibrated against IBM Cost of Data Breach 2024
[ASSUMPTION] Vendor volume penalty uses log2 scaling to model diminishing marginal risk
[ASSUMPTION] Readiness time decay floors at 50% after 360 days

This allows carriers, reinsurers, auditors, and regulators to follow the math and challenge specific values if needed.

5.2 Deterministic, reproducible scoring

The engine is a pure function: the same input produces the same output, every time. There is no LLM, no random sampling, and no stateful data store in the scoring path. One caveat follows from the time decay in Factor 2: because the decay depends on the scoring time, the as-of timestamp must be an explicit input recorded alongside the output rather than read from the wall clock, or re-running a score a month later silently returns a different number. The quarterly breach-environment values are constants in the versioned engine source, so pinning a version also fixes them. Determinism of this kind is a non-negotiable requirement for regulated pricing use.

5.3 Version-controlled methodology

The engine source code is versioned in git. Every change to a weight or constant is a commit with a changelog entry. Carriers can pin to a specific version for contractual stability.


6. Comparison to Alternative Approaches

Approach                              Strengths                                                      Weaknesses
Self-report questionnaire             Fast, cheap, standardized                                      Measures intent, not execution; easy to game
Cyber credit scores (e.g. BitSight)   Continuous monitoring, scalable                                Surface-level scanning, no behavioral data, misses internal controls
Penetration test reports              Deep technical depth                                           Expensive, point-in-time, narrow scope, not comparable across clients
After Action Mispriced Risk           Behavioral, consented, standardized, audit-ready, versioned    Requires field intake network or client portal engagement

The Mispriced Risk Score is designed to complement, not replace, other signals. A carrier with BitSight + Mispriced Risk has both surface scanning and behavioral data — an improvement over either alone.


7. Productization

7.1 For carriers

Carriers integrate the Mispriced Risk Score via:

  1. CSV/JSON exports — bulk pull of all aggregated intakes for offline analysis
  2. REST API — real-time lookup of a specific organization's score
  3. Delta feeds — nightly deltas filtered by industry or date

Pricing is per-row or subscription-based depending on volume.

7.2 For MGAs and underwriters

Managing General Agents can white-label the score as part of their own underwriting workbench. The After Action platform provides the computation, the MGA brands and delivers it.

7.3 For ratings agencies

The scoring methodology is licensable for use in cyber insurance ratings reports. A.M. Best, Moody's, and Fitch have all published cyber rating methodologies — the Mispriced Risk Score can serve as an input to those frameworks.


8. Licensing and Contact

The methodology is disclosed here for transparency. The implementation is a proprietary trade secret, distributed as source under commercial terms. For carrier integrations, OEM embedding, dataset access, or academic citation, contact the licensing team.

Commercial licensing: licensing@afteraction.dev
Carrier partnerships and dataset access: partnerships@afteraction.dev


© 2024-2026 After Action. Methodology disclosed for transparency. Implementation is proprietary trade secret. Contact partnerships@afteraction.dev for commercial terms.