Financial Institutions of Emerging Economies: Contribution to Risk Assessment

Abstract

Conventional risk assessment frameworks usually define risk as a function of vulnerabilities and threats, but they frequently lack a single quantitative model that incorporates the unique features of each element. In order to close this gap, this paper creates a flexible, open, and theoretically sound risk assessment formula that is still reliable even in the absence of complete vulnerability data. This is particularly important for financial institutions operating in emerging markets, where regulators rarely provide centralized vulnerability assessments and where Basel-type frameworks are only partially implemented. The contribution of the paper is a practically verified Bayesian network model that integrates threat likelihoods, vulnerability likelihoods, and their impacts within a probabilistic structure. Using 500 stratified Monte Carlo scenarios calibrated to real fintech and banking institutions operating under EU and national supervision, we demonstrate that excluding vulnerability impact from the model does not significantly reduce the predictive performance. These findings advance the theory of risk assessment, simplify practical implementation, and enhance the scalability of risk modeling for both traditional banks and fintech institutions in emerging economies.

1. Introduction

Risk management is very important in many areas of financial institutions, and it affects decisions about operations, compliance, cybersecurity, credit, market activity, and strategic planning (Cernisevs et al. 2023b; Popova et al. 2024, 2025). Although international standards such as Basel II and Basel III have established important benchmarks for capital adequacy and stress testing, modern financial systems are regulated in a much broader context. Supervisory authorities, including the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and national regulators, have issued extensive requirements relating to information and communication technology (ICT) risks, operational resilience, anti-money laundering, and financial technology supervision, forming a risk-based approach (Khan and Malaika 2021; Kuerbis and Badiei 2017; Sanchez-Zurdo and San-Martín 2024). This reflects a recognition that the risks facing financial institutions today extend well beyond traditional credit exposures and must be captured by models that incorporate technological, systemic, and probabilistic dimensions. Moreover, risk is used in operations to address internal failures or external attacks to ensure service continuity and security (Gao et al. 2023; Nadler et al. 2022; Special Announcement 2019). Risk modeling helps banks and other financial institutions to make lending and investment decisions by weighing the risks of credit exposure or market volatility against the potential for profit (Agarwal and Zhang 2020; Yves Mersch 2019). Therefore, it is important to have a consistent and accurate way to measure and understand risks taking into account both threats and vulnerabilities. This is important for aligning risk appetite with business strategy and planning for resilience (Dhar and Stein 2016; Ansoff 1965; Andrews 1971; Teece 2010).

It has special importance for emerging economies. On the one hand, they have a powerful impulse for contemporary technological banking development (Popova 2021) which allows them to strengthen the financial market significantly. Nevertheless, it creates additional issues for financial institutions within emerging economies. They do not have a big set of data on vulnerabilities considering not long not long history of these economies in their contemporary state. On the other hand, the volatility on these markets is very high.

For example, information systems, critical infrastructure, and industrial control systems all need to make decisions based on risk when there are uncertainties and threats (Aven 2016; Cernisevs et al. 2023a; da Silva et al. 2017). According to Dawson (2015), the idea of risk in classical constructs comprises two main parts: threats and vulnerabilities. The base model with threats and vulnerabilities is also the base model for many other natural language processing tasks. It can also be shown in the following way (Cox 2008):

$$Risk =Threat \times Vulnerabilities$$

(1)

However, this is a simplistic model that does not account for the complex interlocking relationships between threat scenarios, vulnerabilities, and their likelihood and impact (Ledwaba and Venter 2017; Rossebo et al. 2007). Current risk analysis is objected by many of the more granular, parameterized approaches that compile subcomponents such as

• Threat Likelihood (T_L) and Threat Impact (T_i)
• Vulnerability Likelihood (V_L) and Vulnerability Impact (V_i)

Even though systems like the Guide for Conducting Risk Assessments NIST SP 800-30, the Common Vulnerability Scoring System (CVSS), and Factor Analysis of Information Risk (FAIR) are widely used in real life, there is still no single formula that consistently combines all four parameters—the impacts and likelihoods of threats and vulnerabilities (Giboney et al. 2023b; Liu et al. 2022; Luo et al. 2024; Manzoor et al. 2021). Different ways of risk assessment prioritize these factors differently, which makes risk estimation less reliable and makes it harder to compare different areas.

There is no agreement on how to combine these factors into a single risk expression, which is a major point of this study. Some models use T_L and V_L together, or T_i and V_i together, to develop risk scores, but very few consider all four parameters in relation to each other (Cernisevs et al. 2023a, 2023b; Popova et al. 2024). In addition, there is not much real-world evidence to support these kinds of relationships in current models.

The second reason comes from an idea that the number of different risks for a given system should be the same as the number of threats, which the analyst uses but not the number of vulnerabilities (Sadeghi and Javan 2024). From the subject’s point of view, different vulnerabilities that affect a threat in different ways do not change the risk that is posed. This does not correspond to the most traditional models, which assume the risks to be bigger by combining them in pairs of threats and vulnerabilities (ESMA 2022; Fülöp et al. 2022; Griffin et al. 2023; da Silva et al. 2017; Kaddumi and Al-Kilani 2022; Rastogi et al. 2022).

This article also makes the assumption that when a risk event happens, the effect of a threat (T_i) is the same as the effect of the exploited vulnerability (V_i). This suggests that threat and vulnerability parameters may depend on each other, which is not taken into account by current independent models. This approach is especially important for emerging economies where the historical records of vulnerabilities and their impacts and likelihoods are not well represented. Therefore, it is necessary to choose the tool corresponding to the set tasks. The authors have decided to use Bayesian networks as a way to model conditional dependencies and bring together subjective and objective knowledge into a single structure.

The article’s goal is the development of a theoretically sound and practically verified formula for risk assessment applicable to the situations when financial institutions of emerging economies have no full data on vulnerabilities.

2. Materials and Methods

Bayesian networks (BNs) are directed acyclic graphs (DAGs) that show how variables depend on each other (McAllester et al. 2008; Getoor et al. 2001, 2002). The edges of the network show the direction of probabilistic influence, and each node stands for a variable, like the likelihood of a threat, the effect of a threat, the likelihood of a vulnerability, or the effect of a vulnerability. Bayes’ theorem enables reasoning under uncertainty by adjusting the probabilities of outcomes based on observed evidence. This study employed two Bayesian network configurations: the reduced model, which excludes Vulnerability Impact (V_i) to assess its effect on predictive accuracy, and the full model, which incorporates all four critical parameters (T_L, T_i, V_L, and V_i). This dual-model approach enables an examination of V_i’s informational contribution through a comparison of model performance, focusing on error metrics, structural simplicity, and statistical significance. The Python package PGMPy [0.1.26-2024-08-09] (Probabilistic Graphical Models in Python) was utilized to construct and evaluate the models (Ankan and Textor 2024; Ankan and Panda 2015). This aids in inference, the estimation of conditional probability tables, and the understanding of structure. This method provides a flexible, data-driven approach to comprehending complex dependencies in risk modeling and evaluating the trade-offs between model completeness and computational efficiency.

2.1. Research Design Overview

The study adopts a quantitative modeling approach, structured in three stages:

• Parameter definition and assumptions.
• Model construction using Bayesian networks.
• Validation via expert scenarios and simulated data.

The goal is to develop and test a Bayesian network (BN) (Cheimonidis and Rantos 2025) model that captures the probabilistic relationships among the four key risk parameters:

• T_L: Threat Likelihood;
• T_i: Threat Impact;
• V_L: Vulnerability Likelihood;
• V_i: Vulnerability Impact.

The expected result is a composite risk associated with each defined threat, with the model designed to compute this risk in a way that can incorporate both data-driven and expert-assessed values.

• Variable Definitions and Hypotheses

For further use, the authors define the variables within

Table 1. Defined variables.

Parameter	Description	Type	Role
TL	Likelihood that a threat source will attempt to exploit a system	Probabilistic (prior)	Independent
VL	Likelihood that a vulnerability will be successfully exploited	Probabilistic (conditional)	Independent
Ti	Expected impact (damage or cost) if the threat is realized	Continuous or categorical	Independent
Vi	Severity of the vulnerability’s consequences if exploited	Continuous or categorical	Dependent
R	Risk	Computed	Dependent

.

• Research Hypotheses

Based on the conceptual model, the authors propose the following hypotheses:

Hypothesis 1.

(Impact Equivalence Hypothesis): When threats successfully take advantage of weaknesses in risk events, the Vulnerability Impact (V_i) is conditionally dependent on and moves toward Threat Impact (T_i).

Hypothesis 2.

(Redundancy Hypothesis): It is possible to make a correct risk model using only T_i, T_L, and V_L, leaving out V_i, without losing a statistically significant amount of predictive accuracy.

Hypothesis 3.

The four parameters (T_i, T_L, V_i, V_L) show measurable probabilistic dependencies that can be formally captured using Bayesian network inference.

The Hypothesis Testing Framework is then defined.

• Hypothesis Testing Framework

To test the first hypothesis, we used an analytical framework that involved building and comparing two Bayesian network models: a full model that includes all four core risk parameters (T_L, T_i, V_L, and V_i) and a reduced model that leaves out V_i to see if it is needed. The framework uses a set of 500 risk scenarios, each with its own set of parameter values. According to (Giboney et al. 2023a), the real-world data are very important. The authors use a set of 500 entries, which were randomly chosen from a set of 2950 entries, used for analysis in (Cernisevs 2024). These data are real data for 5 fintech companies, operating in all EU countries; they are Financial fintech, Payment fintech, or Asset Management fintech, and they all deal with payment operations. These institutions are under the supervision of regulatory authorities such as credit organizations, EMI, payment initiation service providers, or virtual asset management institutions (Cernisevs et al. 2023a; Popova and Cernisevs 2022).

Then, the framework uses statistical tools like Pearson’s correlation coefficient, conditional entropy, KL-divergence, and mutual information to investigate how the variables are related. We use Bayesian inference to see how close our guesses are to the truth, and we use model selection criteria like MAE, RMSE, and BIC to compare how well the two configurations work with their trade-offs. Two other ways to check the reliability of learned network structures are edge probability analysis and bootstrapping. Data-driven method helps in understanding whether V_i can be derived from T_i and whether the exclusion of V_i can significantly change the model’s accuracy or structure. The authors also investigate whether the exclusion of V_i as a parameter makes the risk estimate more or less accurate.

To estimate the obtained models, certain criteria applicable to Bayesian networks are used (see

Table 2. Suggested evaluation for Bayesian network metrics.

Parameters	Description	Criteria
Mean Absolute Error (MAE)	Average of absolute differences between predicted and true values	Bad > 1.0
		Acceptable 0.5–1.00
		Good 0.2–0.5
		Excellent < 0.2
Root Mean Square Error (RMSE)	Square root of average squared errors; penalizes larger errors more	Bad > 1.5
		Acceptable 0.8–1.50
		Good 0.4–0.8
		Excellent < 0.4
Bayesian Information Criterion (BIC)	Penalized likelihood that discourages overly complex models	Bad > 5000
		Acceptable 2000–5000
		Good 500–2000
		Excellent < 500
Akaike Information Criterion (AIC)	Similar to BIC, less strict penalty; used for model comparison	Bad > 4800
		Acceptable 1800–4800
		Good 400–1800
		Excellent < 400
Log-Likelihood	Measures how likely the observed data is under the model	Bad < −3000
		Acceptable −3000–−1000
		Good −1000–−200
		Excellent > −200
KL-Divergence (KL-D)	Difference between predicted and true probability distributions	Bad > 1.0
		Acceptable 0.5–1.0
		Good 0.1–0.5
		Excellent < 0.1
Pearson’s r	Measures linear correlation between variables	Bad < 0.3
		Acceptable 0.3–0.5
		Good 0.5–0.7
		Excellent > 0.7
Conditional Entropy (H(X|Y)	Conditional entropy, denoted as H(X | Y), quantifies the amount of uncertainty remaining in a random variable X after knowing another variable Y	Bad > 1.5
		Acceptable 1.0–1.5
		Good 0.5–1.00
		Excellent < 0.5
Marginal Entropy (H(X))	Marginal entropy, denoted H(X), quantifies the uncertainty or randomness of a single random variable X, without conditioning on any other variable	Bad < 0.3
		Acceptable 0.3–0.5
		Good 0.5–0.75
		Excellent > 0.75
Edge Probability (P)	Edge probability refers to the estimated probability that a directed edge (i.e., dependency) exists between two nodes (variables) in the network	Bad < 0.5
		Acceptable 0.5–0.7
		Good 0.7–0.9
		Excellent > 0.9
Mutual Information (MI)–I(X;Y)	Mutual information (MI) measures how much information two variables share—in other words, how much knowing one variable reduces the uncertainty about the other	Bad < 0.1
		Acceptable 0.1–0.3
		Good 0.3–0.8
		Excellent > 0.8

).

Based on the unique characteristics of each hypothesis and the particular analytical viewpoint it necessitates, various Bayesian network model criteria are used to confirm the three hypotheses (H1–H3) (see

Table 3. Hypothesis validation based on the Bayesian network metrics.

Hypothesis	Bayesian Network Metrics
H1	Pearson’s r (Ti, Vi)—essential to detect the strength and direction of a linear relationship between Threat Impact (Ti) and Vulnerability Impact (Vi), supporting the hypothesis that Vi can be functionally deduced from Ti. Conditional Entropy H(Vi|Ti)—provides assessment of how much uncertainty remains in Vi once Ti is known, enabling an information-theoretic validation of that relationship. Marginal Entropy H(Vi)—provides assessment of how much uncertainty remains in Vi once Ti is known, enabling an information-theoretic validation of that relationship. Edge Probability P(Ti→Vi)—derived from Bayesian structure learning, captures how consistently a causal link is discovered in bootstrapped networks, serving as a structural confirmation of the dependency.
H2	Mean Absolute Error (MAE)—directly measures how well the models predict risk values, allowing for empirical comparison of the full model (with Vi) and reduced model (without Vi). Root Mean Square Error (RMSE)—directly measures how well the models predict risk values, allowing for empirical comparison of the full model (with Vi) and the reduced model (without Vi). Bayesian Information Criterion (BIC)—adds a complexity penalty to model evaluation, enabling a decision framework that favors simpler models unless the added parameter (Vi) yields a significant performance benefit. KL-Divergence (RA‖RB)—used to quantify how much the output distribution of the reduced model deviates from that of the full model, offering a probabilistic perspective on how much information is lost when Vi is excluded.
H3	Mutual Information I(Ti;Vi)—This criterion is crucial for confirming that the relationships among parameters are statistically meaningful and not merely artifacts of the data or structure. Mutual Information I(TL;VL)—The same as above. Mutual Information I(TL;Ti)—The same as above.

). Direct dependency and information flow between variables are fundamental to H1, which examines whether Vulnerability Impact (V_i) can be deduced from Threat Impact (T_i). To capture the strength, uncertainty reduction, and structural presence of this dependency, metrics such as conditional entropy, edge probability, and Pearson’s correlation were used. H2, on the other hand, asks whether V_i can be eliminated from the model without significantly compromising the predictive accuracy; as a result, it needs performance-based metrics like MAE, RMSE, BIC, and KL-divergence, which evaluate the relative performance of the full and reduced models. To detect nonlinear dependencies between all parameter pairs, H3 requires mutual information scores to verify that all core variables are interdependent and suitably connected within the network. Therefore, every set of criteria is designed to best test the type of claim being evaluated, whether it be global interconnectedness, model efficiency, or structural dependence.

Bayesian network inference is used to model the conditional likelihood:

$$P\left(V_i|T_i, V_L, T_L\right), P\left(R|T_i, T_L, V_L, V_i\right)$$

(2)

In alternative configurations, V_i is excluded from the risk formula to test Hypothesis 2. Conditional probabilities such as P(V_i∣T_i,V_L,T_L) are estimated from the empirical frequency counts obtained in the simulated dataset used for Bayesian network parameter learning. For each parent configuration (T_i,V_L,T_L), we compute the relative frequency of each outcome V_i in the training data. To avoid zero-probability issues, especially for infrequent configurations, Laplace smoothing is applied to the counts before normalization. A step-by-step calculation example is presented in Appendix A.

2.2. Experimental Scenarios and Inference Tests

The hypotheses are evaluated under two experimental configurations:

Scenario A—Full Model

• All four parameters (T_i, T_L, V_i, V_L) are used to compute risk scores.
• A full Bayesian network structure is used for inference.
• Risk estimates:

$$R_A=∱\left(T_i, T_L, V_L, V_i\right)$$

(3)

Scenario B—Reduced Model (V_i excluded)

• V_i is excluded from test if T_i alone accounts for impact.
• The network simplifies to

$$R_B=∱\left(T_i, T_L, V_L\right)$$

(4)

A Bayesian network represents the probabilistic dependencies between parameters. The model structure is based on the domain knowledge and literature, as illustrated in Figure 1.

Each node is assigned using the following:

• A conditional probability table (CPT) based on

  ○

  Expert judgment (Cernisevs 2024);

  ○

  Empirical distributions (Cernisevs 2024).

• Continuous variables (e.g., T_i and V_i) are discretized for computational tractability.

• Data Sources

The data used in this study comes from real-life examples from different regulatory and regional settings, which makes the distributions of the parameters different (Cernisevs 2024). We normalized the raw values and put them into the four-dimensional risk parameter framework that is the focus of this article. After that, these datasets were added to the Bayesian network model for structural learning and conditional probability inference.

• Bayesian Inference and Learning

The study proceeds in two parts:

• Learning Parameters. We use both real-world and simulated datasets to explain CPTs using frequency-based learning. For instance, it is possible to use the obtained proportions to understand the probability that V_i will be high considering T_i, T_L, and V_L.
• Inference and Scoring. We use Bayesian inference to investigate the posterior probabilities of different levels of risk. We look at the full and reduced models (without V_i) and see how well they predict (Mean Absolute Error, RMSE), how hard they are to understand (Bayesian Information Criterion), and how well they are structured (edge confidence from bootstrapping).

We use KL-divergence to understand how different the outputs of the full and reduced models are, and we use mutual information metrics to study how strong the relationships are between the parameters (Al-Labadi et al. 2021).

• Validation and Sensitivity Analysis

We used a bootstrap resampling method to find out how stable the network edges and CPTs are to be sure that the results are correct. We ran scenario sensitivity tests to see how changes in T_L or V_L affect the model and change V_i and the overall risk scores. The model’s generalizability and limits were checked by comparing real data to synthetic data.

• Tools and Implementation

The Bayesian network model was used in this study with open-source Python tools to make risk inferences. We chose these tools because they are flexible, easy to use, and can help to support arguments based on probability. With the modular implementation, it was possible to check each step—data preprocessing, model training, probabilistic inference, and evaluation—using different data sources.

We used the PGMPy (Probabilistic Graphical Models in Python) library to perform the main modeling. This library allows the definition of the structures, learning of the parameters, and making inferences for discrete Bayesian networks (Grassi n.d.). The following reasons led to the choice of PGMPy:

• Support for conditional probability tables (CPTs) built in;
• Algorithms for learning structure that are built in, such as Hill Climbing and constraint-based search;
• The availability of inference engines like Variable Elimination and Belief Propagation.

There is a binary risk parameter (High or Low) for each node in the network. The graph was made by hand based on domain-driven causal assumptions and then checked using data-driven scoring metrics like the Bayesian Information Criterion (BIC) and log-likelihood.

The full network includes the following directed dependencies:

• T_L_High → T_i_High.
• V_L_High → T_i_High.
• T_i_High → V_i_High.
• T_L_High → V_i_High.
• V_L_High → V_i_High.

CPTs were derived using empirical frequency distributions from the datasets. When a parent–child configuration did not yield sufficient empirical support (for example, for rare combinations), Laplace smoothing was applied to prevent zero-probability artifacts.

To enable integration into the Bayesian network and reduce the dimensionality of the conditional probability tables (CPTs), continuous inputs for T_L, V_L, T_i, and V_i were discretized based on their respective measurement scales and empirical distributions. Likelihood values (T_L, V_L), expressed as probabilities on a 0–1 scale, were discretized using a threshold of 0.5, representing the conventional boundary between low- and high-probability events in probabilistic modeling. Impact scores (T_i, V_i), measured on a 0–100 scale, were discretized using a threshold of 60, identified through exploratory data analysis as corresponding to the upper quantile of observed cases and marking the onset of severe outcomes.

All data pipelines were versioned using Jupyter Notebooks (Libouban et al. 2024), and a consistent random seed was used to generate the synthetic 500-scenario dataset in order to promote reproducibility.

A simplified risk engine was constructed to generate full-model and reduced-model risk scores for each scenario, using the following formulae:

$${Risk}_{full} = \left({\displaystyle \frac{T_L+V_L }{2}}\right) \times V_i$$

(5)

$${Risk}_{reduced} = \left({\displaystyle \frac{T_L+V_L }{2}}\right) \times T_i$$

(6)

This made it possible to assess the model’s performance in terms of operational output as well as conditional dependencies. To compare the fidelity of the reduced model to the full model, the engine was benchmarked using Mean Absolute Error (MAE) and KL-Divergence.

To support adoption by small institutions with limited staff and historical data, we propose a staged roadmap for implementing the Bayesian network risk assessment model. The process begins with predefined templates, leveraging publicly available or sector-specific threat and vulnerability catalogs to provide an immediate operational baseline. Expert-based parameterization follows, where internal subject-matter experts assign initial likelihood and impact values to populate the conditional probability tables (CPTs), ensuring that the model reflects the institution’s context even in the absence of rich datasets. As operational data accumulates such issues as incident reports, audit findings, and relevant external intelligence, parameters can be incrementally updated using frequency-based learning with smoothing, while retaining expert priors for data-sparse nodes. Regular iterative refinement cycles (for example, quarterly) should be conducted to validate and adjust both the model structure and parameters, gradually replacing template assumptions with empirical evidence. To lower barriers to entry, implementation can begin with open-source Bayesian network tools, which allow for flexible configuration and scaling as institutional capabilities expand. This roadmap aligns with best-practice recommendations for operational model deployment in risk-sensitive domains, enabling actionable outputs from the outset while supporting continuous improvement.

Simulation design note. We used Monte Carlo simulation with stratified sampling to ensure the coverage of tail combinations of T_L, V_L, T_i, V_i. The sample size N = 500 was selected after a saturation check in which MAE/RMSE, MI, and edge probabilities stabilized for N ≥ 400; a value of 500 provided stable estimates at modest computational cost. Likelihoods T_L,V_L ∈ [0, 1] were drawn from Beta(α,β) distributions calibrated to empirical means/variances; impacts T_i,V_i ∈ [0, 100] were drawn from truncated lognormal distributions to empirically reflect observed right-tail risk severity. We conducted a distributional sensitivity analysis (light-tailed truncated normal vs. heavy-tailed truncated lognormal/Pareto-type) and obtained qualitatively unchanged results, indicating robustness to tail assumptions; a fixed random seed ensured reproducibility.

Monte Carlo simulation methodology. Within the simulation procedure, we use Monte Carlo simulation with stratified sampling. We employ this approach to prevent the under-sampling of tail events, typical to simple random draws, and ensure that rare but high-impact combinations of risk parameters are explicitly represented. The simulation covered T_L, V_L, T_i, V_i, with stratification targeted at extreme quantiles of the distributions. Such an approach guarantees sufficient tail coverage; the authors believe that this is critical for stress testing of financial institutions operating in volatile markets.

Distributional assumptions. The authors use Beta distributions to derive the likelihood variables T_L and V_L, constrained to the [0, 1] interval. The Beta family was selected due to its flexibility in representing skewed probability profiles and its interpretability in Bayesian settings. Parameters (α, β) were estimated for empirical data fitting by the method of moments, in order to align simulated draws with observed fintech datasets. To reflect the empirically observed right-tail severity of financial and cybersecurity incidents, we used lognormal distributions with a truncation level of 100 for the impact variables T_i and V_i, which are inherently unbounded but truncated by operational definitions (0–100 scale).

Sensitivity to tails. With the purpose of testing robustness, we repeated simulations with light-tailed (truncated normal) and heavy-tailed (Pareto-type) alternatives. Across specifications, the resulting Bayesian network inferences remained qualitatively consistent, suggesting that the model’s conclusions are not unduly impacted by tail assumptions. This allows us to validate that the stratified Monte Carlo method produced stable estimates of risk relationships and enhance the findings’ external validity.

3. Results

A total of 500 simulated threat scenarios were generated, encompassing varying levels of threat likelihood, vulnerability likelihood, and their associated impacts. Key summary statistics are provided below in

Table 4. Key statistics.

Parameter	Mean	Std. Dev	Min	Max
TL	0.54	0.18	0.10	0.95
VL	0.47	0.21	0.005	0.99
Ti	62.1	19.8	10	100
Vi	59.3	22.4	5	100

,

Table 5. Risk score summary statistics.

Min	Max	Mean	Std. Dev
5.3	91.2	50.07	14.54

,

Table 6. Risk score distribution by category.

Very Low (0–20)	Low (20–35)	Medium (35–65)	High (65–80)	Critical (>80)
7	69	353	58	13

.

Two sources of input were used: expert simulations and synthetic scenarios. Risk analysts and domain professionals estimate T_i, T_L, V_L, and V_i for a predefined threat catalog; then, the controlled scenarios are made with set conditional rules to mimic attacks and their effects.

These scenarios help to investigate how sensitive and redundant issues are when the parameters are spread out in different ways.

We train and test the models on N = 500 simulated instances, which are split into training (30%) and validation (70%) sets.

• Hypothesis Evaluation Criteria

We used the 500-scenario dataset to calculate a number of statistical parameters to see whether the proposed hypotheses (H1–H3) are true. All statistical tests were conducted with a 95% confidence level, and bootstrapping was used to make sure the results were strong even with different samples. The hypotheses evaluation criteria are shown in

Table 7. Hypothesis evaluation criteria.

Metric	Hypothesis	Full Model (RA)	Reduced Model (RB)	Difference	Assessment
Pearson’s r (Ti, Vi)	H1	0.83	-	-	Excellent
Conditional Entropy H(Vi|Ti)	H1	0.87	-	-	Good
Marginal Entropy H(Vi)	H1	2.3	-	-	Excellent
Edge Probability P(Ti→Vi)	H1	0.92	-	-	Excellent
Mean Absolute Error (MAE)	H2	6.2	6.7	+0.5	Good
Root Mean Square Error (RMSE)	H2	8.1	8.6	+0.5	Good
Bayesian Information Criterion (BIC)	H2	1504.7	1452.3	−52.4	Excellent
KL-Divergence (RA‖RB)	H2	-	-	0.41	Good
Mutual Information I(Ti;Vi)	H3	1.34	-	-	Excellent
Mutual Information I(TL;VL)	H3	0.98	-	-	Excellent
Mutual Information I(TL;Ti)	H3	1.01	-	-	Excellent

.

The first hypothesis of the article can be tested empirically and probabilistically due to this framework. We assess the importance and informational contribution of each parameter by contrasting the risk prediction performance of two network configurations: one with V_i and one without this parameter. Transparency and flexibility in modeling expert-derived and data-driven risk assessments are further supported by the application of Bayesian networks.

Result Assessment

The results of the simulation tests and hypothesis assessments using the developed Bayesian network models are shown in this section. The findings are arranged according to the hypotheses outlined in Section 2.1 and contrast the reduced model (which does not include V_i) and the full model (which includes all four parameters: T_L, T_i, V_L, and V_i).

The validation of each hypothesis (H1–H3) is supported by specific statistical and Bayesian network metrics, and their respective values provide strong empirical justification for the conclusions drawn.

Hypothesis 1 (H1)

The Impact Equivalence Hypothesis claims that Vulnerability Impact (V_i) can be inferred from Threat Impact (T_i). This is strongly supported by several indicators. The Pearson correlation coefficient between T_i and V_i is 0.83, which is considered excellent and indicates a strong linear relationship. The conditional entropy H(V_i|T_i) is 0.87, which falls into the “Good” range and shows that knowledge of T_i significantly reduces the uncertainty about V_i. In contrast, the marginal entropy of V_i is 2.3, indicating that V_i on its own has high variability, most of which is explained by T_i. Furthermore, the edge probability from T_i to V_i in the learned Bayesian network is 0.92, which confirms that this dependency appears in the vast majority of bootstrapped model structures. Together, these results validate H1 with strong statistical and structural evidence.

Hypothesis 2 (H2)

The Redundancy Hypothesis is fully supported by several complementary criteria and asserts that Vulnerability Impact (V_i) can be eliminated from the model without appreciably impairing predictive performance. There are not many differences between the full model (RA) and reduced model (RB) in terms of prediction accuracy: the Root Mean Square Error (RMSE) increases slightly from 8.1 to 8.6, and the Mean Absolute Error (MAE) increases only slightly from 6.2 to 6.7. The reduced model is still very accurate because both values are still in the “Good” range for performance. The Bayesian Information Criterion (BIC) goes up by 52.4 points, from 1504.7 in RA to 1452.3 in RB. This is an “Excellent” score. The BIC improved, which means that the simpler model improves the balance of fit and simplicity. The KL-Divergence between the full and reduced models is 0.41, which is a “Good” score. This means that the outputs of the two models are very similar in terms of probability. The results support Hypothesis H2, which says that not including V_i does not change how accurate the risk predictions are very much, and that the simplified model is still a good and useful choice.

Hypothesis 3 (H3)

The Parameter Dependency Hypothesis, asserts that all four parameters—Threat Likelihood (T_L), Threat Impact (T_i), Vulnerability Likelihood (V_L), and Vulnerability Impact (V_i)—are interdependent and appropriately structured in the Bayesian network. This is confirmed by mutual information scores between key variable pairs. T_i and V_i share 1.34 bits of information, T_L and V_L share 0.98 bits, and T_L and T_i share 1.01 bits. All of these numbers are in the “Excellent” range. This means that these pairs of variables share a lot of information. Moreover, the connections in the BN are based on real statistical dependencies.

In short, there is a lot of statistical and structural evidence that supports H1 and H3. This proves that T_i and V_i work together and that the BN structure is correct. H2 is fully supported: although there is a small drop in predictive performance when V_i is excluded, the reduced model benefits from better simplicity and efficiency without a significant loss in accuracy.

Using Bayesian inference, posterior risk scores were computed for each scenario. The inferred risk scores showed the following:

• High sensitivity to variations in T_L and V_L, especially when T_i was high.
• Stability in risk estimation whether V_i was included or replaced by T_i as its proxy.
• Risk scores ranged from 5.3 (low risk) to 91.2 (critical risk), with most values clustering between 35 and 65, indicating a nonlinear mapping of parameters to risk.
• A comparative plot of predicted risk scores between the full and reduced models shows near-linear agreement (R² = 0.96), reinforcing the conclusion that V_i may be substitutable by T_i in many cases.

The graph below shows how the predicted risk scores from the full model (R_A) and the reduced model (R_B) agree with each other. The position of each point, which stands for a scenario, is based on the predicted risk from R_A (x-axis) and R_B (y-axis). The R² value of 0.96 shows that there is a nearly linear relationship between the two. This means that even after removing Vulnerability Impact (V_i) from the model, the predicted risks are still very similar to those of the full model. This high level of agreement statistically supports the idea that T_i can often be used instead of V_i, which supports Hypothesis H2 in terms of predictive consistency. The predicted risk scores for full and reduced model are presented in Figure 2.

In summary, all three hypotheses are supported by the data. The findings suggest that Threat Impact is a strong indicator of Vulnerability Impact, and that simplified risk models can still be accurate and reliable. Based on the above confirmed hypothesis, the authors propose the following formula for risk calculation:

$$Risk= \left({\displaystyle \frac{V_L+ T_L}{2}}\right) \times T_i$$

(7)

This formula allows risk assessment in the absence of a good set of historical data on Vulnerability Impact.

4. Discussion

The most important finding of this study is the fact that there is a strong conditional link between Threat Impact (T_i) and Vulnerability Impact (V_i). This finding supports the idea that T_i is close to or includes V_i in a lot of real-life risk situations. This close connection demonstrates that V_i is not a completely independent variable, but rather shows the effects that are already presented in T_i. It is supported by both correlation and conditional entropy analysis. This is especially important for emerging economies, where the financial institutions often do not have enough historical data to have an entire system of vulnerabilities and their likelihoods.

This confirms the Impact Equivalence Hypothesis (H1) and offers theoretical justification for using T_i as a substitute for V_i, especially in situations, where estimating V_i is challenging or where vulnerability data quality is low.

Another important contribution is the way of referring to risks as a threat-centric issue. Traditional models are often too complicated and may even be unnecessary because they see risk as the result of every threat–vulnerability combination. This paper, on the other hand, says that vulnerabilities only change how likely or obvious a risk is, and that each threat should be seen as a separate unit of risk.

This change makes risk portfolios easier to understand and use, which coincides with the opinions of (Ucedavélez and Morana 2015) and (Macher et al. 2016). Also, it makes it easier for people in organizations to talk about risk when threats are the main idea.

The Redundancy Hypothesis is confirmed by the research. The reduced model, excluding V_i, has presented the performance results, which are similar to those of the full model. Moreover, the reduced model complexity is lower compared to that of the full model. This finding has practical applications, allowing professionals to estimate risk with fewer inputs, particularly when resources are limited, without losing the risk estimation reliability. For tool designers, it supports the development of leaner risk engines that can still adhere to probabilistic rigor without overburdening users with hard-to-estimate parameters.

However, this should not be interpreted as grounds to eliminate V_i in all contexts. In systems where vulnerabilities vary widely in type and exposure, V_i may provide critical nuance. In this situation, the absence of vulnerability analysis may simplify the assessment and blur the situation (Ledwaba et al. 2018; Rossebo et al. 2007). Rather, the implication is that V_i’s value is context-sensitive and that flexible models should accommodate both explicit and inferred forms of V_i.

The results of this study have important practical benefits for organizations that manage risk, especially in the financial sector.

First, the results show that focusing on threat likelihood and impact can serve as a good way to assess risk without calculating each vulnerability impact. This makes the risk assessment process easier, faster, and simpler for managers and security teams making decisions about risk, especially when they do not have all the information they need about every vulnerability.

Second, a Bayesian network is a powerful tool for organizations to use to combine expert opinions with real data. This makes it possible to model risk in a way that is more flexible and realistic, especially when the data is incomplete or not certain. For instance, if a business knows there is a threat but does not know the specifics of the vulnerability, the model can still give a good estimate of the overall risk.

Third, this method helps with planning. Companies can focus their efforts on the most important issues if they know how different risk factors are related. If a high-impact threat is closely linked to a weakness in a system, that area should be protected first.

Finally, the model can be changed when new information comes in because it is adaptable. This helps businesses to keep track of how much risk they are taking on and respond to changes in the threat landscape.

In short, the suggested method helps businesses to perform risk assessments that are better, faster, and based on more information.

The Bayesian network framework developed in this study not only offers a unified representation of threat and vulnerability dependencies but also provides a natural interface with modern coordinated risk measures. By generating posterior distributions of risk assessments, the model produces the probabilistic inputs needed for advanced metrics that are sensitive to tail effects. In particular, we discuss the following issues:

• Value-at-Risk (VaR) and Conditional Value-at-Risk (CVaR) can be applied directly to the posterior distribution of risk scores, enabling quantification of both threshold exceedance probabilities and expected shortfall beyond that threshold (Rockafellar and Uryasev 2002, 2000).
• Entropic Value-at-Risk (EVaR), introduced by (Ahmadi-Javid 2012), provides a tighter and more conservative bound on tail risk by exploiting moment-generating functions. Our Bayesian inference engine naturally produces the conditional probabilities needed for EVaR evaluation.
• Expectile Risk Measures (ERM) (Ziegel 2016) can be integrated with our framework to capture asymmetries in loss distributions and to support scenario-specific stress testing.

These measures enhance the practical applicability of our model, especially for institutions in emerging economies where vulnerability data may be sparse but tail events are disproportionately important. By combining Bayesian inference with consistent risk measures, practitioners can move beyond simple point estimates and incorporate a full range of distributional information in their decision-making processes.

Overall, the proposed Bayesian-based method offers several advantages over traditional approaches, including the integration of expert priors with empirical data in a unified framework, the explicit separation of threat and vulnerability likelihoods and impacts to improve interpretability, and a modular structure that supports incremental refinement as new information becomes available. Nonetheless, certain limitations should be acknowledged, such as the potential subjectivity of initial expert estimates, sensitivity to discretization thresholds, and the need for regular parameter recalibration to reflect evolving risk landscapes. By redefining risk in terms of conditional relationships between likelihood and impact for both threats and vulnerabilities, the approach enables more granular reasoning, supports targeted mitigation strategies, and aligns with established probabilistic risk assessment principles, making it particularly applicable in critical infrastructure and cybersecurity domains.

5. Conclusions

This study employs Bayesian networks to estimate risks on the basis of such parameters as Threat Likelihood (T_L), Threat Impact (T_i), Vulnerability Likelihood (V_L), and Vulnerability Impact (V_i). The authors address the principal gap existing in the scientific literature on the topic: there is no unified model for risk assessment which is based on formalized principals and simultaneously statistically supports the integration of threat and vulnerability parameters.

The empirical results support the first hypothesis that Threat Impact (T_i) and Vulnerability Impact (V_i) are closely related, and T_i often serves as a good substitute for V_i in real life. The study also shows that risk can be accurately estimated using a smaller model that does not include V_i. This means that the amount of data needed is lower without significantly affecting the accuracy of the predictions.

The study not only confirms these interdependencies, but it also supports a threat-centered view of risk estimation. It emphasizes that threats, not threat–vulnerability pairings, should be the main units of risk from the system owner’s point of view. This change makes modeling easier and easier to understand, and it fits with how organizations usually manage risk portfolios.

The use of Bayesian networks is especially efficient; this method offers an adjustable framework for combination of experts’ knowledge and empirical data to overcome the uncertainty; moreover, this method allows dynamic updates. Therefore, this method can be used for practical application in cybersecurity, infrastructure protection, and enterprise risk management.

In addition to validating the three hypotheses, our study demonstrates that Bayesian networks can serve as a flexible input generator for coordinated risk measures. The posterior risk distributions derived here can be directly integrated into Value-at-Risk (VaR), Conditional Value-at-Risk (CVaR), Entropic Value-at-Risk (EVaR), and Expectile Risk Measure (ERM) frameworks, thereby aligning the model with best practices in financial risk management. Future research should focus on extending the Bayesian-based approach to incorporate these measures explicitly, further enhancing its robustness in the presence of extreme events and providing decision-makers with richer tail-sensitive assessments of risk.