Understanding our approach to data, modeling, and AI in cyber risk quantification
In an era where “AI training” has become synonymous with data collection, we get this question a lot: “Does Resilience use our company data to train AI models like ChatGPT?”
The short answer? No. But the full answer reveals something more interesting about how we approach cyber risk modeling and why we chose a different path.
What is AI, anyway?
When most people hear “AI,” they think of systems like ChatGPT that learn by consuming vast amounts of data. But AI isn’t a single tool—it’s an entire toolbox. And for cyber risk quantification, we’ve chosen a very different instrument: Bayesian networks.
Think of the difference this way: ChatGPT is like a student learning a new language by reading millions of books. Our Bayesian network is more like a detective building a web of clues—it doesn’t “learn” in the traditional sense, but rather uses mathematical reasoning to connect evidence and calculate probabilities.
The science behind our approach
Our Bayesian network approach rests on three core principles that distinguish it from machine learning models. Rather than letting algorithms discover patterns in data, we build structured mathematical frameworks that mirror how risk actually propagates through organizations. Here’s what that looks like:
1. Expert-designed architecture
Our models aren’t trained by feeding them raw data and hoping they figure things out. Instead, they’re carefully architected by human experts using a principle called decomposition. We take the enormously complex question of “What’s our cyber risk?” and break it down into hundreds of smaller, answerable questions like:
- Is multi-factor authentication enforced on critical systems?
- How quickly does the organization patch vulnerabilities?
- What’s the maturity of the incident response program?
2. Cause and effect mapping
The real power lies in how these factors connect. Our Bayesian network maps the probabilistic relationships between security controls, threat vectors, and potential financial impacts. When you implement a new security control, the model can calculate exactly how that change affects your overall risk profile.
3. Reasoning with evidence
Here’s where data becomes powerful: it serves as evidence that helps the model reason about specific situations. Every signal, from automated security tool integrations to platform assessments, feeds into a unique instance of the model, creating a precise, mathematical understanding of risk.
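The three principles above can be seen in a toy Bayesian network. This is an added example, not Resilience's model: the node names, the network structure and every probability are constructed for illustration, and inference is done by plain enumeration.

```python
from itertools import product

# Constructed toy network (not Resilience's model): node -> (parents, CPT),
# where each CPT entry is P(node=True | parent values). All numbers are made up.
NETWORK = {
    "mfa_enforced":  ((), {(): 0.6}),
    "fast_patching": ((), {(): 0.5}),
    "mature_ir":     ((), {(): 0.4}),
    "compromise": (("mfa_enforced", "fast_patching"),
                   {(True, True): 0.02, (True, False): 0.08,
                    (False, True): 0.10, (False, False): 0.30}),
    "major_loss": (("compromise", "mature_ir"),
                   {(True, True): 0.20, (True, False): 0.50,
                    (False, True): 0.0, (False, False): 0.0}),
}

def joint(assignment):
    """Probability of one full True/False assignment (chain rule over the DAG)."""
    p = 1.0
    for node, (parents, cpt) in NETWORK.items():
        p_true = cpt[tuple(assignment[parent] for parent in parents)]
        p *= p_true if assignment[node] else 1.0 - p_true
    return p

def posterior(query, evidence):
    """P(query=True | evidence), summing the joint over every unobserved node."""
    hidden = [n for n in NETWORK if n not in evidence]
    matching = total = 0.0
    for values in product([True, False], repeat=len(hidden)):
        world = {**evidence, **dict(zip(hidden, values))}
        p = joint(world)
        total += p
        if world[query]:
            matching += p
    if total == 0.0:
        raise ValueError("evidence is impossible under this network")
    return matching / total

if __name__ == "__main__":
    print(posterior("major_loss", {}))                       # no signals yet
    print(posterior("major_loss", {"mfa_enforced": True}))   # one signal
    print(posterior("major_loss", {"mfa_enforced": True, "fast_patching": True,
                                   "mature_ir": True}))      # all three signals
    print(posterior("mfa_enforced", {"compromise": True}))   # diagnostic direction
```

Signals that are not supplied are averaged over their priors, so each added piece of evidence narrows the answer; the last query runs the same network backwards, from an observed compromise to the likely state of a control.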
Your data journey
The process is designed around a simple principle: your data should benefit you first and most.
Step 1: You provide the evidence
Through seamless integrations and assessments, you share data points (we call them “signals”) about your security posture.
Step 2: We quantify your risk
These signals feed directly into your company-specific statistical model, which calculates the financial risk associated with your unique security environment.
Step 3: You get actionable intelligence
The output is your Loss Exceedance Curve (LEC)—a clear visualization of your financial risk—and your Cyber Action Plan (CAP), a risk-reduction-prioritized list of security initiatives.
The more complete your signals, the more precise your risk analysis becomes. It’s a direct, transparent value exchange.
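How a Loss Exceedance Curve can be derived, as an added example rather than Resilience's method: the page does not say how its LEC is computed, so a simple frequency/severity Monte Carlo simulation is assumed here, and the incident probabilities, lognormal severity parameters and dollar thresholds are all constructed.

```python
import random

def simulate_annual_losses(p_incident, years, seed, mu=13.0, sigma=1.2):
    """One loss figure per simulated year: 0 without an incident, else lognormal.

    The uniform draw and the severity draw are both taken every year, so two
    runs with the same seed share random numbers and differ only through
    p_incident (common random numbers).
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        incident = rng.random() < p_incident
        severity = rng.lognormvariate(mu, sigma)
        losses.append(severity if incident else 0.0)
    return losses

def exceedance_curve(losses, thresholds):
    """[(threshold, share of simulated years whose loss exceeds it)]."""
    n = len(losses)
    return [(t, sum(1 for x in losses if x > t) / n) for t in thresholds]

# Constructed inputs: thresholds in dollars, incident probabilities before and
# after a hypothetical control improvement.
THRESHOLDS = [0, 100_000, 500_000, 1_000_000, 5_000_000]

def compare_postures(p_before=0.11, p_after=0.02, years=50_000, seed=7):
    """Exceedance curves for two postures, simulated on shared random numbers."""
    before = exceedance_curve(simulate_annual_losses(p_before, years, seed), THRESHOLDS)
    after = exceedance_curve(simulate_annual_losses(p_after, years, seed), THRESHOLDS)
    return before, after

if __name__ == "__main__":
    for (t, b), (_, a) in zip(*compare_postures()):
        print(f"P(loss > ${t:>9,}) before={b:.4f} after={a:.4f}")
```

Each point on the curve reads as "the probability that annual loss exceeds this amount"; comparing the two curves at the same threshold shows the effect of a control change on the tail, which is the quantity a prioritized action list would rank by.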
The population health model of cyber risk
While your data powers your individual risk analysis, we also use anonymized, aggregated insights to continuously improve our models. Think of it like population health research:
- Your doctor uses your specific test results to diagnose and treat you
- Public health officials use anonymized data from thousands of patients to understand disease trends and refine medical guidelines
We apply the same principle to cyber risk. By analyzing broad, anonymized patterns across our client base and claims portfolio, we can refine our understanding of emerging threats and control effectiveness—without ever exposing individual company data.
This approach creates what we call the virtuous cycle of resilience:
- You benefit from increasingly accurate, personalized risk insights and clearer improvement strategies
- We benefit from building a more stable insurance program based on better risk understanding
- All clients benefit from continuously evolving models that provide sharper insights year after year
Building partnership through transparency
At Resilience, we believe that true partnership requires complete transparency about how we handle your most sensitive asset: your data. Our statistical modeling approach isn’t just more privacy-conscious than traditional AI training—it’s more effective for the specific challenge of cyber risk quantification.
When you’re choosing a cyber risk partner, you’re not just selecting a vendor: you’re choosing an approach to understanding and managing risk. We’ve chosen the path of the detective over the student, precision over pattern-matching, and transparency over black boxes.
Because in cyber risk, the stakes are too high for anything less than complete clarity about how your data creates value for your organization.