Since its original release in 2020, the Information Risk Insights Study has expanded upon its extensive analysis of a huge historical dataset in the IRIS series, shining light on topics like extreme loss events and massive multi-party incidents.


Now, thanks to sponsorship from the Cybersecurity & Infrastructure Security Agency (CISA), the IRIS is back – bigger and better than ever for a 2022 update and expansion. The new study analyzes 77,000 cyber events, $57 billion in reported losses, and 72 billion compromised records. We explore common patterns among those events and identify threat techniques that contributed to their success.

The Information Risk Insights Study (IRIS) 2022, spearheaded by the Cyentia Institute, delves into the complexities of cyber risk management by analyzing a vast dataset of over 77,000 cyber events that have affected 35,000 organizations, resulting in $57 billion in financial losses and compromising 72 billion data records over the past decade. This comprehensive study aims to dispel the prevalent fear, uncertainty, and doubt (FUD) surrounding cyber risk decisions by providing data-driven insights and rigorous analysis. The 2022 edition of IRIS has significantly enhanced its analytical techniques and enriched its data quality, offering deeper insights into the frequency and financial impact of cyber incidents across various sectors and organization sizes.

The report highlights that cybersecurity incidents are on the rise, with a 44% increase in the average number of publicly reported events per month over the last decade. The healthcare and finance sectors are the most affected, experiencing significantly more incidents than industries like mining and agriculture. However, the hospitality and information services sectors top the list in terms of the likelihood of experiencing at least one cyber event in a year. The study also reveals that while large organizations with over $100 billion in annual revenue are more likely to experience multiple security incidents, the relative impact on smaller firms is disproportionately greater. Despite common beliefs, financial losses attributed to cyber events have not increased over the past 20 years. The study uses terms like cyber event, loss event, and incident interchangeably to refer to events that impact the confidentiality, integrity, or availability of a firm’s information assets, encompassing a range of occurrences from data breaches and ransomware infections to insider misuse and physical threats.

Key Findings

  • Cybersecurity incidents are growing in frequency, with a 44% increase in the average number of events publicly reported each month over the last decade.
  • The Healthcare and Finance sectors have the most incidents, with 76X more events than the least-breached industries of Mining and Agriculture.
  • Large organizations with over $100B in annual revenue are 32X more likely to have multiple security incidents in a single year than smaller firms.
  • The typical financial cost reported for a cyber event is $266K, but the top 5% of loss events balloon to $52M.
  • Valid Accounts, Phishing, and Exploit Public-Facing Applications are the three most common MITRE ATT&CK initial access techniques observed across all incidents.