The Information Risk Insights Study (IRIS)

Cyber risk quantification has been plagued by FUD (fear, uncertainty, and doubt) for far too long and our research series, the Information Risk Insights Study, is dedicated to clearing away these fears by leveraging real-world data and rigorous analysis focused on key aspects and challenges of managing cyber risk. We’re incredibly grateful to our partners and sponsors for making the IRIS research possible.

Information Risk Insights Study 2022

A Clearer Vision for Assessing the Risk of Cyber Incidents

Since its original release in 2020, the Information Risk Insights Study has expanded upon its extensive analysis of a huge historical dataset in the IRIS series, shining light on topics like extreme loss events and massive multi-party incidents.

Now, thanks to sponsorship from the Cybersecurity & Infrastructure Security Agency (CISA), the IRIS is back – bigger and better than ever for a 2022 update and expansion. The new study analyzes 77,000 cyber events, $57 billion in reported losses, and 72 billion compromised records. We explore common patterns among those events and identify threat techniques that contributed to their success.



Information Risk Insights Study (IRIS) Risk Retina® Threat Event Analysis

Offering a detailed exploration of incident patterns, threat actors, financial impacts, actor trends across sectors and sizes, threat actor varieties, threat actions (including ATT&CK TTPs), VERIS Action Categories, ATT&CK Tactics & Techniques, top initial access techniques, and much more.

With the IRIS Risk Retina® Threat Event Analysis, the Cyentia Institute is raising the bar in cyber risk assessment, empowering organizations to make informed decisions and fortify their defenses effectively.

IRIS Risk Retina for Nonprofits

Data to support NPO’s cyber risk quantification

IRIS Risk Retina® is a service derived from our IRIS research that provides real-world data to support cyber risk quantification. This Risk Retina contains key risk parameters for annualized event frequency and loss magnitude as well as common incident patterns that historically impact nonprofit organizations. Nonprofits face many challenges, and we hope this report makes managing cyber risk a little less fraught with uncertainty.


IRIS Tsunami

The wake of damage following large multi-party incidents

We studied the 50 largest multi-party incidents over the past several years to understand their causes and consequences from beginning to end. This report identified cyber events involving multiple organizations and sought to understand who was behind them, what happened, how the after-effects propagated through the supply chain, and the financial losses for all parties involved.


IRIS 20/20 Xtreme

Analyzing the 100 largest losses of the last 5 years

The Information Risk Insights Study (IRIS) 20/20 “Xtreme” edition continues the IRIS series with in-depth analysis of the 100 largest cyber loss events of the last 5 years. If you’re looking for stats on how often major security incidents occur, how much they cost, what makes them worse, who’s behind them, and how they go down, then this is the study for you! Click the tab below for a sample of what’s in store in the full report.


IRIS 20/20

The Original, Clear Vision for Assessing the Risk of Cyber Incidents

The IRIS 20/20 aims to clear the fog of FUD surrounding cyber risk and help managers see their way to better data-driven decisions. This first-of-its-kind study leverages a vast dataset from Advisen spanning tens of thousands of breaches over the last decade. Our extensive analysis of that dataset yields valuable insights about the frequency and financial impact of cyber incidents to organizations of all types and sizes. Click the tab below for a taste of what’s in store in the full report.