The Information Risk Insights Study (IRIS)
Cyber risk quantification has been plagued by FUD (fear, uncertainty, and doubt) for far too long and our research series, the Information Risk Insights Study, is dedicated to clearing away these fears by leveraging real-world data and rigorous analysis focused on key aspects and challenges of managing cyber risk. We’re incredibly grateful to our partners and sponsors for making the IRIS research possible.
Information Risk Insights Study 2022
Since its original release in 2020, the Information Risk Insights Study has expanded upon its extensive analysis of a huge historical dataset in the IRIS series, shining light on topics like extreme loss events and massive multi-party incidents.
Now, thanks to sponsorship from the Cybersecurity & Infrastructure Security Agency (CISA), the IRIS is back – bigger and better than ever for a 2022 update and expansion. The new study analyzes 77,000 cyber events, $57 billion in reported losses, and 72 billion compromised records. We explore common patterns among those events and identify threat techniques that contributed to their success.
IRIS Risk Retina for Nonprofits
Data to support NPO’s cyber risk quantification
IRIS Risk Retina® is a service derived from our IRIS research that provides real-world data to support cyber risk quantification. This Risk Retina contains key risk parameters for annualized event frequency and loss magnitude as well as common incident patterns that historically impact nonprofit organizations. Nonprofits face many challenges, and we hope this report makes managing cyber risk a little less fraught with uncertainty.
IRIS Tsunami
The wake of damage following large multi-party incidents
We studied the 50 largest multi-party incidents over the past several years to understand their causes and consequences from beginning to end. This report identified cyber events involving multiple organizations and sought to understand who was behind them, what happened, how the after-effects propagated through the supply chain, and the financial losses for all parties involved.
IRIS 20/20 Xtreme
Analyzing the 100 largest losses of the last 5 years
The Information Risk Insights Study (IRIS) 20/20 “Xtreme” edition continues the IRIS series with in-depth analysis of the 100 largest cyber loss events of the last 5 years. If you’re looking for stats on how often major security incidents occur, how much they cost, what makes them worse, who’s behind them, and how they go down, then this is the study for you! Click the tab below for a sample of what’s in store in the full report.
IRIS 20/20
A Clearer Vision for Assessing the Risk of Cyber Incidents
The IRIS 20/20 aims to clear the fog of FUD surrounding cyber risk and help managers see their way to better data-driven decisions. This first-of-its-kind study leverages a vast dataset from Advisen spanning tens of thousands of breaches over the last decade. Our extensive analysis of that dataset yields valuable insights about the frequency and financial impact of cyber incidents to organizations of all types and sizes. Click the tab below for a taste of what’s in store in the full report.
The Information Risk Insights series is an ever-expanding suit of reports; if you’d like to sponsor one of the future studies and be a part of the work that we do at the Cyentia Institute, please reach out and share your ideas.
The median cost of these 50 extreme multi-party events stands at a whopping $90M. To put that in perspective, the typical incident runs a comparably measly $200K.
The median number of organizations impacted in these cyber tsunami events is 31, but we recorded swells enveloping as many as 800 secondary victim firms.
System intrusions were by far the most common type of incident, and they also impacted the largest number (57%) of downstream organizations.
Ransomware lags as a distant second in terms of frequency but ran up 44% of the recorded financial losses across the 50 tsunami events in this study.
Cracked and stolen credentials were the most common (50% of incidents) and costly (68% of losses) initial access technique.
Exploitation of public-facing applications led to more collateral victim organizations (63%) compared to any other initial access vector.
Aggregated data and shared systems were the most common ways in which cyber loss events propagated from primary to secondary victim organizations.
Supply chain compromises led to the biggest share of recorded financial losses ($7.4 billion) and the largest number of secondary victim firms.
Organized cyber criminal groups were ultimately responsible for 80% of all collateral damage to downstream firms.
State-affiliated actors were behind one out of five incidents and caused the majority of financial losses, with over $10 billion recorded on their tab!
Insiders and third parties contributed to 34 of the 50 extreme events we analyzed in this study. Those 34 events carry a combined price tag of $17.3 billion—99% of all recorded losses!
The median loss for incidents meeting our qualifications for “extreme” is $47M, with just over one-in-four exceeding $100M; five events racked up $1B or more in losses. 
Relative to annual corporate revenues, losses from these events range from less than 0.1% to nearly 100 times the affected firm’s revenue!
Response costs, lost productivity, and fines and judgements are the most common forms of loss in extreme events.
Firms that bungle the incident response process show costs that are nearly 2.8 times larger than those without signs of poor response.
Apart from hard costs, 27 events were reported in U.S. Securities and Exchange Commission (SEC) filings, 25 triggered executive changes, and 23 prompted government inquiry.
Data breaches, ransomware, fraud, and cryptocurrency theft are by far the most common and costliest types of extreme cyber events.
One in five of the largest losses over the last five years are attributed to state-affiliated actors. All told, they’re responsible for 43% of all monetary losses in this study!
A single campaign, NotPetya, was responsible for nearly 20% of all financial losses across these 103 extreme events.
tolen passwords and other credential-related attacks led to more incidents (46) and more total losses ($10B) than any other threat action.
Remote access malware planted by actors contributed to the second-highest totals for event frequency (31) and losses ($9.2B).
Web application attacks placed third in frequency (25 events; $2B), but exploitation of known and patchable vulnerabilities ranked third in cost (22 events; $8B).
Over 60% of the Fortune 1000 had at least one public breach over the last decade. On an annual basis, we estimate one in four Fortune 1000 firms will suffer a cyber loss event. That ratio approaches 50% for the Fortune 250.
Moving beyond mega-corporations, the probability of cyber incidents drops substantially. SMBs have breach rates below 2% and are orders of magnitude less likely to suffer several in a year.
The likelihood of breaches also varies by industry. Government agencies, administrative and information services, and financial and management firms have the highest rates. Construction, agriculture, and mining occupy the lower end of the frequency spectrum.
The traditional method of estimating breach losses—using a flat cost per record—is flat-out harmful. It results in $1.7 trillion of error due to overestimating losses compared to actual recorded values. We demonstrate a better method for more accurate cyber risk assessments.
We can use the number of exposed records to estimate breach losses, but it’s probabilistic rather than deterministic. An exposure of 1,000 records has a 6% chance of exceeding $10M. By comparison, a massive breach of 100M records has a better than 50% chance of racking up at least $10M in losses.
Financial losses following a cyber event typically run about $200K, but 10% of breaches exceed $20M. The cost of extreme events (95th percentile) to the mega corporations in the Fortune 250 approaches $100M (or more).
Typical and extreme losses differ substantially among industries. The information services and retail sectors show abnormally high losses that exceed many other sectors by a factor of 10.
Cyber events show harsh economies of scale. A $100B enterprise that experiences a typical cyber event ($292K) should expect a cost that represents 0.000003% of annual revenues. A mom and pop shop that brings in $100K per year, on the other hand, will likely lose one-quarter of their earnings ($24K) or more.
Based on these frequency and loss estimations, we assess that there’s a 6% chance that a Fortune 1000 firm will lose $100M or more in a 12-month period due to cyber events. These are the type of probabilistic risk statements we’re aiming to support in this study.