At Cyentia Institute, we seek to advance cybersecurity knowledge and practice through data-driven research and services. Below you’ll find a gallery of our partners and publications that showcase our unique ability to produce content that’s both rigorous and engaging. If any of these spark ideas for your own research project, we’d be glad to discuss how we might help!
Partner: Cobalt
Partner: Veracode
Security debt continues to rise, even as organizations adopt more tools and resources. Understanding why this happens is essential to building an effective strategy. This report explores five key risk metrics that define security maturity, revealing where the most and least prepared organizations stand. It also introduces a new approach to remediation, showing how AI and smarter prioritization can reshape security backlogs and improve long-term resilience.
Partner: Mimecast
Partner: NopSec
Partner: First.Org
Cyentia and XM Cyber offer an in-depth look into the current state of cybersecurity risks, building on the continuous analysis of over 40 million exposures and extensive attack paths observed in real-world enterprise settings. The report sheds light on common exposure patterns and attack techniques that are relevant to both cloud and on-premises infrastructures, providing actionable best practices and recommendations to improve your security measures and reduce the risk of breaches.
Highlights from the report include:
With 90% of experts prioritizing third-party risk management, our joint report with RiskRecon covers based on input from 112 risk management professionals. This important research delves into the challenges of expanding supply chains, rising incidents of third-party breaches, and growing non-cyber risks.
Discover why the Cyentia and RiskRecon paper is your essential guide to navigating the complexities of vendor risk management, inside you’ll find:
Download The State of Third-Party Risk Management now to gain invaluable insights and strategies for mitigating third-party risks effectively.
In the latest 2024 analysis, the State of Software Security version 14 brings into focus the escalating challenge of security debt in software applications, sounding an alarm for global organizations. The race for rapid development and breakthrough innovation has inadvertently fostered a growing pile of unresolved security risks, termed as security debt. Our research delves deep into the dynamics of how flaws are introduced, the timelines for their fixes, and the broader implications of accumulating security debt. This year’s focus pivots on assessing the actual dangers posed by security debt, evaluating its priority for resolution, and determining the most efficient approaches for tackling it.
Risk to the Nth-Party Degree: Parsing the Tangled Web pioneers a transformative approach to supply chain analysis, surpassing traditional third-party evaluations. The report maps the intricate dependencies and relationships that constitute the backbone of your supply chain, going beyond visible nodes. Our collaborative report with Risk Recon offers a comprehensive view of vulnerabilities and optimization opportunities delivering actionable insights and strategic recommendations, empowering organizations to fortify their supply chains against disruptions and navigate the complexities of the modern business landscape with resilience.
Our recent analysis of MITRE ATT&CK techniques uncovered significant gaps in reporting, emphasizing the need for a more comprehensive threat-informed defense. The findings from the report underscore the challenges within the cybersecurity landscape, including rapid updates, tactic-technique ambiguities, and the underreporting of sub-techniques.
To empower your cybersecurity strategies, download our full report for an in-depth understanding of ATT&CK techniques.
Sometimes small events can have far-reaching consequences, such as when one organization’s security incident affects third parties and the broader supply chain. We call these effects “ripple events” and have been studying them for years.
Our latest collaborative study with RiskRecon analyzes nearly 900 historical ripple events to identify the top MITRE ATT&CK techniques used. We seek to understand how these ripples occur and propagate, so your organization doesn’t get swept up in their wake.
In the world of cybersecurity, organizations often rely on assumptions when it comes to evaluating the security practices of their vendors. But what does the actual cybersecurity standing look like between businesses and their vendors? In a groundbreaking study conducted by RiskRecon and Cyentia Institute, security assessments across more than 50,000 B2B relationships were examined, shedding light on the truth.
Partner: Cisco
The latest installment in the P2P research series delves into the intricacies of the “Cybersecurity and Infrastructure Security Agency’s Binding Operational Directive 22-01,” the KEV (Known Exploited Vulnerabilities).
The KEV has emerged as a pivotal source of information on vulnerabilities and attacker activities. Serving as a cornerstone for cybersecurity strategies, the KEV compels attention due to its direct influence on risk reduction. The Cyentia Institute and Cisco’s collaborative effort delivers a comprehensive exploration of the KEV, unraveling its significance and contextualizing it within the broader landscape of cybersecurity data.
Looking to improve your organization’s security posture and protect your critical assets from cyber threats? Then XM Cyber’s annual research report, Navigating The Paths of Risk: The State of Exposure Management in 2023, is a must-read! In collaboration with research firm Cyentia Institute, we have uncovered key insights and statistics collected from tens of thousands of attack path assessments.
The most urgent question facing CISOs today is not “will I be attacked?” (yes) or “when will I be attacked?” (today), but “how will I be attacked?” As security professionals, we often live and die by the release cycle of the latest vulnerabilities. In this report, sponsored by F5 Labs, we take a step back and examine the universe of vulnerabilities and how it’s changed in the last 20 years with vulnerabilities increasing number and widening variety.
High-risk users are the top quartile of users in an organization who have had at least one instance of risky behavior, or event. So where do high-risk users hide? The answer to this question seems to be “everywhere.” However, it’s a little more nuanced than that.
This latest Cyentia Institute Report, in partnership with Elevate Security, analyzed nearly eight years’ worth of data—from June 2014 to July 2022, and answers the questions: What makes workers high risk? What are their riskiest behaviors? And More!
What is security resilience and why is it so important? We answer these questions & more in our latest report with Cisco Secure. We took a deep dive into seven critical success factors that boost security resilience according to more than 4,700 IT and security pros across the globe so you can learn how to be more resilient.
SecurityScorecard and the Cyentia Institute teamed up to analyze data from SecurityScorecard’s Automatic Vendor Detection on over 230,000 organizations for clues about the underlying conditions that exacerbate third and fourth-party risk. By measuring the extent of digital supply chains and investigating the prevalence of security incidents among third and fourth-party vendors, this report takes a look at how the effects of exposure yield insights on how to better manage risk.
In our collaborative report with RiskRecon our goal is to offer a view on the state of compliance in today’s typical organization. We examine the rate of noncompliance among a typical organization’s assets, the compliance standards that are hardest for organizations to adhere to, how well compliance tracks against the overall risk surface, and the most common security controls causing non-compliance.
We’re thrilled to partner with Arete in this second installment of the Investigative Cybercrime Series to focus on reigning in ransomware trends and tactics amongst different ransomware families in our ongoing research effort to unmask insidious cyber threats and lessen their impact on insurers and the organizations they cover.
Sponsors: Cybersecurity & Infrastructure Security Agency (CISA) and the Lawrence Livermore National Laboratory
The IRIS is back – bigger and better than ever for a 2022 update and expansion. The new study analyzes 77,000 cyber events, $57 billion in reported losses, and 72 billion compromised records. We explore common patterns among those events and identify threat techniques that contributed to their success.
The Cyentia Institute partnered with Securonix to analyze how organizations are using their Cloud SIEM with the goal of quantifying our assumptions and findings in a way that can help organizations calibrate what’s going on in their environments and help them hone the efficiency and effectiveness of their threat detection.
In this report, we look at what distinguishes the firms that measure and manage cyber risk well from those that struggle the most. Armed with this knowledge, Third-Party Risk Management (TPRM) professionals can take into account the totality of their risk surface and how it impacts the overall security performance of an organization.
Partners: Arete
We’re thrilled to partner with Arete in this first major installment of the Investigative Cybercrime Series to focus on ransomware trends, and the financial exposure faced by past and future victims. We discuss specifics on ransom demands and payments, victims’ industry and implemented controls, likelihood to pay, reasons for payment, and more!
Partners: Security Scorecard
The Fast and the Frivolous uses a massive dataset from SecurityScorecard that spans 1.6 million organizations. We analyze billions of internet-exposed assets to measure the speed of vulnerability remediation over a three-year period. In this report, you’ll find some of the lessons we learned.
Free Risk Retina
IRIS Risk Retina® is a service derived from our IRIS research that provides real-world data to support cyber risk quantification. This Risk Retina contains key risk parameters for annualized event frequency and loss magnitude as well as common incident patterns that historically impact nonprofit organizations.
Partners: Elevate Security
In this report, we leverage a dataset from Elevate Security spanning 15m events associated with 168k users across nearly 4k organizational departments to clarify what exactly makes a ‘risky user’. We’ll present some concrete numbers so you can understand how your users or departments measure up to everyone else. Finally, we’ll see that some types of risky behavior are likely indicative of other kinds.
Partners: Veracode
We looked at the entire history of active applications, not just the activity associated with the application over one year. By doing so, we can view the full life cycle of applications, which results in more accurate metrics and observations. Aside from looking at the past, we also imagined the future by considering practices that might help improve application security.
Partners: Kenna Security
We do two very important and timely things in this report. We first explore ways to measure exploitability for individual vulnerabilities—and far more importantly—entire organizations. Second, we create a simulation that seeks to minimize organizational exploitability under varying scenarios combining vulnerability prioritization strategies and remediation capacity. Bottom line: If you’re looking for proven ways to squeeze the most risk reduction from your vulnerability management (VM) efforts, this report is for you.
Partners: Cisco
For this second edition of Cisco’s Security Outcomes Study, we conducted an independent, double-blind survey of over 5,100 IT professionals in 27 countries. We asked all respondents about their approaches to the five key drivers of cybersecurity program success, uncovered through extensive prior research.
Partners: CyberGRX, Interos, RiskRecon
We identified 50 of the largest multi-party cyber incidents over the past several years in an effort to understand their causes and consequences from beginning to end. Tsunami draws from the same rigorous methodology in the rest of the IRIS series. We started with a huge dataset of cyber loss events, identified those that involved multiple organizations, and then researched each event to understand who was behind it, what happened, how the after effects propagated through the supply chain, and the financial losses for all parties involved.
Partner: RiskRecon
A continued look at “ripple events” – multi-party security events – examining the size and frequency of these events, firmographics, as well as the velocity of spread of such events. In this second edition of the Ripples report, we bolster the evidence gathered in our first analysis of not only the risks associated with third-party direct vendors and partners but also the dangers posed to the rest of the supply chain.
Partner: F5 Labs
Cybersecurity is always about perspective, and that’s doubly true when talking about application security. Applications constantly change and so too do the philosophies and practices used to develop and protect them. This study is an attempt to stitch together a more complete view of application exploits in security incidents.
Partner: Veracode
Get best practices on managing your open source libraries in our State of Software Security v11: Open Source Edition report. Based on 13 million scans of more than 86,000 repositories, SOSS v11: Open Source Edition gives you a unique perspective on the open source libraries in codebases today, how organizations are managing the security of these libraries, and best practices on using open source code securely.
Partner: Kenna Security
Do exploit code releases help or harm defenders? We decided to put this hotly contested debate to the test. The seventh volume of the Prioritization to Prediction series produced in conjunction with the Cyentia Institute attacks this debate from all angles. Poring over Kenna Security’s own threat and vulnerability intelligence, anonymized platform data, and Fortinet exploitation data, we analyzed over 6 billion vulnerabilities affecting 13 million active assets across nearly 500 organizations.
Partner: Elevate Security
In this provocative report, Cyentia Institute launches its first annual study on human cybersecurity risk in the workplace, in partnership with Elevate Security. This unprecedented report aggregates data from 114,000 end users across 2,000 organizational departments between 2018 and 2020. Cyentia analysts highlight key lessons to be learned from the data about measuring and managing the human attack surface.
Partner: RiskRecon
This short study aims to measure the value of better information for third-party risk assessments. We developed four models to assess vendor risk posture and compare the power of those models to identify which vendors represent the greatest risk to sourcing organizations.
Readers will come away knowing what information is most useful for security assessments and how much improvement you can expect from having that information.
Partner: Cisco
Cisco’s 2021 Security Outcomes Study pulled together the experiences of over 4,800 IT, security, and privacy professionals around the world. This document is an offshoot of the larger study that focuses on small and midsize businesses (SMBs). Discover how SMBs compare to larger enterprises when it comes to security and what key factors contributed to successful security planning.
Partner: Cisco
What makes a successful cybersecurity program? Is there evidence that security investments achieve measurable outcomes? How do we know what actually works and what doesn’t? These are the types of burning questions guiding this study that includes over 4,800 IT and security professionals from 25 countries around the world. We asked those participants about their organization’s level of success across 11 measurable outcomes and 25 security practices.
Partner: RiskRecon
This new report that looks at how IoT devices affect the risk surface of commercial organizations. This study used RiskRecon’s dataset of millions of hosts controlled by more than 35k firms to examine: the prevalence of IoT devices within organizations, what types of devices we see, how the presence of insecure IoT devices can correlate with other types of cybersecurity problems.
Partner: Kenna Security
The 6th volume of the Prioritization to Prediction series produced in conjunction with the Cyentia Institute explores the lifecycle of 473 vulnerabilities with evidence of exploitation in the wild. Learn what really happens after a vulnerability is discovered. This report reveals surprising insight into when and where attackers and defenders have momentum, the effectiveness of responsible vulnerability disclosure and exploit development, and much more.
Partner: VisibleRisk
The Information Risk Insights Study (IRIS) 20/20 “Xtreme” edition analyzes the 100 largest cyber loss events of the last 5 years. If you’re looking for stats on how often major security incidents occur, how much they cost, what makes them worse, who’s behind them, and how they go down, then this is the study for you!
Our goal is to continue clearing the fog of FUD surrounding cyber risk and help managers see their way to better data-driven decisions
Partner: RiskRecon
During the spring and summer of 2020, we conducted workshops with over 150 third-party risk management practitioners to understand the challenges facing their vendor risk management programs, examine what they’re doing to meet those challenges, and identify factors that drive their success. We share what we learned in this report and hope it helps organizations better plan, develop, and improve their third-party risk management programs.
Partner: Veracode
Over the past 11 years, Veracode has explored the challenges in secure application development in the annual State of Software Security report. The goal of our analysis was to identify how developers can continue making applications better and more secure. We found that most apps are still vulnerable, fix rates remain slow, and that vulnerabilities in third-party libraries are a growing problem. We also uncovered data that highlights developer actions that dramatically improve fix rates, even under less than ideal conditions.
Partner: RiskRecon
The Internet Risk Surface series analyzes data from RiskRecon spanning over five million Internet-facing hosts from ~20,000 organizations as well as major hosting providers around the world. The primary goal is to explore dimensions of interconnectivity, interdependence, and risk exposure that define the era of digital transformation. This report leverages that same dataset and methodology but focuses exclusively on the risk surface of the healthcare sector (and sub-sectors).
Partner: Kenna Security
We’ve been working with Kenna Security for over two years to research and improve the state of vulnerability management at the enterprise level. That groundbreaking research, which has appeared in our Prioritization to Prediction (P2P) series, has provided vital contributions to the industry. We’ve recently released snapshots of key findings for the manufacturing, healthcare, finance, and technology sectors. Get ’em while they’re hot!
Partner: RiskRecon
We examine the prevalence of unsafe network services across millions of systems from 40,000 commercial and public institutions. Without tipping our hand, you might find it surprising what these organizations expose to the Internet for all to see. Perhaps even more importantly, we also look at whether these services forebode other, more inherently risky, security issues across the networks of the organizations in this analysis.
Partner: RiskRecon
In this report, we zoom in on the state of TLS 1.2 implementation across the Internet. We leverage RiskRecon’s unique scan data on millions of web servers around the world to see where the rollout of TLS 1.2 is going smoothly and where it is meeting resistance. Additionally, we show that not supporting TLS 1.2 isn’t just bad for the customers visiting unsupported websites, but can be an indicator of other security problems within an organization.
Partner: Veracode
This special supplement to Veracode’s annual State of Software Security report focuses exclusively on the security posture of the open source libraries found in applications. This analysis, which examined 351,000 external libraries in 85,000 applications, found that open source libraries are, as expected, ubiquitous in applications, and that they do in fact contain risky code. But it also unearthed some good news about ways to keep track of and alleviate that risk.
Partner: Kenna Security
Kenna Security and Cyentia have led the charge in applying data science to vulnerability management to guide better technology, strategies, and decision making. Volume 5 in the P2P series applies this approach to the various devices and underlying software that comprise the modern enterprise IT infrastructure to reveal for the first time, how vulnerable device categories are and understand how successful vendor and enterprise remediation efforts are in practice.
Partner: Advisen
The IRIS 20/20 aims to clear the fog of FUD (fear, uncertainty, and doubt) surrounding cyber risk and help managers see their way to better data-driven decisions. This first-of-its-kind study leverages a vast dataset from Advisen spanning tens of thousands of breaches over the last decade. Our extensive analysis of that dataset yields valuable insights about the frequency and financial impact of cyber incidents to organizations of all types and sizes.
Partner: RiskRecon
The Internet Risk Surface series analyzes data from RiskRecon spanning over five million Internet-facing hosts from ~20,000 organizations as well as major hosting providers around the world. The primary goal is to explore dimensions of interconnectivity, interdependence, and risk exposure that define the era of digital transformation. This report leverages that same dataset and methodology but focuses exclusively on the risk surface of the financial sector (and sub-sectors).
Partner: RiskRecon
This report analyzes data gathered on over 800 multi-party cyber incidents observed over the last decade. These so-called “ripple events” are different than traditional security breaches because they don’t just impact a single organization, but spawned secondary loss events affecting thousands of organizations downstream in the supply chain. We demonstrate that such incidents are increasing in frequency and that associated losses are much higher than single-party incidents.
Partner: Veracode
For the past decade, Veracode’s State of Software Security report has provided the security industry’s clearest picture of software security risk. For Volume 10, we analyzed the data collected from 1.4 million scans, 85,000 applications, and nearly 10 million security findings. The resulting metrics represent the industry’s most comprehensive set of application security benchmarks. This volume focuses on the accumulation of security debt – unresolved flaws – over time.
Partners: Kenna Security, Virginia Tech, RAND
Prioritization of vulnerability remediation efforts predominantly rely on expert opinion, severity scores, and incomplete data. This paper produces a data-driven framework for assessing the probability that a vulnerability will be exploited in the wild within the first twelve months after public disclosure. This scoring system has been designed to be simple enough to be implemented by practitioners without specialized tools or software, yet provides accurate estimates of exploitation.
Partner: Kenna Security
What matters in vulnerability management (VM)? What enables some programs to achieve higher levels of performance and greater success than others? These are the kinds of questions we want to answer in this fourth volume of the Prioritization to Prediction (P2P) series. We combine survey and observational data to test how internal VM program factors affect actual remediation performance measures. We hope this combo of “soft” and “hard” analysis yields valuable insights for vulnerability management programs.
Partner: RiskRecon
“Are we safer on-prem or in the cloud?” Who hasn’t asked this question? The benefits of migrating data, workloads, applications, and business processes to the cloud are incredibly compelling. But as a steady string of headlines reporting large data exposures from cloud environments suggest, those benefits don’t come risk-free. Is the risk worth it? To help you answer that for your organization, we leverage a massive dataset supplied by RiskRecon spanning 18,000 organizations and over 5 million hosts yielding 32 million security findings.
Partner: Siemplify
While there’s widespread agreement that many SecOps programs aren’t where they need to be performance wise, there’s less consensus on exactly where they should be and how best to get there. To help break this stalemate, Siemplify commissioned the Cyentia Institute to examine where organizations are on their journey to SecOps maturity. What are the critical challenges? How are programs of different types and sizes addressing these challenges? Where are they finding success? What does success look like?
Partner: Global Cyber Alliance
This research quantifies the loss avoidance attributable to DNS firewalls.
Not only do we find that DNS firewalls are an effective security control,
the availability of open or free DNS firewalls make the solution very cost
effective. Moreover, online tutorials and relative ease of configuration
makes implementation of this effective security control simple, even for
home or personal use. In summary, DNS firewalls could have mitigated one-third of the incidents we studied and could have prevented $10 billion in losses in those incidents.
Partner: RiskRecon
The Digital Transformation ushered in many operational and strategic benefits for modern organizations. It also fundamentally changed our dependence upon the internet and a myriad of interconnected 3rd and 4th parties for key business activities. Exploring and measuring the resulting “internet risk surface” is the purpose of this report. To do that, we analyze a fascinating dataset spanning millions of internet-facing hosts from thousands of firms and major hosting providers around the world. It is the first offering from an ongoing research initiative between RiskRecon and the Cyentia Institute.
Partner: Kenna Security
This third volume in the Prioritization to Prediction series picks up where we left off in our last report, which analyzed vulnerability remediation timeframes across a sample of 12 firms. But this time we expand that analysis to roughly 300 organizations of different types and sizes. We leverage a technique called survival analysis to draw out important lessons about remediation velocity and capacity, and identify top performers to understand what sets them apart. Overall, our goal is to understand what it means to survive—nay thrive—in the race of vulnerability remediation.
Partner: Kenna Security
The first volume of the Prioritization to Prediction report series proposed a model for predicting which of the myriad vulnerabilities published were most likely to be exploited, and thus deserving of priority remediation. In this new report, we seek to apply and test those findings in the real world using data extracted from hundreds of production environments inundated with billions of vulnerabilities. As you can imagine, that dataset holds many valuable lessons for vulnerability management programs looking to efficiently reduce risk. Overall findings suggest that smarter remediation decisions lead to real, measurable improvements.
Partner: Focal Point
Last year’s study sought to break down walls between cybersecurity leaders and corporate directors. This edition continues chipping at those walls, but expands the scope to include a broader set of stakeholders and topics relevant to this important goal. Research questions for this study are: 1) How is cyber risk perceived relative to other types of risk? What factors alter this perception? 2) What cyber risk information is reported to the board? What drives dialogue and value? 3) How is cyber reporting viewed by the board? What drives confidence and satisfaction? 4) How does cyber risk reporting and reception vary across roles and organizations?
Partner: Veracode
The State of Software Security report provides the industry’s clearest picture of software security risk. In the last year, Veracode scanned over 2 trillion lines of code to bring you metrics that represent the industry’s most comprehensive set of application security benchmarks. The goal with Volume 9 was to delve deep into the statistics that show how long it takes for different types of vulnerabilities to get fixed, and to understand why certain risks linger for as long as they do. To effectively do this, Veracode partnered with the data scientists at Cyentia Institute to truly understand and tell the story around vulnerability fix behavior.
Partner: Global Cyber Alliance
Since June 2016, the Global Cyber Alliance (GCA) has been working to accelerate adoption of DMARC,
an email security standard, by providing a set of easy-to-use tools and campaigns to drive deployment. This paper investigates and measures the economic benefit from that work. We have chosen to focus on Business Email Compromise (BEC) because it is a rapidly growing issue, with high direct losses, and relevant data is available for analysis from multiple sources1. We derive a conservative minimum bar estimate for the loss avoidance tied to GCA’s initiatives and discuss the potential scale of other benefits gained from DMARC.
Partner: Kenna Security
One of the biggest challenges in vulnerability management relates to prioritization. Given the long list of open vulnerabilities, which are most likely to be exploited, and thus deserving of priority remediation? Answering this question based on numerous sources of historical data is the goal of this study. We review data sources relevant to vulnerability remediation and examine timelines surrounding key milestones. Identifying attributes that correlate with exploitation comes next on the docket. The last section measures the outcomes of several remediation strategies and develops a model that optimizes overall effectiveness.
Partner: Cybrary
It is common knowledge that our industry suffers from a critical shortage of skilled cybersecurity professionals. Finding people to fill the gap is easy; finding people with the right skills is not. This report shares findings from a survey conducted of more than 3,100 IT, security and other non-technical professionals. It explores their learning habits, levels of personal and organizational preparedness, and factors that improve their confidence and defensive capabilities. If finding and keeping talent is a challenge for your organization, then you will definitely want to add this to the top of your reading list.
Partner: Respond Software
The Voice of the Analyst Study focuses on the human side of the SOC to build understanding, share insights, and empower SOC teams to be the best they can be. We explore what drew analysts to the SOC, whether expectations are met, how they spend their time, which activities they find challenging and valuable vs. tedious and wasteful. We conclude the study with data-driven recommendations on which SOC activities offer the best “bang for the buck,” which ones warrant additional investment, and which are most suitable for automated decisioning and workflow orchestration.
Partner: RSA Conference
Partner: Focal Point Data Risk
The Cyber Balance Sheet seeks to break down walls between cybersecurity leaders and Boards of Directors. We analyze scores of interviews to gather perspectives, characterize key issues, identify possible solutions, and draw these two critical groups of people together through greater understanding and purpose. Our findings show we still have a long way to go; even basic questions on the value of cybersecurity show little consensus. We detail findings under 6 “Balance Points,” which each provide a set of specific recommendations for finding the balance.
