UPDATE: We found a sponsor for this study and research has begun. Thanks to all those who expressed interest in it. Don’t fret if you’d still like to partner with us on future research projects – there will be more opportunities!


In mid-March, the Cyentia Institute published the 2020 Information Risk Insights Study (IRIS 20/20). The study aimed to clear the fog of FUD surrounding cyber risk and help managers see their way to better data-driven decisions. This first-of-its-kind study leveraged a vast dataset from Advisen spanning tens of thousands of breaches over the last decade. Our extensive analysis of that dataset yielded valuable insights about the frequency and financial impact of cyber incidents to organizations of all types and sizes.

The IRIS 20/20 was a labor of love for the Cyentia team and something we’ve wanted to do for the cyber risk community for quite some time. And we’re honored that many readers have found it to be a valuable contribution (see examples One, Two, Three, Four, and Five). In particular, the estimates pertaining to the cost of cyber incidents seem to be resonating with many readers. For example, the chart below creates a distribution around the total financial costs recorded for roughly 2000 cyber loss events. Next time you’re asked what a breach will likely cost, “A couple hundred thousand dollars” is a simple and sound answer backed by lots of evidence. It’s also totally appropriate to add, “But there’s a 10% chance it could be 100x higher than that (or more).”

Those typical losses that comprise the bulk of the distribution are by no means insignificant, but most risk managers harbor much more concern over the rare yet extreme losses in the far right side of that tail. Such events could materially impact the bottom line of the organization, and thus represent critical risks that must be managed in some way.

But how can extreme loss events be managed most effectively? What’s the nature of these events? Which scenarios are most common? How do they occur and who’s behind them? What types of organizations are most commonly impacted? Do extreme losses directly result from the incident, the victim organization’s handling of it, or the downstream/secondary consequences that follow? Many other important questions abound for which cyber risk managers need answers. And we intend to find some of those answers by diving back into the IRIS dataset – but we can’t do it alone.

We’re looking for one or more organizations interested in partnering with us to financially sponsor a critically important study on extreme cyber loss events. Sponsorship partners will help us identify additional research questions, enable in-depth analysis of the data, and support publication of our findings in a high-quality report that carries the IRIS 20/20 torch forward. It’s a unique opportunity to support impactful research that will benefit many organizations and security practitioners.

If interested in sponsoring this study of extreme cyber loss events, contact us at research -at- cyentia.com. Thanks for considering, and we look forward to partnering with you.

1 reply

Trackbacks & Pingbacks

  1. […] The largest financial loss in our sample is the Epsilon Data Breach of 2011 at 4 Billion USD. The largest incident by number of records involved is the Yahoo Inc event of 2013-2014, at 3.5 billion records. Examining these extreme events is an area we are eager to pursue and have a call for sponsors. […]
