AuditBoard’s 2023 Digital Risk survey of 130+ risk leaders found, most organizations are struggling to mature their risk management capabilities. . Our survey explored the digital risk management programs and technologies that organizations currently rely upon to better understand their digital risk landscape and digital risk management maturity, integration, and technology adoption.

The Professional Services sector includes a broad array of organizations. Although there are no strict criteria for considering a company to be in this sector, there is general agreement that inclusion requires specialized training and experience, and, in many cases, qualification by exam and licensing managed by either national or state authorities. Using our 5-year dataset, we have analyzed 1,500 Professional Services claims dated 2017 through 2021. Professional Services sector incidents account for 20% of all claims in the dataset.

The 2024 Cybersecurity Risk Report from the FAIR Institute shows broadly positive trends compared to last year’s survey. At the FAIR Institute, they believe that effective cyber risk management can only be achieved through transparent and defensible risk analysis using a standard such as FAIR and quality cyber risk data.

We identified 50 of the largest multi-party cyber incidents over the past several years in an effort to understand their causes and consequences from beginning to end. Tsunami draws from the same rigorous methodology in the rest of the IRIS series. We started with a huge dataset of cyber loss events, identified those that involved multiple organizations, and then researched each event to understand who was behind it, what happened, how the after effects propagated through the supply chain, and the financial losses for all parties involved.

This study leverages a vast dataset spanning over 77,000 cyber events experienced by 35,000 organizations over the last decade. This dataset is drawn from Advisen’s Cyber Loss Data, which contains over 138,000 cyber events collected from publicly verifiable sources.

This report provides an analysis of the DNS queries blocked by Protective DNS, finds commonalities among the end users that are protected, and uses a financial model to estimate the value of the threat prevention provided by Protective DNS to the UK economy.

This free public report from the Cyentia IRIS Risk Retina series clears away the fog of FUD, providing parameters for frequency and loss of publicly discoverable cyberevents in the nonprofit sector.

A continued look at “ripple events” - multi-party security events - examining the size and frequency of these events, firmographics, as well as the velocity of spread of such events.

A meta-analysis of industry reports on the variety and forms of application exploits used in security incidents.

The IRIS 20/20 Xtreme is a follow-up to the IRIS 20/20 study earlier this year, this time focusing on the 100 largest cyber incidents of the last five years, totaling $18 billion in reported losses and 10 billion compromised records. This report breaks down the costs, categorizes incident types, identifies the actors behind these events and the actions they employed, and improves understanding of how these events impacted the organizations involved.

A survey-driven report of over 150 third-party risk practitioners to understand the challenges facing their programs, the actions those professionals are taking to address the challenges, and identify success factors.

Using breach information from Advisen, this report seeks to fill in missing gaps in the loss frequency and impact side of quantitative risk analysis. Using real world reported data on publicly-discoverable breaches, commonly held myths of cost per record estimates are debunked and replacement hard statistics are given to replace incorrect estimates.

Using breach data from Advisen, this report defines ripple effects of breaches as the impacts on companies more than one degree of separation from the company directly affected by the breach. As vendor relationships are both broad and deep, a breach in any one company in a network can have distant effects on companies not directly related. The implications upon third party risk management are explored.

The Cisco 2018 Privacy Maturity Benchmark Study was created in conjunction with Cisco’s Annual Cybersecurity Benchmark Study, a double-blind survey completed by more than 3600 security professional in 25 countries and across all major industries. The privacy specific questions focused on a subset of nearly 3000 respondents who were familiar with the privacy processes at their organizations. Participants were asked about the makeup of their privacy teams, maturity level of their privacy processes, and the impact (if any) they experienced related to delays in the sales cycle due to customer data privacy concerns. We also analyzed responses to other questions regarding cyber events to understand which organizations had been breached in the last year and the size of any losses from these events.

To determine real-world costs posed by DDoS attacks in 2014, Incapsula commissioned a survey to gauge real organizations’ experiences with them. By compiling these statistics, they hoped to provide some perspective. Additionally, they wanted to underscore the importance of investing in a truly impenetrable mitigation solution.

The purpose of the research, in this report, is to understand how organizations qualify and quantify the financial risk to their tangible and intangible assets in the event of a network privacy or security incident.

This study claims to be the first systematic discussion of potential risk transfer options for cyber risks. They compare several risk transfer options, including insurance, reinsurance and alternative risk transfer. Moreover, they discuss the potential role of the government and the capacity of insurance pools to improve insurability.

Today’s threat landscape is rapidly evolving, which means it is simply not enough for organizations to roll out an annual security training program and then pat themselves on the back for a job well done. Companies need to consistently invest in training and keep their employees updated on the latest vulnerabilities.