Cyber Insights Needed & Delivered
- Phil Venables
I thought I’d try something different and share some thoughts on the Cyentia Institute’s latest report, the Information Risk Insights Study. It’s increasingly clear in cyber that we need to ask better questions rather than simply keep leaping to what we think the answers might be. This study delivers on that:
“Are cyber events occurring at greater frequency? Is an organization more likely to have a breach now than 15 years ago? Which types of incidents have become more common over time? Have the financial impacts of cyber events increased or decreased? Are risk factors trending the same way for all sectors and sizes of organizations?”
I’d recommend you read the full report, so I’m not going to summarize it exhaustively. Rather, here are a few thoughts on some of the observations I found most interesting. You might have different takes entirely.
Are Security Incidents Becoming More Common?
The answer is of course yes, indeed a 650% increase since 2008. But not all types of incidents are following the same trend. Ransomware has clearly arrived and continued to increase. Good old-fashioned APT and criminal-driven system intrusions have continued to rise, with some occasional dips. Accidental disclosures have dropped. Insider misuse is down, but in any case it never matched the perception of it being the biggest source of risk. Ransomware, as a crime of opportunity, likely needs no explaining. Similarly, I’m not surprised by the drop in accidental disclosures given how many controls many organizations have implemented and just how much has been built into common office productivity, communication and collaboration suites. The drop in insider risk might be a bit puzzling, but I think most of the common prior insider risks were data exfiltration, which has been substantially mitigated by the adjacent efforts to stop accidental disclosures.
My only question overall here, across each of the incident types, is whether we are asking the right question when we ask whether security incidents are becoming more common. This report essentially asks: has the absolute number of security incidents increased? A more interesting question might be whether the relative number of security incidents has increased. I’ve discussed this here; the notion is whether we should be seeing even larger absolute numbers of incidents. In other words, is the ratio of incidents to the number of possible incidents (relative to attack surface) growing or shrinking? So back to that 650% growth in incidents since 2008. The question then is whether the digital surface area of the planet increased by more than 650% since 2008. The answer is, of course, yes. Now I don’t know how to represent what subset of that would be considered a genuine attack surface, but I suspect we should actually be surprised by the relative lack of incidents in proportion to that, rather than being surprised at 650% growth.
The final question then, if that is the case, is whether we have fewer incidents than we might because attackers are choosing not to exploit all weaknesses (because of capacity constraints or otherwise), or because we have in fact implemented a ton of controls. It might be a bit of both.
Do Incident Trends Differ Across Organizations?
Again, this is an interesting story. Incidents involving small and medium-sized businesses (SMBs) are far more common in absolute terms, but the relative incident frequency for large enterprises is much higher. This is, of course, driven by there being way more SMBs than large organizations in the absolute counts. It could also be driven by a potential measurement bias: larger organizations might be more targeted by more concentrated attacks (vs. being targets of opportunity), their maturity means they are more likely to detect issues, and because of various rules they are more likely to (have to) report them. Another interesting question for the future would be the rate at which incidents are successfully repelled by different tiers of organizations: what is the “dog that didn’t bark?”
Is the Probability of Incidents Increasing?
There is some fascinating data here. In particular, the probability of a <$100M company experiencing an incident has doubled, but the chance for a very large corporation (>$100B) has dropped by a third since 2008. The story here might be the common cyber poverty line analogy, exacerbated by trends like ransomware mercilessly going after targets of opportunity, against the backdrop of mega corporations having better and better baseline hygiene that, for a lot of them, puts them out of reach of many of the threat actors that are reliant on their own commodity economics.
Have Security Incidents Gotten More Costly?
Yes, incidents cost more: 15x more since 2008. Again, no surprises here, and I would think the main driver is a massive increase in inherent risk due to the digitization of businesses. That is, when an incident occurs it is more likely to disrupt some business process that has a total or major digital dependency. Similarly, fines and associated incident costs have risen substantially. It would be interesting to look at whether incident cost net of insurance has increased. I think the answer would still be yes.
Bottom line: things are getting worse in absolute terms but it’s not clear they are getting worse relative to what the situation might be. If that is the case then it’s not clear if that is because of attackers’ capacity (too many targets to exploit) or because we have actually made real progress. I suspect the answer is a bit of both - but it’s clear we need to keep asking better questions of ourselves.