There are surprisingly few songs about risk-based decision making and the knowledge required to do it well. “The Gambler” is one of them, and we’ve probably earwormed more than one reader with that catchy refrain. But have you ever noticed how The Gambler comes to know the things he needs to know? According to the lyrics, he stakes it all on “the way they held their eyes.” If that sounds like a less-than-ideal basis for risky decisions to you, we agree. Perhaps that’s why he later confesses “the best that you can hope for is to die in your sleep.”
We’re writing this report to help cyber risk takers avoid The Gambler’s fate of futility. The cards might indeed be stacked against defenders, and adversaries have grown adept at hiding their tells. But there are ways to improve the odds of winning. In short, those ways involve leveraging better data to gain better knowledge to build better models that ultimately lead to better decisions for successfully managing cyber risk.
This report links together that chain of “better,” starting with a vast dataset spanning tens of thousands of cyber loss events over the last decade. Our analysis of those events yields important lessons—and baseline model inputs—about the frequency and impact of breaches to organizations of all types and sizes. We’ve included some of those findings on the next page, but they’re just a taste of what’s in store in the pages that follow. Are you ready to make cyber risk less of a gamble? Excellent! We are too. Let’s do this.