2025年信息风险洞察研究（英）

Information Risk Insights StudyIt's About Time5022IRISTHE CYENTIA INSTITUTE CYENTIA.COM2IRIS 2025 IT'S ABOUT TIMEARE SECURITY INCIDENTS BECOMING 1 MORE COMMON?Q2Q3Q4Q5Q6Q7Q4DO INCIDENT TRENDS DIFFER ACROSS ORGANIZATIONS?7IS THE PROBABILITY OF INCIDENTS INCREASING?12HAVE SECURITY INCIDENTS GOTTEN MORE COSTLY?16DO TRENDS DIFFER AMONG EVENT TYPES?20ARE INTRUSION METHODS CHANGING OVER TIME?23WHAT ARE WE MISSING FROM CURRENT EVENTS?27AMETHODOLOGY & INCIDENT PATTERNS32TABLE OF CONTENTSThe Cyentia Institute is a research firm working to improve cyber risk management through our analytical services and data-driven research publications. You can download the IRIS 2025 and find related content at www.cyentia.com/iris.IntroductionWelcome to the 2025 edition of the (roughly) biennial Information Risk Insights Study (IRIS). The last one was in 2022, so it’s about time we got this to you. Thanks for your patience.Fittingly, time is of the essence in this IRIS. Not just because it’s a tad overdue, but because it’s literally about time—cyber risk trends over time, to be specific.Cybersecurity is ever-changing, and there’s an implicit assumption that risk is always increasing. But is it?Are cyber events occurring at greater frequency? Is an organization more likely to have a breach now than 15 years ago? Which types of incidents have become more common over time? Have the financial impacts of cyber events increased or decreased? Are risk factors trending the same way for all sectors and sizes of organizations?We explore these questions and more by analyzing a huge historical dataset of cyber events and losses from 2008 through 2024. As always, our goal is to dispel the fog of FUD surrounding cyber risk so you can see it more clearly and manage it more effectively. Thanks for reading!AcknowledgementsThe Cyentia Institute wishes to acknowledge and thank the Cybersecurity Division and the Office of the Chief Economist at the Cybersecurity and Infrastructure Security Agency (CISA) for sponsoring this study. It is our sincere hope that this research will aid community efforts to manage cyber risk.“Time isn't a straight line... It's all bumpy wumpy.”1~The Eleventh Doctor47121620232732THE CYENTIA INSTITUTE CYENTIA.COM3IRIS 2025 IT'S ABOUT TIMEKEY FINDINGSLike what you see? Join the vision!We intend to continue the IRIS in the future to discover even more insights for managing information risk. If you’d like to join in that effort by contributing relevant data or sponsoring research, please reach out to us via the contact form at www.cyentia.com/iris.On average, 3,000 significant security incidents are publicly reported or discovered each quarter. That’s a 650% increase over the last 15 years.Cyber events affecting smaller businesses are far more common overall, but relative to population size, the rate among the largest corporations is 620 times higher.The annual probability of any given organization experiencing a cyber event has almost quadrupled since 2008.The prob