Cyber Risk Index: comparing companies by cyber security

Assessing how well companies are protected from cyber threats is complicated by the lack of objective criteria for comparison. To address this, Trend Micro partnered with the Ponemon Institute to develop the Cyber Risk Index (CRI), a security assessment methodology that lets security leaders and teams compare their level of security with that of their peers. In this post we explain how the CRI is calculated, what data goes into it, and what the CRI data for 2020 show.


Because no objective criteria for a company's resilience to cyber attacks have yet been developed, we base the Cyber Risk Index on a survey of IT and information security practitioners. In 2020 the survey was extended to respondents from Europe and the Asia-Pacific region, making CRI 2020 a global index. The survey results form the basis of the index, which reflects how prepared companies are to respond to cyber attacks.

The index is built from the answers of 2,795 respondents, 4.1% of the 67,679 people to whom the survey was sent. A further 211 responses were excluded from the final sample as unreliable.

33% of responses came from companies with fewer than 100 employees, another 33% from companies with 100 to 999 employees, and the remaining 35% from larger companies with 1,000 or more employees (percentages are rounded).

Respondents come from 15 industry sectors. The largest are:

  • financial services – 13%,

  • healthcare and pharmaceuticals – 10%,

  • services – 9%,

  • industry and manufacturing – 9%,

  • retail – 9%,

  • technology and software – 9%.

Sectors of the economy of the companies included in the CRI. Source: Trend Micro.

CRI calculation

The Cyber Risk Index is the difference between the Cyber Readiness Index and the Cyber Threat Index: CRI = Cyber Readiness Index minus Cyber Threat Index. The Cyber Readiness Index measures how prepared an organization is to defend against cyber attacks, and the Cyber Threat Index describes the state of the threat landscape at the time the CRI is calculated. A negative CRI therefore means the threat index exceeds readiness, i.e. elevated risk.

Cyber Readiness Index

The Cyber Readiness Index is calculated from respondents' answers to 31 questions about security-related factors in their organization. Each question is posed as a statement that the respondent rates on a five-point agreement scale. Examples of statements:

  1. The organization's security budget is sufficient to protect data assets and IT infrastructure.

  2. The organization's IT security personnel have sufficient knowledge, skills and experience to protect information assets and IT infrastructure.

  3. Business leaders view IT security as a top business priority.

  4. The head of the organization's IT security function reports to senior management.

  5. The CEO and Board of Directors are actively involved in security management.

  6. The organization spends significant funds on training employees in security requirements.

  7. The organization spends significant resources on assessing the security risks of third parties, including cloud providers and the entire supply chain.

  8. The organization's security function is capable of detecting zero-day attacks.

Answers are scored as follows:

  • Strongly agree = 10 points;

  • Agree = 7.5 points;

  • Unsure = 5 points;

  • Disagree = 2.5 points;

  • Strongly disagree = 0 points.

Cyber Threat Index

The Cyber Threat Index is based on answers to 10 questions about events in the company over the past 12 months. Examples of questions:

  • Q1. How many separate incidents of customer data loss or theft has your organization experienced in the past 12 months?

  • Q2. How many separate data security breaches involving leaks of information assets has your organization experienced in the past 12 months?

  • Q3. How many successful cyber attacks on your organization's networks and/or corporate systems have occurred in the past 12 months?

Other questions in the Cyber Threat Index assess the risks associated with the data the company handles, the threats most likely to affect it, the consequences of cyber incidents, and the most vulnerable parts of the company's infrastructure.
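As an added illustration (not code from Trend Micro or the Ponemon Institute), the scoring below applies the point table above to constructed answer sets, drops respondents whose responses are too incomplete to be reliable, and computes CRI as readiness minus threat. Several details are assumptions because the page does not state them: the mean as the rule for aggregating per-question points, the cutoff of 25 answered questions for excluding a response, the 0-10 scale of the threat index, and the sample respondents and threat value themselves. The page gives no scoring rule for the threat questions, so the threat index is taken as an already computed input.

```python
"""Constructed CRI scoring example (not Trend Micro / Ponemon code)."""
from statistics import mean

# Point values per answer, exactly as given in the text.
POINTS = {
    "strongly agree": 10.0,
    "agree": 7.5,
    "unsure": 5.0,
    "disagree": 2.5,
    "strongly disagree": 0.0,
}

READINESS_QUESTIONS = 31   # number of readiness questions, from the text
MIN_ANSWERED = 25          # assumption: reliability cutoff; the page gives no threshold


def score_answer(answer: str) -> float:
    """Map one agreement-scale answer to points; reject anything off the scale."""
    key = answer.strip().lower()
    if key not in POINTS:
        raise ValueError(f"answer not on the five-point scale: {answer!r}")
    return POINTS[key]


def readiness_score(answers: list[str], min_answered: int = MIN_ANSWERED):
    """Readiness score (0-10) of one respondent, or None if the response is
    too incomplete to be reliable. Aggregating by mean is an assumption:
    it keeps the score on the same 0-10 scale as a single answer."""
    if len(answers) != READINESS_QUESTIONS:
        raise ValueError(f"expected {READINESS_QUESTIONS} answers, got {len(answers)}")
    scored = [score_answer(a) for a in answers if a.strip()]  # blanks are skipped
    if len(scored) < min_answered:
        return None
    return mean(scored)


def readiness_index(respondents: list[list[str]]) -> tuple[float, int]:
    """Readiness index over a population: mean of the usable respondent scores,
    plus the count of responses excluded as unreliable."""
    scores = [s for s in (readiness_score(r) for r in respondents) if s is not None]
    if not scores:
        raise ValueError("no usable responses")
    return mean(scores), len(respondents) - len(scores)


def cyber_risk_index(readiness: float, threat: float) -> float:
    """CRI = readiness - threat. Assumes both indexes are on the 0-10 scale;
    the threat index is an already computed input (its scoring is not on the page)."""
    for name, value in (("readiness", readiness), ("threat", threat)):
        if not 0.0 <= value <= 10.0:
            raise ValueError(f"{name} index {value} is outside 0-10")
    return readiness - threat


def risk_level(cri: float) -> str:
    """Sign convention from the text: a negative CRI means threats outpace readiness."""
    return "elevated risk" if cri < 0 else "risk under control"


# Constructed sample: three respondents, 31 answers each.
SAMPLE = [
    ["Agree"] * 31,                                                    # uniformly positive
    ["Strongly disagree"] * 10 + ["Disagree"] * 10 + ["Unsure"] * 11,  # weak posture
    ["Agree"] * 10 + [""] * 21,                                        # mostly blank: excluded
]
ASSUMED_THREAT_INDEX = 6.0  # illustrative value, not from the report


def demo() -> dict:
    """Run the constructed sample end to end and return the intermediate values."""
    readiness, excluded = readiness_index(SAMPLE)
    cri = cyber_risk_index(readiness, ASSUMED_THREAT_INDEX)
    return {"readiness": readiness, "excluded": excluded, "cri": cri, "level": risk_level(cri)}


if __name__ == "__main__":
    print(demo())
```

With the constructed sample, the two usable respondents average about 5.04, the third is excluded, and against an assumed threat index of 6.0 the CRI comes out negative, which is the "elevated risk" reading the report describes for every region in 2020.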

Limitations of the methodology

Because both the Cyber Readiness Index and the Cyber Threat Index are built from survey results, they inherit the limitations of survey research. The most common ones:

  • Non-response bias. The results are based on a sample of returned surveys. We sent the survey to a representative sample and obtained 2,795 usable responses, but there is always the possibility that other employees of the same organizations hold views substantially different from the respondent's.

  • Sampling-frame bias. Accuracy depends on the contact information and on how representative the list of IT and IT security practitioners is. Results may also be skewed by external events and by the fact that the data were collected over the web; a telephone survey might give noticeably different results.

  • Self-reported results. The quality of the survey rests on the accuracy of the confidential answers respondents give. Although the questions are designed to limit subjectivity, there is always the possibility that a respondent did not answer accurately.

Key findings from CRI 2020

Despite these limitations, the Cyber Risk Index gives a consistent, comparable picture of the security level of companies in different regions.

All regions in the study had a negative CRI, i.e. an elevated risk of being affected by cyber attacks. The highest risk is in the United States, because the United States scored lower on cyber readiness than the other regions. The main cybersecurity risk factors facing enterprises fall into five categories.

Cybersecurity risks:

  • phishing and social engineering,

  • clickjacking,

  • ransomware,

  • fileless attacks,

  • botnets,

  • man-in-the-middle attacks.

Data Risks:

  • failure to detect zero-day attacks,

  • failure to stop most cyber attacks.

Personnel risks:

  • the company's management does not view security as a competitive advantage,

  • the organization's cybersecurity leader (CISO) lacks the authority and resources to raise the company's level of security.

Infrastructure risks:

  • IT and information security teams do not know the physical location of business-critical data and applications,

  • IT and information security teams are not involved in defining the acceptable use of potentially vulnerable technologies (mobile, cloud, social networks, IoT devices) in the workplace.

Operational risk:

  • lack of readiness to deal with data breaches,

  • delays in testing and installing security patches.

Cyber Readiness and Cyber Threat Indexes in 2020. Source: Trend Micro

Our results show that global businesses face a high likelihood of being affected by a cyber attack:

  • probability of a customer data breach in the next 12 months: 75%;

  • probability of a compromise of critical data in the next 12 months: 77%;

  • probability of one or more successful cyber attacks in the next 12 months: 83%.

Best practices for protecting your business from cyber threats

Given the current threat landscape and the lessons learned while calculating the CRI, businesses can still significantly reduce their risk by adopting security best practices, including:

  • building security around critical data, focusing on managing the risks and threats that target that data;

  • minimizing infrastructure complexity and improving consistency across the entire security stack;

  • changing senior management's view of security so that it is seen as a competitive advantage;

  • improving the protection of the business environment, including proper protection of BYOD, IoT and industrial IoT devices, and cloud infrastructure;

  • investing in new talent and in existing security staff to keep pace with the rapidly changing threat landscape and improve retention;

  • validating that existing security controls, using current technology, can detect present-day threats such as ransomware and botnets;

  • building a functional, scalable and adaptable IT security architecture.
