Page 77 - Cyber Defense eMagazine December 2023
“The FAIR Institute 2024 Cybersecurity Risk Report leverages our most extensive data set ever and
applies advanced techniques in quantitative analysis to reveal the underlying risk factors that
organizations need to understand to mount their most cost-effective defenses against data breach and
other loss events,” said Nick Sanna, President of the FAIR Institute.
“The insights within demonstrate the value of CRQ to empower organizations to manage their cyber loss
exposure in the financial terms that boards and senior management understand. It’s especially timely
considering the rules on disclosure of material cyber risk adopted by the Securities and Exchange
Commission (SEC) in 2023, a powerful signal to public companies to improve their cyber risk reporting
practices, and move to a data-driven, risk-based approach based on a transparent, defensible model
such as FAIR,” adds Sanna.
Key Findings
The Report is augmented by material from the EY 2023 Global Cybersecurity Leadership Insights
Study, based on interviews with 500 C-suite and cybersecurity leaders, that reveals valuable insights
into the traits of “Secure Creators” who successfully implement cybersecurity programs.
• The top two industries by average loss exposure are Public Administration and Healthcare, driven
by a relatively high probability of a loss event.
• Systems Intrusion and Insider Error are the top 2 risk themes for small businesses, while Basic
Web Application Attacks and Social Engineering top the list for large enterprises.
• Bigness raises risk. A large organization - measured in revenue and employee count - has a
higher likelihood and severity of cyber loss events compared to a mid-market firm. For example,
a large healthcare company has a better than 50% chance of a serious insider-error event in a
year versus 26% for a mid-size company in the same sector.
• Businesses could reduce loss exposure to data breaches by as much as 80% through basic
improvements in security posture (such as patching or securing endpoints) and reduction of data
retention.
In response to the new rules from the SEC on material cyber risk, the FAIR Institute Cybersecurity Risk
Report also introduces the FAIR Materiality Assessment Model (FAIR-MAM™), the only standard
taxonomy to comprehensively define what forms of losses contribute to the measure of materiality in
financial terms.
For a complimentary copy of the Report, please click on the link.
About the FAIR Institute
The FAIR Institute is a research-driven not-for-profit organization dedicated to advancing the discipline
of cyber and operational risk management through education, standards, and collaboration. The driver
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.