RiskRecon’s cybersecurity rating model strongly predicts the breach event frequency to expect from companies in different rating tiers. Based on analysis of the RiskRecon ratings and breach event data of nearly 46,000 companies, companies in the “F” rating tier have four times higher breach event frequency than do companies in the “A” rating tier.

RiskRecon did not set out to build a model to predict data breach events. Rather, the rating model is designed to measure the quality of the organization’s cybersecurity risk management as observed in the reality of “known good” and “known poor” risk management performance. For example, banks are known to manage risk better than universities. You can read about RiskRecon’s rating model here: https://www.riskrecon.com/cybersecurity-risk-rating-model.

Though RiskRecon did not intentionally build its rating model to predict breach events, the model does strongly predict the frequency with which breach events will occur. Go figure, companies that measurably demonstrate good cybersecurity risk management practices have much lower rates of breach events than those that do not. Let’s dive in.

The Methodology

RiskRecon’s study of ratings and breach event frequency, conducted in December 2020, was based on analysis of 45,641 companies for which RiskRecon maintains analyst-trained assessment profiles. These companies span all industries – retail, financial, healthcare, public administration, education, manufacturing, professional services, and so forth. Across these companies, RiskRecon had identified 5,464 data breach events.

For each company, RiskRecon removed the impact of any breach events on the company’s rating. This left company ratings to only reflect the quality of their cybersecurity risk management. RiskRecon then divided companies into rating bands, along the A – F rating scale, and calculated the breach event frequency per band.

The Results

RiskRecon rates companies’ cybersecurity risk management performance on an A – F rating scale, with F being the lowest rating. For each rating tier, RiskRecon calculated the breach event frequency across three time spans: events occurring in the last two years, in the last five years, and breach events occurring across all time.

Data Loss Events per Company – Last Two Years

When factoring only data loss events occurring in the last two years, companies rated as “A” had two data breach events per 100 companies, while companies rated as “F” had eight breach events per 100 companies. F-rated companies have a 4x higher rate of breach events compared with A-rated companies.

Data Loss Events per Company – Last Five Years

When factoring only data loss events occurring in the last five years, companies rated as “A” had three data breach events per 100 companies, while companies rated as “F” had twelve breach events per 100 companies. Again, F-rated companies have a 4x higher rate of breach events compared with A-rated companies.

Data Loss Events per Company – All Time

When factoring all data loss events occurring across all time, companies rated as “A” had six data breach events per 100 companies, while companies rated as “F” had twenty breach events per 100 companies. F-rated companies have a 3.3x higher rate of breach events compared with A-rated companies.

Conclusion

RiskRecon’s security ratings and insights make it easy to understand and act on your cybersecurity risks across your own enterprise, your third-party partners, and beyond. RiskRecon’s ratings and data are valuable beyond assessing the security risk performance of an organization. As shown here, they go beyond ratings to strongly inform you regarding the breach event frequency that can be expected for each rating tier. Lower ratings correlate to much higher breach event frequencies, with F-rated companies having as much as a 4x higher rate of breach events compared with A-rated companies.

You can download the full details of our findings from the RiskRecon Academy.