Predicting Ransomware Event Frequency with RiskRecon Cybersecurity Ratings and Insights

Introduction

Third-party risk management teams are charged with protecting the organization’s assets across hundreds and sometimes thousands of organizations. Which vendors represent the greatest risk and what should I do about it? RiskRecon’s ratings and insights help answer these questions, making it easy to understand and act on your third-party cybersecurity risks.

RiskRecon’s cybersecurity rating model strongly predicts the ransomware event frequency to expect from companies in different rating tiers. Based on analysis of the RiskRecon ratings and ransomware events occurring across 118,000 companies, companies in the “F” and “D” rating tier have a blended rate of 16.6 times higher ransomware event frequency than do companies in the “A” rating tier.

RiskRecon did not set out to build a model to predict ransomware events. Rather, the rating model is designed to measure the quality of the organization’s cybersecurity risk management as observed in the reality of “known good” and “known poor” risk management performance. For example, banks are known to manage risk better than universities. You can read about RiskRecon’s rating model here https://www.riskrecon.com/cybersecurity-risk-rating-model.

Again, though RiskRecon did not intentionally build its rating model to predict ransomware events, it does strongly predict the frequency that ransomware events will occur. Go figure, companies that measurably demonstrate good cybersecurity risk management practices have much lower rates of ransomware events than those that do not. Let’s dive in and talk about the methodology, the results, and why it matters to you.

The Methodology

RiskRecon enumerated ransomware events occurring January 2019 – June 2021 that were publicly reported through Internet news sources. Limiting the population to these events helped ensure that the ransomware events were material enough to be of public interest and provide reasonable assurance that events were not false positives. Further, RiskRecon limited events to those in which systems were encrypted in the attack, intentionally excluding events in which only data was stolen, and a ransom was sought. RiskRecon covers data loss to rating correlation in another study (https://www.riskrecon.com/predicting-breach-frequency).

From this set of organizations, RiskRecon identified the subset of organizations for which RiskRecon had ratings and underlying assessments at the time of the ransomware event – a total of 225 events across 225 organizations. RiskRecon then recorded the rating (A – F scale) of the organization at the time of the event. For each company, RiskRecon removed the impact of any breach events on the company’s rating. This left company ratings to only reflect the quality of their cybersecurity risk management.

Analysts compared this data against the total population of RiskRecon’s 118,478 companies for which RiskRecon maintains analyst-trained assessment profiles.

The Results

RiskRecon ratings are very strongly correlated to ransomware events, with “F” and “D”-rated companies having a blended ransomware event frequency 16.6 times higher than “A”-rated companies.

Companies rated as “A” had 0.41 ransomware events per 1,000 companies, 0.041% of the population. In comparison, “F” had 4.47 ransomware events per 1,000 companies, 0.45% of the population. Interestingly, “D” rated companies had the highest rate of ransomware events at 7.65 per 1,000 companies, 0.765% of the population.

Even setting aside the rating population percentages, the lowest rated companies had a higher event count than the highest rated companies. “F” and “D” rated companies had an event count of 74, whereas “A” and “B” rated companies had an event count of 60. This is despite “A” and “B” rated companies having a population 7.3 times larger than the “F” and “D” rating population!

Why it Matters to You

You are charged with protecting your organization’s risk interests across a growing number of vendors and partners, commonly numbering into the hundreds and, sometimes in some cases, into the thousands. You have limited resources to manage your third-party risks.

RiskRecon’s cybersecurity ratings and insights make it easier for you to understand and act on your risks. This study demonstrates the power of using RiskRecon’s ratings and insights to objectively understand the quality of your vendor and partner cybersecurity risk management. Companies that measurably demonstrate good cybersecurity risk management practices have much lower rates of bad outcomes.

  • Ransomware events – This study demonstrates that “F” and “D” rated companies have a 16.6 times greater frequency of ransomware events than “A”-rated companies.
  • Data breach events – In an earlier study (https://www.riskrecon.com/predicting-breach-frequency), RiskRecon demonstrated that “F”-rated companies had a data breach event rate four times greater than “A”-rated companies.

RiskRecon’s objective insights help direct you towards the material issues that require remediation and the root cause security program gaps to address. Once you have completed your engagement, RiskRecon automatically monitors vendor progress, enabling you to hold your vendors accountable to protecting your risk interests well.