Hot take:
The Verizon DBIR isn’t that useful; it’s more news than intelligence.
The Cyentia IRIS has news, but it’s more of an intelligence report; something you can make resource decisions with.
In my cybersecurity first principles book, I make the case that the absolute cybersecurity first principle that everybody in the infosec profession should be pursuing, regardless of the vertical they reside in and regardless of their size, is this:
Reduce the probability of material impact due to a cyber event in the next 3-5 years.
Assuming that’s true, then being able to forecast the current probability, and estimating how that probability might change day-to-day, is a fundamental skill that we should all be familiar with. I explain how to do it in Chapter Six. But to do the forecasting, you need data.
The 2025 Verizon Data Breach Investigations Report (DBIR)
I’ve been a fan of the Verizon Data Breach Investigations Report (DBIR) from almost the very beginning. Indeed, the report has been a must-read for the infosec profession for the past decade.
According to this year’s version, the DBIR focuses on the analysis of anonymized cybersecurity incident data that Verizon collects every year from almost a hundred data contributors. 2025 marks the 15th anniversary of the VERIS framework (Vocabulary for Event Recording and Incident Sharing), which Wade Baker, Alex Hutton and Chris Porter introduced to the world back in 2010. VERIS is the statistical foundation for the DBIR.
Don’t get me wrong. This year’s version of the DBIR is a well-researched and beautifully presented summary of 22,052 real-world security incidents and 12,195 confirmed data breaches from the past year that occurred inside organizations of all sizes and types. But I’ve always assumed that the DBIR was an intelligence report. To me, that means that after I’ve read it, I should be able to make one or more decisions based on the intelligence within it. I should be able to decide to continue my current course or change it depending on how I read the information. Since the DBIR’s underlying data is the statistics of incidents and breaches, I should be able to use it to update my forecast on the current probability of cyber material impact.
After reading the 2025 DBIR (twice now), I’m not sure what I do with the information. Nothing immediately comes to mind that either confirms what I’m doing or compels me to change. And if I can’t make a decision with the information, the DBIR is not an intelligence report. It’s more like news.
For example, the summary of findings highlights
The growth of software vulnerabilities.
An increase in ransomware attacks including small businesses.
A rise in third party attacks.
Espionage, as a motivation, was more prevalent.
Bring Your Own Devices (BYOD) are a source for credential stealing.
AI might be a problem in the future.
The meat of the report contains many gorgeous graphs describing the details of the summary and individual sections depicting what’s happening in important verticals and specific regions around the world.
It’s all interesting but does not help me make any decisions. Like I said, it’s news and it’s primarily tactical. There is no discussion of strategic purpose or intent. It feels like a throwback to the 2000s and early 2010s when we were still trying to scare organizational leadership about the threat to get more resources for our infosec programs; the old Fear, Uncertainty, and Doubt (FUD) gambit that I have used myself in the past.
In 2025, we are well past the need for FUD. Organizational leadership is aware that cyber attacks are happening. What is missing is the analysis of the actual risk to the business. We’re not getting that with the DBIR.
The Cyentia Information Risk Insight Study 2025
I discovered Cyentia and their IRIS report while I was writing my Cybersecurity First Principles book. I was wrestling with the idea on how to improve cyber risk forecasting.
Two CyberCanon Hall of Fame books captured my attention: the 2014 CyberCanon Hall of Fame Book “Measuring and Managing Information Risk: A FAIR Approach” by Jack Freund and Jack Jones and the 2016 CyberCanon Hall of Fame Book, “How to Measure Anything in Cybersecurity Risk” by Douglas Hubbard and Richard Seiersen.
Those two books convinced me that there was a better way than using heat maps to scare senior leaders into giving me resources for my infosec program. The authors opened my eyes to a new world of cyber risk forecasting utilizing terms that business leaders understand.
I’ve told this story many times before, but, although I love those two books, my frustration while reading them was that they are both theoretical. I kept waiting for the chapter at the end that explained how to do it in the real world. That chapter never came, so I decided to write it in my own book (Chapter Six - Risk Forecasting).
Superforecasting: Outside-In and Inside-Out
But I needed a more realistic methodology. I got it in the 2015 CyberCanon Hall of Fame book, “Superforecasting: The Art and Science of Prediction” by Philip Tetlock and Dan Gardner. In essence, by understanding that risk is a measure of uncertainty, forecasters can estimate the probability of material impact of a cyber event using the fundamentals of Bayes’ rule, Fermi estimates, and the value of Outside-In analysis and Inside-Out analysis.
Outside-In Analysis is the base case. What’s the probability that any organization like mine will be hit with a material cyber event? Once you know that number, risk forecasters use Inside-Out Analysis to adjust it based on the defensive posture of the organization. But you need to do the Outside-In Analysis first. That’s where the Cyentia IRIS reports come in.
Cyentia
The Cyentia Institute is a research firm working to improve cyber risk management through analytical services and data-driven research publications. Interestingly, one of its co-founders is Wade Baker. He was on the original DBIR team back in 2010 and helped develop the VERIS framework (Vocabulary for Event Recording and Incident Sharing). Also, Jack Freund just recently joined Cyentia as an Executive Fellow. Jack is a co-author of the CyberCanon Hall of Fame book, “Measuring and Managing Information Risk” mentioned above.
Cyentia’s calculations rely on cyber loss data collected by Zywave (formerly Advisen). According to the IRIS, the Zywave data contains over 150,000 security incidents and associated financial losses spanning decades derived from publicly available sources, such as breach disclosures, public company filings, litigation details, and Freedom of Information Act requests. Cyentia believes that it is the most comprehensive source of cybersecurity incidents and losses available.
The IRIS
In this year’s IRIS report, the executive summary is similar to the DBIR; kind of newsy; kind of FUDy. Things like
3,000 significant security incidents reported each quarter (let’s call them material incidents), a 650% increase over the last 15 years.
The Outside-In forecast that any given organization will experience a material cyber event has almost quadrupled since 2008.
Cyber losses have multiplied 15-fold.
Compromising user credentials remains the most common intrusion technique over the last decade.
But the meat of the report is when it transforms itself into an intelligence report. We get that intelligence from two data points within the report: probability and range of losses.
A Slight Detour about the Intelligence I Need
According to the Hubbard/Seiersen book, a simple model to forecast the expected loss from a future material cyber event is
x = lognorm.inv (probability, mean, standard_dev)
where
X: The forecasted revenue loss
Probability: The probability of a material cyber event
Mean: The midpoint of the log-transformed revenue-loss range, as in
(ln(Upper Bound Revenue Loss) + ln(Lower Bound Revenue Loss))/2
Standard Deviation: An approximation of the standard deviation of the log-transformed range, treating the upper and lower bounds as a 90% confidence interval (3.29 is the width of a 90% interval measured in standard deviations), as in
(ln(Upper Bound Revenue Loss) − ln(Lower Bound Revenue Loss))/3.29
In order to use that formula, we need two values: The probability of a material cyber event and the range of potential losses. That’s the intelligence I need.
The probability of a material cyber event (The General Case)
When I did this calculation for my book back in 2022 (Chapter 6), I forecasted 17%. As any good Superforecaster nerd knows, this is our Bayesian prior. But we also know that, as new evidence emerges, we adjust this forecast up or down depending on the evidence. I liked my calculation back then, but the 2025 IRIS gives us more evidence with this chart:
It shows how the Outside-In probability forecast for any organization having a cyber incident has grown from 2.5% in 2008 to 9.3% in 2024. This data is what I’m talking about in terms of intelligence. It’s no longer just news. I can use that number to make some decisions.
Since my prior three years ago was 17%, do I just throw that number out and adopt the IRIS 9.3% number? The question you have to ask yourself is how confident are you in the new IRIS number?
A trick to use is whether you would spend $100 of your own money betting that the new number is correct. If you would, then yes, just adopt the IRIS number. If not, keep dropping your prior down until you would bet $100 of your own money. This is a gut call and the main reason there is uncertainty in the decision. But in the world of risk forecasting, get used to the idea of uncertainty. Just because we are using probabilities doesn’t mean we automatically get accuracy and precision. What we do get, though, is a good enough answer so that we can make some resource decisions in terms of the people, process, and technology triad.
In my case, I’m willing to bet $100 that the IRIS number is more correct than my 17% number. If I'm doing the Outside-In forecast today, 9.3% is the value I’m using for the probability variable in the Hubbard/Seiersen formula.
The Range of Potential Losses
The next variable to fill is the range of potential losses due to a material cyber event. Specifically, I need the upper and lower bounds of the range. This IRIS chart fills the need nicely.
In 2014, the upper bound is $28.5M and the lower bound is $2.9M. Again, with this IRIS, I’m getting intelligence; not just news.
Takeaway
Because of the 2025 IRIS, I now have enough evidence to fill in the variables to the Hubbard/Seiersen model:
x = lognorm.inv (probability, mean, standard_dev)
The answer, X in this formula, is one value. But, I take this formula, Hubbard and Seiersen call it a Probability Distribution Function (PDF), and put it into a Monte Carlo Simulation and now I can build a Loss Exceedance Curve to show my senior leadership. That Loss Exceedance Curve becomes the basis for all discussions around funding, risk tolerance, and what exactly is a material cyber event for our organization. How to do that will be a discussion for another day.
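The model above carried through in code, as an added example that is not part of the original post: the Hubbard/Seiersen lognormal parameterization using the post’s 9.3% probability and $2.9M to $28.5M range, then a Monte Carlo run that yields the loss exceedance curve. It assumes the usual Monte Carlo treatment, in which one uniform draw against the event probability decides whether a material event occurs in a simulated year and a second uniform draw is fed to the lognormal inverse to size the loss; the function names are mine.

```python
import math
import random
from statistics import NormalDist

# Inputs taken from the post: the 2025 IRIS Outside-In probability and the
# loss range the post reads off the IRIS chart (treated as a 90% interval).
P_EVENT = 0.093
LOWER_BOUND = 2.9e6
UPPER_BOUND = 28.5e6


def lognormal_params(lower, upper):
    """Hubbard/Seiersen parameters: mean is the midpoint of the log range,
    sd divides the log range by 3.29 (width of a 90% interval in sigmas)."""
    mean = (math.log(upper) + math.log(lower)) / 2
    sd = (math.log(upper) - math.log(lower)) / 3.29
    return mean, sd


def lognorm_inv(probability, mean, sd):
    """Lognormal quantile function, the equivalent of Excel LOGNORM.INV."""
    return math.exp(NormalDist(mean, sd).inv_cdf(probability))


def simulate_annual_losses(p_event, lower, upper, trials=10_000, seed=1):
    """One trial is one simulated year. A uniform draw below p_event means
    the event happened; a second draw sizes it. Quiet years contribute 0."""
    rng = random.Random(seed)
    mean, sd = lognormal_params(lower, upper)
    losses = []
    for _ in range(trials):
        if rng.random() < p_event:
            losses.append(lognorm_inv(rng.random(), mean, sd))
        else:
            losses.append(0.0)
    return losses


def loss_exceedance(losses, thresholds):
    """Loss exceedance curve: P(annual loss >= threshold) per threshold."""
    n = len(losses)
    return {t: sum(1 for x in losses if x >= t) / n for t in thresholds}


if __name__ == "__main__":
    mean, sd = lognormal_params(LOWER_BOUND, UPPER_BOUND)
    for p in (0.05, 0.5, 0.95):
        print(f"{p:.0%} quantile of loss given an event: "
              f"${lognorm_inv(p, mean, sd) / 1e6:.1f}M")
    losses = simulate_annual_losses(P_EVENT, LOWER_BOUND, UPPER_BOUND)
    for t, prob in loss_exceedance(losses, [1e6, 5e6, 1e7, 2.85e7]).items():
        print(f"P(annual loss >= ${t / 1e6:.1f}M) = {prob:.1%}")
```

The 5% and 95% quantiles land back on the $2.9M and $28.5M bounds, which is the check that the 3.29 divisor is doing what the formula claims.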
But the takeaway here is that the 2025 Cyentia IRIS is an intelligence report. It has news in it like the Verizon DBIR, but I can use the intelligence pieces to make resource decisions in terms of the people, process and technology triad. The Verizon DBIR is a well-researched report, but it’s just news. In my mind, it’s not a must-read any more.
Sources
C. David Hylender, Philippe Langlois, Alex Pinto, Suzanne Widup, 2025. 2025 Data Breach Investigations Report [Report]. Verizon Business. URL https://www.verizon.com/business/resources/reports/dbir/
Staff, 2025. Information Risk Insight Study 2025 [Analysis]. Cyentia Institute. URL https://www.cyentia.com/iris2025/
References
Ben Rothke, 2016. Book Review: Measuring and Managing Information Risk: A FAIR Approach [CyberCanon Hall of Fame Book Review]. Cybersecurity Canon Project. URL: https://cybercanon.org/measuring-and-managing-information-risk-a-fair-approach/
Bob Clark, Douglas Hubbard, Richard Seiersen, 2017. Author Interview: “How To Measure Anything in Cybersecurity Risk” - Cybersecurity Canon 2017 [Video]. YouTube. URL
Bryan Smith, 2019. How to Read Loss Exceedance Curves in RiskLens [Explainer]. RiskLens. URL https://www.risklens.com/resource-center/blog/reading-loss-exceedance-curves
Douglas Hubbard, Richard Seiersen, 2016. How to Measure Anything in Cybersecurity Risk [Book]. Goodreads. URL https://www.goodreads.com/book/show/26518108-how-to-measure-anything-in-cybersecurity-risk
Jack Freund, Jack Jones, 2014. Measuring and Managing Information Risk: A FAIR Approach [Book]. Goodreads. URL https://www.goodreads.com/book/show/22637927-measuring-and-managing-information-risk
J. Carlos Vega, Aleksandra Scalco, Ph.D., 2025. Cybersecurity First Principles: A Reboot of Strategy and Tactics [CyberCanon Candidate Book Review]. CyberCanon. URL https://cybercanon.org/cybersecurity-first-principles-a-reboot-of-strategy-and-tactics/
Mike Clayton, 2020. What is a Monte Carlo Simulation? [Explainer]. Online PM Courses - YouTube. URL
Philip Tetlock, Dan Gardner, 2015. Superforecasting: The Art and Science of Prediction [Book]. Goodreads. URL https://www.goodreads.com/book/show/23995360-superforecasting
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Amazon. URL https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics-ebook/dp/B0C35HQFC3/ref=sr_1_1
Rick Howard, 2025. The Theory That Would Not Die: How Bayes’ Rule Cracked the Enigma Code, Hunted Down Russian Submarines, and Emerged Triumphant from Two Centuries of Controversy [Candidate Book Review]. CyberCanon. URL https://cybercanon.org/the-theory-that-would-not-die-how-bayes-rule-cracked-the-enigma-code-hunted-down-russian-submarines-and-emerged-triumphant-from-two-centuries-of-controversy/
Rick Howard, Steve Winterfeld, 2025. How to Measure Anything in Cybersecurity Risk [CyberCanon Hall of Fame Book Review]. CyberCanon. URL https://cybercanon.org/how-to-measure-anything-in-cybersecurity-risk/
Sharon Bertsch McGrayne, 2011. The Theory That Would Not Die: How Bayes’ Rule Cracked the Enigma Code, Hunted Down Russian Submarines, and Emerged Triumphant from Two Centuries of Controversy [Book]. Goodreads. URL https://www.goodreads.com/book/show/10672848-the-theory-that-would-not-die
Staff, n.d. About Zywave [Homepage]. Zywave. URL https://www.zywave.com/about-us-zywave/
Staff, 2021. Fermi Problem Explained [Explainer]. Inch by Inch Stories. URL