How does your industry compare when it comes to the financial loss exposure of cyber threats?

computer image of code and numbers

Business leaders must understand cyber risk to provide effective oversight of a cyber-resilient organization. Image: Unsplash/Artem Bryzgalov

Nicola (Nick) Sanna
President and CEO, RiskLens
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:


Listen to the article

  • While 83% of company boards say they've improved their understanding of cyber risks, many struggle to keep pace with changing cyber threats.
  • Business leaders must understand the economic drivers and impact of cyber risk, to provide effective oversight of a cyber-resilient organization.
  • Substantial improvements to security posture and a reduction in the number of records at risk can reduce losses by 60% and event probability by 67%.

As the growing financial impact of cybersecurity breaches continues to reach astronomical heights, corporate and government leaders are increasingly looking for ways to better understand what this means for their organizations.

According to the 2022 NACD Public Company Board Practices and Oversight Survey, while 83% of boards say that they have improved their understanding of cyber risk compared to the two years prior, the same survey reveals that boards are struggling to keep pace with oversight of the onslaught of changing cyber threats.

And keep pace they must, as the continued digitalization of business services to better connect with customers, suppliers and employees and drive growth is being met with state-of-the-art cyber threats. In 2022, attackers spared no industry, sector or organization, no matter how sophisticated.

A technology leader like Uber was compromised – reportedly by a teenager from the Lapsus$ group – along with technology-poor institutions such as schools in Jackson County, Michigan, which were closed for days after a ransomware attack.

Risk themes continued to evolve in insidiously creative ways, from insider misuse (Meta employees were revealed to be ransoming Facebook and Instagram accounts), to ransomware (not just double but triple extortion), to business email compromise (no longer just criminals impersonating a known source via email, but adding voicemail compromise with deep fakes).

Facing this whirl of bad news, cyber risk leaders, corporate executives and corporate directors need to understand the economic drivers and impact of cyber risk, to provide effective oversight of a cyber-resilient organization in the pursuit of strategic goals, as highlighted in the World Economic Forum’s Principles for Board Governance of Cyber Risk.

The 2023 RiskLens Annual Cybersecurity Risk Report provides reference data on the impact of top cyber threats across key industries, based on actual 2022 events. The reference organization used for the study is an organization in North America with up to 1,000 employees and up to $1 million in revenue.

Government and healthcare the most impacted

The top two industries by financial loss exposure are public administration and healthcare, whose overall exposure was driven by high event probabilities and moderate losses. Public administration, particularly local governments in the US, are the least well-protected among industry categories, often due to budget constraints.

Average event probability, loss and exposure across simulations
Average event probability, loss and exposure across industries. Image: RiskLens

They are also among the most likely to be targeted by cyber attackers and, in recent years, have been heavily hit with ransom and encryption attacks causing lengthy disruptions of vital services and revenue sources such as payments for parking tickets or construction permits.

For their part, healthcare providers and payers play a high-stakes game in the cyber risk landscape, with sensitive data (sometimes in the hands of third-party vendors) and patient care at risk, all under the oversight of the US federal government’s HHS Office of Civil Rights (OCR) watching – and fining – for violations of HIPAA.

Ransomware does not rank first in cyber threats

When considering both the per-event losses and event probabilities, the study provides findings that might be counterintuitive for many:

  • Consider the top two themes by probability: insider error and insider misuse. While these are often the most likely events across industries, they aren’t in the top three most expensive losses per event.
  • Similarly, the most expensive theme by loss is system intrusion, however, it is substantively less probable than the top three most likely themes.
  • The threat that cyber risk overseers need to pay the most attention to is basic web application attacks, which are relatively probable and relatively expensive on a per-event basis.
Average event probability, loss and exposure across simulations
Average event probability, loss and exposure across simulations. Image: RiskLens

The report also reveals the top two cyber threats per industry, as follows:

  • Accommodation and food services: system intrusion, web application attacks
  • Educational services: web application attacks, insider error
  • Finance and Insurance: insider error, web application attacks
  • Healthcare: insider error, insider misuse
  • Information: web application attacks, social engineering
  • Manufacturing: insider misuse, web application attacks
  • Professional services: insider misuse, system intrusion
  • Public administration: web application attacks, insider misuse
  • Retail: web application attacks, insider error

How is the Forum tackling global cybersecurity challenges?

How organizations can reduce their cyber exposure

The study also examined the possible effect of cybersecurity posture changes and amounts of records such as personally identifiable information and credit card numbers. For the sake of this study, cybersecurity posture changes leverage the scores of SecurityScorecard, a leading security ratings firm.

The key takeaway is that substantial improvements to security posture and a reduction in the number of records at risk can reduce losses by 60% and event probability by 67%. If applied jointly, these two levers can reduce overall exposure by 88%.

You can access the full details of the study by downloading the report from the RiskLens website.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

The rise of smart contracts and strategies for mitigating cyber and legal risks

Jerome Desbonnet and Oded Vanunu

July 16, 2024

About Us



Partners & Members

  • Sign in
  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum