Cybersecurity

Why cyber resilience must be measured, not assumed

Measuring cyber resilience is key to protecting organizations and their wider ecosystems, including customers. Image: Getty Images/iStockphoto/undrey

Kirsty Paine
Field Chief Technology Officer and Strategic Adviser, Splunk a Cisco Company
Luna Rohland
Specialist, Cyber Resilience, World Economic Forum
This article is part of: Annual Meeting on Cybersecurity
  • 72% of organizations report an increase in cyber-risks and one in three small businesses say their cyber resilience is insufficient.
  • Organizations must embed cyber resilience across their entire body, rather than leaving it as an IT-only issue.
  • To be effective, cyber resilience needs to be measured with meaningful data.

In 2025, 72% of organizations reported an increase in cyber-risks and 35% of small businesses said their cyber resilience was insufficient. This represents a sevenfold increase since 2022.

Companies can’t prevent every cyber incident, so being able to minimize the impact of an incident is just as important as, or even more important than, preventing incidents from happening in the first place. The focus shouldn’t be: "How do we stop every attack?", but rather: "How do we survive any attack?"

This is cyber resilience in practice: an organization’s ability to minimize the impact of a significant cyber incident on its primary goals and objectives.

So, if resilience is about outcomes, how can an organization know if it’s truly resilient? How can leaders prove resilience to boards, insurers, regulators, employees – and to themselves?

Failure to understand an organization’s cyber resilience posture can leave it exposed. And without measurement, weaknesses can remain hidden until a major incident exposes them. Taking a reactive, rather than proactive, approach creates a vicious cycle that drains resources, making less effort available for the very thing that would prevent more incidents.

By measuring cyber resilience, however, an organization can better protect itself and its wider ecosystem from the effects of cyberattacks.

Cyber resilience in organizations
Cyber-resilient organizations can minimize the impact of cyberattacks on goals and objectives. Image: Unpacking Cyber Resilience, World Economic Forum (2024)

How to measure cyber resilience

Measurement helps to describe the world beyond vague terms such as "long", "heavy" or "soon". While it’s not possible to quantify everything, businesses can rely on data for anything that can be measured, which allows them to understand the status quo and prioritize actions that will enable agility.

The true value of measurement lies in how it informs people and choices. It gives executives clarity for investment decision making, provides regulators with credible evidence of resilience, builds customer trust in products and services, and helps teams to focus on the most impactful improvements to any processes they are measuring. Data underpins better decision making and provides a foundation for multiple stakeholders to build a shared understanding of the resilience of the organization's ecosystem. This is how measurement becomes the language that connects strategy, compliance, customer confidence and day-to-day practice.

To date, no single comprehensive framework exists to measure cyber resilience holistically. Instead, the current landscape consists of multiple overlapping but partial approaches – such as cyber maturity models, threat-led testing frameworks and operational resilience frameworks – each covering specific dimensions of the cyber-resilience challenge.

Cybersecurity frameworks like ISO 27001 and CIS Controls focus on assessing cyber hygiene and maturity, for example. Threat-led testing schemes such as CBEST and frameworks or methodologies like STAR-FS and MITRE's ATT&CK Evaluations emphasize adversarial simulation and detection capabilities. Meanwhile, frameworks like the Basel principles support resilience, recovery and planning, while FAIR helps quantify and prioritize cyber-risk.

Measuring cyber resilience requires moving beyond static assessments and security-focused benchmarks. It should integrate technical, human and organizational factors, while remaining adaptive to evolving threats and contexts.

Key principles for measuring cyber resilience include:

  • Keep tools simple to support adoption, allow repeat assessments and encourage broad organizational engagement.
  • Use a holistic approach by combining technical readiness with human and organizational factors to account for the cross-organizational nature of cyber resilience.
  • Consider cross-organizational factors to avoid a narrow focus on security.
  • Choose indicators or indices over fixed metrics to reflect evolving baselines, prevent too much focus on a single area and avoid unhelpful comparisons.
  • Integrate flexibility to accommodate different definitions of resilience, varying goals and changing audiences across organizations.
  • Prioritize decision making through assessments that allow organizations to make interventions, guide decisions and track progress.
  • Create measures and results that support leadership’s strategic decision making and enable cultural change.
A compass showing various cyber-resilience strategies
Cyber-resilience strategies can be organized into seven interrelated categories. Image: The Cyber Resilience Compass, World Economic Forum (2025)

Taking action on cyber resilience

The World Economic Forum’s Cyber Resilience in Industries initiative unites perspectives from industry, government, academia and civil society to build a shared approach to measuring cyber resilience. The initiative draws on lessons from existing frameworks, identifying critical gaps and developing actionable cybersecurity insights for leaders. By fostering collaboration across sectors, the initiative aims to advance consistent, measurable improvements in organizational and systemic cyber resilience.

As digital ecosystems grow, interconnections deepen and threat actors become more sophisticated, the cost of unmeasured cyber resilience will continue to rise. Waiting for a breach to reveal weaknesses could cost a company millions of dollars or even drive it out of business.

To avoid this, cyber resilience must become a property of core business functions rather than being seen as an IT-only concern. Embedding measurement into operational cyber routines – just as it is embedded in financial audits or risk assessments – will enable the necessary shift from reactive crisis management to proactive risk mitigation. This is how cyber resilience becomes part of an organization’s DNA, not just a last resort when systems fail.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
