Results and Analysis


  • Introduction

    The results found in this and subsequent sections within the report are based on a dataset collected from a variety of sources, including cases provided by the Verizon Threat Research Advisory Center (VTRAC) investigators, reports provided by our external collaborators, and publicly disclosed security incidents. The year-to-year data will have new incident and reach sources as we continue to strive to locate and engage with additional organizations that are willing to share information to improve the diversity and coverage of real-world events. This is a sample of convenience,3 and changes in contributors—both additions and those who were not able to contribute this year—will influence the dataset.

    Moreover, potential changes in contributors’ areas of focus can shift bias in the sample over time. Still other potential factors, such as how we filter and subset the data, can affect these results. All of this means that we are not always researching and analyzing the same population. However, they are all taken into consideration and acknowledged where necessary within the text to provide appropriate context to the reader.

    Having said that, the consistency and clarity we see in our data year-to-year gives us confidence that while the details may change, the major trends are sound.

    We believe it is fair to say that one of the primary lessons that 2020 had to teach us was that it is often futile to attempt to predict the future. However, not trying to predict it is not the same thing as giving up on scenario planning and preparing your organization for probable outcomes to the best of your ability. The DBIR is not in the business of prediction,4 but it can go a long way to help you shape your response strategy in the face of an uncertain future.


  • Consider Figure 9 for instance; it’s your run-of-the-mill DBIR chart with all the slanted bar-charted goodness, courtesy of our Misuse action varieties.5 We have a few big things up top, and a lot of stuff near the end.

    One valid way to interpret this is that the top bar or two are the norm of what may happen, namely in this example “Privilege abuse” and “Data mishandling”. Those are the Action varieties that are understood to be so common that, if they were to cause a breach, someone (most likely on a bird website) would say, “That organization should have known better.”

  • Figure 9
  • Suffice it to say, there’s a great deal of inequality in the frequencies of the varieties shown. Those small bars are the extraordinary and uncommon attacks that could happen but are unlikely. If they were to cause a breach the victim would claim, “It was an advanced attack. There was nothing that anyone could have done.”6

    However, if you take all those small bars on the Action varieties and add their breach frequencies together, you get Figure 10. Now it doesn’t look quite so uncommon anymore, does it? In fact, in this example it appears that a breach is just as likely to be caused by one of our myriad exceptions as it is to be caused by our second most likely Action variety.

    But does breach data always behave like this? Rather than show you lots of bar charts,7 we’re going to condense that concept down into a single number. Figures 11 and 12 show some data with different levels of inequality. We use the word “inequality” not by chance, but to introduce the fact that we can calculate the Gini coefficient8 to represent this long tail behavior.


  • The Gini coefficient is a measure of statistical dispersion most commonly used to represent the income or wealth inequality within a nation or other group of people.9 While it uses a lot of math none of us can be bothered with, it ultimately represents a completely equal outcome, where everyone has the same income (in other words, the “income per person” chart is a horizontal line), as a 0, and a world where one individual has all the income (in other words all we have on the chart is a huge vertical spike somewhere) as a 1.

    Let’s bring this closer to our subject matter by looking at some security related data, like how often your SIEM generates a group of critical alerts that need immediate review. Anecdotally, you could attest that happens exactly “every time you are on-call,” but humor us for a moment. In Figure 11, we generated some simulated example data that is perfectly smooth and looks horizontal on the chart—this one has an equality score of 0 (perfectly equal). Figure 12 has actual data representing the time interval between critical SIEM events, and it is extremely spikey.10 It has a Gini equality score of 0.95, demonstrating a huge variation in the time between events. It’s not just you: critical SIEM events fall into everyone’s laps indiscriminately.
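The calculation described above, as an added example that is not part of the original report: it computes the Gini coefficient for a set of Action variety counts and for the gaps between critical SIEM alerts, and compares the summed long tail with the second-largest bar. All counts and timestamps are constructed sample data, and the function names are illustrative.

```python
"""Gini coefficient over breach-variety counts and SIEM alert gaps."""
from itertools import accumulate
from typing import Iterable, List, Tuple


def gini(values: Iterable[float]) -> float:
    """Return the Gini coefficient of a set of non-negative values.

    0.0 means every value is identical. The maximum for n values is
    (n - 1) / n, reached when a single value holds the entire total.
    """
    xs = sorted(float(v) for v in values)
    if not xs:
        raise ValueError("need at least one value")
    if xs[0] < 0:
        raise ValueError("values must be non-negative")
    total = sum(xs)
    if total == 0:
        return 0.0  # all zeros: nothing to distribute, treat as equal
    n = len(xs)
    # Rank-weighted form of the mean absolute difference (O(n log n)).
    weighted = sum(rank * x for rank, x in enumerate(xs, start=1))
    # Clamp away tiny negative floating-point error on equal inputs.
    return max(0.0, 2.0 * weighted / (n * total) - (n + 1) / n)


def inter_arrival_gaps(timestamps: Iterable[float]) -> List[float]:
    """Seconds between consecutive events, after sorting by time."""
    ts = sorted(timestamps)
    if len(ts) < 2:
        raise ValueError("need at least two events to measure a gap")
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def tail_vs_head(counts: Iterable[int], head: int = 2) -> Tuple[int, int]:
    """Return (size of the head-th largest bar, sum of everything after it)."""
    ordered = sorted(counts, reverse=True)
    if len(ordered) <= head:
        raise ValueError("no tail beyond the requested head")
    return ordered[head - 1], sum(ordered[head:])


# Constructed breach counts per Misuse variety (not DBIR figures).
VARIETY_COUNTS = {
    "Privilege abuse": 120,
    "Data mishandling": 40,
    "Tail variety A": 9,
    "Tail variety B": 8,
    "Tail variety C": 7,
    "Tail variety D": 6,
    "Tail variety E": 5,
    "Tail variety F": 3,
    "Tail variety G": 2,
}

# Constructed alert times in seconds: one critical alert every hour.
STEADY_ALERTS = list(range(0, 24 * 3600, 3600))

# Constructed alert times: three bursts seconds apart, long quiet periods.
_BURST_GAPS = [2] * 10 + [40000] + [3] * 8 + [90000] + [1] * 12 + [20000]
BURSTY_ALERTS = list(accumulate(_BURST_GAPS, initial=0))


if __name__ == "__main__":
    second_bar, tail_sum = tail_vs_head(VARIETY_COUNTS.values())
    print(f"second most common variety: {second_bar} breaches")
    print(f"all smaller varieties combined: {tail_sum} breaches")
    print(f"Gini of variety counts: {gini(VARIETY_COUNTS.values()):.3f}")
    print(f"Gini of steady alert gaps: "
          f"{gini(inter_arrival_gaps(STEADY_ALERTS)):.3f}")
    print(f"Gini of bursty alert gaps: "
          f"{gini(inter_arrival_gaps(BURSTY_ALERTS)):.3f}")
```

Running the same functions over your own alert export or incident tracker shows how much of the workload sits in the head that can be engineered for and how much sits in the tail that analysts handle case by case.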

  • Figure 10
  • Figure 11
  • Figure 12
  • This complicated mathematical setup is to convey the reality that the DBIR data (incident and non-incident alike) is very unequal,11 but at least we can measure it. Figure 13 shows the equality scores for Action, Actor, Asset, and Attribute varieties and vectors over the last seven years. The scores range from about 0.73 to 0.94, or as we would say here, “high.” Breach data may seem likely to always be the same, but some varieties are more equal than others.

    The reality is you don’t need a crystal ball, a neural network or next gen AI to tell you what the norm12 is. You can do that for yourself and plan accordingly. On the other hand, you can’t solution your way out of the long tail. It is made up of a legion of little things that happen only rarely—they are the exceptions to the norm. Well, maybe you can if you have enough money. And some organizations that are in critical roles to our society have no choice but to try to do so. But from a purely monetary value, if you look at what breaches cost in the Impacts section, it’s not a wise use of your organization’s resources to engineer solutions for every single possible exception.13


  • Armed with the knowledge of what is the norm and what is the exception, an ideally optimized solution would be to engineer solutions for the norm, and train your security operation teams to handle the exceptions. Turns out humans are very flexible problem-solvers, and most love a good challenge occasionally.

    The next time we are up against a paradigm-shifting breach that challenges the norm of what is most likely to happen, don’t listen to the ornithologists on the blue bird website chirping loudly that “We cannot patch manage or access control our way out of this threat,” because in fact “doing the basics” will help against the vast majority of the problem space that is most likely to affect your organization.

    Read on to learn what the normal actor has been up to for the last year, and pick out the areas where you can improve, against both the norm and the exception. Because the only way to predict the future is to change it yourself.

  • Figure 13
  • Actor

    “All the world’s a stage,” and our threat actors “all have their exits and their entrances.” We must admit that they seem to know their cues very precisely. However, at this point the analogy breaks down a bit, as rather than “playing their many parts”14 we seem to keep viewing the same performance repeated ad infinitum, as if forced to endlessly re-watch a recorded musical theater presentation on a streaming service.15

    It seems clear that our External actors are not giving up their close-ups, as they continue year after year to dominate the Actor types in breaches as illustrated in Figure 14. As a reminder to our readers, the Internal type shown here will include breaches in which both Misuse actions (where the mythical winged internal threats live in our taxonomy) and Error actions (the oopsies) occurred.

    Of course, an External actor breaking into an organization by leveraging illicitly obtained credentials or other illegal access to pivot internally may initially resemble an internal threat before detailed incident forensics are engaged. But even though the call may be coming from inside the house, there is still a stranger on the line.

    As in past years, financially motivated attacks continue to be the most common (Figure 15); likewise, actors categorized as Organized crime continue to be number one (Figure 16).


  • Figure 14
  • Figure 15
  • Figure 16
  • However, since 2015 it is relatively common for State-sponsored actors to also crave that cold hard cash16 as the Financial motives for those actors have fluctuated between 6% and 16% of recorded breaches. Given this result, it should come as no surprise when you glance at Figure 17 and find that the two most common cybercrime terms found on criminal forums are bank account and credit card related.

    Even as awareness of supply chain attacks has increased over the last few months, the overall percentage of incidents with a Secondary motive—where the ultimate goal of an incident was to leverage the victim’s access, infrastructure or any other asset to conduct other incidents—has decreased slightly as a percentage from last year. There are two caveats here that should be kept in mind: The associated growth year-over-year of Financially motivated breaches, and that most Secondary motive breaches reported to us are simple in nature (which suggests the catastrophic ones on everyone’s minds are still very much the exception). 

  • Figure 17
  • However, Secondary is still in second place (fittingly enough) as a top Actor motive, as Figure 18 demonstrates. So, if you are a software developer or service provider that has assets that could be repurposed in that manner, please make sure you are paying the proper attention to the operational parts of your organization.


  • In the same way automation may be helping you scale up your defensive operations, it can also help attackers scale up their offense. Figure 19 illustrates the relative occurrence of attack types in honeypot data. Near the top of the attacker’s opportunistic sales funnel, we see scanners. Down near the bottom are where the Remote Code Execution (RCE) attacks reside. Regardless of their placement in the figure, automation is likely to assist attackers in moving potential victims from the top of the funnel to the bottom. As such, it’s important to limit your public facing attack surface, through asset management, defensive boundaries, and intelligent patching.

  • Figure 18
  • Secondary motive subset

    In the Secondary Motive subset, we had an additional 24,913 incidents of which only one was a known breach. In all of these incidents, web apps were attacked with a secondary motive by External actors. Beyond that, we know very little.

  • Figure 19
  • Action

    Do we have an action-packed section for you, folks! Step right up, make room in the back so everyone can see! Figures 20 and 21 will reveal all you need to know about the frequency of Action varieties for the past year.

    We do not want to divert all of your attention from the brand-new incident patterns. So we saved additional details on how those Actions manifested in the wild for you to dig your teeth into there.

    Talking the talk and acting the action

    It would be impolite on our part not to address the virulent elephant17 in the room, so we have centered this initial analysis of Actions on evaluating how adapting to life in a pandemic-stricken world has impacted the threat landscape. The DBIR team released a COVID-19 Threat Landscape Trends article18 in the middle of last year, and it is only fair that we revisit how our speculations (see how we avoided the word predictions?) fared.

  • Figure 20
  • Figure 21
  • Figure 22 shows how the Actions we highlighted in that article varied in relation to last year’s report. We highlighted Phishing, Use of stolen creds, Ransomware and Errors as Action varieties that could possibly increase.

    Even in a year as unexpected as 2020, there are some things we can trust to stay the same. Phishing remains one of the top Action varieties in breaches and has done so for the past two years. Not content to rest on its scaly laurels, however, it has utilized quarantine to pump up its frequency to being present in 36% of breaches (up from 25% last year). This increase correlates with our expectations given the initial rush in phishing and COVID-19-related phishing lures as the worldwide stay-at-home orders went into effect.


  • Phishing continues to walk hand in hand with Use of stolen credentials in breaches as it has in the past. Admittedly, we expected to see an increase here due to a larger remote workforce. However, the numbers have remained in the region of 25% of breaches, which is still a significant number.


  • The major change this year with regard to action types was Ransomware coming out like a champ and grabbing third place in breaches (appearing in 10% of them, more than doubling its frequency from last year). This is also something we discussed, but this may have less to do with the changes in working arrangements than it does the shift in tactics of the actors who “named and shamed” their victims.

    These actors will first exfiltrate the data they encrypt so that they can threaten to reveal it publicly if the victim does not pay the ransom. We are not sure if this breach double-dipping is permitted in the Threat Actor Code of Conduct, but there has been no evidence that they have one anyway.

    The final piece of this puzzle pertains to Error actions, where we opined that we would see an increase, but actually had a decrease this year to 17% of breaches (from 22%). This breaks a three-year streak of either staying the course or increasing. Granted, the absolute number of Error breaches did increase from 883 to 905. However, as a proportion of the dataset, Error decreased due to the rapid growth of Social breaches.

    Of course, we here on the team secretly blame each other for this miscalculation on our part, as any team would. Still, both in relative and absolute terms, this is a significant value and is on par with Malware-related breaches as Figure 23 demonstrates, and it should certainly be front and center in your control definition strategy.

  • Figure 22
  • Figure 23
  • Actions have consequences19

    A data point we started collecting over the past few years pertains to the results of Actions, which provide some interesting insights especially when you consider it as a complement to our ongoing attack chain research. For example, a threat actor might perform a Use of stolen credentials or Phishing action to Infiltrate a victim organization, but then deploy Malware in order to Exfiltrate the data they had their sights on.

    The heatmap in Figure 24 shows how our most frequent results relate to our top-level Action categories.

    Points of interest here are how well those findings align with the attack chain information that is present in some of the incidents we analyze. If an Action is concentrated into Infiltrate, it is closer to the top of the first actions in a chain chart, as shown in Figure 25, while Exfiltrate will correlate with the last one. Misuse actions are different, as they often assume or require legitimate access to the Asset that was breached, and, as such, are very focused into Exfiltration. With regard to Malware, well, given the Swiss Army Knife behavior of modern variants, it looks like you can eat your cake and have it too.20

  • Figure 24
  • Figure 25
  • Shared access is double access

    Another noteworthy change this year is the increase in rank of Desktop sharing as the vector of a Hacking action to second place. As Figure 28 demonstrates, it is completely overshadowed by Web application as the attack vector. But it is now on the 5% threshold and we recommend attention to the authentication security of those. Notably, 89% of the Hacking varieties in this vector involved some sort of credential abuse (Use of stolen creds or Brute force).

  • Figure 26
  • Assets

    If, after looking at Figures 27 and 28, you had to double check that you weren’t still in 2020, you would be forgiven. Servers are still dominating the Asset landscape due to the prevalence of web apps and mail services involved in incidents. And as social attacks continue to compromise people (they have now pulled past user devices), we begin to see the domination of phishing emails and websites delivering malware used for fraud or espionage.

    However, we can glimpse the impact of a world where the flickering flames of digital transformation have slowly built into a sizable inferno when we review the Assets involved in breaches. Figure 29 shows that there is a large gap between Person and User devices as the most breached Assets, and the decline of User devices is statistically verifiable in relation to the previous two years. This result makes sense when we consider that breaches are moving toward Social and Webapp vectors, and those are becoming more server based, such as gathering credentials and using them against cloud-based email systems.

    A related result that will likely not be surprising is that this year, external cloud assets were more common than on-premises assets in both incidents and breaches. Now before you put that in your marketing brochure for your next gen AI21 cloud security product, there were 10 times as many Unknowns (quite plainly incidents where the information on the location of the assets was not available) as there were cloud assets. That is more than enough to tip the scales in the other direction if we’d known more about what happened. Still, in a sample of random organizations, 17% that had a web presence had internet-facing cloud assets.22 If it was not obvious by now, cloud assets deserve a seat at the grown-up security table and a piece of your budget pie.23

    Even the median random organization with an internet presence has 17 internet-facing assets (Figure 30). Figure 30 gives you an idea of how vulnerable those organizations are. Most had no vulnerabilities at all. Furthermore, one might think that more recent vulnerabilities would be more common.24 However, as we saw last year, it is actually the older vulnerabilities that are leading the way.25

    Rather than selecting out of something like the Alexa top 1 million domains, we randomly sampled a database of hundreds of millions of companies worldwide. Out of a million companies, only 1.4% had a web presence (a domain connected to the organization). It’s easy to forget that the average security-conscious organization might be quite different from the average company.

  • Figure 27
  • Figure 28
  • Figure 29

  • Figure 30
  • Figure 31
  • Figure 32
  • Figure 33
  • Figure 34

  • These older vulnerabilities are what the attackers continue to exploit. Figure 32 shows the discovery years of vulnerabilities that attackers attempted to exploit in bulk as seen from the perspective of honeypots. If Tom Brokaw were writing this report, he’d call them the greatest generation of vulnerabilities. Eternal Blue is a crowd favorite, which shows that the amount of time since discovery does not really factor into why actors target vulnerabilities. Instead, it seems to be simply a matter of what capabilities exploiting a vuln provides to the attacker, along with the robustness of current working exploits and payloads.26

    So, what’s a good, clean-cut, security-conscious organization to do? Based on Figure 33, the patching performance this year in organizations has not been stellar. Granted, it’s never been great.27 There are several likely hypotheses to explain why this year might be underperforming.


  • The ideal state for any organization is to patch smarter, not harder, by using vulnerability prioritization not necessarily to improve security, but to improve the organization’s productivity. Every patch that has to be applied means you are that much farther from putting down the keyboard and picking up the d-pad.28 Anything you can do to avoid patching vulnerabilities that do not improve your security keeps you just as secure but involves much less work (and less chance of burnout from your employees or service providers).

    Mobile phones made the list in Figure 28 at the beginning of this section. As with last year, this finding is somewhat anticlimactic as the vast majority are simply lost phones. Still, that’s not quite the end of our mobile foray. We also have mobile data on malicious URLs and APKs29 in Figure 34. What we found, in short, was that you don’t have to be a large organization to have a good chance that one of your members received a malicious URL or even installed a malicious APK.30


    The Attributes are the Confidentiality, Integrity and Availability (aka the CIA31 Triad) violations of the impacted asset. Whether it is a confirmed data breach in which the confidentiality of the data was compromised, or an integrity incident, such as altering the behavior of a person via phishing, the actions against the assets result in CIA violations. First, let’s discuss Confidentiality and the types of data that are most frequently compromised.


  • As we have pointed out in previous reports, Credentials remain one of the most sought-after data types (Figure 35). Personal data is a close second. Considering that Personal data includes items such as Social Security numbers, insurance related information, names, addresses, and other readily monetizable data, it is little wonder that attackers favor them as they do. They are also useful for financial fraud further down the line, not to mention their resale value.

    We do not mean to imply that attackers are the only way data is compromised. Sadly, we cannot discount the ability of our own employees to make mistakes, thereby contributing to the problem. However, they are less likely to involve credentials, and more likely to involve other data such as Personal information (Figure 36).

  • Figure 35
  • Figure 36
  • Moving on to Integrity violations (Figure 37), these are usually the result of a Social or Malware action. For the Social actions, Phishing and Pretexting will alter the behavior of their targeted victim. In some cases, Pretexting results in the initiation of a Fraudulent transaction, causing money to go where it was not supposed to. With the prevalence of Phishing and Pretexting in our dataset this year (43% of breaches) it is no surprise that Alter behavior ranks first among the Integrity violations.

    But we must not forget the Malware actions. Software installation comes in second place due to the high number of System Intrusion pattern cases that had a Malware component. Most commonly these were directly installed by the actor after system access—usually after a Hacking action such as the Use of stolen creds or Brute force.

    Finally, we arrive at our Availability violations (Figure 38). The most common is Obscuration, which is what you get when ransomware is installed and the encryption is triggered. Loss is our second most common violation, and results from either a lost or stolen asset, as you no longer have access to that data.

  • Figure 37
  • Figure 38
  • Timeline

    This year we decided to take a look at which breach types take the longest to discover (Figure 39). Traditionally, this has been insider Privilege Misuse. However, when looking at this year’s data (largely due to the insight provided by the new patterns), we found that the differences between Privilege Misuse and System intrusion were negligible. Both were present in the longest-to-discover breaches.

    In contrast, the breaches that are the fastest to discover appear to be those where it becomes readily apparent something is wrong. Examples include Stolen assets, because the employee found evidence of a break-in, and Errors, where the employee had that sinking feeling that they screwed up, and reported it in the hopes that it could be quickly contained. These are both internal methods of discovery, and if you don’t already have an easy and fast way for your people to report these kinds of breaches, you should look into it. Why not cultivate your employees to be your early warning system when it can have a great return on investment? The other end of the spectrum for discovery methods is when the threat actor involved makes the “notification” in the form of a ransom note that appears on screen.

    Finally, we were also curious what kind of data was the fastest to be compromised, and that turns out to be Credentials. This is particularly the case in Phishing, which typically goes after the victim’s credentials for use in gaining further access to their chosen victim organization.

  • Figure 39
  • Impact

    Many hands make for light work

    Attackers continue to profit substantially from the adversity that befalls breach and incident victims. And while that profit is certainly of interest,32 what really concerns us is how the amounts tally up on the other side of the transaction. Figure 40 illustrates the range of loss from various types of incidents based on adjusted losses reported to the FBI Internet Criminal Complaint Center (IC3).33 In this figure, each dot represents half a percent of incidents. First and foremost, according to IC3 data, is the fact that whether the attack was a Business Email Compromise (BEC), Computer Data Breach (CDB), or a ransomware attack, a large percentage of incidents did not actually result in a financial loss (42%, 76%, and 90% respectively).

    When losses did occur, they were not of the one-size-fits-all variety. Following the rules of good business, we expect attackers to charge what the market can bear. For a small organization that is usually a small amount. For a large organization, however, losses can be much more substantial. When examining breaches that included a reported loss, 95% of BECs fell between $250 and $985,000 with $30,000 being the median. That is a pretty big range, you say? Maybe so, but CDB ranges were even wider with 95% falling between $148 and $1.6 million, and a median loss of $30,000. Finally, for ransomware the median amount lost was $11,150, and the range of losses in 95% of the cases fell between $70 and $1.2 million.

  • Figure 40
  • Let us state this in a somewhat different manner: If you only consider the bottom-half (everything below the medians that we just mentioned), CDBs are often associated with bigger losses than are ransomware events. This finding, when coupled with the 90% of ransomware incidents that did not result in any loss, could be telling the story that organizations are no longer paying the ransoms. It must also be kept in mind that this loss data includes individuals as well as organizations, which is another potential reason for the numbers being smaller. Unfortunately, we do not have a sufficient level of detail to distinguish between the two. There is also the specter of potential bias toward underreporting of larger ransoms. If, however, organizations are skipping the ransom, the low payout ranges could have been yet another contributing factor for the rise of the ransomware “name and shame” threat actors witnessed in late 2019.


  • In a “glass half full” view of the above situation, there is some possible good news in that there is a chance you can reverse the mass migration of your funds to other environs. The IC3 Recovery Asset Team (RAT) can sometimes assist victims in the freezing of lost funds for possible recovery. In Figure 41, we see that when the IC3 RAT acts on BECs, and works with the destination bank, half of all US-based business email compromises had 99% of the money either recovered or frozen, whereas only 11% had nothing at all recovered. If your organization experiences an incident, we highly recommend that you contact the local branch of your national law enforcement and seek their assistance. Or, better yet, get to know them before the breach occurs! 

    Of course, direct losses are not the sole cost one encounters due to a breach. Apart from the damage done by the attacker, there remains the expense of Digital Forensics and Incident Response (DFIR) and legal counsel. Figure 42 provides an idea of what to expect in these areas based on cyber insurance34 claims. Each dot represents 2% of incidents. As you can see, 50% of incidents had no associated forensics costs. When forensics costs were present, 95% fell into the range of $2,400 to $336,500. Slightly fewer incidents had no associated legal costs (36%). For the remaining 64%, 95% of the legal costs fell between $800 and $54,000.

    It should be pointed out that insurance data can be somewhat biased. For instance, insurance may not cover legal costs or penalties. There may also be an additional deductible not covered in the overall costs. Of course, to address the elephant in the room,35 it is unlikely that your insurance will cover the damage to your company’s reputation. And depending on several factors such as disclosure requirements, the size of the breach, and other things hiding in the fine print, that damage can be considerable.

    Various studies have arrived at very different conclusions regarding the impact on stock price from a breach in the days immediately following a breach, including 2.53% (Rosati, Cummins, Gogolin, van der Werff, & Lynn, 2017), 5% (Campbell, Gordon, Loeb, & Zhou, 2003), 2.1% (Cavusoglu, Mishra, & Raghunathan, 2004), and 1% (Goel & Shawky, 2009). The findings of these studies are helpful, but they don’t shed much light on what happens in the long term. Figure 43 may help to illuminate the matter somewhat.

  • Figure 41
  • Based on data collected by comparitech.com36, breached companies underperformed the NASDAQ (a U.S. stock market) by about 5% after six months, though if you look at 95% of companies, the performance was anywhere from 48% underperforming to 39% overperforming. If we look two years into the future of those organizations (after the breach), those downward trends continued, suggesting that perhaps the breach wasn’t actually the cause, but the symptom.37

    To answer the question, “what might a breach cost in total?” we ran 1,000 Monte Carlo simulations using bootstrap sampling on the breaches in this year’s dataset for which we had cost information, like the good data nerds we are. Fourteen percent of the simulated breaches had no impact. Of the 86% that were impacted, Table 1 captures the results. What you do with these numbers is, of course, up to you. While you could plan for the median breach of $21,659, a better option might be to plan for the middle 80% of breach impacts, $2,038 to $194,035. Or better yet, be prepared for the most common 95% of impacts, between $826 and $653,587. If you add to that an organizational devaluation of around 5% (from Figure 43), then you just may have yourself a tangible figure you can plan around.

  • Percent of    Lower     Upper
    Median        $21,659
    80%           $2,038    $194,035
    95%           $826      $653,587

    Table 1 - Simulated Breach Costs
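The simulation described above can be sketched as follows. This is an added example, not the report's own code: the cost observations are constructed, and treating a breach's total as the sum of independently resampled direct-loss, forensics and legal costs is an assumption about how the components combine.

```python
import random

# Constructed per-incident cost observations in USD (illustrative, not DBIR data).
# A 0 means the incident had no cost of that type.
DIRECT_LOSS = [0, 0, 0, 1200, 5000, 9500, 18000, 30000, 72000, 250000]
FORENSICS = [0, 0, 0, 0, 0, 3000, 9000, 21000, 60000, 300000]
LEGAL = [0, 0, 0, 0, 1000, 1500, 3000, 6000, 12000, 25000, 50000]


def percentile(sorted_vals, p):
    """Percentile p (0-100) of an ascending list, with linear interpolation."""
    k = (len(sorted_vals) - 1) * p / 100
    lo = int(k)
    hi = min(lo + 1, len(sorted_vals) - 1)
    return sorted_vals[lo] + (sorted_vals[hi] - sorted_vals[lo]) * (k - lo)


def simulate_totals(components, runs=1000, seed=2021):
    """One simulated breach per run: resample each cost component with
    replacement from its observed values, then sum the components."""
    rng = random.Random(seed)  # fixed seed keeps the run reproducible
    return [sum(rng.choice(obs) for obs in components) for _ in range(runs)]


def summarize(totals):
    """Share of zero-cost breaches, plus median and central ranges of the rest."""
    impacted = sorted(t for t in totals if t > 0)
    summary = {"no_impact_share": 1 - len(impacted) / len(totals)}
    if impacted:  # ranges are undefined when every simulated breach cost nothing
        summary["median"] = percentile(impacted, 50)
        summary["middle_80"] = (percentile(impacted, 10), percentile(impacted, 90))
        summary["middle_95"] = (percentile(impacted, 2.5), percentile(impacted, 97.5))
    return summary


if __name__ == "__main__":
    result = summarize(simulate_totals([DIRECT_LOSS, FORENSICS, LEGAL]))
    for name, value in result.items():
        print(name, value)
```

Replacing the three constructed lists with your own incident or claims history gives planning ranges in the same shape as Table 1.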

  • Figure 42
  • Figure 43
  • About the FBI

    Herbert Stapleton
    Deputy Assistant Director, FBI Cyber

    Over the past decade, the cyber threat has grown exponentially with nation state and cyber criminals increasing the scale, scope, and level of sophistication of their cyber attacks. Addressing this kind of complex and agile environment requires a more comprehensive response than any one single government agency, business, technology, or data source can provide. Instead, an interwoven architecture of combined capabilities from across public agencies and the private sector must be leveraged to protect critical infrastructure and impose risk and consequences on attackers.

    The FBI is committed to sharing as much as possible about cyber threats as quickly as possible so the public is alerted and prepared. We strive to be viewed as an indispensable partner, using our unique authorities as a law enforcement agency and member of the United States Intelligence Community to enable government operations against our cyber adversaries and allow the public to enhance their security posture. Because of our unique authorities, world-class capabilities, enduring partnerships, and presence we can conduct investigations, collect intelligence, and interact with victims – all in pursuit of attribution. Attribution is what allows the U.S. government to impose risk and consequences on our adversaries and prioritize our operations with our partners, including the private sector. Cyber [Combatting cyber crime] is the ultimate team sport and we all must be committed to using every tool we have at our disposal to address the cyber threat.

    Of utmost importance to the FBI, and a key component of our foundational cyber strategy, is the ability to share relevant and actionable information with our government partners, the international community, private industry, and the public. But we also rely on the information received from our partners, private industry, and victims to develop a broader picture of cyber threats. The Internet Crime Complaint Center (IC3) serves as a reliable, convenient tool for submitting information to the FBI about suspected internet-facilitated criminal activity, while also developing effective partnerships with law enforcement and private sector entities. Information provided to the IC3 is further analyzed, resulting in investigative leads or the identification of new or emerging cyber threats. We share what we’ve learned through our analysis of IC3 data with the public and private industry through PSAs, alerts and reports such as the DBIR.

    For the 2021 DBIR, the FBI’s IC3 focused on supplying data specifically for business email compromises/email compromises (BEC/EAC), and other data breach incidents reported to IC3. In recent years, the FBI’s IC3 has observed that BEC/EAC and data breach incidents trend more towards victimizing corporations and/or private sector entities and less on targeting a single individual. IC3 recognizes that the public plays a central role in IC3 being able to understand how cyber criminals are evolving. By submitting a cyber-related complaint, the public is assisting the FBI in addressing those specific complaints, as well as identifying the critical details of developing cyber threat trends.

  • 3 Convenience sampling is a type of nonrandom sampling that involves the sample being drawn from that part of the population that is close at hand or available. More details can be found in our “Methodology” section.

    4 Though we do suggest you put your money on "Trail Blazer" in the third.

    5 Where are my insider threat fans at? Whoop whoop!

    6 This report makes no claim about the validity of such a statement. Please refer to our official spokesperson and legal counsel. The data privacy of our readers is of the utmost importance to us.

    7 And completely obliterate our page count budget.


    9 A less well-known fact is that the wish for wealth redistribution led to the term "Gini in a bottle." Not really, but it would have been cool if it did.

    10 A technical term of art in Data Science, we assure you.

    11 We deeply apologize to the junior U.S. senator from Vermont for the fact that the top 3% of varieties are responsible for 87% of the breaches.

    12 You’re reading the DBIR, and that is a great step in the right direction, if we may say so.

    13 This argument does not consider potential incidents where loss of life or the security of individuals is concerned, as it would make no sense to assign a monetary value to that, and would, in fact, be callous and cruel.

    14 As You Like It, William Shakespeare.

    15 Anyone know if the Cyber+ trademark is available?

    16 Or the hot ethereal cryptocurrency.

    17 Viruphant? Eleplent?


    19 Just like your Momma said.

    20 Mmm…cake.

    21 Emphasis on the “Artificial” not on “Intelligence.”

    22 See the sidebar for what we mean by “random organizations.”

    23 A terrible “pie in the sky” joke was edited out here. You are welcome!

    24 You know, because of patching.

    25 Just don’t call them “boomer vulnerabilities,” or you will start a fight. They might even tell you to get off their lawn.

    26 As we write this section, a Microsoft Exchange Remote Code Execution Vulnerability (CVE-2021-26855) is being actively and massively exploited that has all the ingredients to also be part of this growing background noise of exploitation activity in the internet.

    27 2017 DBIR, Figure 56.

    28 Or your kid, or your running shoes, or something else that keeps you sane.

    29 Android apps.

    30 Observant readers may have noticed the assets section missing anything about Information Technology (IT) vs. Operational Technology (OT) assets. That’s because it was largely missing from our dataset as well. We’ve heard those OT breaches are somewhere, but they’re not in our dataset.

    31 Not the CIA that keeps the alien presence on the DL, the other kind.

    32 It would be fascinating to analyze profitability of different types of attacks from the perspective of the threat actors, but not only do we not believe we have the data necessary; we are not sure if this analysis would benefit the threat actors more than the defenders.


    34 For an additional fee, Verizon will provide a version of the DBIR that replaces all instances of "Cyber" with "Security." See your local Verizon representative for details.

    35 Another elephant? This is a pachyderm-filled space!

    36 More precisely, Paul Bischoff’s (@pabischoff) blog post at

    37 Dr. Frank N. Furter nods approvingly.
