In the second half of 2022, we again ran the Trend Micro Cyber Risk Index (CRI) to gauge the shifts in how organizations viewed their cyber risk. We included North America, Europe, Asia-Pacific, and Latin/South America, giving us a truly global view of the cyber risk organizations are dealing with today. For the first time ever, the CRI moved into the moderate range with a score of +0.01.
The CRI is a collaborative effort between Trend Micro and the Ponemon Institute to survey respondents. In the 2H'2022, we surveyed over 3,700 businesses across the four regions of many sizes and industries. The CRI looks to identify the cyber risk level organizations have based on two areas:
- Their ability to prepare for cyber-attacks targeting them (cyber preparedness index - CPI)
- The current assessment of the threats targeting them (cyber threat index - CTI)
These two are used to calculate the overall cyber risk of an organization based on a -10 to +10 scale, where negative results represent a higher risk level. Effectively we calculate the CRI by subtracting the CTI from the CPI (CRI = CPI – CTI).
The Global and Regional CRI
The current global cyber risk index is at +0.01, considered a moderate risk level and higher than 1H'2022 when it was -0.15. Globally, this means many organizations have been doing better at preparing for an attack (CPI). In this iteration, we also saw an improvement in the CTI, meaning respondents felt the threat landscape improved. This may be due to ransomware appearing to drop during the second half of 2022.
Digging into each of the four regions, North America's CRI was the most elevated of the regions coming in at -0.10, with their CPI worsening negligibly from 5.30 to 5.29 (a lower CPI number means higher risk), and their CTI dropped from 5.63 to 5.39 (a lower CTI means lower risk). While the CRI improved from -0.33 to -0.10, the improvement is due to the respondents indicating the CTI was more improved than the CPI worsened and is still in the elevated range.
Europe's overall CRI improved from -0.12 to +0.12, which put them in the moderate range and was the most positive of all regions. Europe's preparedness improved from 5.05 to 5.39, but their threat index was worse, 5.17 in 1H to 5.27 in 2H, but due to their preparedness overcoming the threat landscape led to a better CRI.
Asia/Pacific saw their cyber risk move into the moderate risk level again after a brief moment in the elevated risk level due to a significant decrease from the second half (-0.11 to +0.05). Their improved CRI was mainly due to an improved CPI going from 5.33 to 5.47. Like Europe, their threat risk (CTI) got slightly worse going from 5.44 to 5.42.
Latin/South America's risk stayed the same from the first half, staying at an elevated risk level of -0.03. While the CRI remained the same, their CPI did worsen very slightly (5.27 to 5.22), and their CTI improved slightly (5.30 to 5.25).
Essentially, this means that businesses in North America and Latin/South America are reportedly the least prepared to effectively stop or respond to cyber threats in the second half. Since businesses across all four regions seem to face equal levels of risk (moderate cyber preparedness index and elevated cyber threat index), they are all close to the 0.00 level today. But it is good to see the regional and global risk improve. Still, all must continue looking for ways to improve their preparedness as it is difficult to change the malicious actors and the threat landscape as these are out of most businesses' capabilities.
The Details of the 2H'2022 CRI
The infographic shares a lot of the details found in the first half CRI survey. https://www.trendmicro.com/en_us/security-intelligence/breaking-news/cyber-risk-index.html#
Here I want to investigate some of the responses around the risks we found in people, processes, and technology.
Based on the results, these are the areas of preparedness that most need work to address the perceived areas of highest risk, meaning these questions were answered with the lowest scores (highest risk):
- People: "My organization's senior leadership does not view security as a competitive advantage."
- Process: "My organization's IT security function doesn't have the ability to unleash countermeasures (such as honeypots) to gain intelligence about the attacker."
- Technology: "My organization's IT security function does not have the ability to know the physical location of business-critical data assets and applications."
The number of breaches organizations suffered in the last 12 months and the likelihood of a breach occurring in the next 12 months have all improved since the 1H'2022 survey, contributing to a lower risk level globally.
The CRI is ongoing, and we are moving to a once-per-year report to show trends around the ability to prepare and withstand attacks. I'm looking forward to seeing how the global respondents may change their perceptions in the future.
Until then, enjoy the 2H'2022 CRI results, and if you want more information about how the survey is conducted, check out the methodology here. https://www.trendmicro.com/en_us/security-intelligence/breaking-news/cyber-risk-index.html