A Data-Driven View of Cyber Risk Structure: How Attack Pressure and Exposure Shape Damage

The analysis also showed that Attack Pressure had the strongest overall relationship with Damage. However, organizations operating under similar Attack Pressure conditions still showed substantial variation in Damage outcomes, which means there were some organizations facing intense Attack Pressure that still appeared to constrain damage relatively effectively.

This suggests that cyber damage may not be determined by attack volume alone and that Detection & Response Capability also plays a meaningful role in shaping outcomes. 

To help organize this relationship, TrendAI™ Research introduced a Cyber Risk Positioning Map that combines the Cyber Risk Index (CRI) with a supplementary Detection & Response Capability Score. Note that this is not a predictive model but rather a practical framework for understanding why organizations in similar attack environments could still experience different results, and where to focus security investment priorities. 

To examine how these relationships appear at a sector level, organizations were classified into six broader industry groups, and an industry cyber risk landscape was constructed using the mean values of Attack Index, Exposure Index, and Damage Months for each group.

Figure 2. The industry cyber risk landscape

The analysis showed meaningful differences in attack environments across industries, with Financial organizations and Technology, Media, and Communications organizations showing relatively high average Attack Pressure compared to other sectors.

Industry averages alone were not enough to explain actual organizational risk, as organizations within the same industry still showed wide variation in Attack Pressure, Exposure, and Damage outcomes. Industry context is useful for understanding broad tendencies, but it does not fully determine the risk faced by any individual organization.

More information on these groups can be found in the PDF.
 

Three operational principles follow from the data.

1. CRI becomes more actionable when interpreted together with Attack Pressure, Exposure, and the extent to which harmful activity can be constrained in practice.
2. The combination of Attack Pressure and Exposure is more informative than either factor alone. The same exposure level carries different practical weight depending on the surrounding attack environment.
3. Risk reduction requires action on two fronts. The first is reducing the conditions that make initial compromise more likely (vulnerabilities, misconfigurations, unnecessary surface area). The second is strengthening the ability to detect, investigate, and contain harmful activity before it develops into persistent damage.

Looking at the three principles through a driving analogy:
 

Driving through dangerous conditions does not automatically lead to an accident, but when harsh external conditions, vehicle weaknesses, and poor reaction capability combine, the likelihood of serious outcomes increases significantly.

Industry differences may also resemble different types of vehicles operating under different road conditions. A sports car, SUV, and heavy truck can face the same highway differently just as different industries face different operational realities, exposure conditions, and response challenges even when operating in broadly similar environments.

Figure 3. The Industry Cyber Risk Positioning Map.
Note: The numbers in each circle specify the sample size for each industry group.

In the Cyber Risk Positioning Map, organizations operating under different combinations of Attack Pressure, Exposure, and apparent damage containment can still occupy very different positions even when overall risk scores appear similar.

The map introduces an additional perspective by combining the CRI with the Detection & Response Capability Score to make it easier to visualize how severe the surrounding risk environment can be and how effectively harmful activity appears to be constrained in practice. The map provides a more operational and actionable way to interpret organizational risk conditions that can help organizations better understand how to improve their efforts:

• Organizations positioned toward the right side should focus on reducing exposure and understanding which external conditions drive their elevated CRI.
• Organizations positioned lower on the vertical axis should examine whether harmful activity is being constrained effectively relative to their Attack Pressure.
• Organizations in the lower-right corner should prioritize both simultaneously.

Over time, organizations can reassess their position as telemetry changes to track whether they are moving toward a more favorable risk structure or remaining static.

Download the PDF

One of the broader implications of this study is that the CRI becomes more actionable when organizations understand the underlying conditions contributing to it. What matters is not only the overall risk score, but also:

• The level of Attack Pressure surrounding the organization
• The Exposure conditions that may amplify risk
• The effectiveness with which harmful activity appears to be constrained

Industry context also proved useful for identifying broad tendencies in the attack environment, but substantial variation within the same industry confirmed that actual cyber risk is formed at the organizational level. We recommend that enterprises maximize TrendAI Vision One® solutions to understand their cyber risk through the lens of Attack Pressure, Exposure, and Detection & Response Capability to better determine:

• Whether Exposure reduction should be prioritized.
• Whether Detection & Response Capability requires additional investment.
• Whether both need to be strengthened together.

By viewing the CRI through this broader operational context, organizations may be better positioned to make clearer and more practical cyber risk decisions.