Is it a Myth That Cyber is the Top Risk?

Key Takeaways

  • Cyber Risk Trends: Over the past few years, average cyber exposure as a percentage of revenue has been dropping. The 12-month average through March 2025 was 1.32%, down from 2.84% for the same period ending March 2022.
  • Cyber Exposure vs. Cyber Risk: The decrease in cyber exposure reflects better risk management, such as improved ransom negotiations, cost economies, and countermeasures like third-party services.
  • Context Matters: Averages across organizations don’t reflect individual risk levels. Companies must assess their own cyber risk rather than relying on broad surveys or reports.
  • Potential vs. Current Exposure: There’s a distinction between potential (inherent) risk and current (residual) risk. Surveys typically reflect potential risk, while analyses like X-Analytics focus on actual, mitigated exposure.
  • Control Risk: If the level of control risk (how likely it is that controls will fail) is unacceptable, cyber can become a top risk for an organization.

Deep Dive

In his most recent article, Norman Marks asks whether cyber truly stands as the top risk for organizations today. While surveys consistently rank cyber among the leading risks, if not the leading risk, Norman digs into the incident data behind those rankings and offers a different perspective on whether they reflect the reality organizations face.

The Reality Behind Cyber Risk

Survey after survey shows cyber as one of, if not the top source of risk for organizations worldwide. But is it?

I have previously shared reports from IBM on the cost of a data breach. In their 2024 report with the Ponemon Institute (their latest), they tell us that the average cost of a breach last year was $4.88 million. This reflects the “experiences of 604 organizations and 3,556 cybersecurity and business leaders hit by a breach.” That doesn’t sound like a top risk to me!

I have been talking to the people at X-Analytics, a vendor of cyber risk management software. Over the last three years, their software (which is used, they say, by over a thousand organizations) has captured actual information from over 150,000 security incidents across 40,000 organizations. They have given me permission to share the results below.

What it says is that over the last twelve months, the average cyber exposure as a percentage of revenue has been just 1.32%. (1.24% is the average for the month of March.) It also says that the average by month as a percentage of revenue has been dropping since December 2023.

I asked them for some historical figures. These are the averages for the 12 months through the end of March:

  • 2025 = 1.32%
  • 2024 = 1.72%
  • 2023 = 2.10%
  • 2022 = 2.84%

X-Analytics explained:

Cyber exposure has been decreasing since the height of ransomware post-COVID. There are some reasons for this:

  • Companies are better with negotiating ransom payments.
  • There is an economy of scale across direct and indirect incident costs.
  • Most regulatory fines are modest.
  • Associated reputation damage is decreasing.
  • Organizations are maturing, and many countermeasures are inherent via third-party products (such as cloud services, Swift Messaging, etc.)

Does this look like cyber is the #1 source of risk for most organizations? No.

BUT… Two things. First, these are averages across many organizations. Everyone needs to understand their own level of cyber risk. Do not rely on surveys like IBM’s, the analysis of X-Analytics and others, or the dramatic words of consultants eager to sell their services. Figure out your specific level of risk given your unique circumstances.

Second, we are talking about apples and apple pie. The first is raw and the second is cooked. I may be wrong, but when executives and others answer surveys about cyber risk, they are thinking of the level of risk without countermeasures. X-Analytics and IBM/Ponemon are looking at the current level of risk given the countermeasures actually in place. They call that “cyber exposure.”

Maybe apples and apple pie is a poor analogy. Maybe a medieval knight entering battle with and without a suit of armor. Maybe we should talk about “potential exposure” (I don’t like the term “inherent risk”) and “current exposure” (which some call “residual risk”).

The survey respondents are talking about potential, and the analyses are looking at current exposure or actual consequences. The difference represents the effect of the controls and other countermeasures in place. But then we have something called “control risk.” This is the likelihood that controls will fail such that the objective (managing the risk) is not achieved.

This gives us a number of possibilities:

  • If the level of potential exposure (the range of effects on enterprise objectives) is acceptable, I would not expect cyber to be considered a top risk by management or the board.
  • If the level of potential exposure is not acceptable but the level of current exposure is, then it might still be considered a serious risk.
  • If the level of control risk (the possibility that controls will fail massively) is acceptable, then it might not be a serious risk.
  • But if the level of control risk is not acceptable, I would expect cyber risk to be a top risk.
  • If both the levels of potential and current exposure are unacceptable, it would be a top risk.

But there are many “top risks,” including the risk of a recession, adverse currency fluctuations, the failure to develop successful new products, the loss of key employees, and so on. It would take a lot, IMHO, for cyber to be the #1 risk.

When actual breaches have a minimal impact (with highly-publicized exceptions), I believe there are greater risks to worry about. But that’s just my opinion. What’s yours?

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.