Cyber risk is often discussed in headlines rising attacks, record-breaking breaches, increasing losses. But what does the data actually say?
To explore this, I analyzed 3,000 cybersecurity incidents across multiple industries between 2015 and 2024 using Python (Pandas and Matplotlib). The objective was to understand patterns in financial impact, sector exposure, and control effectiveness from a governance and risk perspective.
Are Attacks Increasing?
Interestingly, incident frequency remained relatively stable across the 10-year period. While there were natural fluctuations year to year, the dataset does not show sustained growth in attack volume.
From a risk management standpoint, this suggests steady exposure rather than escalating frequency — at least within this dataset.
Which Industries Are Most Affected?
Financial losses were broadly distributed across sectors.
Although IT recorded the highest total loss, the difference between industries was not dramatic. Banking, Government, Healthcare, Retail, and Telecommunications all showed comparable exposure levels.
This indicates that cyber risk is systemic rather than concentrated in one high-risk sector. It is a cross-industry issue.
Do Certain Controls Reduce Financial Impact?
When comparing median financial losses across defense mechanisms, no single control dramatically reduced impact.
Firewall-associated incidents showed slightly lower median loss, but the differences between controls were relatively small.
This reinforces a key governance principle: layered security matters more than relying on one solution.
Which Vulnerabilities Are Most Expensive?
Social engineering incidents showed the highest median financial loss, closely followed by zero-day vulnerabilities.
This highlights an important reality:
Cyber risk is both technical and human.
Organizations must invest not only in infrastructure and detection systems, but also in awareness, training, and behavioral risk management.
Overall Risk Interpretation
The data shows that:
- The number of incidents stayed fairly stable over time
- Cyber risk affects many industries, not just one
- Security controls perform at similar levels
- Human-focused attacks, like social engineering, tend to cause slightly higher financial losses
From a governance point of view, cyber risk is spread across sectors and comes from different sources. It is not caused by one single major threat.
This means organizations need a balanced approach combining strong technical controls, user awareness, and clear oversight from leadership. The pictures are below
If you are working in cyber risk or governance, I will be interested in your perspective: Are you seeing similar patterns in your sector? Write in the comments below
The full Jupyter Notebook and supporting files are available on GitHub: https://github.com/Iyetunde/Cyber-risk-analysis-2015-2024
