ALPS blog

The Cyber Risk Index 2020 with a global focus

By Jon Clay


The Cyber Risk Index (CRI), launched three years ago by Trend Micro in conjunction with the independent Ponemon Institute, has received a new global version. This year, Europe and Asia-Pacific have been added to the survey, meaning the risk index now offers a global view of the cyber risks that businesses need to cope with.

For the CRI, IT managers from companies of all sizes are surveyed to help determine the level of risk for organisations. It looks at two areas:

The ability of companies to prepare for attacks against them (Cyber Preparedness Index) and
The current assessment of threats targeting them (Cyber Threat Index).
These two indices are used to calculate the overall cyber risk for a company. The basis is a scale from -10 to +10, with negative values indicating a higher risk level.

The global CRI

The current global Cyber Risk Index stands at -0.41, indicating an elevated risk level.

Of the three main regions, the US has the highest risk level compared to Europe and Asia-Pacific. A closer look at the details shows that cyber preparedness is lowest in the US, which has led to the CRI being the highest overall. Surprisingly, the Cyber Threat Index was about the same in all three regions.

In essence, this means that companies in the US were reportedly the least prepared to effectively stop or respond to cyber threats. Since companies in all three regions appear to face threats to the same degree, the US thus had the highest CRI score overall.

The details of the results

The results also reveal the areas of greatest concern across all regions:

  1. In light of the global Covid 19 pandemic, many organisations appear to have felt that their preparedness was a key concern. According to respondents, the following four areas are of greatest concern: organisational misalignment and complexity, unwary insiders, cloud computing infrastructure and providers, and lack of skilled staff.
  2. Many companies have accelerated their adoption of cloud computing this year because of the pandemic. While this is a helpful response to be able to continue operating in the current circumstances, it can lead to greater disruption as new technologies and skills need to be learned. The responses above point to this challenge.
  3. Respondents reported being insufficiently prepared to prevent and mitigate most cyber-attacks, and also not being able to detect zero-day attacks at all. This represented a key area of preparedness that put the index at an elevated level of risk.
  4. Responses to the question about attacks in the past 12 months and future ones in the next 12 months do not bode well for 2021, with 76% of study participants globally having been affected by one or more successful attacks in the past 12 months and 23% by seven or more successful attacks. In addition, 83% say they think it is fairly to very likely they will suffer a successful attack in the next 12 months. Again, this seems to indicate that businesses are not adequately prepared to defend themselves against new attacks.
    The CRI is designed to help companies understand where their highest risks lie, as well as identify areas where they can improve their defensive capabilities. What attackers will do in the future cannot be changed, but the Cyber Threat Index can help understand whether attackers will be more aggressive.

For example, security researchers have produced the CRI three times now for the US, and it has remained consistent, 5.22 for 2018, 5.5 for 2019 and 5.22 for 2020, meaning that the areas that can move the CRI from a negative to a positive (less risk) score are in preparedness.

The following areas of preparedness still need the most work to address the greatest risks:

  • Ensure that the head of IT security (CISO) has sufficient authority and resources to establish a strong security posture
  • Improve the organisation’s ability to know the physical location of business-critical data assets and applications
  • Improvements in organisational misalignments and in the complexity of the security infrastructure
  • Train staff on cyber threats and ensure they see cyber security as a necessary part of their job
  • Adopt cloud computing infrastructure and work with providers to secure it. Train staff tasked with introducing these new technologies so they can implement them safely.
  • Improve the ability to detect and respond to new attacks and provide a more interconnected threat response infrastructure that limits the number of security solutions and provides visibility across the attack lifecycle.

The CRI is an ongoing project that is updated every year to show trends in attack preparedness. Interested parties can also use the website to check the CRI against the current results for their organisation:

In addition, there is the graphical summary of the CRI.

This entry was posted on December 15, 2020 by Marketing Alps in Cloud Security, Data Loss, Hacking, Technologiestrategy, Website Vulnerability. Tags: attack, malicious code, cybercrime, cybercriminals, malware, vulnerabilities, security threats.


Featured News