A Fresh Look at Web Application Attack Risk with Cyber Risk Quantification (CRQ)

February 16, 2023  Jeff B. Copeland

Basic web application attacks, the smash-and-grab technique favored by financially motivated cyber attackers, may seem less threatening than supply chain attacks or other brainier methods. But think again. According to the 2023 Cybersecurity Risk Report just out from RiskLens, web application attacks are both the costliest and most frequent events an organization is likely to experience in a year of cybersecurity risk management.

The RiskLens report applies cyber risk quantification, FAIR™ (Factor Analysis of Information Risk) risk-scenario simulations, and data gathered from industry sources such as the Verizon DBIR to rank seven risk categories across nine industries, giving a clearer picture than ever before of the actual impact of top cyber risks.

Often, when cyber risk quantification models are applied to industry data sources, the result is a one-dimensional perspective: a focus on only the most expensive events or only the most frequent events. The RiskLens study ranks risks by average loss exposure (per risk scenario), a summary of how losses play out probabilistically over 10,000 simulated years, incorporating both the magnitude of the loss and the probability of the events. It’s a very useful measurement for CISOs or other security leaders looking to plan security budgets or buy cyber insurance over time.

Why Basic Web Application Attack Leads the Cyber Risk Categories List 

The RiskLens report revealed that basic web application attack is both the relatively most probable and relatively most expensive type of cybersecurity risk management event, resulting in an average loss exposure figure of $5.1 million. That’s nearly twice the figure for a system intrusion attack event, which could be more costly but is less likely than a web application attack.
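The difference between ranking by per-event cost and ranking by average loss exposure can be seen in a small simulation. This is an added illustration, not RiskLens's model or code and not the full FAIR analysis: it assumes at most one loss event per year and a triangular loss distribution, and every input except the 27.7% annual probability quoted on this page is constructed.

```python
import random
from dataclasses import dataclass

YEARS = 10_000  # number of simulated years, matching the report's description


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float  # chance of a loss event in any one year
    loss_min: float            # per-event loss estimates in USD (constructed)
    loss_mode: float
    loss_max: float


def simulate(s: Scenario, years: int = YEARS, seed: int = 1) -> dict:
    """Simulate independent years and summarise the resulting annual losses."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(years):
        if rng.random() < s.annual_probability:
            # random.triangular takes (low, high, mode) in that order
            losses.append(rng.triangular(s.loss_min, s.loss_max, s.loss_mode))
        else:
            losses.append(0.0)
    hits = [x for x in losses if x > 0]
    return {
        # mean over ALL years, so it blends probability and magnitude
        "average_loss_exposure": sum(losses) / years,
        "observed_probability": len(hits) / years,
        "mean_loss_per_event": sum(hits) / len(hits) if hits else 0.0,
    }


# Constructed inputs: only the 27.7% probability comes from the page.
SCENARIOS = [
    Scenario("frequent, moderate loss", 0.277, 0.5e6, 1.5e6, 6.0e6),
    Scenario("rare, severe loss", 0.05, 2.0e6, 5.0e6, 20.0e6),
]


def rank_by(metric: str) -> list:
    """Return scenario names ordered from highest to lowest on one metric."""
    results = {s.name: simulate(s) for s in SCENARIOS}
    return sorted(results, key=lambda n: results[n][metric], reverse=True)


if __name__ == "__main__":
    for m in ("mean_loss_per_event", "observed_probability", "average_loss_exposure"):
        print(f"{m:>22}: {rank_by(m)}")
```

With these inputs the rare scenario ranks first on cost per event, while the frequent scenario ranks first on average loss exposure.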

 2023 RiskLens Cybersecurity Risk Report: Top 2 Industries for Basic Web Application Loss Exposure 

More findings on web application attacks from the RiskLens 2023 Cybersecurity Risk Report and the Verizon DBIR:

  • Among industry sectors, public administration faces the highest loss exposure from this attack form at $18.3 million. (RiskLens)
  • Government agencies face a surprisingly high probability of web application attack in a year at 27.7%. (RiskLens)
  • Over 80% of breaches initiated by web application attack can be attributed to stolen credentials. (Verizon)
  • While other risk categories have had big jumps, no other pattern has seen quite the consistent growth in incidents that basic web application attacks have over the past five years. (Verizon)

Download the 2023 Annual Cybersecurity Risk Report now.

RiskLens offers quantitative cyber risk management solutions built on the FAIR™ standard. Leverage RiskLens to understand your cyber risks in financial terms. Contact us for a demo.