Issue 1.5 | Beyond Base Rates: Turning IRIS Data into Risk Conversations
The Missing Piece: Which Threats Actually Affect Organizations Like Yours
In This Special Issue:
📊 Incident-Specific Frequencies: Use IRIS 2025 data to move beyond overall probabilities and understand which threats actually affect organizations like yours
🎯 The Complete IRIS Formula: Layer incident types from IRIS 2025 onto your base rates for targeted threat modeling
🗣️ Conversation Transformation: New conversation unlocks that are enabled with IRIS research instead of guesswork
🏠 Your Risk Analysis "Home Lab": Practice these IRIS-based skills even if your company doesn't do quantitative risk yet
Hi!
A few weeks ago in Issue 1, we explored Bayesian thinking and showed you exactly how to extract your organization's base rates from IRIS 2025. We walked through four use cases: establishing base rates, applying sector adjustments, calculating revenue-specific loss magnitudes, and factoring in risk trajectory. You learned the methodology - how to start with what you have and get better over time.
I enjoyed working with the IRIS report so much that I wanted to do one more practical application before Issue 2 drops in early August. Think of this as a quick follow-up that builds naturally on your foundation.
Thank you for reading,
Tony
The Missing Layer in Your Risk Analysis
Where We Are: In Issue 1, you established your organization's sector-specific base rates using IRIS 2025 data. You now have solid, research-backed probabilities for experiencing a significant cyber incident.
The Next Layer: Those base rates tell you about overall incident likelihood, but they don't help you understand which types of incidents are most likely to affect organizations like yours. That's where incident-specific frequencies come in.
The Unlock: By layering incident-specific frequencies onto your base rates, you can move from "we have a 9.9% annual severe incident probability" to "we're most likely to face system intrusion (46% of incidents), followed by ransomware (35%), with accidental disclosure making up 3%."
This enables much more targeted conversations with leadership about where to focus security investments, what scenarios to prepare for, and how different threat types might impact your specific business operations.
IRIS 2025: Calculate Your Incident-Specific Risk
You've built your sector-specific base rates. Now let's drill one layer deeper to understand which types of incidents organizations in your sector actually experience.
The Complete Formula
Incident-Specific Risk = Base Rate × Revenue adjustment × Sector adjustment × Incident Type %
Step 1: Get Your Base Rate
Current annual probability of any incident: 9.3% (Figure 6, p. 11)
This is your starting point: the likelihood that a typical organization will experience any significant cyber incident that requires disclosure.
Step 2: Adjust for Your Revenue Size
Source: Figure A2, p. 34
Find your revenue-tier multiplier:
Less than $10M: 0.60x
$10M to $100M: 0.67x
$100M to $1B: 0.80x
$1B to $10B: 1.20x
$10B to $100B: 2.49x
More than $100B: 3.46x
Step 3: Adjust for Your Industry
Source: Figure A1, p. 34
Apply your sector-specific multiplier:
Healthcare: 1.34x
Financial: 1.44x
Information: 1.55x
Education: 1.60x
Professional: 1.50x
Manufacturing: 1.03x
Utilities: 0.62x
Retail: 1.19x
Note: These are a few of the sectors on page 34; refer to the report for the full list.
Step 4: Apply Incident Type Frequency
Source: Figure 2, p. 5
Current incident pattern breakdown (2024):
System intrusion: ~46%
Ransomware: ~35%
DoS attack: ~8%
Accidental disclosure: ~3%
Insider misuse: ~2%
Defacement: ~1%
Scam or fraud: ~1%
Physical threat: ~1%
System failure: ~1%
Note: Percentages are approximate readings from Figure 2 and may not sum to exactly 100% due to rounding
Real-World Example
Healthcare organization, $500M revenue - Complete incident probability breakdown:
Steps 1-3: Calculate sector-adjusted base rate
Step 1: Base rate = 9.3%
Step 2: Revenue adjustment = 9.3% × 0.80 = 7.4%
Step 3: Sector adjustment = 7.4% × 1.34 = 9.9%
Step 4: Calculate probabilities for all incident types
Using the sector and revenue-adjusted rate of 9.9%, here are the annual probabilities for each incident type:
System intrusion: 9.9% × 0.46 = 4.6% (highest risk)
Ransomware: 9.9% × 0.35 = 3.5% (second highest)
DoS attack: 9.9% × 0.08 = 0.8%
Accidental disclosure: 9.9% × 0.03 = 0.3%
Insider misuse: 9.9% × 0.02 = 0.2%
Defacement: 9.9% × 0.01 = 0.1%
Scam or fraud: 9.9% × 0.01 = 0.1%
Physical threat: 9.9% × 0.01 = 0.1%
System failure: 9.9% × 0.01 = 0.1%
What this means:
Our large healthcare organization has:
A 4.6% annual probability of system intrusion
A 3.5% annual probability of ransomware
Much lower probabilities for other incident types
Strategic insight: Security investments should prioritize credential protection and access controls (system intrusion defense) and backup/recovery capabilities (ransomware defense), as these represent over 80% of the organization's incident risk profile.
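The four steps above, implemented as a small calculator. This is an added example, not code from the newsletter or from the IRIS report; the multipliers and incident-type shares are the values quoted in the article, the function and variable names are this example's own, and the "healthcare, $500M" run is the article's worked example. One difference from the article: the code carries full precision through steps 1-3 (giving 9.97% rather than the article's step-rounded 9.9%), so the per-type probabilities it prints round to the same figures as the article's.

```python
"""Incident-specific annual probability calculator (added example).

Multipliers and incident-type shares are the values quoted in the article
from IRIS 2025 (Figures 6, A1, A2 and 2). Names are this example's own.
"""
from typing import Dict, List, Tuple

# Step 1: base annual probability of any significant incident (Figure 6, p. 11).
BASE_RATE = 0.093

# Step 2: revenue-tier multipliers (Figure A2, p. 34). Each tier is keyed by
# its exclusive upper bound in USD; the top tier has no upper bound.
REVENUE_TIERS: List[Tuple[float, float]] = [
    (10_000_000, 0.60),       # less than $10M
    (100_000_000, 0.67),      # $10M to $100M
    (1_000_000_000, 0.80),    # $100M to $1B
    (10_000_000_000, 1.20),   # $1B to $10B
    (100_000_000_000, 2.49),  # $10B to $100B
    (float("inf"), 3.46),     # more than $100B
]

# Step 3: sector multipliers (Figure A1, p. 34); only the sectors the article lists.
SECTOR_FACTORS: Dict[str, float] = {
    "healthcare": 1.34, "financial": 1.44, "information": 1.55,
    "education": 1.60, "professional": 1.50, "manufacturing": 1.03,
    "utilities": 0.62, "retail": 1.19,
}

# Step 4: 2024 incident-pattern shares (Figure 2, p. 5), approximate readings
# that sum to about 0.98 because of rounding.
INCIDENT_SHARES: Dict[str, float] = {
    "system intrusion": 0.46, "ransomware": 0.35, "dos attack": 0.08,
    "accidental disclosure": 0.03, "insider misuse": 0.02, "defacement": 0.01,
    "scam or fraud": 0.01, "physical threat": 0.01, "system failure": 0.01,
}


def revenue_factor(revenue_usd: float) -> float:
    """Return the multiplier for the revenue tier containing revenue_usd."""
    if not revenue_usd >= 0 or revenue_usd == float("inf"):
        raise ValueError("revenue must be a finite, non-negative number")
    for upper_bound, factor in REVENUE_TIERS:
        if revenue_usd < upper_bound:
            return factor
    raise AssertionError("unreachable: top tier is unbounded")


def adjusted_base_rate(revenue_usd: float, sector: str,
                       base_rate: float = BASE_RATE) -> float:
    """Steps 1-3: base rate x revenue factor x sector factor, full precision."""
    try:
        sector_factor = SECTOR_FACTORS[sector.lower()]
    except KeyError:
        raise ValueError(f"no multiplier on file for sector {sector!r}") from None
    return base_rate * revenue_factor(revenue_usd) * sector_factor


def incident_specific_risk(revenue_usd: float, sector: str) -> Dict[str, float]:
    """Step 4: annual probability of each incident type, highest first."""
    rate = adjusted_base_rate(revenue_usd, sector)
    risks = {name: rate * share for name, share in INCIDENT_SHARES.items()}
    return dict(sorted(risks.items(), key=lambda kv: kv[1], reverse=True))


def top_n_share(risks: Dict[str, float], n: int = 2) -> float:
    """Fraction of the total per-type probability carried by the n largest types."""
    values = sorted(risks.values(), reverse=True)
    return sum(values[:n]) / sum(values)


if __name__ == "__main__":
    # The article's worked example: healthcare organization, $500M revenue.
    revenue, sector = 500_000_000, "healthcare"
    print(f"Adjusted base rate: {adjusted_base_rate(revenue, sector):.2%}")
    risks = incident_specific_risk(revenue, sector)
    for name, p in risks.items():
        print(f"  {name:<22} {p:.1%}")
    print(f"Top two types carry {top_n_share(risks):.0%} of the per-type total")
```

Because revenue tiers are half-open (an organization at exactly $10M lands in the "$10M to $100M" tier), the boundary handling is worth checking whenever you transcribe a new edition's table; the share fractions not summing to 100% is why the top-two share is reported against the per-type total rather than the adjusted base rate.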
The Conversations This Enables
With CFOs/Finance:
Before: "We need more security budget because cyber threats are increasing."
After: "Industry data shows our organization has a 15% probability of losses exceeding $2M annually and 8% probability of exceeding $5M - both above our risk tolerance thresholds of 10% and 5% respectively. Here's how additional investments would bring us back within our acceptable risk parameters."
With Business Unit Leaders:
Before: "Everyone needs security awareness training because we're at risk."
After: "Research shows system intrusion represents 46% of incidents in our sector, with credential compromise being a primary attack vector. Our sector has an approximately 9.9% annual probability for severe incidents, making credential security our highest-impact risk reduction opportunity. Here's how your team's practices affect our overall risk profile."
With Board/Executives:
Before: "Cyber risk is a major concern we need to address."
After: "Research shows large healthcare organizations face approximately 9.9% annual incident probability with $555K median costs. Our security program has moved us below our peers to approximately 8%. The 95th percentile scenario is $14.6M - here's our resilience strategy for extreme events."
What Really Changes
Notice what happened in every conversation? You stopped defending and started analyzing. You're no longer the person who "thinks cyber is risky" - you're the person who can speak the language of business to executives.
This is what mature risk management looks like: using peer-reviewed research with transparent methodology instead of anecdotes and fear.
🎯 Your Next Steps
Calculate your top 3 incident probabilities using this method
Multiply by potential loss estimates (see IRIS 2025 loss data by sector/revenue)
Upgrade your conversations: budgeting, insurance planning, and board presentations
Update annually as baseline probabilities and threat landscapes evolve
🏠 Homework: Pick One Conversation
Your assignment: Choose one conversation you need to have in the next two weeks where you've been struggling with credibility or budget approval.
Calculate your incident-specific probabilities using the formula above
Use the conversation frameworks to build your specific analysis
Lead with "Industry research shows..." instead of "I think..."
Watch how the conversation changes
The goal isn't perfection - it's moving from opinion to analysis.
Your Risk Analysis "Home Lab"
What if your company doesn't do quantitative risk analysis, but you still want to try these techniques?
Here's my recommendation: do this stuff at home anyway.
Other people in the security field always talk about having a "home lab" - spinning up VMs, practicing penetration testing, learning new tools. This is our version of a home lab: practicing quantitative risk analysis.
Why this matters:
Skill development: These analytical skills transfer to every risk conversation you'll ever have
Pattern recognition: The more assessments you build, the better you get at spotting what matters
Confidence building: When you do get the chance to do this professionally, you're already practiced
Career advancement: Quantitative risk skills are becoming table stakes for senior security roles
Practice scenarios to try:
Pick a company from recent breach headlines and reverse-engineer their risk profile
Model your previous employer's risk using public information
Build risk comparisons between different sectors you're curious about
Practice the conversation frameworks with industry colleagues
Think of it as professional development, not just a theoretical exercise. Every assessment you build makes you better at the next one.
🔑 Key Takeaways
For Leadership Conversations: Stop saying "we have high cyber risk." Start saying "Based on IRIS 2025 data, organizations like ours face a 4.6% chance of system intrusion and 3.5% chance of ransomware this year. These aren't generic estimates; they're based on what actually happened to similar organizations in our sector."
For Security Planning: Focus defensive investments on your top 2-3 calculated risks rather than spreading resources equally across all possible threats. In our healthcare example, system intrusion (4.6% probability) and ransomware (3.5% probability) represent over 80% of the incident risk profile.
For Budget Conversations: Use the complete formula (Base Rate × Revenue Factor × Sector Factor × Incident Type %) to move from opinion-based requests to real risk analysis. "Without this $200K investment, we have a 15% chance of losses exceeding $5M annually. With it, that drops to 8% chance of exceeding $2M" is a CFO conversation.
The way I framed risk above is called a loss exceedance statement. Statements like these are much stronger than heat maps because they:
Show tail risk (the really bad scenarios CFOs worry about)
Use probability language that executives understand from other business decisions
Focus on the "what if we get unlucky" scenarios that keep leadership awake at night
Mirror how insurance and financial risk are typically discussed in boardrooms
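A worked version of a loss exceedance statement, added here as an example and not taken from the newsletter or from IRIS. It assumes per-incident loss is lognormal, fitted to the two points the article quotes for large healthcare organizations (median $555K, 95th percentile $14.6M), and treats the adjusted incident probability (9.9%) as the chance of at most one incident per year, so annual exceedance is incident probability times conditional exceedance. The 15%/8% figures in the article's conversation scripts are illustrative and are not what this fit produces; the "with investment" case simply reuses the article's 8% peer-beating probability.

```python
"""Loss exceedance from an incident probability and a loss distribution.

Added example. Assumes a lognormal per-incident loss fitted to a median and
a 95th percentile, and at most one incident per year. Names are this
example's own.
"""
import math
from typing import List, Tuple

Z_95 = 1.6448536269514722  # standard-normal 95th percentile


def normal_cdf(z: float) -> float:
    """Standard normal CDF via the error function."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


class LognormalLoss:
    """Per-incident loss, fitted from its median and 95th percentile."""

    def __init__(self, median: float, p95: float):
        if not (0 < median < p95):
            raise ValueError("need 0 < median < p95")
        self.mu = math.log(median)                 # log-median
        self.sigma = math.log(p95 / median) / Z_95  # spread from the tail point

    def exceedance(self, threshold: float) -> float:
        """P(loss > threshold | an incident occurs)."""
        if threshold <= 0:
            return 1.0
        z = (math.log(threshold) - self.mu) / self.sigma
        return 1.0 - normal_cdf(z)


def annual_exceedance(p_incident: float, loss: LognormalLoss,
                      threshold: float) -> float:
    """P(a loss above threshold this year), with at most one incident per year."""
    if not 0.0 <= p_incident <= 1.0:
        raise ValueError("p_incident must be a probability")
    return p_incident * loss.exceedance(threshold)


def exceedance_table(p_incident: float, loss: LognormalLoss,
                     thresholds: List[float]) -> List[Tuple[float, float]]:
    """Threshold / annual-probability pairs, in ascending threshold order."""
    return [(t, annual_exceedance(p_incident, loss, t)) for t in sorted(thresholds)]


def exceedance_statement(p_incident: float, loss: LognormalLoss,
                         thresholds: List[float]) -> str:
    """Render the table as the kind of sentence a CFO conversation uses."""
    parts = [f"{p:.1%} probability of losses exceeding ${t/1e6:.1f}M"
             for t, p in exceedance_table(p_incident, loss, thresholds)]
    return "Annually we have " + " and ".join(parts) + "."


if __name__ == "__main__":
    # Constructed from the article's large-healthcare figures.
    loss = LognormalLoss(median=555_000, p95=14_600_000)
    thresholds = [2_000_000, 5_000_000, 14_600_000]
    print("Sector-adjusted (9.9%):", exceedance_statement(0.099, loss, thresholds))
    print("Below peers (8.0%):    ", exceedance_statement(0.080, loss, thresholds))
```

Two checks are built into the fit: conditional exceedance at the median must be exactly 50% and at the 95th-percentile input exactly 5%, so a transcription error in either figure shows up immediately. Modelling an investment as a lower incident probability scales every row of the table by the same factor; an investment that shortens the tail (better recovery) would instead lower the 95th percentile and change the rows unequally.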
For Professional Development: Practice these calculations even if your company doesn't do quantitative risk yet. These analytical skills transfer to every risk conversation you'll ever have and are becoming table stakes for senior security roles.
What's Coming
A note on IRIS focus: I know we've spent significant time on IRIS 2025 between Issues 1 and 1.5. That's intentional. The last IRIS was published in 2022, and it's genuinely one of the most important resources a cyber risk analyst has. Getting the most value out of this research felt worth the deep dive.
But we're moving on from here. Issue 2 will shift focus to completely different things.
✉️ Contact
Have a question about this issue or risk analysis in general? Here's how to reach me:
Reply to this newsletter, if you receive it via email
Comment below
Connect on LinkedIn
Had success with any of the content here? Hit reply and share your story. These become case studies for future issues.
❤️ How You Can Help
Forward this to someone who needs to upgrade their risk conversations
Click the ❤️ or comment if you found this useful
Tell me what topics you want covered next
If someone forwarded this to you, please subscribe to get future issues.
- Tony
Great article Tony! I noticed many of your frequency estimates have two significant digits, and was curious, why did you choose to do that?