📚 Data Sources & Citations
All simulation data is derived from the following peer-reviewed and industry-leading cybersecurity reports published in 2025.
IBM Cost of a Data Breach Report 2025
- ▸ Global avg cost of a data breach: $4.44M (down 9% from 2024 record)
- ▸ U.S. data breach cost reached record high of $10.22M
- ▸ Healthcare: $7.42M avg breach cost (highest industry)
- ▸ Financial services: $5.56M avg breach cost
- ▸ Ransomware avg cost: $5.08M
- ▸ Phishing: #1 initial attack vector at 16% of breaches
- ▸ AI/automation reduced breach costs by avg $1.9M and cut lifecycle by 80 days
- ▸ Organizations using zero trust saw $1.76M lower breach costs
- ▸ Avg breach lifecycle: 241 days (9-year low)
Sophos State of Ransomware 2025
- ▸ 32% of ransomware in 2025 began with exploited vulnerabilities
- ▸ 23% began with compromised credentials
- ▸ 18% began with phishing
- ▸ 50% of attacks resulted in data encryption - lowest in 6 years
- ▸ Mean recovery cost (excl. ransom): $1.53M (down 44% YoY)
CrowdStrike Global Threat Report 2026
- ▸ 89% increase in attacks by AI-enabled adversaries in 2025
- ▸ Average eCrime breakout time dropped to just 29 minutes
- ▸ 82% of detections in 2025 were malware-free
- ▸ Fastest recorded eCrime breakout time: 27 seconds
- ▸ ChatGPT mentioned 550% more than any other AI model in criminal forums
Verizon Data Breach Investigations Report (DBIR) 2025
- ▸ Human element is root cause of 68% of data breaches
- ▸ Median ransomware payment fell to $115,000
- ▸ 64% of ransomware victims refused to pay in 2024
- ▸ Use of stolen credentials remains top threat type
WEF Global Cybersecurity Outlook 2025
- ▸ 42% of organizations experienced a successful social engineering attack
- ▸ 47% cite AI adversarial capabilities as top GenAI concern
- ▸ 57% of CEOs rank ransomware as #1 organizational cyber risk
- ▸ Supply chain disruption: 2nd biggest concern among CISOs
Acronis Cyberthreats Report H1 2025
- ▸ Manufacturing was #1 targeted industry in Q1 2025 (15% of all cases)
- ▸ Number of publicly known ransomware victims in H1 2025 increased ~70% vs prior years
- ▸ Manufacturing and supply chain accounted for 20%+ of Cl0p ransomware campaign cases
Cloudflare DDoS Threat Report 2024-2025
- ▸ DDoS attacks increased by 46% in 2024 vs 2023
- ▸ Application-layer DDoS attacks increased 15% in Q2 2023
iProov Deepfake & Biometric Threat Report 2025
- ▸ 47% of organizations have experienced deepfake attacks
- ▸ AI-generated synthetic identities increasingly used in fraud
Fortinet 2025 Threat Landscape Report
- ▸ Global cybersecurity spending to grow 12.2% in 2025 (IDC)
- ▸ 85% of cybersecurity professionals attribute rising attacks to generative AI
- ▸ Cybercrime annual cost projected to reach $23 trillion by 2027
Varonis Cybersecurity Statistics 2025
- ▸ In 2025, automated/bot traffic accounts for 51% of all web traffic
- ▸ 820,000 IoT attacks per day in 2025
- ▸ Average ransomware payout rose to ~$1M in 2025
- ▸ Security AI reduced breach costs by 34%, saving $1.9M on average (IBM)
Cybersecurity Ventures / Cybercrime Magazine 2025
- ▸ Cybercrime projected to cost $10.5 trillion globally by 2025
- ▸ Ransomware remains the fastest-growing category of cybercrime
- ▸ 41% of ransomware families include AI-driven components (SQ Magazine)
CSIS Significant Cyber Incidents Timeline 2025
- ▸ 2025 saw major breaches at SimonMed (1.2M patients), Vietnam Airlines (23M records)
- ▸ Medusa, RansomHub, and Lynx among most active ransomware groups
- ▸ State-sponsored actors from Russia, China, North Korea remain highly active
Risk Vector's simulation engine uses a probabilistic Monte Carlo-style approach combined with the FAIR (Factor Analysis of Information Risk) framework for risk quantification. Attack probabilities, costs, and scoring are derived from published 2025 industry data and normalized within company size tiers for accurate peer comparison.
Measures the weighted coverage of active countermeasures against relevant threats. Each attack type is weighted by its relevance to the company's industry and size tier. Higher = better defended. (Deterministic — same inputs always produce the same score.)
Annualized Loss Expectancy (ALE) normalized against a same-size peer reference — the worst-case company in your size tier (healthcare industry, highest-risk state, zero defenses). This ensures a small business facing proportionally high risk scores appropriately, rather than appearing low-risk simply because its dollar exposure is smaller than an enterprise's. Preparedness reduces risk by up to 30%. (Deterministic. Based on FAIR framework ALE methodology, IBM 2025, Hiscox 2025.)
Reflects the outcome of this specific simulation run, benchmarked against the undefended ALE for your company profile. A score of 50 means losses equaled what's statistically expected with zero defenses; 100 means losses reached 2× the expected undefended loss — a catastrophic outcome. Uses a size-appropriate loss cap with minimum floors per company tier to prevent distorted results for low-revenue companies. (Stochastic — varies between runs. Based on FAIR ALE benchmarking, IBM 2025, Hiscox 2025.)
Total simulated losses are capped at 1.5× annual revenue or a size-tier minimum floor, whichever is higher. Floors reflect real-world data: Hiscox Cyber Readiness Report 2025 found that 1-in-6 small firms faced cyber losses exceeding $500K, regardless of revenue. The floor prevents an $80K-revenue company from having an unrealistically low $120K loss cap that triggers false catastrophic warnings on routine incidents.
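The loss cap and run-outcome scoring described above, as an added Python sketch; it is not Risk Vector's own code. The $500K floor value, the linear scaling between the 50 and 100 anchor points, the uniform loss spread, and the sample threat profile are all assumptions made for illustration.

```python
import random

REVENUE_CAP_MULTIPLE = 1.5     # from the page: losses capped at 1.5x annual revenue
ASSUMED_TIER_FLOOR = 500_000   # hypothetical small-tier floor; the page lists no floor values

def loss_cap(annual_revenue, tier_floor=ASSUMED_TIER_FLOOR):
    """Cap is 1.5x revenue or the tier floor, whichever is higher."""
    return max(REVENUE_CAP_MULTIPLE * annual_revenue, tier_floor)

def undefended_ale(threats):
    """FAIR-style ALE: sum of annual event probability x expected loss per event."""
    return sum(t["annual_prob"] * t["mean_loss"] for t in threats)

def simulate_year(threats, annual_revenue, rng, tier_floor=ASSUMED_TIER_FLOOR):
    """One stochastic run: each threat fires at most once, defenses lower its odds."""
    total = 0.0
    for t in threats:
        p = t["annual_prob"] * (1.0 - t.get("defense_reduction", 0.0))
        if rng.random() < p:
            total += rng.uniform(0.5, 1.5) * t["mean_loss"]  # assumed loss spread
    return min(total, loss_cap(annual_revenue, tier_floor))

def outcome_score(simulated_loss, ale):
    """50 = loss equals undefended ALE; 100 = 2x ALE or worse (linear scaling assumed)."""
    if ale <= 0:
        return 0.0
    return min(100.0, 50.0 * simulated_loss / ale)

# Constructed sample profile, not Risk Vector data.
SAMPLE_THREATS = [
    {"name": "ransomware", "annual_prob": 0.20, "mean_loss": 400_000, "defense_reduction": 0.5},
    {"name": "phishing", "annual_prob": 0.40, "mean_loss": 100_000, "defense_reduction": 0.3},
]

def run_demo(seed=7, runs=1000, annual_revenue=80_000):
    """Repeat the stochastic run for the page's $80K-revenue case; return ALE, worst and mean score."""
    rng = random.Random(seed)
    ale = undefended_ale(SAMPLE_THREATS)
    scores = [outcome_score(simulate_year(SAMPLE_THREATS, annual_revenue, rng), ale)
              for _ in range(runs)]
    return ale, max(scores), sum(scores) / runs

if __name__ == "__main__":
    ale, worst, mean = run_demo()
    print(f"undefended ALE=${ale:,.0f} worst score={worst:.0f} mean score={mean:.1f}")
```

With the floor in place, the $80K-revenue company's cap is the floor rather than $120K, so a single mid-sized incident no longer saturates the cap.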
Limitations: These are statistical estimates based on aggregated global data. Actual risk varies significantly based on specific organizational configurations, threat actor targeting, geopolitical factors, and factors not captured in aggregate statistics. This tool is intended for educational and planning purposes only — not as a substitute for a professional security assessment.
Last Data Update: February 2026, reflecting 2025 annual reports. Data will be refreshed as new reports are published.
| Industry | Avg Breach Cost | Primary Risk | Source |
|---|---|---|---|
| 🏥 Healthcare | $7.42M | Ransomware on patient data, long detection (279 days) | IBM Cost of Data Breach 2025 |
| 🏦 Financial Services | $5.56M | BEC, credential theft, regulatory fines | IBM Cost of Data Breach 2025 |
| ⚡ Energy / Utilities | $4.78M | ICS/OT attacks, supply chain compromise | IBM Cost of Data Breach 2025 |
| 💻 Technology | $4.88M | Zero-day exploits, IP theft, AI attacks | IBM Cost of Data Breach 2025 |
| 🏭 Manufacturing | $4.20M | Ransomware (15% of Q1 2025 cases), supply chain | IBM Cost of Data Breach 2025 |
| 🏛️ Government | $3.93M | Nation-state actors, DDoS, data theft | IBM Cost of Data Breach 2025 |
| 🎓 Education | $3.80M | Ransomware, credential stuffing, limited budgets | IBM Cost of Data Breach 2025 |
| 🛒 Retail | $3.48M | Payment card theft, phishing (58% of attacks) | IBM Cost of Data Breach 2025 |
| 🏨 Hospitality | $3.10M | POS malware, social engineering | IBM Cost of Data Breach 2025 |