Lies, Damned Lies, and Cybersecurity Statistics

Either Mark Twain or the 19th-century British Prime Minister Benjamin Disraeli said, “There are three kinds of lies: lies, damned lies, and cybersecurity statistics.”

There are three kinds of lies: lies, damned lies, and statistics.

“Mark Twain Quotes.” STANDS4 LLC, 2021. Web. 21 Jan. 2021.

Parody aside, the cybersecurity community uses statistics to tout all sorts of solutions, some dubious and others justified, all in an effort to show the value of products and services.

Statistics are like a drunk with a lamppost: used more for support than illumination.

“Sir Winston Churchill Quotes.” STANDS4 LLC, 2021. Web. 21 Jan. 2021.

Bringing all the statistics that we use together in one place, along with the reference and basis for each, would go along the lines of Winston Churchill’s quote, “I only believe in statistics that I doctored myself” (which, by the way, was made up and incorrectly attributed to Churchill).

So, now that you are sufficiently armed with warnings through the use of disclosures cleverly disguised as parody and quotes, here is a collection of cybersecurity statistics that we have gathered. Season with salt to taste (take with a grain of salt)…

Cybersecurity Statistics in General

Here are some overall cybersecurity statistics that show the enormity of the cybersecurity issue:

  • Damage related to cybercrime is projected to hit $6 trillion annually by 2021. (Cybersecurity Ventures)
  • The worldwide information security market is forecast to reach $170.4 billion in 2022. (Gartner)
  • By 2020, security services are expected to account for 50% of cybersecurity budgets. (Gartner)
  • Smaller organizations (1–250 employees) have the highest targeted malicious email rate at 1 in 323. (Symantec)
  • 62% of businesses experienced phishing and social engineering attacks in 2018. (Cybint Solutions)
  • Hackers attack every 39 seconds, on average 2,244 times a day. (University of Maryland)
  • 61% of organizations have experienced an IoT security incident. (CSO Online)

And then let’s put some cost figures into the light:

  • The average cost in time of a malware attack is 50 days. (Accenture) The cost of lost business averaged $1.42 million. (IBM)
  • The average cost of a data breach is $3.92 million as of 2019. (Security Intelligence)
  • The average cost of a ransomware attack on businesses is $133,000. (SafeAtLast)
  • The average cost of a malware attack on a company is $2.6 million. (Accenture)
  • $3.9 million is the average cost of a data breach. (IBM)
  • Including turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill, the cost of lost business globally was highest for U.S. companies at $4.13 million per company. (Ponemon Institute’s Cost of Data Breach Study)

Here are some specifics associated with different threat vectors and breach statistics:

  • 52% of breaches featured hacking, 28% involved malware and 32–33% included phishing or social engineering, respectively. (Verizon)
  • 92% of malware is delivered by email.
  • Trojans make up 51.45% of all malware.
  • The average time to identify a breach in 2019 was 206 days. (IBM)
  • The average lifecycle of a breach was 314 days (from the breach to containment). (IBM)
  • In the 2019 DBIR, 94% of malware was delivered by email. (Verizon)
  • 34% of data breaches involved internal actors. (Verizon)
  • IoT devices experience an average of 5,200 attacks per month. (Symantec)
  • In a different sample, 92% of malware is delivered by email. (CSO Online)
  • 65% of groups used spear-phishing as the primary infection vector. (Symantec)
  • 71% of breaches were financially motivated and 25% were motivated by espionage. (Verizon)

Cybersecurity Skills Gap

ThreatGEN’s tag line, “OT Cybersecurity Skills Gap… Solved,” shows our focus – cybersecurity skills. We use “cutting edge computer gamification to provide an exciting & modernized approach to cybersecurity training, both practical and cost effective” (see our ThreatGEN® Red vs. Blue page for more information). You’d expect us to reference a lot of skills acquisition and related statistics, so here you go…

  • 82% of employers report a shortage of cybersecurity skills. (ISSA)
  • 61% of companies think their cybersecurity applicants aren’t qualified. (ISSA)
  • The cybersecurity unemployment rate is 0% and is projected to remain there through 2021. (CSO Online)
  • By 2021, it’s projected that there will be 3.5 million unfilled cybersecurity jobs globally. (Cybersecurity Ventures)
  • Information Security Analysts job positions in the US are expected to grow 32% from 2018–28. (Bureau of Labor Statistics)
  • Computer Network Architect job positions in the US are expected to grow 5% from 2018–28. (Bureau of Labor Statistics)
  • 500,000 Data Protection Officers are employed. (IAAP)
  • Since 2016, the demand for Data Protection Officers (DPOs) has skyrocketed and risen over 700%, due to the GDPR demands. (Reuters)
  • 43% of employees do not get regular data security training while 8% have never received any training. (Small Business Trends referencing GetApp)
  • It’s predicted that by 2021, 100% of large companies globally will have a CISO position. (Cybersecurity Ventures)

Here are some interesting statistics that help explain the constant job churn and the huge number of cybersecurity professionals who constantly upgrade their skills:

  • 66% of cybersecurity professionals struggle to define their career paths. (ISSA)
  • 60% of cybersecurity professionals aren’t satisfied with their current job. (ISSA)
  • 82% of CISOs report feeling “burned out” as professionals. (Symantec)

Cybersecurity Statistics Compendiums

Here are a number of sources that list multiple statistics that we have referenced:

And now for something totally different…

We interrupt this program to annoy you and make things generally more irritating.

Monty Python, within an article by Best Life, “25 Monty Python Quotes That Are Relevant Today”

And, in holding true to the made-up Churchill quote, let’s make up some statistics associated with gamification:

  1. 90% of all the gamification solutions for cybersecurity skills training aren’t gamifications (they’re videos or questions that masquerade as gamification).
  2. 75% of gamification solutions in general, not specifically for cybersecurity, are boring.
  3. 58.6% (hey, if you can’t be precise when you make up statistics, who can?) of the Capture the Flag (“CTF”) competitions are really “solve the puzzle and go to the next step,” not true head-to-head, military (or Boy Scouts) style CTFs.
  4. 66.9% more employees will understand cybersecurity spending if they engage in a heart-pounding head-to-head CTF with a Red Team, especially if they are sitting in the office next to them.
  5. Like 122.9999% of people will love to trounce their co-workers on the Blue Team if they play ThreatGEN® Red vs. Blue gamification and beat their opponents within 20 turns.

Like we said, these are all made-up statistics in this last section, but over the coming months, we will be adding true statistics gathered from our thousands of registered players in over 50 countries worldwide. We have begun gathering Level 1 statistics on game play within our ThreatGEN® Red vs. Blue gamification Professional, Educational, and Enterprise Editions with the advent of version 1.4.1. Detailed statistics are only available to the administrator for each registrant, but the aggregated game play statistics will be released.

About ThreatGEN

Founded in Sugar Land, Texas in 2017, ThreatGEN delivers a solution to bridge “the ICS Cybersecurity skills gap” utilizing its ThreatGEN® Red vs. Blue training and ThreatGEN OT Security Services. ThreatGEN® Red vs. Blue training uses cutting-edge computer gamification in ThreatGEN® Red vs. Blue to provide an exciting & modernized approach to industrial cybersecurity training, both practical and cost effective! ThreatGEN OT Security Services are delivered worldwide by world-renowned Operational Technology (OT) cybersecurity experts (we literally wrote the books industry uses) using strategically chosen partnerships to create a holistic service offering.

Derezzed Inc. D/B/A ThreatGEN
140900 Southwest Freeway #300
Sugar Land, Texas 77478
+1 (833) 339-6753
