网络风险结构的数据驱动视角：攻击压力与暴露面如何塑造损害

How Attack Pressure and Exposure Shape Damage Matsukawa BakueiPrincipal Threat Researcher, Forward-Looking Threat Research Table ofContents 4 Key takeaways 5 Introduction 9 14 Overall trends in cyber damage 23 Overview of industry-specific cyber risk 29 Organizational differences within the same 33 Principles of cyber risk management 38 Cyber Risk Positioning Map 44 Conclusion Executive summary The central message is clear: cyber risk cannot be understood through any singleindicator alone. The findings suggest that observed damage is shaped not only by howmuch attack pressure an organization faces, but also by how much exposure it has and This study examines how attack pressure, exposure, and observed damage-relatedactivity are associated across 2,014 enterprise-scale organizations worldwide thatcontinuously used TrendAI Vision One™ Cyber Risk Exposure Management (CREM) The analysis showed that Attack Pressure had the strongest observed relationship withDamage. At the same time, Exposure—defined in this study as the level of risk basedon vulnerabilities, misconfigurations, and exposed services—became more important The analysis also showed that industry is useful for understanding broad risk tendencies,especially differences in Attack Pressure. However, substantial variation remained evenwithin the same industry, which means industry context is informative, but not sufficient This perspective is valuable not only analytically, but also operationally. It provides amore interpretable view of why outcomes differ, making cyber risk easier to assess,explain, and prioritize in practice. For security leaders and other decision-makers, the Key takeaways 1.Attack Pressure and Exposure together were associated with up to a 3.3-folddifference in observed Damage, with an approximately 30% gap under high Attack Organizations with both low Attack Pressure and low Exposure averaged approximately2.9 Damage Months (defined in this study as the number of months in which later-stage attack activity was observed in an organization’s telemetry), while those withboth high Attack Pressure and high Exposure averaged approximately 9.6 Damage 2.Industry helps explain broad risk tendencies, but not the full risk of any individual At the industry group level, average differences in Exposure were relatively limited,while clearer differences appeared in average Attack Pressure. This indicatesthat industry can be a useful lens for understanding broad differences in attack 3.Differences in Damage are not explained by risk environment alone. TrendAI™, the global AI security leader and enterprise business unit of Trend Micro, empowers organizations with full AIThe findings suggest that differences in observed Damage areassociated not only with Attack Pressure and Exposure, but alsowith how effectively harmful activity is limited in practice.To organize this relationship in a practical way, thisstudy introduces a Cyber Risk Positioning Map that Copyright © 2026. Trend Micro Incorporated. All rights reserved. [REP00_Cyber_Risk_Structure_280526US] 1 Why do similar organizations experiencedifferent levels of damage? Even within the same industry, organizations of comparable size and with broadlysimilar IT environments do not always experience the same level of harmful activity orbusiness impact. In some cases, attacks are frequently observed and lead to persistent This raises a fundamental question: why doorganizations that appear broadly similarexperience different levels of damage? Putdifferently, the issue may not be only how Cyber risk cannotbe understood this may not be simply a question about attack volume, but about how differentelements of cyber risk are structured and how they interact. Why Attack Pressure alone may not explainDamage Cyber damage is often discussed in relation to the amount of attack activity anorganization faces. This is a reasonable starting point. In general, organizations However, whether Attack Pressure alone is sufficient to explain Damage remains anopen question. In practice, some organizations operating under high Attack Pressureshow relatively limited Damage, while others experience substantial Damage even when If so, the question is not whether Attack Pressure matters, but whether it is enough.The observed differences in Damage may instead reflect the influence of additional Exposure as an additional element of risk One important factor is organizational exposure. Vulnerabilities, misconfigurations, andexternally exposed services can increase the likelihood that attacks will succeed once This perspective is consistent with the broader work of TrendAI™ on proactive security.In the December 2024 report, Reducing Ransomware Risk Through Proactive AttackSurface Management: Enabling Proactive Cybersecurity, TrendAI™ Research highlighted The present study builds on that line ofwork by extending it into a single analyticalframework. Earlier work established tworelated p