Cyber Exposure Index

Research-driven project to visualize the biggest blind spots in cybersecurity

In this digitalized world, data is the new currency and the driver for all businesses. This change in the business landscape presents new risks and threats that require remediation. The Cyber Exposure Index is the first step in this mitigation and remediation as it identifies existing threats and makes them transparent.

The Cyber Exposure Index is the result of a research project. It is still in its early stages, and we hope to develop it further in future. Data breaches are increasing exponentially, and as companies are ever more interconnected and dependency networks become more complex, the impacts of such breaches become greater. For example, a data breach in one organisation may expose 10,000 other organisations and even more individuals. To be able to respond and develop solutions to mitigate data breaches, we first need to understand their magnitude and impacts, which is why we support academics, students and independent security researchers in their missions to better understand cyber exposure.

The Cyber Exposure Index is based on data collected from publicly available sources in the dark web and deep web and from data breaches. From this data, signs of sensitive disclosures, exposed credentials and hacker-group activity against companies are identified. Companies are ranked based on the number of findings and identified risks divided by their employee counts.

The information presented on this site illustrates the magnitude of cyber exposure. It does not address any single company’s weaknesses or vulnerabilities, only the exposed data available from public sources within the observed period. If you notice inaccuracies in the parameters used to measure cyber exposure, please inform us, and we will update our database accordingly.

Timeline for Cyber Exposure Index updates

How companies are ranked in this index

Companies are ranked based on publicly available information gathered from the dark web and deep web and from published data breaches. The ranking process is as follows:

Company information, including industry, communication domains and employee counts, is fetched from stock exchanges.
The search for exposure is conducted based on company domain names. Anything that matches the domain name is considered a finding.
The findings are analysed by artificial intelligence algorithms to identify risks. Signs of sensitive disclosures, exposed credentials and hacker-group activity against a company are identified. Unidentified findings are not used to calculate the exposure score of a company.
Identified risk findings are given risk weights. Clear-text passwords, attack campaigns against companies and leaked source code are considered high risks; encrypted passwords and sensitive disclosures are medium risks; and targeted individuals (spam, phishing) are considered low risks.
Companies are given an exposure score based on their identified risks divided by their employee count for the last 12 months. A high-level indication of exposure is provided for the last 18 months.
For more detailed information, a Cyber Exposure Report can be purchased by the general public. Company findings are available for that particular company only.
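The ranking steps above can be sketched as follows. This is an added example, not the project's own code: the numeric tier weights, the field and key names, the subdomain-matching rule and the sample data are all assumptions, since the page names the risk tiers but publishes no values.

```python
from datetime import date, timedelta

# Assumed numeric weights: the page names three tiers but gives no values.
TIER_WEIGHT = {"high": 3.0, "medium": 2.0, "low": 1.0}
# Tier per risk type as listed in the ranking process (key names are illustrative).
RISK_TIER = {
    "cleartext_password": "high", "attack_campaign": "high",
    "leaked_source_code": "high", "encrypted_password": "medium",
    "sensitive_disclosure": "medium", "targeted_individual": "low",
}

def belongs_to(host, domain):
    """Assumed rule: match the domain or a subdomain, never a lookalike suffix."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def exposure_score(company, findings, today, window_days=365):
    """Sum of weighted, identified risks in the window / employee count."""
    if company["employees"] <= 0:
        raise ValueError("employee count must be positive")
    cutoff = today - timedelta(days=window_days)
    total = 0.0
    for f in findings:
        if not any(belongs_to(f["host"], d) for d in company["domains"]):
            continue  # finding does not match this company's domains
        if not (cutoff < f["seen"] <= today):
            continue  # outside the 12-month scoring window
        # Unidentified findings (risk None or unknown) contribute nothing.
        total += TIER_WEIGHT.get(RISK_TIER.get(f["risk"]), 0.0)
    return total / company["employees"]

def rank(companies, findings, today):
    """Companies ordered from most to least exposed."""
    scored = [(c["name"], exposure_score(c, findings, today)) for c in companies]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed sample data (reserved .example names, not real companies).
COMPANIES = [
    {"name": "Alpha", "domains": ["alpha.example"], "employees": 1000},
    {"name": "Beta", "domains": ["beta.example"], "employees": 50},
]
FINDINGS = [
    {"host": "alpha.example", "risk": "cleartext_password", "seen": date(2024, 3, 1)},
    {"host": "mail.alpha.example", "risk": "encrypted_password", "seen": date(2024, 1, 15)},
    {"host": "alpha.example", "risk": None, "seen": date(2024, 2, 1)},
    {"host": "alpha.example", "risk": "attack_campaign", "seen": date(2022, 1, 1)},
    {"host": "beta.example", "risk": "targeted_individual", "seen": date(2024, 4, 1)},
    {"host": "notbeta.example", "risk": "cleartext_password", "seen": date(2024, 4, 1)},
]
print(rank(COMPANIES, FINDINGS, date(2024, 6, 1)))
```

With this sample, Beta outranks Alpha despite a single low-risk finding, because the score is normalised by employee count.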