2022 DBIR Master's Guide


  • Hello, and welcome first-time readers! Before you get started on the 2022 Data Breach Investigations Report (DBIR), it might be a good idea to take a look at this section first. (For those of you who are familiar with the report, please feel free to jump over to the introduction.) We have been doing this report for a while now, and we appreciate that the verbiage we use can be a bit obtuse at times. We use very deliberate naming conventions, terms and definitions and spend a lot of time making sure we are consistent throughout the report. Hopefully this section will help make all of those more familiar.


    VERIS resources

    The terms ‘threat actions’, ‘threat actors’ and ‘varieties’ will be referenced often. These are part of the Vocabulary for Event Recording and Incident Sharing (VERIS), a framework designed to allow for a consistent, unequivocal collection of security incident details. Here is how they should be interpreted:

    Threat actor: Who is behind the event? This could be the external “bad guy” that launches a phishing campaign or an employee who leaves sensitive documents in their seat back pocket.

    Threat action: What tactics (actions) were used to affect an asset? VERIS uses seven primary categories of threat actions: Malware, Hacking, Social, Misuse, Physical, Error, and Environmental. Examples at a high level are hacking a server, installing malware, or influencing human behavior through a social attack.

    Variety: More specific enumerations of higher-level categories, e.g., classifying the external “bad guy” as an organized criminal group or recording a hacking action as SQL injection or brute force.

    Learn more here:


    Incident vs breaches

    We talk a lot about incidents and breaches and we use the following definitions:

    Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.

    Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party.


    Industry labels

    We align with the North American Industry Classification System (NAICS) standard to categorize the victim organizations in our corpus. The standard uses two- to six-digit codes to classify businesses and organizations. Our analysis is typically done at the two-digit level and we will specify NAICS codes along with an industry label. For example, a chart with a label of Financial (52) is not indicative of 52 as a value. “52” is the code for the Finance and Insurance sector. The overall label of ‘Financial’ is used for brevity within the figures. Detailed information on the codes and the classification system is available here:

    https://www.census.gov/naics/?58967?yearbck=2012
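The three conventions above (VERIS actor/action/variety, incident versus breach, two-digit NAICS labels) can be applied together when tallying records. The sketch below is an added example, not code from the report or the VERIS project; the records are constructed, and the trimmed field layout (`data_disclosure`, `victim.industry` and so on) is an assumption modelled on VERIS-style JSON that should be checked against the schema in use.

```python
from collections import Counter

# NAICS sectors that span more than one two-digit prefix.
MERGED = {"31": "31-33", "32": "31-33", "33": "31-33",
          "44": "44-45", "45": "44-45", "48": "48-49", "49": "48-49"}

def record(actor, actor_variety, action, action_variety, disclosure, naics):
    """Build one constructed record in a trimmed, VERIS-style layout (assumed)."""
    return {"actor": {actor: {"variety": [actor_variety]}},
            "action": {action: {"variety": [action_variety]}},
            "attribute": {"confidentiality": {"data_disclosure": disclosure}},
            "victim": {"industry": naics}}

# Constructed sample (not DBIR data).
INCIDENTS = [
    record("external", "Organized crime", "hacking", "SQLi", "Yes", "522110"),
    record("external", "Organized crime", "hacking", "Brute force", "Potentially", "52"),
    record("internal", "Unknown", "error", "Loss", "Yes", "336411"),
    record("external", "Unknown", "hacking", "DoS", "No", "518210"),
]

def is_breach(incident):
    """Breach = confirmed disclosure; 'Potentially' stays an incident."""
    conf = incident.get("attribute", {}).get("confidentiality", {})
    return conf.get("data_disclosure") == "Yes"

def sector(incident):
    """Reduce a two- to six-digit NAICS code to its two-digit sector label."""
    code = str(incident.get("victim", {}).get("industry", ""))
    if len(code) < 2 or not code[:2].isdigit():
        return "Unknown"
    return MERGED.get(code[:2], code[:2])

def summarize(incidents):
    """Count records per (sector, action category, incident-or-breach)."""
    rows = Counter()
    for inc in incidents:
        kind = "breach" if is_breach(inc) else "incident only"
        for category in sorted(inc.get("action", {})):
            rows[(sector(inc), category, kind)] += 1
    return rows

if __name__ == "__main__":
    for key, count in sorted(summarize(INCIDENTS).items()):
        print(key, count)
```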


    Being confident in our data

    Starting in 2019 with slanted bar charts, the DBIR has tried to make the point that the only certain thing about information security is that nothing is certain. Even with all the data we have, we’ll never know anything with absolute certainty. However, instead of throwing our hands up and complaining that it is impossible to measure anything in a data-poor environment, or worse yet, just plain making stuff up, we get to work. This year, you’ll continue to see the team representing uncertainty throughout the report figures.

    The examples shown in Figures 1, 2, 3 and 4 all convey the range of realities that could credibly be true. Whether it be the slant of the bar chart, the threads of the spaghetti chart, the dots of the dot plot or the color of the pictogram plot, all convey the uncertainty of our industry in their own special way.

    The slanted bar chart will be familiar to returning readers. The slant on the bar chart represents the uncertainty of that data point to a 95% confidence level (which is standard for statistical testing). In layman's terms, if the slanted areas of two (or more) bars overlap, you can’t really say one is bigger than the other without angering the math gods. 

    The dot plot is another returning champion, and the trick to understanding this chart is to remember that the dots represent organizations. If, for instance, there are 200 dots (like in Figure 3), each dot represents 0.5% of organizations. This is a much better way of understanding how something is distributed among organizations, and provides considerably more information than an average or a median. We added more colors and callouts to those in an attempt to make them even more informative.

    Spaghetti charts and our relative newcomer, the pictogram plot, attempt to capture uncertainty in a similar way to slanted bar charts but are more suited for a single proportion.

    We hope they make your journey through this complex dataset even smoother than previous years.
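The overlap rule for slanted bars can be reproduced numerically. This added example (not the DBIR team's code) computes a 95% interval for each proportion and reports which pairs overlap; the Wilson score interval is a swapped-in method chosen here as an assumption, since this guide does not say how the report's intervals are calculated, and the counts are constructed.

```python
import itertools
import math

Z95 = 1.959963984540054  # two-sided 95% normal quantile

def wilson_interval(hits, n, z=Z95):
    """95% Wilson score interval for a proportion hits/n."""
    if n <= 0 or not 0 <= hits <= n:
        raise ValueError("need n > 0 and 0 <= hits <= n")
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)

def overlaps(a, b):
    """True when two (low, high) intervals share any value."""
    return a[0] <= b[1] and b[0] <= a[1]

def compare(counts, n):
    """Return each label's interval and an overlap verdict for every pair."""
    intervals = {label: wilson_interval(hits, n) for label, hits in counts.items()}
    verdicts = {}
    for a, b in itertools.combinations(sorted(counts), 2):
        verdicts[(a, b)] = "overlap" if overlaps(intervals[a], intervals[b]) else "distinct"
    return intervals, verdicts

if __name__ == "__main__":
    # Constructed counts: same proportions, two different sample sizes.
    for n, counts in [(100, {"Hacking": 40, "Malware": 30, "Error": 12}),
                      (1000, {"Hacking": 400, "Malware": 300, "Error": 120})]:
        intervals, verdicts = compare(counts, n)
        print(f"n={n}")
        for label, (lo, hi) in intervals.items():
            print(f"  {label:8s} {lo:.3f} .. {hi:.3f}")
        for pair, verdict in verdicts.items():
            print(f"  {pair[0]} vs {pair[1]}: {verdict}")
```

With 100 records, 40% and 30% overlap and cannot be ranked; with 1,000 records at the same proportions the intervals separate.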

  • PLEASE NOTE: While we have always listed the following facts in our Methodology section (because that is where this type of information belongs), we decided to also mention them here for the benefit of those who don’t make it that far into the report. Each year, the DBIR timeline for in-scope incidents is from Nov. 01 of one calendar year until Oct. 31 of the next calendar year. Thus, the incidents described in this report took place between Nov. 01, 2020 and Oct. 31, 2021. The 2021 caseload is the primary analytical focus of the 2022 report, but the entire range of data is referenced throughout, notably in trending graphs. The time between the latter date and the date of publication for this report is spent in acquiring the data from the 80-odd global contributors, anonymizing and aggregating that data, analyzing the dataset and, finally, creating the graphics and writing the report. Rome wasn’t built in a day, and neither is the DBIR.

  • Questions? Comments?

    Let us know! Drop us a line at dbir@verizon.com, find us on LinkedIn, tweet @VerizonBusiness with #dbir. Got a data question? Tweet @VZDBIR!

Let's get started.