US Cybersecurity Statistics and Data
Cybersecurity statistics in the United States encompass quantified measurements of threat activity, financial impact, workforce capacity, regulatory enforcement, and incident frequency across public and private sectors. These figures originate from federal agencies, standards bodies, and established research programs — and serve as the empirical foundation for risk assessments, policy development, and resource allocation decisions. The Digital Security Listings catalog reflects the service landscape these statistics describe. Understanding how cybersecurity data is collected, classified, and applied is prerequisite to interpreting any specific figure or trend within this sector.
Definition and scope
Cybersecurity statistics constitute a formal data category covering measurable outcomes from cyber threats, defenses, and regulatory activity across US networks, organizations, and critical infrastructure. The scope includes breach frequency, financial loss, incident response costs, workforce gaps, vulnerability counts, and enforcement actions.
The primary federal sources that generate or aggregate this data include:
- The Cybersecurity and Infrastructure Security Agency (CISA), established under Pub. L. 115-278, which publishes advisories, incident tracking, and sector-specific threat data across all 16 critical infrastructure sectors defined by Presidential Policy Directive 21 (PPD-21).
- The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3), which publishes annual Internet Crime Reports aggregating complaint data from US victims.
- The National Institute of Standards and Technology (NIST), which maintains the National Vulnerability Database (NVD) — a repository of publicly known cybersecurity vulnerabilities indexed by Common Vulnerabilities and Exposures (CVE) identifiers.
- The Office of Management and Budget (OMB), which reports annually on federal agency compliance with the Federal Information Security Modernization Act (FISMA).
Statistical scope boundaries matter for interpretation. Figures produced by federal agencies reflect reported incidents only; organizations operating under no mandatory reporting obligation may not appear in federal datasets at all. Even where reporting is mandatory, thresholds shape what becomes public. The HHS HIPAA Breach Notification Rule (45 CFR Part 164 Subpart D) requires covered entities to notify HHS of every breach of unsecured protected health information, but breaches affecting fewer than 500 individuals are submitted only in an annual log and are not posted on the OCR breach portal, so smaller incidents are structurally absent from the public tallies.
How it works
Cybersecurity statistics are produced through three distinct collection mechanisms, each with different coverage characteristics and reliability thresholds.
1. Mandatory regulatory reporting
Sector-specific statutes and rules compel disclosure to federal agencies. The HHS Office for Civil Rights (OCR) publishes a breach portal listing healthcare breaches affecting 500 or more individuals. The Securities and Exchange Commission (SEC) finalized cybersecurity disclosure rules in 2023 requiring public companies to report material incidents on Form 8-K within four business days of determining materiality (17 CFR Parts 229 and 249); the clock starts at the materiality determination, not at discovery. Non-bank financial institutions subject to the FTC Safeguards Rule (16 CFR Part 314) must notify the FTC within 30 days of discovering a breach of unencrypted customer information affecting 500 or more consumers, a requirement added by the 2023 amendment to the rule.
2. Voluntary complaint and incident reporting
The FBI IC3 accepts voluntary reports from individuals and organizations. Its 2023 Internet Crime Report recorded $12.5 billion in losses across 880,418 complaints (FBI IC3 2023 Internet Crime Report), a figure that reflects reported losses only and structurally undercounts actual financial harm, since victims who never file are invisible to it.
3. Independent research and vulnerability tracking
NIST's NVD indexes CVE records assigned by CVE Numbering Authorities under the CVE Program, which the MITRE Corporation operates with CISA sponsorship; NVD enriches each record with CVSS severity scores, CWE weakness categories and CPE product identifiers. The database has catalogued over 200,000 CVE entries since the program began in 1999. IBM's annual Cost of a Data Breach Report, based on research conducted by the Ponemon Institute, reported a global average breach cost of $4.45 million in 2023, with the US recording the highest average of any country at $9.48 million (IBM Cost of a Data Breach Report 2023).
The NIST Cybersecurity Framework (CSF), available at csrc.nist.gov, structures how organizations describe their security posture across core functions: Identify, Protect, Detect, Respond and Recover in CSF 1.1, with Govern added as a sixth function in CSF 2.0 (February 2024). The functions classify security outcomes and controls, not incident types, so they serve as a common vocabulary for posture and maturity reporting rather than as an incident taxonomy.
Common scenarios
Cybersecurity statistics surface in four primary operational contexts, each drawing on different data sources and methodologies.
Breach cost and financial impact analysis
Organizations conducting risk quantification reference IBM's Cost of a Data Breach Report alongside industry-specific data from HHS OCR, the SEC, and the FTC. Healthcare has consistently recorded the highest average per-incident cost of any industry in the IBM study for over a decade, at $10.93 million in 2023 (IBM Cost of a Data Breach Report 2023).
Regulatory compliance benchmarking
Federal agencies use OMB's annual FISMA report to measure agency-level security maturity. The 2022 FISMA report to Congress identified that federal agencies collectively managed over 23,000 operational information systems subject to FISMA requirements (OMB FISMA Report to Congress). This data drives budget allocation and remediation prioritization across the civilian Executive Branch.
Workforce gap measurement
The cybersecurity workforce shortage is quantified through the NIST National Initiative for Cybersecurity Education (NICE) and Cyberseek, a workforce data project run by NICE together with CompTIA and the labor-market analytics firm Lightcast under a NIST-funded cooperative agreement. Cyberseek's 2023 data indicated approximately 572,000 cybersecurity job openings in the United States over the preceding twelve months (Cyberseek, NIST NICE).
Threat landscape tracking
CISA's Known Exploited Vulnerabilities (KEV) catalog provides a continuously updated list of CVEs confirmed as actively exploited. Federal civilian agencies are required under Binding Operational Directive (BOD) 22-01 to remediate KEV entries by the due date CISA publishes with each one (two weeks for the newer CVEs in the initial catalog, six months for those with pre-2021 identifiers; entries added later carry their own due dates). The catalog functions as a statistical reference for prioritizing patching programs across both public and private sectors.
For context on how this data landscape connects to the professional service sector, the Digital Security Authority's purpose and scope page outlines the organizational framework within which these statistics apply.
Decision boundaries
Cybersecurity statistics vary substantially by collection methodology, reporting threshold, and sector coverage. Applying any figure without accounting for these boundaries produces unreliable conclusions.
Reported vs. actual incidence
Every federal dataset reflects reported incidents against a population of unreported ones. IC3 data is bounded by voluntary participation. HHS OCR data excludes breaches below the 500-individual threshold. SEC disclosures apply only to public companies. No single dataset captures total US cyber incident activity.
Financial figures: average vs. median
Cost-per-breach figures from IBM's Ponemon-based research represent arithmetic averages, which are sensitive to large outlier incidents. Median figures, where published, typically reflect lower values. Decision-makers using average figures for budget modeling without accounting for organizational size and sector risk profile may overstate or understate exposure.
Vulnerability counts vs. exploited vulnerability counts
The NVD catalogs all publicly disclosed vulnerabilities regardless of exploitation status. CISA's KEV catalog, by contrast, includes only CVEs with confirmed active exploitation. The distinction is operationally significant: NVD counts inform comprehensive patch management programs, while KEV counts inform emergency remediation priorities under BOD 22-01.
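To make the NVD-versus-KEV distinction operational, here is an added example (not code from CISA, NIST or any source the page cites) that triages a vulnerability scanner's findings against a KEV snapshot: anything in KEV goes to the BOD 22-01 emergency queue ordered by due date, everything else to routine patch management ordered by CVSS. The KEV fragment is constructed in the shape of the real feed (known_exploited_vulnerabilities.json); its CVE identifiers, products and dates are placeholders, and the scanner output format is an assumption.

```python
"""Triage scanner findings against a CISA KEV snapshot.

Added example, not code published by CISA or NIST. The KEV fragment below is
CONSTRUCTED with the real feed's field names; its CVE IDs (CVE-2099-*),
products and dates are placeholders, not real catalog entries.
"""
import json
from datetime import date

# Constructed KEV fragment: real field names, placeholder values.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "example",
  "dateReleased": "2024-03-01T12:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "ExampleVendor",
     "product": "Example VPN Gateway",
     "vulnerabilityName": "Example VPN Gateway Authentication Bypass",
     "dateAdded": "2024-02-10", "shortDescription": "Placeholder.",
     "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
     "dueDate": "2024-02-24", "knownRansomwareCampaignUse": "Known", "notes": ""},
    {"cveID": "CVE-2099-0002", "vendorProject": "ExampleVendor",
     "product": "Example App Server",
     "vulnerabilityName": "Example App Server Deserialization Vulnerability",
     "dateAdded": "2024-02-25", "shortDescription": "Placeholder.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-03-17", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
  ]
}
"""

# Constructed scanner output (assumed format: host, CVE, CVSS base score).
# Note that the CVSS 9.8 finding is NOT in KEV while the CVSS 7.5 finding IS.
SCAN_FINDINGS = [
    {"host": "web-01", "cve": "CVE-2099-0003", "cvss": 9.8},
    {"host": "vpn-01", "cve": "CVE-2099-0001", "cvss": 7.5},
    {"host": "app-02", "cve": "CVE-2099-0002", "cvss": 8.1},
    {"host": "db-01", "cve": "CVE-2099-0004", "cvss": 5.3},
]


def load_kev(raw: str) -> dict[str, dict]:
    """Parse the KEV feed and index its entries by CVE ID."""
    feed = json.loads(raw)
    entries = {v["cveID"]: v for v in feed["vulnerabilities"]}
    # The feed carries its own count; a mismatch indicates a truncated download.
    if len(entries) != feed["count"]:
        raise ValueError("KEV feed count does not match entries parsed")
    return entries


def triage(findings: list[dict], kev: dict[str, dict], today: date) -> tuple[list[dict], list[dict]]:
    """Split findings into the BOD 22-01 emergency queue and the routine queue.

    Emergency: the CVE is in KEV; ordered by due date so overdue items surface
    first, regardless of CVSS. Routine: everything else, ordered by CVSS.
    """
    emergency, routine = [], []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry is None:
            routine.append(dict(f))
            continue
        due = date.fromisoformat(entry["dueDate"])
        emergency.append({
            **f,
            "due": due,
            "overdue": today > due,
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
            "action": entry["requiredAction"],
        })
    emergency.sort(key=lambda e: e["due"])
    routine.sort(key=lambda r: r["cvss"], reverse=True)
    return emergency, routine


def summarize(emergency: list[dict], routine: list[dict]) -> dict[str, int]:
    """Counts a patching program reports: the full (NVD-style) total vs the KEV subset."""
    return {
        "findings": len(emergency) + len(routine),
        "kev": len(emergency),
        "overdue": sum(1 for e in emergency if e["overdue"]),
        "routine": len(routine),
    }


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    emergency, routine = triage(SCAN_FINDINGS, kev, date(2024, 3, 1))
    for e in emergency:
        status = "OVERDUE" if e["overdue"] else "due " + e["due"].isoformat()
        print(f"EMERGENCY {e['host']} {e['cve']} CVSS {e['cvss']} {status}")
    for r in routine:
        print(f"routine   {r['host']} {r['cve']} CVSS {r['cvss']}")
    print(summarize(emergency, routine))
```

Run as of 2024-03-01, the CVSS 7.5 VPN finding lands at the top of the emergency queue as overdue with known ransomware use, while the CVSS 9.8 web finding, absent from KEV, stays in the routine queue. That inversion is the point of the distinction above: KEV membership, not severity score, drives BOD 22-01 deadlines. In production the same logic runs against the live feed rather than the embedded fragment.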
Workforce gap figures: job postings vs. structural shortfall
Cyberseek and similar workforce analyses rely on job posting data aggregated from employer listings. This methodology captures demand signal but does not account for positions that are budgeted but not yet posted, or roles that exist within organizations that do not publicly list open positions. Workforce shortage estimates are therefore lower-bound figures.
Sector-specific vs. cross-sector comparisons
Healthcare, finance, energy, and defense each operate under distinct mandatory reporting regimes. Comparing breach frequency or cost across sectors without normalizing for reporting obligations, organizational size, and data sensitivity produces category errors. The How to Use This Digital Security Resource page describes how sector-specific data is organized within this reference framework.
References
- FBI Internet Crime Complaint Center (IC3) — 2023 Internet Crime Report
- NIST National Vulnerability Database (NVD)
- NIST Cybersecurity Framework (CSF)
- NIST SP 800-12 Rev 1 — An Introduction to Information Security
- NIST National Initiative for Cybersecurity Education (NICE)
- CISA Known Exploited Vulnerabilities Catalog
- Cybersecurity and Infrastructure Security Agency Act of 2018 (Pub. L. 115-278)