Frequency vs. Impact: When More Attacks Don’t Mean Greater Damage
Question: Your report shows that the most targeted sectors aren't always the most impacted. What does that say about sector-wise cyber resilience? Why are some less-targeted sectors experiencing greater consequences?
Sofia Scozzari, CEO & Founder of HackManac
The following top 2025 frequency rankings in our latest global report
- Government
- Military
- Law Enforcement
- Manufacturing
- Professional Services
Ranking by average severity instead
- Healthcare
- Wholesale/ Retail
- Come out on top
Gov/ Military/ Law Enforcement drops out of the top ten entirely. That gap is the most important signal in cybersecurity when assessing risk: frequency and impact of cyber attacks show different angles.
At the same time, less-targeted sectors aren't automatically more resilient. What actually drives the divergence is the type of threat and the attacker type, which also gives us the motivation behind it.
Not all threats are built to cause the same damage.
Vulnerabilities, particularly zero-days, are arguably the single most dangerous category we track:
- Unknown to vendors by definition
- They have no available patch
- Which leaves periodic proactive testing of the systems as the only realistic way to find and solve them before a threat actor does.
"Multiple techniques," usually the signature of APT groups running state-sponsored cyber espionage or information warfare operations, represent the second most dangerous threat in our 2025 data.
Ransomware remains a serious and disruptive threat, particularly with double extortion, where data theft is layered on top of encryption.
DDoS and web attacks sit at the opposite end: high visibility, low average impact, the kind of threat that generates headlines without proportional damage.
Even if severity of cyber attacks can add a further perspective to the scenario, CISOs need to see where risk is heading, not just where it sits today. To solve this problem, this year we decided to add two metrics based on our Estimated Severity Index.
Impact Momentum tracks the period-over-period rate of change in average severity for a given sector, technique, or actor class, telling you whether risk in that cohort is accelerating, stabilizing, or declining.
The Quiet Shift Index, on the other hand, flags clusters of activity where damage is disproportionate to observed attack volume, surfacing the slow-building, under-the-radar shifts that precede a wave of major incidents, before they show up as a spike in your monitoring.
Used together, these four layers (volume, severity, acceleration, and concentration) offer a full perspective of the cyber scenario to a CISO, a security manager, or any decision maker in the company:
- How often the organization is hit
- How badly
- Whether it's getting worse
A sector or a vendor relationship that looks "quiet" on volume can still be accumulating risk that a frequency-only dashboard will never catch.
In cybersecurity, resilience depends on understanding your own specific threat scenario, in order to size your defense strategy to the damage you're actually exposed to.




