A curated list of annual cyber security reports - Centralized cybersecurity information free from sales nuisance.
Definition: The state of being secure has a temporal dimension which security vendors utilize to stay relevant. CIO, CISO, and security leaders are faced with the challenge of sifting the valuable information from marketing material. Most, if not all, of this information sits behind a marketing wall that requires your business email address, which will promptly be inundated with communication requests.
Disclaimer: The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. There are a variety of different business models and drivers that would cause information to be put behind a paywall, I would like to respect those companies and individuals. Consult the original authors for licensing of any report content.
Limitations: This is not a collection of project based information such as white papers, intelligence reports, technical specifications, or standards. I welcome all user submitted uploads or report requests, but we should draw a box around this awesome list. All reports will be sourced from the original author when possible and uploaded to Hybrid Analysis for an additional level of confidence, result link will be included in the readme.md commit notes.
Acknowledgement: I would like to give recognition for other works that inspired this collection. Richard Stiennon and his annual analysis of the cybersecurity industry is much more comprehensive than this repository. Rick Howard and his cyber cannon list of must read books is a tremendous resource, at both leadership and practitioner levels.
Reports have been classified into two categories by the source of data.
- Analysis: Reports generated from quantifying and qualifying intelligence from sensor networks or services.
- Survey: Reports generated from observations and feedback from surveys or consulting engagements.
Annual reports are composed by a combination of paid and non-profit research both internal and external to the organization. Examples of paid and government sponsored research are listed as research consulting. Examples of sponsored and non-profit research include professional societies and standards organizations which are listed as working groups. Both of these research resource types rely on sponsorship that’s often commercial.
- Forrester Research is an advisory company that offers paid research, consulting, and event services specialized in market research for information technology.
- Gartner is a technology research and consulting firm which offers private paid consulting as well as executive programs and conferences.
- MITRE Corporation is an American not-for-profit organization which conducts research and development supporting various U.S. government agencies.
- Ponemon Institute is considered the pre-eminent research center dedicated to privacy, data protection and information security policy.
- SANS Institute is a private U.S. for-profit company which conducts research for consumers of their cybersecurity training and certifications.
- (ISC)² is a non-profit organization which conducts research for consumers of their cybersecurity training and certifications.
- ISACA is an international professional association focused on IT governance, which conducts research for and on behalf of the members.
- OWASP is a professional community that produces research concerning web application security, made freely available to the online community.
- ISO is an international organizational body composed of representatives which conduct closed research for creation of standards.
Please refer to the guidelines at CONTRIBUTING.md for details.