
As the number and scale of cybersecurity incidents rise, the question for policymakers is no longer whether sectors are exposed, but rather which are most vulnerable—and why. For those responsible for risk assessment or regulatory oversight, clarity and precision matter. Narratives about cyber risk abound, but the task of translating these into actionable intelligence demands structured analysis. Here, the International Standard Industrial Classification (ISIC) system, though originally designed for economic analysis, offers a useful lens for categorizing and comparing cyber threats across industries.
The starting point is incident mapping. When a data breach or cybersecurity event is reported—whether by regulators, insurers, or the affected firms themselves—it is rarely classified according to sectoral coding standards. Instead, reports typically list the business name, a short sector description, perhaps an NAICS or SIC code in some regions, but less often the ISIC code used for international statistics. To move from anecdote to analysis, it is necessary to match each reported incident to an ISIC category, ideally at the four-digit level. This step can be tedious, involving cross-referencing business registers, scraping company websites, or relying on commercial datasets that already hold sectoral codes.
Take financial services (ISIC 6419) and IT services (ISIC 6201) as examples. Both are frequent targets for cybercriminals, though for different reasons and with differing patterns of incident. Mapping breach reports to these codes allows for more meaningful comparison, especially across jurisdictions where sector names and boundaries might otherwise differ. It also enables aggregation—summing incidents by ISIC code reveals which sectors are seeing the greatest absolute number of breaches, and, more tellingly, which have the highest incident rates relative to the number of firms operating in that sector.
But the real value comes from contextualizing breach data with firm-level information, especially firm size and revenue. A breach at a multinational bank is categorically different from one at a small local credit union, both in terms of potential impact and the likely regulatory response. Collecting or estimating firm size—whether by employee headcount, revenue band, or asset value—permits a more nuanced analysis. Datasets from business registries, tax authorities, or industry surveys can often be linked to incident reports via company identifiers or matching algorithms.
With this combined dataset, several avenues open up. One is to calculate incident rates per 1,000 firms by ISIC category, stratified by firm size. Another is to estimate the average and total losses per sector, either from published figures or, where unavailable, from modeling based on known breach costs. Both approaches help to identify sectors where not only the frequency but also the financial impact of breaches is disproportionate. For example, while IT services may see a high number of low-impact incidents, the rare breach in an energy utility or healthcare provider (ISIC 8610) can carry system-wide consequences.
Methodologically, some caution is required. Not all incidents are reported with equal diligence. Underreporting is a persistent problem, especially among small firms or in regions with weak regulatory mandates. The nature of the breach—ransomware, data theft, denial of service—may also affect reporting patterns, as may reputational concerns or ongoing litigation. Adjusting for likely underreporting, either through comparison with survey-based estimates or by applying correction factors based on sectoral reporting requirements, can improve the reliability of the analysis, though no method eliminates uncertainty altogether.
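The steps above, from mapped incidents through size-stratified rates to an underreporting adjustment, as an added worked example that is not part of the original article. It assumes the breach reports have already been matched to four-digit ISIC codes and to a firm-size band from a business register; the incident records, firm counts and correction factors are all constructed placeholders.

```python
from collections import defaultdict

# Constructed sample, not real data: breaches already matched to ISIC and size band.
INCIDENTS = [
    {"isic": "6419", "size": "large", "loss": 2_500_000},
    {"isic": "6419", "size": "small", "loss": 40_000},
    {"isic": "6201", "size": "small", "loss": 15_000},
    {"isic": "6201", "size": "small", "loss": 25_000},
    {"isic": "6201", "size": "large", "loss": 300_000},
    {"isic": "8610", "size": "large", "loss": 9_000_000},
]

# Constructed denominator: active firms per (ISIC code, size band).
FIRM_COUNTS = {
    ("6419", "small"): 800, ("6419", "large"): 50,
    ("6201", "small"): 4000, ("6201", "large"): 120,
    ("8610", "small"): 300, ("8610", "large"): 90,
}

# Assumed underreporting correction factors (>= 1.0) per ISIC code, as the text describes.
CORRECTION = {"6419": 1.1, "6201": 1.5, "8610": 1.2}


def sector_risk(incidents, firm_counts, correction):
    """Per (isic, size): reported and adjusted counts, adjusted incidents
    per 1,000 firms, and total / average reported loss."""
    counts, losses = defaultdict(int), defaultdict(int)
    for inc in incidents:
        counts[(inc["isic"], inc["size"])] += 1
        losses[(inc["isic"], inc["size"])] += inc["loss"]
    table = {}
    for key, firms in firm_counts.items():
        n = counts.get(key, 0)
        adjusted = n * correction.get(key[0], 1.0)
        table[key] = {
            "reported": n,
            "adjusted": adjusted,
            # Rate is undefined when the register lists no firms in the cell.
            "rate_per_1000": 1000 * adjusted / firms if firms else None,
            "total_loss": losses.get(key, 0),
            "avg_loss": losses.get(key, 0) / n if n else 0,
        }
    return table


def rank(table, metric):
    """Cells ordered by a metric, highest first; undefined (None) rates sort last."""
    return sorted(table, key=lambda k: (table[k][metric] is None,
                                        -(table[k][metric] or 0)))
```

Ranking the same table by `rate_per_1000` and by `total_loss` gives different leaders, which is the article's point: the small IT-services cell reports the most incidents, while the single hospital breach dominates losses.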
The goal is to move from raw counts to prioritized, risk-adjusted intervention. Regulators may use these insights to direct audits, update compliance guidance, or allocate resources for sector-specific support. Sectors with high incident rates but limited capacity to invest in cybersecurity—think small retailers (ISIC 4711) or local transportation firms (ISIC 4921)—may warrant proactive outreach or subsidized training programs. Conversely, sectors with high systemic risk, regardless of incident count, might demand stricter oversight or mandatory resilience testing.
For policymakers, integrating revenue data or firm scale into the mix adds further depth. A breach that affects firms representing a large share of sectoral turnover or critical infrastructure can justify stronger intervention than one that affects mostly micro-enterprises. Analysts should consider not just frequency, but concentration: a handful of breaches among the largest firms in a sector can have broader economic or national security implications than numerous incidents spread across smaller players.
The use of ISIC codes, when paired with rich firm-level data, also supports benchmarking across countries or regions. As more regulators standardize incident reporting and classification, international comparison becomes feasible. This not only highlights best practices but can also reveal outliers—sectors or geographies where incident rates are unusually high or low, signaling either unique vulnerabilities or perhaps simply differences in reporting.
There is, finally, an organizational challenge. Sectoral coding and incident reporting systems rarely speak the same language out of the box. Building and maintaining reliable mapping procedures, and ensuring that new types of incidents or business models are captured, requires ongoing collaboration between statistical offices, cybersecurity agencies, and industry groups. This work is not glamorous, but it underpins the more visible task of safeguarding economies against an evolving threat.
In the end, sectoral vulnerability to cyber risk is neither static nor uniform. Methodical, ISIC-based analysis provides a framework for seeing the problem in its true proportions—and, critically, for allocating limited regulatory attention where it will do the most good. The future will bring new threats, new business models, and perhaps new codes, but the need for clarity and precision in analysis will only grow.