Measuring Cyber Risk in the Italian Corporate Sector

A Banca d’Italia indicator of cybersecurity vulnerability designed to support creditworthiness evaluation

Tags: cybersecurity, risk management
The growing reliance of firms on digital systems has elevated cyber risk from a technical concern to a material source of economic and financial vulnerability. Cyber incidents can disrupt operations, compromise sensitive data, propagate through supplier networks, and generate persistent legal and reputational costs, with direct implications for firms’ cash flows and creditworthiness. Despite these effects, cyber risk remains largely absent from standard credit risk assessment frameworks, particularly for non-financial firms. This article reviews and discusses a recent contribution by Banca d’Italia that addresses this gap through the construction of a firm-level indicator of cyber risk vulnerability for Italian non-financial firms. The proposed indicator combines a novel, Italy-specific cyber risk taxonomy with large language models and natural language processing techniques applied to heterogeneous textual sources, including financial statements, press coverage, and cybersecurity industry reports. By systematically extracting and classifying cybersecurity-related information from these sources, the methodology transforms dispersed qualitative evidence into a structured measure of firm-level cyber vulnerability. Using data covering the period 2019–2024, the analysis documents a sharp increase in cyberattacks affecting Italian firms, persistent high levels of cyber risk vulnerability across sectors, and significant heterogeneity in firms’ exposure and adaptation. The evidence shows that cyber incidents have an immediate and dominant effect on measured vulnerability, while the mitigating impact of defensive measures, regulatory compliance, and organizational adaptations tends to emerge only gradually. Beyond reviewing the empirical findings, the article situates the proposed indicator within the broader architecture of credit risk evaluation, particularly the Banca d’Italia In-house Credit Assessment System (ICAS). 
It also introduces a structured taxonomy of cyber risk based on the causal chain linking assets, vulnerabilities, threats, incidents, impacts, and business consequences. This taxonomy clarifies how heterogeneous cybersecurity signals—such as attacks, certifications, governance practices, and defensive technologies—can be interpreted consistently within a unified analytical framework. Taken together, the discussion illustrates how systematic measurement of cyber risk can support the integration of non-traditional risk factors into firm-level credit evaluation, while providing a rigorous conceptual framework for understanding cyber risk as a multidimensional component of corporate vulnerability.
Author: Antonio Montano

Affiliation: 4M4

Published: January 24, 2026

Modified: March 4, 2026

Keywords: cyber risk, cybersecurity, cyber risk measurement, cyber risk taxonomy, cyber incidents, ransomware, data breach, corporate cybersecurity, cyber resilience, operational risk, credit risk assessment, probability of default, ICAS, Eurosystem collateral framework, Banca d’Italia, financial stability, non-financial firms, cyber risk indicator, natural language processing, large language models, text mining, risk analytics, supply chain cyber risk, information security, corporate governance, digital operational resilience

Introduction

The progressive digitalization of production processes, corporate governance, and supply chains has profoundly altered the risk profile of non-financial firms. Information systems have become essential productive assets, tightly interwoven with operational continuity, data integrity, and market access. As a result, cyber risk has evolved from a technical concern confined to information technology departments into a material source of economic and financial vulnerability. Cyber incidents can disrupt business operations, compromise sensitive information, propagate through supplier networks, and generate persistent reputational and legal costs, with direct implications for firms’ cash flows and creditworthiness. Yet, despite its growing relevance, cyber risk remains largely absent from standard credit risk assessment frameworks for non-financial firms.

This gap reflects both conceptual and empirical challenges. Cyber risk is inherently multidimensional, combining exposure to malicious attacks, organizational preparedness, regulatory compliance, and the effectiveness of technological and procedural defenses. Moreover, much of the relevant information is embedded in unstructured textual sources such as financial statements, press coverage, and cybersecurity reports, rather than in standardized quantitative indicators. Traditional risk models, which rely primarily on financial ratios and historical defaults, are ill-suited to capture these features. As a consequence, the contribution of cyber risk to firms’ vulnerability is often underestimated or entirely overlooked.

Columba et al. [1] address these challenges by developing a comprehensive indicator of cyber risk vulnerability for Italian non-financial firms, combining a novel, Italy-specific cyber risk taxonomy with large language models applied to financial statements, press coverage, and cybersecurity industry sources. The taxonomy captures six key dimensions of cyber risk: regulatory compliance, professional certifications, technological defenses, organizational processes, realized cyberattacks, and affiliations with national or international cybersecurity organizations. By systematically extracting and classifying information from financial statements, press articles, and specialized cybersecurity sources, the methodology transforms heterogeneous and unstructured textual data into a structured, firm-level measure of cyber vulnerability.

[1] See: Banca d’Italia. (2026). Measuring cyber risk in the Italian corporate sector: A cyber risk vulnerability indicator for non-financial firms (MISP No. 75). URL. Abstract: This work proposes an indicator of cyber risk vulnerability for Italian non-financial firms, applying natural language processing and a large language model to data extracted from financial statements, news reports, and cyber industry reports. The indicator is based on a taxonomy tailored to Italy, addressing dimensions of cyber risk that so far have not been considered within a unified methodological framework. The new taxonomy captures, for a large and heterogeneous sample of firms, the occurrence of cyberattacks, the degree of firms’ regulatory compliance and the utilization of cyber defence technologies and security certifications. The aptness of including cyber risk in credit risk models is suggested by the data on cyberattacks in Italy, which have been on the rise since 2019. The negative impact of cyber incidents on firms’ vulnerability in the aftermath of an attack outweighs the mitigating effects of defensive actions, which require some time to have an impact. Also, firms tend to increase the amount of information on cyber risk in official reporting only after suffering an attack. Overall, the findings indicate that cyber risk may have material effects on business continuity and, hence, it has to be incorporated into credit risk assessments.

The empirical analysis covers the period from 2019 to 2024 and documents a sharp increase in both the frequency and diversity of cyberattacks affecting Italian non-financial firms. The results show that cyber risk is widespread and persistent across sectors, with particularly high exposure in manufacturing, professional services, and wholesale and retail trade. The proposed cyber risk index remains elevated over time, suggesting structural weaknesses in firms’ cybersecurity posture. Moreover, the evidence indicates that the negative impact of cyber incidents on firms’ vulnerability in the aftermath of an attack outweighs, in the short term, the mitigating effects of defensive actions, which tend to materialize only gradually. Firms also appear to increase the quantity and granularity of cybersecurity disclosure in their financial statements primarily after experiencing a cyberattack, highlighting the limits of self-reported information as a forward-looking risk signal.

By offering a systematic and replicable approach to measuring cyber risk exposure, this work contributes to the growing literature on the financial implications of cyber threats. More importantly, it lays the groundwork for the integration of cyber risk into credit risk assessment frameworks, such as the Banca d’Italia’s In-house Credit Assessment System. In doing so, the paper advances the view that cyber risk should be treated as a core component of firms’ overall risk profile, rather than as an external or ancillary consideration, and that modern risk assessment must increasingly rely on advanced analytical tools capable of extracting economic meaning from complex, unstructured data sources.

Empirical findings

The empirical analysis provides a comprehensive picture of the exposure of Italian non-financial firms to cyber risk and of the dynamics linking cyber incidents, disclosure behavior, and measured vulnerability. The findings consistently point to cyber risk as a structural and persistent feature of firms’ risk profiles rather than a transitory or idiosyncratic phenomenon.

Rising frequency and sectoral concentration of cyberattacks

The first salient result concerns the sharp increase in cyberattacks affecting non-financial firms over the period 2019–2024. The number of documented incidents in the sample rises from 14 in 2019 to 232 in 2023, with preliminary evidence for 2024 confirming that cyber risk remains elevated. On average, during the most recent years of the sample, one firm assessed within the In-house Credit Assessment System (ICAS) perimeter experiences a cyberattack approximately every two days. This acceleration mirrors international threat intelligence but is particularly relevant given that the sample is dominated by non-listed firms, which are typically less visible in global datasets.

Cyberattacks are unevenly distributed across sectors. Manufacturing emerges as the most affected sector, both in absolute terms and in growth rates, reflecting the expanded attack surface created by the diffusion of Industry 4.0 technologies and the convergence of IT and operational technology environments. Professional, scientific and technical services, wholesale and retail trade, and vehicle repair also exhibit high exposure, consistent with their reliance on digital processes, customer data, and extended supply chains. These patterns confirm that cyber risk is shaped by sector-specific operational models rather than by firm size alone.

Typology of attacks and underlying threat structure

The composition of cyberattacks further clarifies the nature of firms’ exposure. Ransomware is the most prevalent and severe threat across the sample, particularly in manufacturing, professional services, and retail sectors, where operational disruptions can be rapidly monetized by attackers. Data breaches are widespread across all sectors, indicating persistent weaknesses in data protection and access control. Phishing and malware attacks are especially prominent in sectors characterized by intensive human interaction with digital systems, highlighting the role of human vulnerability alongside technical flaws. The presence of advanced persistent threats, though limited to specific sectors such as manufacturing and mining, signals that some firms attract highly sophisticated adversaries targeting strategic assets and industrial know-how. Overall, the distribution of attack types aligns closely with EU and international threat assessments, providing external validation of the dataset.

Persistently high cyber risk vulnerability

The construction of the cyber risk index reveals a second critical finding: firms’ vulnerability remains persistently high throughout the observation period. After normalization, the average index value fluctuates narrowly around 82–83 between 2020 and 2023, with no evidence of a meaningful downward trend. This stability at elevated levels suggests that improvements in cybersecurity practices are, at best, keeping pace with the increasing intensity and sophistication of cyber threats rather than reducing overall exposure.

Distributional analysis reinforces this interpretation. Most firms cluster in the upper segment of the risk scale, with median values consistently above 85 and a narrow interquartile range. While the standard deviation of the index increases over time, indicating growing heterogeneity across firms, the lower tail of the distribution improves only marginally. The persistence of high maximum values close to 100 across all years further indicates that a subset of firms remains extremely vulnerable despite regulatory pressure and increasing awareness.

Structural weaknesses and uneven adaptation

The increase in dispersion of the cyber risk index points to diverging trajectories among firms. Some firms appear to strengthen their cybersecurity posture through investments in technologies, processes, and compliance mechanisms, while others lag behind, either due to limited capabilities, insufficient incentives, or organizational constraints. This heterogeneity suggests that cyber risk is not solely a function of external threats but also of internal governance, resource allocation, and strategic priorities. Importantly, the aggregate profile shows limited improvement, indicating that firm-level adaptations are insufficient to offset systemic exposure.

Sample coverage and representativeness

The analysis is based on the population of non-financial firms assessed within the Banca d’Italia’s ICAS and therefore does not aim to represent the entire Italian corporate sector. The sample is skewed toward medium and large firms, which account for the majority of observations, while micro and small enterprises are underrepresented. This reflects the ICAS perimeter and the availability of detailed financial statements, rather than a selection bias introduced by the methodology.

Disclosure dynamics and post-incident behavior

A central contribution of the paper lies in the analysis of how firms react to cyber incidents. The evidence shows that firms significantly increase both the volume and the diversity of cybersecurity-related disclosures in their financial statements following a cyberattack. Statistical tests confirm that references to regulations, certifications, technologies, processes, and even past attacks increase markedly in the post-incident reporting period. This behavior suggests that cyber incidents act as catalysts for disclosure and, in some cases, for formalizing cybersecurity practices.

However, this enhanced disclosure does not translate into an immediate reduction in measured vulnerability. On the contrary, the cyber risk index increases significantly after an attack. This result reflects the asymmetric weighting embedded in the scoring system: realized cyber incidents carry a larger negative contribution than the positive signals associated with defensive actions or compliance. The finding underscores a key empirical insight of the paper: the detrimental impact of a cyberattack on firms’ vulnerability outweighs, in the short term, the mitigating effects of post-incident responses.

Delayed effectiveness of defensive measures

The post-attack increase in the cyber risk index highlights the temporal mismatch between exposure and mitigation. While firms often react to incidents by strengthening governance structures, adopting technologies, or pursuing certifications, these measures require time to become operationally effective and to be reflected in observable outcomes. The index captures this lag by showing that defensive signals only partially offset the penalty associated with an attack within the same reporting window. This dynamic suggests that cyber resilience is cumulative and path-dependent rather than immediately responsive.

Robustness and validation

The paper evaluates the robustness of the proposed cyber risk indicator through multiple validation exercises. These include human audits of large language model classifications, sensitivity analyses based on perturbations of taxonomy weights, and comparisons with external benchmarks. The results show that the indicator remains stable under alternative specifications and that its main empirical patterns are not driven by model artefacts or classification noise.

Implications for risk assessment

Taken together, the findings indicate that cyber risk is a material, persistent, and unevenly distributed source of vulnerability for non-financial firms. The empirical evidence supports the inclusion of cyber risk in credit risk assessment frameworks, as cyber incidents have the potential to impair business continuity, affect financial performance, and increase default risk. Moreover, the reliance on external sources in addition to firms’ self-disclosure proves essential, as firms tend to provide more detailed information only after experiencing an attack. This reinforces the value of the integrated, AI-driven approach proposed by the authors in capturing both latent and realized dimensions of cyber risk.

Banca d’Italia’s credit evaluation framework

The analysis is explicitly framed within the context of credit risk assessment, although the paper does not estimate the impact of cyber risk on default probabilities. Instead, it develops a firm-level cyber risk vulnerability indicator intended to support future integration into existing credit evaluation frameworks, in particular the ICAS.

The paper documents that cyber incidents affecting non-financial firms have material consequences for business continuity, operational performance, and financial stability. These consequences are identified through the observed increase in cyber risk vulnerability following an attack and through the persistence of high vulnerability levels across firms and sectors. The authors emphasize that cyber incidents can disrupt operations, impair cash flows, and generate reputational and legal costs, which are factors traditionally associated with deteriorations in firms’ creditworthiness.

Within this framework, the cyber risk index is constructed as a synthetic measure that captures both realized cyber incidents and firms’ defensive and organizational characteristics. The index increases in response to confirmed cyberattacks and decreases with evidence of regulatory compliance, technological defenses, and structured cybersecurity processes. The asymmetric weighting of these components reflects the empirical observation that the negative effect of cyber incidents on vulnerability dominates, in the short term, the mitigating contribution of defensive actions.

The paper further shows that firms tend to increase the disclosure of cybersecurity-related information in their financial statements after experiencing a cyberattack. While this behavior signals heightened awareness and formalization of cybersecurity practices, the measured cyber risk vulnerability nonetheless increases in the post-attack period. This result is explicitly attributed to the scoring mechanism and to the empirical finding that defensive measures require time to produce observable effects, whereas the occurrence of an attack represents an immediate and concrete signal of vulnerability.
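The scoring logic described in the two preceding paragraphs can be made concrete with a small Python model. This is an added illustration, not code from the paper or from Banca d’Italia: the six dimension names follow the taxonomy described on the page, but the weights, the baseline, the min-max normalisation and the firm-year records are constructed assumptions chosen only to reproduce the qualitative pattern (an attacked firm widens its disclosure, yet its index rises in the attack year and falls only in the following year).

```python
"""Toy cyber risk vulnerability index with asymmetric weights (added example).

Dimension names follow the page's taxonomy; every weight, the baseline,
the normalisation and the firm-year records are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# One realized attack outweighs any single defensive signal by design
# (assumed weights, chosen for illustration only).
WEIGHTS: Dict[str, float] = {
    "attack": 30.0,         # realized cyberattack: raises vulnerability
    "regulation": -4.0,     # evidence of regulatory compliance
    "certification": -5.0,  # security certification held
    "technology": -3.0,     # defensive technology adopted
    "process": -3.0,        # structured cybersecurity process
    "affiliation": -2.0,    # membership of a cybersecurity organisation
}
DEFENSIVE = [k for k in WEIGHTS if k != "attack"]
BASELINE = 80.0  # assumed level before any classified statement is counted


@dataclass
class FirmYear:
    firm: str
    year: int
    # number of classified statements per dimension (constructed values)
    signals: Dict[str, int] = field(default_factory=dict)

    def count(self, dim: str) -> int:
        return self.signals.get(dim, 0)


def raw_score(rec: FirmYear) -> float:
    """Baseline plus weighted signal counts; higher means more vulnerable."""
    return BASELINE + sum(WEIGHTS[d] * rec.count(d) for d in WEIGHTS)


def disclosure_breadth(rec: FirmYear) -> int:
    """Distinct defensive dimensions the firm reports on in that year."""
    return sum(1 for d in DEFENSIVE if rec.count(d) > 0)


def normalise(raw: Dict[Tuple[str, int], float]) -> Dict[Tuple[str, int], float]:
    """Min-max rescaling of raw scores to a 0-100 index across the sample."""
    lo, hi = min(raw.values()), max(raw.values())
    if hi == lo:
        return {k: 50.0 for k in raw}
    return {k: round(100.0 * (v - lo) / (hi - lo), 1) for k, v in raw.items()}


def compute_index(records: List[FirmYear]) -> Dict[Tuple[str, int], float]:
    """Firm-year index: raw asymmetric score, then sample-wide normalisation."""
    return normalise({(r.firm, r.year): raw_score(r) for r in records})


# Constructed sample: ALFA is attacked in 2022 and widens its disclosure
# from that year on; BETA discloses nothing and is attacked in 2022.
SAMPLE = [
    FirmYear("ALFA", 2021, {"regulation": 1, "technology": 1, "process": 1}),
    FirmYear("ALFA", 2022, {"attack": 1, "regulation": 3, "certification": 1,
                            "technology": 3, "process": 2, "affiliation": 1}),
    FirmYear("ALFA", 2023, {"regulation": 3, "certification": 1,
                            "technology": 3, "process": 2, "affiliation": 1}),
    FirmYear("BETA", 2021, {}),
    FirmYear("BETA", 2022, {"attack": 1}),
]

if __name__ == "__main__":
    idx = compute_index(SAMPLE)
    for rec in SAMPLE:
        print(f"{rec.firm} {rec.year}: breadth={disclosure_breadth(rec)} "
              f"raw={raw_score(rec):.1f} index={idx[(rec.firm, rec.year)]}")
```

Running the script shows ALFA’s disclosure breadth jumping from three to five dimensions in 2022 while its index still rises (raw score 70 to 76), because the single attack term outweighs the extra defensive signals; in 2023, with the same defensive profile and no new attack, the index drops to the bottom of the sample. The lag the paper describes is therefore a property of the weighting, not of the disclosure volume.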

The authors state that the cyber risk index provides a basis for the future incorporation of cyber risk into probability-of-default estimation within ICAS. In operational terms, they outline that the indicator can be mapped into a firm-specific probability of experiencing a cyberattack and that the associated expected losses can be simulated and embedded into stressed financial statements. The resulting stressed financial information would then be used to derive a cyber-risk-adjusted probability of default, which would complement existing statistical and expert-based components of the ICAS framework.

Consistent with the scope of the paper, these elements are presented as methodological positioning rather than as empirical results. The contribution of the paper is therefore limited to the construction, validation, and empirical characterization of the cyber risk vulnerability indicator, while the quantitative estimation of its impact on credit risk metrics is explicitly left for future work.

Appendix A — Cyber risk

Definition adopted in the paper

For the purposes of this article, the definition of cyber risk strictly follows the conceptualization adopted in Measuring cyber risk in the Italian corporate sector: A cyber risk vulnerability indicator for non-financial firms. Cyber risk is defined as:

Any risk emerging from intentional attacks on information and communication technology systems that compromises the confidentiality, availability or the integrity of data or services.

This definition is explicitly adopted by the authors from Giudici and Raffinetti [2] and is used consistently throughout the paper as the conceptual basis for the taxonomy, the algorithmic framework, and the construction of the cyber risk vulnerability indicator. It deliberately excludes accidental system failures, natural hazards, or purely operational disruptions not attributable to malicious intent.

[2] See: Giudici, P., & Raffinetti, E. (2021). Cyber risk ordering with rank-based statistical models. AStA Advances in Statistical Analysis, 105(4), 469–484. DOI

Cyber risk in practice: a business-level overview

Cyber risk can be understood as the exposure that arises from the reliance of organizations on digital systems, data, and interconnected technologies for the execution of business processes.

Every modern organisation depends on information systems to manage customers, suppliers, finances, production, and decision-making. That dependency creates exposure: if digital systems are disrupted, compromised, or misused, the business may no longer be able to operate as intended. Cyber risk captures this possibility and the consequences that may follow.

Unlike purely technical failures, cyber risk is not limited to software bugs or hardware breakdowns. It includes deliberate malicious actions, human error, weaknesses in processes, and dependencies on third parties. For this reason, cyber risk is best understood as a business risk with technological roots, rather than as a purely technical issue.

Where cyber risk comes from

Cyber risk arises when four elements intersect.

First, there are assets. These are the things the business relies on and wants to protect: data, systems, services, intellectual property, and digital platforms that support daily operations.

Second, there are threats. These are events or actors that could cause harm, such as criminal attacks, fraud, insider misuse, or failures originating in suppliers and service providers.

Third, there are vulnerabilities. These are weaknesses that allow threats to materialise. Vulnerabilities can be technical, such as unpatched systems; organisational, such as unclear responsibilities; or human, such as lack of awareness or poor security practices.

Finally, there is impact. Impact refers to what would happen if a cyber event occurred. This may include operational downtime, financial loss, regulatory penalties, reputational damage, or loss of trust.

Cyber risk exists when valuable assets are exposed to credible threats through exploitable vulnerabilities in a way that could cause meaningful harm to the organisation.

Cyber risk versus cyber incidents

A cyber incident is an event that has already happened, such as a ransomware attack or a data breach.

An organisation may face significant cyber risk simply because it depends heavily on digital systems and lacks adequate safeguards, regardless of whether it has experienced an incident in the past. From a business perspective, cyber risk is therefore about exposure and preparedness, not just about reacting to past events.

Why cyber risk is a business issue

Cyber risk affects an organisation’s ability to achieve its objectives. It can interrupt operations, affect revenue, increase costs, and create legal or regulatory consequences. For these reasons, cyber risk belongs alongside financial, operational, and compliance risks.

Managing cyber risk requires decisions about priorities, investments, and acceptable levels of residual risk. These decisions cannot be made by technical teams alone. They require involvement from senior management and boards, who are responsible for understanding how digital dependencies support the business and what would happen if those dependencies were disrupted.

In practice, cyber risk is as much about governance and decision-making as it is about technology.

How organisations typically manage cyber risk

In most organisations, managing cyber risk follows the same logic used for other types of business risk.

The process usually starts by identifying what is critical to the organisation and what it depends on digitally. From there, attention is given to the most plausible ways those dependencies could fail or be exploited, and to the consequences such failures would have.

Not all risks can or should be eliminated. The objective is to reduce risk to a level that is understood and acceptable, using a combination of technical controls, processes, training, and oversight. Some level of residual cyber risk is inevitable and must be consciously accepted rather than ignored.

How this perspective relates to the article

The paper discussed in this article focuses on one specific and measurable dimension of cyber risk: exposure to intentional cyberattacks and the organisational factors associated with vulnerability. This narrow focus allows cyber risk to be quantified and compared across firms.

The broader perspective outlined in this appendix provides the practical context in which such measurement makes sense. It explains why cyber risk matters to business leaders and how it fits into everyday risk management and governance decisions.

Together, the two perspectives address both how cyber risk can be measured and why it matters for organisations.

Appendix B — Banca d’Italia ICAS: current role and future relevance for cyber risk

What ICAS is, in the Eurosystem context

The In-house Credit Assessment System operated by Banca d’Italia (often referred to as ICAS-BI) is a creditworthiness assessment system for Italian non-financial corporations. It is part of the Eurosystem credit assessment framework used to ensure that assets mobilised as collateral in monetary policy operations meet required credit standards [3].

[4] See: Banca d’Italia (2021). Overview of central banks’ in-house credit assessment systems in the euro area (MISP No. 13). URL; Banca d’Italia (2020). The in-house credit assessment system of Banca d’Italia (QEF No. 586). URL

In practice, ICAS enables banks to mobilise as collateral certain credit claims (loans to non-financial firms) that might not be covered by other credit assessment sources. This role is especially relevant for banks that do not have internal ratings-based models and rely on external sources accepted within the Eurosystem collateral framework. Banca d’Italia has operated ICAS since 2013 [4].

What ICAS produces and how outputs are used

Banca d’Italia’s public documentation emphasises that ICAS is used by banks in the collateral context and that outputs are not published as a full public rating list. The system does not disclose the list of assessed firms, nor the detailed ratings or estimated probabilities of default. Instead, counterparties are informed of the Credit Quality Step (CQS) assigned to the firm within the Eurosystem credit assessment framework. These CQS categories are mapped to internal probability-of-default estimates but do not constitute publicly disclosed ratings comparable to those issued by commercial credit rating agencies.

ICAS assessments are used by commercial banks to support the mobilisation of loans as collateral in Eurosystem monetary policy operations, and to quantify the credit risk of those pledged loans within the collateral framework.

The internal architecture: statistical model plus expert assessment

Recent Banca d’Italia publications describe ICAS-BI as combining a statistical engine with an expert assessment module [5].

[5] See: Banca d’Italia (2025). The use of Banca d’Italia’s credit assessment system for Italian non-financial firms within the Eurosystem’s collateral framework (MISP No. 60). URL

A key reference states that ICAS-BI uses a statistical model producing monthly one-year probabilities of default for around 370,000 firms, and complements this with analysts’ expert assessments for a subset of roughly 4,000 firms per year.

A separate 2026 methodological note reiterates that the system consists of a statistical model (S-ICAS) and analysts’ evaluation, and compares S-ICAS with machine learning and deep learning alternatives [6].

[6] See: Banca d’Italia (2026). Credit Risk Assessment with Stacked Machine Learning (MISP No. 73). URL

“Future” in scope: what is explicitly stated in the cyber risk paper

The Banca d’Italia paper explicitly frames the proposed cyber risk vulnerability indicator as a potential future input into the ICAS expert assessment workflow. The authors state that further developments may involve integrating the cyber risk index, and a corresponding cyber risk–adjusted probability of default, into the set of early warning indicators monitored by analysts within the expert assessment module of ICAS.

This is the only forward-looking element discussed in this article that is directly grounded in the source paper. It reflects an explicit statement by the authors and should be interpreted as methodological positioning rather than as evidence of current implementation or empirically validated impact on credit risk metrics.

Appendix C — Toward a structured taxonomy of cyber risk in the Italian corporate sector

Why a taxonomy is needed

The article discusses cyber risk as a multidimensional source of business vulnerability. That is correct, but multidimensionality creates an immediate methodological problem: the observed cyber-related facts are heterogeneous. A ransomware attack, a missing access control, compliance with regulation, an external certification, and a weak supplier are not observations of the same logical type. Without a taxonomy, they remain analytically adjacent but conceptually unordered.

For measurement purposes, cyber risk must therefore be decomposed into at least five distinct layers:

  1. what is exposed,
  2. what is weak,
  3. what can act against it,
  4. what actually happened,
  5. what business consequence followed.

This decomposition is consistent with ACN’s official distinction among assets, vulnerabilities, threats, events and incidents, and with ACN’s organization of cybersecurity capabilities into governance, asset management, risk management, identity and access management, security architecture and operations, event, threat and incident management, workforce management, and business continuity and disaster recovery.

Taxonomic principle

The taxonomy proposed here is layered. Each cyber-related statement should be classified according to the layer to which it belongs, not merely according to the vocabulary used in the sentence.

A complete cyber risk statement has the following structure: a threat actor or threat mechanism exploits a vulnerability affecting an asset through a given attack path, generating an event or incident, with effects on confidentiality, integrity, availability, authenticity, or continuity, which then produce operational, financial, legal, strategic, or reputational consequences.

That structure is more rigorous than a flat list of attack types because it preserves causal order. ACN’s own materials support the distinction between observable event, threatening circumstance, exploitable weakness, and incident requiring response and communication [7].

Proposed taxonomy for the risks cited in the article

Layer 1 — Asset and exposure domain

This layer identifies the assets and operational environments on which the firm depends and through which cyber risk exposure emerges. It answers the question: where can cyber risk materialize.

The primary classes are:

  • Operational technology and production environments. This includes industrial control, production systems, plant level automation, and cyber physical dependencies. It is relevant whenever the article refers to disruption of operations, manufacturing exposure, or convergence between IT and OT. ACN’s emphasis on asset identification and protection supports the need to distinguish this exposure class explicitly8.

  • Enterprise IT systems. This includes servers, endpoints, business applications, networks, cloud workloads, and collaboration platforms. It covers the general digital substrate of the firm9.

  • Data estates. This includes customer data, employee data, financial data, trade secrets, intellectual property, and regulated datasets. This class is necessary for statements concerning data breaches, sensitive information compromise, or access control failures. ACN’s incident and vulnerability framing supports treating data compromise as distinct from simple service disruption10.

  • Third party and supply chain dependencies. This includes software vendors, managed service providers, cloud providers, outsourced operations, and digital counterparties. ACN’s cyber risk management references third party and supply chain risk management explicitly, and ACN public reporting also highlights supply chain attacks as a meaningful class11.

  • Identity perimeter. This includes user identities, administrator identities, privileged accounts, service accounts, and authentication mechanisms. ACN treats identity and access management as a separate cybersecurity domain, so it should also be a separate exposure class in the appendix12.

8 See: Domini della cybersicurezza - Asset Management (ACN cybersecurity domains). Abstract: Within the cybersecurity domains, Asset Management is the set of practices aimed at identifying, classifying, configuring and protecting an organization’s assets. Its purpose is to secure all of the organization’s assets against cyber attack vectors. The capabilities in this domain derive from the interaction of processes and controls that, on one side, identify which assets must be protected and where they are located and, on the other, track and monitor the changes and updates those assets undergo. Developing cybersecurity capabilities in this domain involves several activities, chief among them: (i) creating and maintaining the asset inventory, (ii) classifying assets and (iii) configuration management.

9 See: Domini della cybersicurezza - Security Architecture, Engineering and Operations (ACN cybersecurity domains). Abstract: The Security Architecture, Engineering and Operations domain is aimed at designing, implementing and maintaining the organization’s architecture, made up of all the components that contribute to maintaining cybersecurity, in order to keep cyber risk within the accepted level. In other words, this domain helps an organization plan cybersecurity holistically and in an integrated way. The capability derives from the definition of a cybersecurity infrastructure that matches the characteristics and needs of the organization as well as the security requirements identified. The domain comprises high-level activities whose purpose is to identify and coordinate a set of technological solutions, processes and controls that ensure the confidentiality, integrity and availability of information and protect it from cyber threats. Developing cybersecurity capabilities in this domain involves several activities, chief among them: (i) defining security requirements, (ii) security by design, (iii) security by default, (iv) patching and (v) backup.

10 See: Domini della cybersicurezza - Event, Threat and Incident Management (ACN cybersecurity domains). Abstract: The Event, Threat and Incident Management domain is the set of practices aimed at identifying, classifying, responding to and communicating cyber events. The activities in this domain serve to detect and analyse anomalous events, verify whether security incidents are present and proceed with their management and containment. The capability derives from the interaction of processes and controls that, on one side, prevent incidents by monitoring what happens inside the organization and, on the other, define how cyber attacks are to be responded to and contained. Developing cybersecurity capabilities in this domain involves several activities, chief among them: (i) event monitoring, (ii) Cyber Threat Intelligence (CTI), (iii) incident management and (iv) reporting.

11 See: Domini della cybersicurezza – Cyber Risk Management (ACN cybersecurity domains). Abstract: The Cyber Risk Management domain is the set of practices aimed at keeping cyber risk within a given level, in line with the assessments carried out and the organization’s objectives. Developing security capabilities in this domain involves several activities, including: (i) identifying and analysing cyber risk, (ii) treating cyber risk, (iii) communicating cyber risk and (iv) managing third-party cyber risk. Cyber Risk Management is integrated into the organization-wide Enterprise Risk Management (ERM) and aims to define and implement a cyber risk management programme that minimizes the chance that the organization is harmed by cyber attacks.

12 See: Domini della cybersicurezza - Identity and Access Management (ACN cybersecurity domains). Abstract: The Identity and Access Management domain is aimed at governing and enabling the mitigation of the risk of uncontrolled access to organizational resources. The capability derives from the interaction of processes and controls that ensure, first, that user accounts are created, configured and decommissioned in accordance with organizational procedures; that each account is granted only the permissions needed for the activities of the role held within the organization; and that, for every resource in the organization, the most appropriate authentication methods are defined according to the criticality of the resource. Developing cybersecurity capabilities in this domain involves several activities; the main ones considered here are: (i) account provisioning, (ii) account review, (iii) definition of authentication methods and (iv) account deprovisioning.

Layer 2 — Vulnerability and weakness domain

This layer classifies the condition that makes harm possible. It answers the question: what weakness is present.

The main classes are:

  • Technical vulnerabilities. Software flaws, exposed services, weak configurations, missing patches, insecure protocols, and implementation defects. ACN’s glossary and related guidance treat vulnerabilities as weaknesses in software, hardware, or processes that can be exploited.

  • Identity and access weaknesses. Weak authentication, inadequate authorization, excessive privileges, poor credential hygiene, absence of segregation of duties, or unmanaged privileged access. This class is justified by ACN’s dedicated IAM domain.

  • Architectural weaknesses. Flat networks, insecure trust relationships, poor segmentation, insecure remote access, inadequate hardening, or control misplacement. ACN’s Security Architecture, Engineering and Operations domain directly supports separating architecture from mere technology presence.

  • Organizational and process weaknesses. Missing policies, weak governance, inadequate incident handling, poor risk assessment, undefined roles, weak supplier governance, and immature change management. ACN’s glossary explicitly notes that vulnerabilities may also be organizational and process related, and ACN governance material reinforces this distinction13.

  • Human and workforce weaknesses. Low awareness, susceptibility to phishing, procedural noncompliance, and insufficient training. ACN has a dedicated workforce management domain, which makes this a proper category rather than a residual one14.

  • Continuity and recovery weaknesses. Weak backup design, poor recovery procedures, lack of tested continuity plans, and inability to restore critical services quickly. ACN treats business continuity and disaster recovery as a separate domain, so resilience gaps belong here15.

13 See: Domini della cybersicurezza - Cybersecurity Governance (ACN cybersecurity domains). Abstract: The Cybersecurity Governance domain is the set of practices aimed at defining and directing cybersecurity activities through the development of a strategy that allows the organization’s objectives and mission to be achieved. That strategy must also be monitored and updated to stay aligned with objectives and with the organizational context, both of which may change over time. The domain is further aimed at organizing and regulating the cybersecurity activities carried out within the organization through policies that set the requirements to be met in order to guarantee organizational resilience. Developing cybersecurity capabilities in this domain involves several activities, chief among them: (i) defining the cybersecurity strategy, (ii) monitoring the cybersecurity strategy and (iii) defining and maintaining organizational policies.

14 See: Domini della cybersicurezza - Workforce Management (ACN cybersecurity domains). Abstract: The Workforce Management domain is aimed at planning policies and procedures that guarantee the cybersecurity of employees within the organization and at managing both internal and external personnel. The purpose of this domain is to reduce the risk of cyber attacks, protect the organization’s sensitive data and information, regularly monitor and update security policies and procedures and, in general, create a cybersecurity culture within the organization. Developing cybersecurity capabilities in this domain involves several activities, chief among them: (i) screening and hiring, (ii) onboarding and offboarding, (iii) training and awareness and (iv) assignment of roles and responsibilities.

15 See: Domini della cybersicurezza - Business Continuity and Disaster Recovery (ACN cybersecurity domains). Abstract: The Business Continuity and Disaster Recovery domain is aimed at guaranteeing operational continuity and the rapid restoration of critical IT infrastructure and data and, in general, at minimizing the disruption that follows an interruption or a disaster. Business Continuity activities aim to maintain the continuity of essential operations when crises or security incidents make systems unavailable for some period of time. Disaster Recovery activities aim to guarantee the capability to restore compromised systems as quickly and safely as possible. The domain also includes testing activities that verify the completeness and effectiveness of the procedures defined to ensure Business Continuity and Disaster Recovery. Developing cybersecurity capabilities in this domain involves several activities, chief among them: (i) carrying out the Business Impact Analysis (BIA), (ii) Disaster Recovery and (iii) testing of Disaster Recovery plans.

Layer 3 — Threat and attack mechanism domain

This layer classifies what hostile or harmful mechanism acts on the weakness. It answers the question: what kind of adverse action is being attempted or executed.

The classes include:

  • Ransomware. The article already identifies ransomware as the dominant and most severe class in many sectors. ACN public references also identify ransomware as a central threat category in national reporting.

  • Malware more broadly. This includes trojans, remote access tools, infostealers, loaders, wipers, and other malicious code families. ACN publications refer explicitly to remote access trojan (RAT) and infostealer categories.

  • Phishing and social engineering. This includes phishing, spear phishing, and related credential theft or deception based mechanisms. ACN’s own published taxonomy explicitly defines phishing.

  • Data exfiltration and unauthorized access. This includes attacks whose core objective is theft or unauthorized acquisition of data or credentials. It is distinct from ransomware because the primary consequence is confidentiality loss rather than immediate extortion or unavailability. ACN’s glossary distinction among event, incident, and vulnerability supports this class even though ACN does not use the exact label “data exfiltration”.

  • Distributed denial of service. ACN’s published taxonomy explicitly includes DDoS as a defined category.

  • Supply chain compromise. ACN’s published taxonomy also includes supply chain events as a distinct class, defined by the use of a supplier as the attack vector. This is important because it is not reducible either to malware or to misconfiguration alone.

  • Advanced persistent threat activity. The article refers to advanced persistent threats as a limited but important class affecting strategic sectors. This belongs under a threat sophistication class characterized by persistence, targeting, and operational discipline rather than by a single technical payload. ACN public materials refer to APT related categories.

Layer 4 — Event and incident domain

This layer classifies what actually happened in observable terms. It answers the question: what occurrence was registered.

Following ACN’s distinction, an event is any observable cyber occurrence in a network or information system, while an incident is an event with actual or potential adverse impact requiring management, response, and communication. This distinction is critical for this appendix because the indicator discussed in the article combines realized attacks and broader vulnerability signals in a single measure.

The practical classes are:

  • Suspicious event. Observable anomaly, alert, or indicator without confirmed business impact.

  • Security event with technical confirmation. Confirmed malicious activity or compromise indicator.

  • Cyber incident. Confirmed occurrence with effect on systems, services, data, or operations.

  • Major incident. Incident with material disruption, broad propagation, or significant business consequence. ACN’s notification related materials and incident taxonomy context support the importance of distinguishing notifiable or significant incidents from minor technical events.

Layer 5 — Impact domain

This layer classifies what security property or business function is affected. It answers the question: what damage dimension is involved. These impact categories correspond to the fundamental security properties traditionally used in information security analysis, particularly the confidentiality, integrity, and availability principles, extended to include authenticity and operational continuity in modern cyber-physical environments.

The core classes are:

  • Confidentiality impact. Unauthorized disclosure or theft of information.

  • Integrity impact. Unauthorized alteration, corruption, or falsification of data, systems, or decisions.

  • Availability impact. Service interruption, system outage, encryption of assets, denial of access, or impaired production.

  • Authenticity or trust impact. Compromise of identities, credentials, signatures, or trusted communication channels.

  • Operational continuity impact. Inability to continue critical business or industrial processes. ACN’s business continuity and disaster recovery domain supports treating continuity loss as a first class impact domain.

Layer 6 — Business consequence domain

This layer classifies why the incident matters economically. It answers the question: what firm level consequence follows.

The main classes are:

  • Operational disruption. Production stoppage, logistics disruption, inability to serve customers, delay in service delivery.

  • Financial loss. Direct remediation cost, ransom related cost, loss of revenue, cash flow stress, contractual penalties.

  • Legal and regulatory consequence. Notification obligations, regulatory scrutiny, sanctions exposure, litigation, and noncompliance cost. ACN’s NIS material and related obligations support the relevance of the compliance consequence class16.

  • Reputational consequence. Trust erosion with clients, suppliers, lenders, or markets.

  • Strategic consequence. Loss of intellectual property and industrial know-how, negotiating power, or competitive advantage.

  • Credit consequence. Deterioration in perceived resilience, governance quality, or operational continuity that may affect creditworthiness. This class is not an ACN label; it is an analytical extension introduced for the purposes of this article, which is explicitly about the use of cyber risk evidence in credit evaluation.

Layer 7 — Control and mitigation domain

This layer classifies the positive signals that reduce vulnerability. It answers the question: what countervailing evidence exists.

The classes are:

  • Governance controls. Cybersecurity strategy, roles and responsibilities, escalation paths, policies, oversight structures. ACN treats governance as its own domain.

  • Risk management controls. Formal risk assessment, risk treatment, prioritization, and alignment of controls to risk appetite. ACN has a dedicated cyber risk management domain.

  • Identity and access controls. Authentication, authorization, access review, privilege management, and identity lifecycle controls.

  • Architectural and technical controls. Secure architecture, segmentation, hardening, protective technologies, monitoring, and engineered safeguards.

  • Event detection and response controls. Logging, monitoring, classification, response processes, communication, and incident handling. ACN’s Event, Threat and Incident Management domain directly maps here.

  • Workforce controls. Awareness, role specific competence, staffing, and training.

  • Continuity and recovery controls. Backup strategy, recovery capability, tested restoration, resilience planning.

  • Assurance controls. Testing, assessment, audit, and validation. ACN’s assessment and testing domain supports separating these from operational controls17.

17 See: Domini della cybersicurezza - Assessment e Testing (ACN cybersecurity domains). Abstract: The Assessment and Testing domain is the set of practices aimed at evaluating the cybersecurity level of the organization’s own assets. The domain serves to test the organization’s various components, evaluate the effectiveness of the security measures implemented and identify potential vulnerabilities in order to remediate them. The results of assessment and testing activities make it possible to identify the most appropriate actions for correcting the vulnerabilities found which, if left unremediated, could be exploited by malicious actors. In this way it is possible to determine whether specific security objectives and requirements are met within the organization or whether improvements are needed to reach the desired cybersecurity objectives and requirements. Developing cybersecurity capabilities in this domain involves several activities, chief among them: (i) vulnerability assessment, (ii) penetration testing and (iii) static code analysis.

Layer 8 — External assurance and institutional alignment domain

This layer classifies signals that do not directly stop attacks but indicate maturity or embeddedness in a larger security framework.

The classes are:

  • Regulatory compliance. Alignment with applicable cybersecurity obligations, especially NIS related obligations and risk based measures. ACN states that the NIS regime is in force and that the required measures follow a risk based approach.

  • Professional certifications and formal attestations. Certifications do not equal security, but they are observable maturity signals. This aligns with the article’s use of certifications as a separate dimension of the index.

  • Affiliation with cybersecurity organizations or national structures. Participation in recognized national or international ecosystems can function as a coordination and information sharing signal. ACN explicitly frames information sharing and common taxonomy as national coordination enablers.

How the risks cited in the article should be categorized

Using the taxonomy above, the major risk references in the article can be reclassified precisely:

  • Ransomware is not a vulnerability category. It is a threat and attack mechanism. Its primary impact class is availability and operational continuity; where data is exfiltrated before encryption (double extortion), confidentiality is a primary impact as well, and financial effects follow in either case.

  • Data breach is not an attack vector. It is primarily an impact and incident outcome category centered on confidentiality loss, often enabled by access control weaknesses, malware, phishing, or supplier compromise.

  • Phishing is not an impact. It is a threat delivery and social engineering mechanism, usually exploiting workforce and identity weaknesses.

  • Advanced persistent threat activity is not just a malware subtype. It is a higher sophistication threat class characterized by persistence, targeting, and strategic intent, often associated with theft of know how or long dwell time compromise.

  • Regulatory compliance is not a realized risk event. It is a control and external assurance signal that may reduce vulnerability but does not, by itself, prove operational resilience. ACN’s risk based compliance logic supports this treatment.

  • Professional certifications are not direct security outcomes. They are assurance proxies. They belong in the mitigation and external assurance layer, not in the attack layer.

  • Technological defenses are not impact categories. They belong in the control layer, specifically under architectural and technical controls.

  • Organizational processes are not threats. They belong in governance, risk management, incident management, workforce management, and continuity domains, depending on the process described.

  • Affiliation with cybersecurity organizations is neither a threat nor a direct control. It is an institutional alignment and information sharing signal.
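The reclassifications above are exactly what a text extraction pipeline must encode before any statement can feed an indicator, and the taxonomic principle stated earlier (classify by layer, not by vocabulary) has a concrete failure mode that a vocabulary-only pass misses: negation. “No further incidents were reported” is not an incident, and “no tested backup” is a continuity weakness rather than a control. The Python below is an added example written for this review, not the article’s or Banca d’Italia’s own method; the lexicon, the negation scope rule, the negated-control-to-weakness mapping and the two sample disclosures are constructed assumptions, not ACN material.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Layer(Enum):
    ASSET = "asset and exposure"
    VULNERABILITY = "vulnerability and weakness"
    THREAT = "threat and attack mechanism"
    EVENT = "event and incident"
    IMPACT = "impact"
    CONSEQUENCE = "business consequence"
    CONTROL = "control and mitigation"
    ASSURANCE = "external assurance and institutional alignment"


# Assumed lexicon: pattern -> (layer, class), built from the reclassification
# list above. A real pipeline needs a far larger vocabulary or a trained model.
LEXICON = {
    r"\bransomware\b": (Layer.THREAT, "ransomware"),
    r"\bphishing\b": (Layer.THREAT, "phishing and social engineering"),
    r"\badvanced persistent threat\b|\bapt\b": (Layer.THREAT, "APT activity"),
    r"\bdata breach\b": (Layer.IMPACT, "confidentiality"),
    r"\b(?:victim of|hit by|suffered)\b.{0,40}?\b(?:attack|incident)s?\b": (Layer.EVENT, "realized incident"),
    r"\bincidents? (?:were|was|have been) reported\b": (Layer.EVENT, "realized incident"),
    r"\b(?:production|plant) (?:stoppage|halt)\b": (Layer.CONSEQUENCE, "operational disruption"),
    r"\biso ?27001\b|\bcertifi(?:cation|ed)\b": (Layer.ASSURANCE, "certification"),
    r"\b(?:nis ?2?|gdpr) compliance\b": (Layer.ASSURANCE, "regulatory compliance"),
    r"\b(?:multi-?factor|mfa|two-factor)\b": (Layer.CONTROL, "identity and access"),
    r"\b(?:segmentation|firewall|edr)\b": (Layer.CONTROL, "architectural and technical"),
    r"\bincident response (?:plan|team)\b|\bcsirt\b": (Layer.CONTROL, "detection and response"),
    r"\bbackups?\b": (Layer.CONTROL, "continuity and recovery"),
    r"\b(?:unpatched|end-of-life|missing patch)": (Layer.VULNERABILITY, "technical"),
    r"\b(?:shared|default) (?:password|credential)s?\b": (Layer.VULNERABILITY, "identity and access"),
    r"\b(?:sole|single) supplier\b": (Layer.ASSET, "third party and supply chain"),
}

# Assumed mapping: a denied control ("no tested backup") is evidence of the matching weakness.
NEGATED_CONTROL_AS_WEAKNESS = {
    "identity and access": "identity and access",
    "architectural and technical": "architectural",
    "detection and response": "organizational and process",
    "continuity and recovery": "continuity and recovery",
}

NEGATION = re.compile(r"\b(?:no|not|never|without|neither|lacks?)\b")


@dataclass(frozen=True)
class Signal:
    layer: Layer
    cls: str
    text: str
    negated: bool


def classify(text: str) -> list:
    """Tag every lexicon hit with its taxonomic layer and whether it sits in a negated clause."""
    lowered = text.lower()
    hits = []
    for pattern, (layer, cls) in LEXICON.items():
        for m in re.finditer(pattern, lowered):
            # Negation scope (assumption): the current clause, at most 40 characters back from the hit.
            clause = re.split(r"[;.,]", lowered[max(0, m.start() - 40):m.start()])[-1]
            hits.append(Signal(layer, cls, m.group(0), bool(NEGATION.search(clause))))
    return hits


def layers(text: str) -> dict:
    """Group non-negated signals by layer; a negated control is recorded as the matching weakness."""
    grouped = {}
    for sig in classify(text):
        if sig.negated:
            if sig.layer is Layer.CONTROL:
                grouped.setdefault(Layer.VULNERABILITY, set()).add(NEGATED_CONTROL_AS_WEAKNESS[sig.cls])
            continue  # a denied incident or threat is not evidence that one occurred
        grouped.setdefault(sig.layer, set()).add(sig.cls)
    return grouped


# Constructed sample disclosures, not taken from any real financial statement.
SAMPLE_DISCLOSURE = (
    "In 2023 the company was the victim of a ransomware attack that caused a "
    "production stoppage; it has since obtained ISO 27001 certification, deployed "
    "MFA and no further incidents were reported."
)
SAMPLE_GAP = "The firm has no tested backup and no incident response plan."
```

For SAMPLE_DISCLOSURE, layers() separates one sentence into five strata: a threat (ransomware), a realized incident, a business consequence (operational disruption), an assurance signal (certification) and an identity control (MFA), while the negated “incidents were reported” clause is dropped rather than counted as a second incident. For SAMPLE_GAP the two denied controls surface as continuity and organizational weaknesses and nothing lands in the control layer. Whether the classifier is a lexicon like this one or a language model as in the article, those are the two properties to test for: signals are assigned by layer, and denial flips a control into a weakness instead of being counted as presence.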

Compact taxonomy table

The classification is compacted as follows.

| Taxonomic layer | Question answered | Classes relevant to the article |
|---|---|---|
| Asset and exposure domain | What is exposed | OT and production, enterprise IT, data estates, third parties and supply chain, identity perimeter |
| Vulnerability domain | What is weak | Technical, identity and access, architectural, organizational and process, human, continuity and recovery |
| Threat domain | What acts against the firm | Ransomware, malware, phishing and social engineering, unauthorized access and exfiltration, DDoS, supply chain compromise, APT activity |
| Event and incident domain | What happened | Suspicious event, confirmed malicious event, cyber incident, major incident |
| Impact domain | What security property or function was affected | Confidentiality, integrity, availability, authenticity, operational continuity |
| Business consequence domain | Why it matters economically | Operational disruption, financial loss, legal and regulatory effect, reputational effect, strategic effect, credit effect |
| Control domain | What reduces vulnerability | Governance, risk management, IAM, architecture and technical controls, detection and response, workforce, continuity and recovery, assessment and testing |
| External assurance domain | What signals maturity or embeddedness | Regulatory compliance, certifications, affiliations and information sharing participation |

Relation to the indicator used in the article

This taxonomy also clarifies the structure of the Banca d’Italia style vulnerability indicator discussed in the article. The six dimensions the article cites are not six attack classes. They are six kinds of evidence drawn from different taxonomic layers: regulatory compliance and certifications belong to the assurance layer, technological defenses and organizational processes belong to the control layer, realized cyberattacks belong to the threat and incident layers, and affiliations belong to the institutional alignment layer. That is why the index is best understood not as a taxonomy of attacks, but as a composite measurement architecture built on top of multiple taxonomic strata.

Concluding remark on the role of the taxonomy

The practical value of the taxonomy is not terminological elegance. It is causal clarity. Once the cited risks are separated by layer, the analysis can distinguish antecedents from manifestations and manifestations from consequences. That, in turn, improves both measurement and governance. A firm may have strong compliance signals but weak continuity capability. It may suffer a phishing led incident because of workforce weakness rather than because of missing technology. It may show no realized incident yet still be highly exposed through supplier concentration or privileged identity weakness. A flat taxonomy hides these distinctions. A layered taxonomy reveals them. This is much closer to the way ACN’s official materials structure the cybersecurity problem space.

The layered taxonomy proposed in this appendix clarifies the conceptual structure underlying the cyber risk indicator discussed in the article. By distinguishing assets, vulnerabilities, threats, events, impacts, and business consequences, the taxonomy separates the causal drivers of cyber risk from its observable manifestations and economic effects. This distinction is essential for measurement purposes. Without it, heterogeneous signals such as cyberattacks, compliance disclosures, certifications, and organizational processes risk being interpreted as elements of the same analytical category. In reality, they represent different stages of the cyber risk propagation chain. A structured taxonomy therefore provides the conceptual foundation required to transform dispersed and unstructured information about cybersecurity into a coherent set of variables suitable for empirical analysis and integration into credit risk assessment frameworks.


Citation

BibTeX citation:
@online{montano2026,
  author = {Montano, Antonio},
  title = {Measuring {Cyber} {Risk} in the {Italian} {Corporate}
    {Sector}},
  date = {2026-01-24},
  url = {https://antomon.github.io/longforms/measuring-cyber-risk-in-italian-corporate-sector/},
  langid = {en}
}
For attribution, please cite this work as:
Montano, Antonio. 2026. “Measuring Cyber Risk in the Italian Corporate Sector.” January 24, 2026. https://antomon.github.io/longforms/measuring-cyber-risk-in-italian-corporate-sector/.