Research | Cybantage Published Works
Published Research & Whitepapers

The research preceded
every product we built.

Every Cybantage advisory product has a published research antecedent. The research identifies the problem, defines the mechanism, and establishes the standard. No competitor can replicate this lineage by announcing a competing offering.

Primary Research · 2026

The foundational dataset.
1,478 organizations. Three years. Definitive findings.

All Publications

Seven published works.
Every one a research antecedent to a product.

CISI Methodology · 2025

Cyber Insurance and the Compliance Reality Gap

The foundational CISI Discussion Paper. 215-point scoring methodology for cyber insurance claim defensibility. Two-dimensional denial risk framework: claimant-side and insurer-side. Company-size claim outcome data. Change Healthcare and Stryker case studies.

Key Findings
  • 40% of cyber claims denied or only partially paid
  • Two independent denial dimensions — neither addresses the other
  • Domain 10 exclusion risks void coverage regardless of security posture
Download Discussion Paper →
CFO / Board · 2025

The Assumption Stack: Why Your Safety Net Has a 40% Failure Rate

The three assumptions that fail under forensic conditions. The accurate cyber risk register entry most CFOs don't have. The seven questions your board should be asking — including the critical insurer-side question most boards have never heard.

Key Findings
  • Compliance audit ≠ forensic defensibility — different tests, different verdicts
  • IT security delegation creates structural spending misalignment
  • 56–60% actual claim payment probability — not the assumed near-certainty
Download Whitepaper →
Insurance Intelligence · 2025

The Compliance-Insurance Illusion

Four structural failures in SMB and mid-market cyber risk management: governance misread as resilience, IT security delegation, 40–44% insurance denial, identity neglect. Same 1,478-organization dataset.

Key Findings
  • Four structural failures present across SMB and mid-market organizations
  • Identity neglect the highest-frequency correctable failure
  • Insurance denial rate 40–44% — not the assumed near-zero
Read the Research →
Framework Analysis · 2026

HITRUST: Certification Assurance and Its Limits

HITRUST confirms control maturity — not adversarial resilience. Three certification tiers: e1, i1, r2. Change Healthcare held r2 certification when breached via Citrix and stolen credentials with no MFA. Three-layer model for genuine survivability.

Key Findings
  • HITRUST r2 certification does not prevent breach or guarantee claim payment
  • Control maturity ≠ operational validation ≠ strategic alignment
  • The 99.41% resilience marketing claim is not supported by breach data
Read the Analysis →
Framework Analysis · 2026

SOC 2: Governance Assurance and Its Limits

SOC 2 is governance assurance under AT-C 205 — not adversarial resilience. Semantic gap, interpretation drift, and assumption registry. Three-layer model mirrors the HITRUST analysis. Identity-based threats exploit the conformance-vs-resilience gap.

Key Findings
  • SOC 2 tests design suitability — not operational effectiveness under attack
  • Semantic gap between auditor language and forensic investigator language
  • Assumption registry: what SOC 2 does not cover that organizations assume it does
Read the Analysis →
Governance · 2025

The Accidental DQI

Governance framework for the Designated Qualified Individual role across healthcare, financial services, and small business. Covers governance, risk assessment, vendor oversight, regulatory frameworks, and personal liability. Multi-vertical authority on DQI accountability.

Key Findings
  • DQI personal liability is real and frequently unrecognized by named individuals
  • Governance gaps create exposure that no insurance policy eliminates
  • Role applies across FTC Safeguards Rule, HIPAA, and state frameworks
Read the Book →
The Research Foundation

Original data. Not curated statistics. Not vendor reports.

The Cybantage research dataset is sourced directly from HHS/OCR breach reporting data — the same data carriers and regulators use. The 1,478-organization dataset represents every major breach reported by healthcare providers and business associates from January 2023 through February 2026. It excludes health plans, government entities, and educational institutions to focus on the organizations most directly comparable to Cybantage's client base.

1,478Healthcare providers and business associates in the primary dataset
73%Logistic regression accuracy for predicting organizational survival
462Organizations confirmed closed or sold post-breach (31.3%)
3 yrsData span: January 2023 through February 2026

Methodology

Source HHS/OCR Breach Portal — official federal breach reporting database
Scope Major breaches affecting 500+ individuals. Excludes health plans, government, and educational entities.
Period January 2023 through February 2026
Model 73% accurate logistic regression model for survival probability. Introduces HBSI framework.
Primary research and statistical analysis
The Research Moat

No competitor can replicate this
by announcing a competing offering.

Research preceded products

Every Cybantage advisory product has a published research antecedent. The market position was established by evidence before a dollar of product development was spent. That sequence cannot be reverse-engineered.

Original primary data

The 1,478-organization dataset is primary research derived from federal breach reporting data — not curated from vendor reports, industry surveys, or third-party databases. The findings are independently verifiable.

The two-dimensional framework

The CISI Discussion Paper established the claimant-side vs. insurer-side denial framework before any other market participant had named it. Domain 10 is a Cybantage construct. No competitor has published an equivalent.

The CISI puts this research to work for your organization.

215 points. 10 domains. Two denial dimensions. The free assessment generates a scored picture of your organization's claim defensibility against the same forensic standard this research established.