Annual Breach Probability Calculator

Estimate your annual probability of a data breach from your sector's base rate, shown both as a percentage per year and as an intuitive "about 1 in N years" likelihood. Pick your industry to load an indicative base rate derived from Verizon DBIR incidence data, then read the full table of sectors below. These are sector base rates for planning — not a prediction for any specific business, whose real odds depend on its size, attack surface and security posture. Benchmarks as of Jun 25, 2026 — sources.

Your sector: Healthcare (default)
Annual breach probability: 32% for healthcare — about 1 in 3 years.
Per year: 32%
Recurrence: ~1 in 3 yrs
Use as ARO: 0.32
Read this as a base rate. Healthcare organizations experience a breach at an indicative rate of about 32% a year. It is a sector average from Verizon DBIR incidence, not a forecast for your specific company. Your own probability rises with a larger attack surface and falls with stronger controls.

Breach probability by sector

The table below lists the indicative annual breach probability for every sector in the dataset, highest first, with the same figure expressed as a recurrence interval. Probability and "1 in N years" are two views of the same number: N is simply one divided by the probability.

Indicative annual breach probability by sector (Verizon DBIR incidence)

Sector                        Annual probability   Recurrence
Healthcare                    32%                  ~1 in 3 years
Financial services            30%                  ~1 in 3 years
Technology / SaaS             27%                  ~1 in 4 years
Public sector                 26%                  ~1 in 4 years
Professional services         25%                  ~1 in 4 years
Retail / e-commerce           24%                  ~1 in 4 years
Education                     23%                  ~1 in 4 years
Manufacturing / industrial    22%                  ~1 in 5 years
Other                         22%                  ~1 in 5 years
Energy / utilities            21%                  ~1 in 5 years
Pharmaceutical                21%                  ~1 in 5 years
Consumer / other services     20%                  ~1 in 5 years

Figures verified Jun 25, 2026 against Verizon Data Breach Investigations Report (incidence by industry). See the full dated reference: breach frequency by sector.

Formula.
Annual probability p = sector base rate (Verizon DBIR incidence)
Recurrence interval N = round(1 ÷ p) — "about 1 in N years"
Default: Healthcare p = 32% → N = round(1 ÷ 0.32) = 1 in 3 years

How it works

Breach probability answers the first half of any risk question: not "how bad would it be?" but "how likely is it?" The tool starts from a sector base rate — the observed frequency with which organizations in your industry suffer a breach in a given year, drawn from the incidence data in the Verizon Data Breach Investigations Report. The DBIR analyzes tens of thousands of security incidents and confirmed breaches each year and breaks them down by industry, which lets us express each sector's exposure as an approximate annual probability. Healthcare, financial services and technology tend to sit near the top because they hold high-value data and present large attack surfaces; sectors with less monetizable data or smaller digital footprints tend to sit lower.

The same probability is shown two ways because the two framings suit different audiences. A percentage per year ("a 32% chance this year") is precise and feeds straight into a quantitative risk model. The "about 1 in N years" framing — where N is one divided by the probability — is more intuitive for a board or a non-technical owner, because people grasp "roughly once every 3 years" more readily than a percentage. They are mathematically identical: a 32% annual probability is the same statement as "about 1 in 3 years". One important subtlety is that the recurrence interval is a long-run average for an event that has the same independent probability every year; it does not mean you are protected until year N and then certain to be hit.

It is essential to read these numbers as base rates, not predictions. The figure for your sector describes the typical organization in that sector, averaged over many companies of many sizes and security maturities. Your own probability could be considerably lower if you have strong controls and a small, well-defended attack surface, or considerably higher if you are an attractive, under-protected target. The base rate is the right place to start — it anchors your thinking in real data rather than guesswork — but it should be adjusted with judgment about your specific circumstances. That is also why this tool deliberately stops at the probability and does not pretend to forecast a particular company's fate.

The reason probability matters so much is that, on its own, the cost of a breach is misleading. A six-figure breach that happens once a decade and one that happens twice a year are wildly different risks, even though a single incident costs the same. Probability is the multiplier that turns the cost of one incident into an annual expected loss, which is the figure you actually budget against and the figure you compare to the cost of prevention. That multiplier has a formal name in risk analysis — the annualized rate of occurrence — and this calculator is designed to feed it directly into the next step.

A worked example

Take a healthcare provider trying to decide how much to spend on security. From the table, its sector base rate is 32% a year, or about 1 in 3 years.

  • Annual probability p = 32% (0.32 as a decimal)
  • Recurrence N = round(1 ÷ 0.32) = about 1 in 3 years

That probability is exactly the annualized rate of occurrence (ARO) the annual loss expectancy calculator needs. If a single breach for this provider would cost, say, the figure produced by the data breach cost estimator as its single loss expectancy, then ALE = 0.32 × that cost gives the average annual loss to plan for. To see how much that volume of records is worth in pure exposure terms, use the records-at-risk exposure calculator. Together, the three tools take you from "how likely" to "how much per year" to "is the control worth it" — the full chain of a defensible security-budget argument.
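The formula block and the worked example above, carried through in code. This is an added illustration, not BreachCostLab's own calculator code: the sector rates are copied from the table on this page, while the single-loss-expectancy figure used in the demo run is a constructed placeholder. The last function goes one step beyond the page to make the "same independent probability every year" caveat concrete: the chance of at least one breach within N years is 1 - (1 - p)^N, which for healthcare over its 3-year recurrence interval is about 69%, not 100%.

```python
"""Sector base rate -> recurrence interval -> ARO -> ALE.

Added illustration for this page, not BreachCostLab's calculator code.
Sector rates below are the indicative figures from the table on the page;
the SLE used in the demo is a constructed placeholder value.
"""

# Indicative annual breach probabilities by sector (Verizon DBIR incidence),
# as listed in the page's table.
SECTOR_BASE_RATES = {
    "Healthcare": 0.32,
    "Financial services": 0.30,
    "Technology / SaaS": 0.27,
    "Public sector": 0.26,
    "Professional services": 0.25,
    "Retail / e-commerce": 0.24,
    "Education": 0.23,
    "Manufacturing / industrial": 0.22,
    "Other": 0.22,
    "Energy / utilities": 0.21,
    "Pharmaceutical": 0.21,
    "Consumer / other services": 0.20,
}


def recurrence_interval(p: float) -> int:
    """N = round(1 / p): the 'about 1 in N years' framing of probability p."""
    if not 0.0 < p <= 1.0:
        raise ValueError("annual probability must be in (0, 1]")
    return round(1.0 / p)


def annual_loss_expectancy(p: float, single_loss_expectancy: float) -> float:
    """ALE = ARO x SLE, using the sector probability directly as the ARO."""
    if single_loss_expectancy < 0:
        raise ValueError("single loss expectancy cannot be negative")
    return p * single_loss_expectancy


def prob_at_least_one_breach(p: float, years: int) -> float:
    """Probability of at least one breach within `years` independent years.

    Shows why '1 in N years' is a long-run average rather than a guarantee:
    even over N years the cumulative probability stays well below 1.
    """
    return 1.0 - (1.0 - p) ** years


def sector_summary(sector: str, single_loss_expectancy: float) -> dict:
    """Assemble the figures the page's worked example walks through."""
    p = SECTOR_BASE_RATES[sector]
    n = recurrence_interval(p)
    return {
        "sector": sector,
        "annual_probability": p,
        "recurrence_years": n,
        "aro": p,
        "ale": annual_loss_expectancy(p, single_loss_expectancy),
        "prob_within_n_years": round(prob_at_least_one_breach(p, n), 3),
    }


if __name__ == "__main__":
    # Constructed placeholder SLE; substitute the figure from the breach cost
    # estimator in a real analysis.
    demo_sle = 1_000_000.0
    for name in SECTOR_BASE_RATES:
        s = sector_summary(name, demo_sle)
        print(f"{s['sector']:<28} p={s['annual_probability']:.2f}  "
              f"~1 in {s['recurrence_years']} yrs  ALE={s['ale']:,.0f}  "
              f"P(breach within N yrs)={s['prob_within_n_years']:.0%}")
```

Running the script reproduces every recurrence interval in the table, and the last column makes the independence caveat visible: the sector with a "1 in 3 years" interval still has only about a 69% chance of at least one breach in any given three-year window.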

Frequently asked questions

What is my annual probability of a data breach?

It depends heavily on your sector, your size and your security posture, so any single figure is only a starting point. Using Verizon DBIR incidence data, the indicative annual probabilities in this tool run from about 20% to 32% a year. For the default sector here, healthcare, the base rate is 32% per year — roughly 1 in 3 years. Treat it as a sector base rate, not a prediction for your specific business.

What does "about 1 in N years" mean?

It is the same probability expressed as a recurrence interval: N = 1 ÷ probability, rounded. A 32% annual probability is about 1 in 3 years, meaning that on a long-run average a business with this risk profile would experience a breach roughly once every 3 years. It does not mean you are safe for 3 years and then certain to be breached — each year carries the same independent probability.

Where do these probabilities come from?

They are indicative base rates derived from the incidence of breaches by industry reported in the Verizon Data Breach Investigations Report. They describe how commonly organizations in each sector experience a breach, not the likelihood for one named company. Your own probability moves up or down with your attack surface, the controls you have in place and how attractive a target your data is.

How do I turn this into a dollar figure?

Use this probability as the annualized rate of occurrence (ARO) in the annual loss expectancy calculator. Multiply it by the cost of a single breach (your single loss expectancy, which you can get from the data breach cost estimator) and you get the average annual loss to budget for. Probability alone tells you how likely; ALE tells you how much it is worth spending to prevent.

Can I lower my probability?

Yes — the sector base rate is the starting point, not your destiny. Mature controls (MFA, tested backups, security monitoring, staff training, a rehearsed incident-response plan) measurably reduce both the likelihood and the cost of a breach. The security control ROI calculator shows when the spend on those controls is justified by the risk they remove.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.