There are no "hard statistics" on desktop compromise. There are only case studies and research into limited contexts where compromise has occurred. But that data is not useful for making inferences in other contexts.
Case studies and "vendor propaganda" study a limited set of systems and compare the historical results. That's great if your system is in the same context, has the same users, threats, processes, etc. They don't tend to include systems in similar contexts that have a different result because that just gets confusing as a narrative.
There's a reason why you can't Google this and get an authoritative data set: the factors involved are numerous and interrelated (one factor can affect another), and there is often no linear causal relationship between the factors and the outcome. It's a "Complex Problem" (also known as a "wicked problem").
Probability and cost/benefit analyses depend on a stable system. The problem with information security is that stable digital systems are unusual. Digital systems get more complex with every update, patches alter how systems function, the system context can change, people use and maintain the system, and the external threats to the system are sentient and adaptive. Each of those factors changes the underlying basis for a calculation.
There are ways to get closer to a probability calculation using formal probability approaches. And you will want to read How To Measure Anything in Cybersecurity Risk for that. But the author takes the approach that systems and their context do not change enough to worry about deviations. I debate that as a universal premise. It's true in some contexts, just not any that I have worked in.
If you constrain your analyses to the stable form of a system, then you can end up with a calculation for a system state and context that no longer exists: fancy answers that are functionally useless as decision support for what to do next.
To do the analysis that you want to do:
- Analyse your systems in context to identify those factors that are linear with known and limited cause/effect contexts. What's linear for you might not be linear in another org (and what's linear for you might change over time). You then work out probabilities for those things.
- Then you need to identify the non-linear contexts, the Complex contexts, and get as many people who know the systems and contexts together to get their opinions. For Complex contexts, you can't use linear calculations of probabilities: you need perspectives. Then you track those opinions over time.
There is a very real possibility that you will not be able to perform a cost/benefit forecast analysis, only a retrospective one. Knowing that is very important.
To learn more about this problem, look up:
- Dr Nancy Leveson from MIT - she asserts there is a complexity threshold in socio-technical systems where impact and likelihood are inherently unpredictable
- Dr David Snowden - creator of the Cynefin Framework around making sense of contexts that are a mix of the linear and non-linear (and then what to do about it)
- WEF's "Towards Quantification of Cyber Risk" - promoting the "Value-at-Risk" approach, which is a nice way of averaging out the historical data to make some useful inferences
- I have also done work in this area for a few years. My first slide deck after I asked this same question six years ago.
The slide deck explains how several frameworks approach this problem:
- COSO
- ISO 31000/ ISO 27005
- NIST 800-39
- RISK IT
- FAIR
- OCTAVE Allegro
The US Government Accountability Office (GAO) has this to say about the problem:

“Reliably assessing information security risks can be more difficult than assessing other types of risks, because the data on the likelihood and costs associated with information security risk factors are often more limited and because risk factors are constantly changing.”

“Even if precise information were available, it would soon be out of date due to fast-paced changes in technology and factors such as improvements in tools available to would-be intruders.”
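To make the "linear factors first, then watch the context drift" point concrete, here is an added example (my own illustration, not code from the answer above, from Hubbard's book or from any of the frameworks listed). It takes the two inputs that the calibrated-estimate approach asks for, an expected event frequency and a 90% confidence interval for the loss per event, simulates many years with a Poisson/lognormal model, and reports the mean annual loss and the 95% value-at-risk. The scenario name, the frequency and the loss range are constructed for illustration, not measured data; the second run simply doubles the event rate to show how far the earlier numbers move once the threat adapts.

```python
"""Monte Carlo loss-exceedance estimate for one 'linear' risk factor.

Added example, not from the original post. Inputs follow the calibrated-
estimate pattern (expected frequency + 90% CI for loss per event); all
figures below are constructed for illustration, not measured data.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Scenario:
    name: str
    events_per_year: float   # expected frequency (Poisson rate)
    loss_lo: float           # 5th percentile of loss per event
    loss_hi: float           # 95th percentile of loss per event


def lognormal_params(lo: float, hi: float) -> Tuple[float, float]:
    """Map a 90% CI (lo, hi) onto lognormal (mu, sigma) with those percentiles."""
    if not 0 < lo < hi:
        raise ValueError("need 0 < lo < hi")
    mu = (math.log(lo) + math.log(hi)) / 2          # median = geometric mean
    sigma = (math.log(hi) - math.log(lo)) / (2 * 1.6449)  # z-score of 95th pct
    return mu, sigma


def poisson(rate: float, rng: random.Random) -> int:
    """Knuth's sampler; adequate for the small annual rates used here."""
    limit = math.exp(-rate)
    n, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return n
        n += 1


def simulate(scn: Scenario, years: int = 20000, seed: int = 1) -> Dict[str, float]:
    """Simulate `years` independent years and summarise the annual loss."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scn.loss_lo, scn.loss_hi)
    annual = []
    for _ in range(years):
        n = poisson(scn.events_per_year, rng)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    annual.sort()
    return {
        "mean": sum(annual) / years,
        "var95": annual[int(0.95 * years)],       # 95% value-at-risk
        "p_zero": sum(1 for x in annual if x == 0) / years,
    }


def with_rate(scn: Scenario, factor: float) -> Scenario:
    """Same control set and loss range, but the threat's activity level changed."""
    return Scenario(scn.name, scn.events_per_year * factor, scn.loss_lo, scn.loss_hi)


if __name__ == "__main__":
    # Constructed scenario: 1 compromise every 2 years, loss 10k..500k per event.
    base = Scenario("laptop compromise", 0.5, 10_000, 500_000)
    runs = (("as modelled", simulate(base)),
            ("after threat doubles rate", simulate(with_rate(base, 2.0))))
    for label, r in runs:
        print(f"{label}: mean {r['mean']:,.0f}  VaR95 {r['var95']:,.0f}  "
              f"P(no loss) {r['p_zero']:.2f}")
```

The first run is the kind of number a cost/benefit case gets built on; the second run is the same model a year later after one assumption quietly changed. Nothing in the output of the first run tells you that the second exists, which is why the opinions from the people who know the system need to be tracked alongside the calculation rather than replaced by it.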