PASC · Observatory series

PASC Yearly Briefs on Predictive Risk & Governance

The PASC Yearly Briefs are short, evidence-based notes written for boards, regulators and senior practitioners. Each brief summarises the most stable structural signals observed over the previous year, with a backward-looking window of approximately five years. The series is deliberately limited and curated: the goal is to support calm, high-stakes decisions, not to add more noise.

To maintain focus, this page only presents the current brief and the previous two. Each of these already contains a five-year recap. This means that, taken together, the visible briefs cover more than a decade of structural trends. Older briefs and working notes can be shared on request, in particular for supervisors, auditors and research partners.

These briefs are written to help boards, supervisors and senior executives answer a small set of recurring questions: Which structural factors actually predicted the most costly incidents last year? What should we look at beyond CVSS, KEV and patch rates to understand real exposure? And how do workforce structure and governance choices change incident outcomes in practice?

Methodology

How the PASC observatory works

The yearly briefs combine public incident reports, sector observatories, regulatory publications, research literature and anonymised field observations from PASC members and partners. The focus is on signals that are stable across sources and that correlate with real harm: financial loss, service disruption and erosion of trust.

Each brief states explicitly the period it covers, the main data sources used, and the role of illustrative case studies. Case studies drawn from real organisations are anonymised when confidentiality is required, and are used to highlight structural patterns rather than to attribute blame. None of the briefs are sponsored by vendors or clients; the council maintains a strict conflict-of-interest policy.

The briefs also indicate how their analysis connects to PASC standards, in particular OSPCRM (predictive cyber risk) and ORG-GOV (organisational health and governance quality), so that decision-makers can move directly from diagnosis to concrete implementation steps.

The observatory currently produces one consolidated yearly brief, typically issued in January and based on the previous calendar year’s data. Interim notes may be shared directly with regulators and partners where urgent structural changes are observed.

Current & recent briefs

Available PASC Yearly Briefs

PASC Yearly Brief YB-2025-01 – State of Predictive Cyber Risk, Governance & Workforce Health
Issued: January 2025 · Data window: global & African trends observed in 2024
Scope: Global + Africa · Audience: Boards & regulators

This brief provides a concise supervisory view of 2024 as a year in which identity abuse, structural workforce risks and governance choices became more predictive of severe incidents than traditional hygiene indicators. It documents how organisations with similar CVE profiles and toolsets experienced very different outcomes depending on the quality of identity controls, the stability and seniority of security teams, and whether risk models went beyond CVSS/KEV and patch rates. Particular attention is given to availability-focused attacks, long dwell times and the difficulty many boards faced in interpreting technical dashboards in business terms.

The brief translates these observations into a minimal, actionable predictive backbone based on OSPCRM and ORG-GOV. It recommends that boards, regulators and senior practitioners prioritise: (1) a clear P0–P4 impact language shared across business and security; (2) systematic use of context factors (asset criticality, data sensitivity, exposure and resilience); (3) explicit workforce indicators (turnover, seniority balance, overload); and (4) incident-linked performance metrics such as False Negative Rate and precision of the “critical” bucket. The note also outlines how supervisors can ask for evidence of these capabilities without prescribing specific tools.

Citation suggestion:
PASC (2025). Yearly Brief YB-2025-01 – State of Predictive Cyber Risk, Governance & Workforce Health (Based on trends observed in 2024). Pan-African Standards Council (PASC).

Disclaimer – This document is provided for informational and governance purposes. It does not replace legal advice, national regulations or binding supervisory guidance.

PASC Yearly Brief YB-2024-01 – State of Predictive Cyber Risk & Governance
Issued: January 2024 · Data window: global & African trends observed in 2023
Scope: Global + Africa · Focus: early identity & context signals

This inaugural brief reads 2023 as a structural warning: identity, cloud configuration and governance weaknesses were already more predictive of severe incidents than raw CVSS scores, KEV flags or patch counts. It shows how organisations with comparable exposure on paper, including similar CVE profiles and technology stacks, experienced sharply different incident trajectories depending on whether they modelled business impact and context or relied mainly on technical “hygiene” metrics. Several anonymised case studies illustrate how the same vulnerability landscape can lead either to contained events or to major crises.

The note introduces the core logic behind OSPCRM and ORG-GOV as a response to this gap. It proposes a shift from checklist-based compliance towards impact-centred, context-rich predictive models that can be explained to boards and regulators in simple terms. The brief highlights a small number of indicators that supervisors can request—such as impact tiers, context fields per major finding, and performance metrics tied to real incidents—without mandating any particular vendor or platform.

Citation suggestion:
PASC (2024). Yearly Brief YB-2024-01 – State of Predictive Cyber Risk & Governance (Based on trends observed in 2023). Pan-African Standards Council (PASC).

Disclaimer – This document is provided for informational and governance purposes. It does not replace legal advice, national regulations or binding supervisory guidance.

PASC Yearly Brief YB-2023-01 – State of Predictive Cyber Risk & Governance
Issued: January 2023 · Data window: global & African trends observed in 2022
Scope: Global + Africa · Focus: KEV/EPSS, ransomware, identity

This brief examines 2022 as the year when KEV lists and exploitation prediction scores (EPSS and similar models) became widely used but were often treated as complete risk answers rather than partial inputs. It shows that the most damaging incidents still stemmed from identity abuse, misconfigurations, opaque third-party exposure and governance gaps, even in organisations that followed KEV-driven patching programmes. The analysis distinguishes between what these tools do well (highlighting likely exploited vulnerabilities) and what they cannot capture (business impact, exposure, cumulative weaknesses in controls and decision-making).

The brief clarifies PASC’s position on KEV/EPSS for boards and regulators: they are valuable prioritisation signals but must be embedded in a broader contextual model that includes impact tiers, asset and data criticality, exposure, resilience and workforce structure. It also introduces juniorisation and structural overload of critical security functions as measurable risk factors, and suggests simple questions supervisors and audit committees can ask to differentiate between cosmetic patching and genuine reduction of the probability and impact of severe incidents.

Citation suggestion:
PASC (2023). Yearly Brief YB-2023-01 – State of Predictive Cyber Risk & Governance (Based on trends observed in 2022). Pan-African Standards Council (PASC).

Disclaimer – This document is provided for informational and governance purposes. It does not replace legal advice, national regulations or binding supervisory guidance.

Archives & access

Older briefs and working papers

For clarity and ease of use, the PASC website only displays the current yearly brief and the previous two. Together they already cover more than ten years of structural trends, because each brief contains a five-year recap and forward-looking analysis.

Earlier briefs, observatory notes and working papers can be shared on request, in particular for regulators, supervisors, auditors, research partners and institutional clients who require longitudinal evidence for their work. To request access, please contact the PASC coordination team at inquiries@pasc.institute or use the contact form on the main page and select “Request access to older yearly briefs” as the topic.