Research Article
Measurement of Economic Costs of Cybersecurity Breaches in South Korea
1 Korea Internet & Security Agency, 2 Chungbuk National University, 3 Sangmyung University
Published: January 2020 · Vol. 24, No. 2 · pp. 143-164
DOI: https://doi.org/10.17287/kbr.2020.24.2.143
Abstract
To help companies make cybersecurity investment decisions, we conducted a survey to estimate the costs of cyber incidents by company size, incident type, and industry type for the first time in South Korea. According to the survey, the costs of cyber incidents by company size followed the order of size: large companies (20.9 billion won), medium-sized enterprises (17.4 billion won), small and medium-sized enterprises (4.4 billion won), and non-profit foundations (0.2 billion won). However, direct costs were higher in medium-sized enterprises (15.1 billion won) than in large enterprises (4.1 billion won), and were 3.8 billion won for SMEs. The investment in detecting incidents and preventing recurrence, which is included in indirect costs, was 16.8 billion won at large companies, or 409% of their direct costs, while for medium-sized enterprises and small and medium-sized enterprises it was 2.3 billion won and 0.6 billion won, respectively, accounting for 12% and 15% of their direct costs. As a result of large companies' efforts to prevent incidents and their recurrence, their direct costs were relatively small, whereas medium-sized enterprises and small and medium-sized enterprises had invested little in prevention, so their direct costs were large, while their investment in preventing recurrence was still relatively small. Ransomware was reported as the most damaging attack type for medium-sized enterprises and small and medium-sized enterprises. This confirms that the main targets of hackers who use ransomware for financial gain are medium-sized enterprises and small and medium-sized enterprises. The results indicate that a government follow-up support policy is needed for medium-sized enterprises and SMEs.
