A new guide for Small and Medium-sized Enterprises (SMEs) has been published as an outcome of the RISCS-funded project Economic Metrics for Supporting Cyber Security Investment Decision-Making.

There are 6 million Small and Medium-sized Enterprises (SMEs) in the UK, and they constitute 99% of all businesses[1]. Every day, SMEs face hard cyber security investment decisions. In 2020, 46% of businesses reported having cyber security breaches in the last 12 months. SMEs are considered a softer target by cyber criminals and, as supply chain attacks show, an easy back door into large businesses. While more than 80% of businesses consider investment in cyber security a high priority[2], there are no well-established practices that SMEs may follow to ensure the robustness of cyber security investment decision-making.

The project aimed to support SMEs with cyber security decision-making and to assist them with creating a healthy cyber security environment. The research team interviewed UK-based SMEs about their cyber security decision-making practices and then applied rigorous academic analysis to the practical knowledge distilled from SMEs. Based on the analysis, the researchers produced a set of practice-inspired and industry-validated recommendations for SMEs on cyber security investment decision-making. The recommendations were validated by SMEs in a focus group. The Best Practice Guide summarises the recommendations for SMEs and will assist them with making well-informed cyber security decisions.

You can find the download links for English and Welsh versions of the guide below.

Please contact Dr Yulia Cherdantseva if you would like to contribute your opinion to the next version of the Guide or if you have questions about this research project.


[1] https://commonslibrary.parliament.uk/research-briefings/sn06152/

[2] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2020