A Framework to Model and Incentivise Cyber Security Investment Decisions (MERIT)

Dates: April 2020 – March 2021 

Lead researchers: Dr Manos Panaousis, University of Greenwich and Dr Michail Chronopoulos, City, University of London. 


This project sought to address the challenges of quantifying the benefits of investment in cybersecurity. It is common for cybersecurity budgets to cover overlapping elements through diverse service agreements. Through economic modelling, this project aimed to minimise cybersecurity risks by guiding organisations to optimally invest their budget for cyber controls. 

The team produced: 

• A software tool that visualises decisions about investing in cyber security controls;

• A knowledge base of controls along with their costs; and

• A threat-based risk assessment modelling using the MITRE ATT&CK® – a globally accessible knowledge base of adversary tactics and techniques based on real-world observations of cyberattack.

Policy implications

This work could benefit cybersecurity policymakers who will be able to tailor existing cyber security policies and best practises to incentivise and regulate the use of any required baseline defences and appropriate levels of investments in cyber security controls. The work is intended to be useful for cyber security accreditation (such as for IASME and NCSC) and to incentivise businesses by saving them money. 


Mathematics, software development, cybersecurity engineering 

Funders: RISCS 

External collaborators: IASME Consortium, Professor Chris Hankin, Imperial College London 

Follow on work: We are collaborators on European CUREX project, Collaborators on European SECONDO project, SecurityBudget project to produce a cybersecurity dashboard to support SMEs.


Posted on

December 9, 2021