Economic Metrics for Supporting Cyber Security Investment Decision-Making


Research Fellows: Yulia Cherdantseva and Izidin El Kalak

For Small and Medium Enterprises (SMEs) in the UK, an average cost of a cyber security breach varies between £3,650 and £9,270. According to the survey, 78% of businesses consider cyber security as a high priority. However, awareness does not always translate into action and more work is required to support SMEs on this path.

There are many approaches for supporting decision-making in cyber security, including score cards, risk portfolios, game theory, combinatorial optimisation etc. These techniques are costly and difficult to implement for SMEs who have highly limited resources. A detailed research is required into “how SMEs, given their specifics, could better support decision-making about cyber security investments?”

In this project, we are conducting an empirical study on the use of quantitative and qualitative economic metrics by Boards and technical experts for supporting cyber security investments decision-making in SMEs in the UK, and working towards developing a Best Practice Guide for SMEs and for Boards on the use of economic metrics for supporting cyber security investments decision-making.

We are combining practical experience distilled from cyber security professionals and academic research, and then translating this awareness into action by developing a more compelling narrative for SMEs and for Boards for cyber security investment decision-making.

A list of questions addressed by the project includes but is not limited to

  1. What quantitative and qualitative economic metrics are used by SMEs to support cyber security investment decisions?
  2. What are the advantages/disadvantages of different metrics?
  3. What types and sources of data are used to compute economic metrics?
  4. What assumptions are made to allow computing economic metrics given a lack of reliable data?
  5. How effective qualitative metrics are for supporting decision-making in this field?
  6. How could the economic metrics reflecting the effectiveness of cyber security investments be made more appealing for Boards?

We would like to invite all SMEs and individuals well-positioned to contribute to this study and willing to participate in interviews to contact us on


Posted on

June 25, 2020