Economic Metrics for Supporting Cyber Security Investment Decision-Making

Dates: April 2020 – March 2021  

Lead researchers: Dr Yulia Cherdantseva and Dr Izidin El Kalak, Cardiff University  


For Small and Medium Enterprises (SMEs) in the UK, an average cost of a cybersecurity breach varies between £3,650 and £9,270. According to the DCMS Cyber Security Breaches Survey, 78% of businesses consider cyber security as a high priority. More work is needed to support SMEs to take appropriate action. While there are many approaches they can take, such as score cards or risk portfolios, techniques can be costly and difficult to implement for SMEs who have limited resources. This project involved an empirical study on the use of economic metrics (both quantitative and qualitative) by Boards and technical experts for supporting decision-making on cyber security investments. It looked at advantages and disadvantages of different metrics, how effective they are for supporting decision making and how they could be made more appealing for Boards.  

Policy implications  

The project resulted in A Best Practice Guide for SMEs on Cybersecurity Investment Decision-Making which is aimed at assisting them to make well-informed cyber security decision. It aims to equip cyber security professionals with an actionable guidance on how to “sell security to their bosses” which may lead to the improvement in the cyber security posture of SMEs. This should be a relevant and useful contribution to policy actors working to improve the cyber security of SMEs. In the current landscape, where SMEs often have not yet implemented standardised cyber security decision processes, and where the application of investment metrics is either absent or inconsistent, it is critically important to produce a practically useful guide on the use of economic metrics for cyber security decision support. In the business context, the output of the project  


Interviews with businesses as well as security vendors or consultants who work with them, qualitative data analysis  

Find out more

A Best Practise Guide for SMEs on Cybersecurity Investment Decision-Making.  

Funders: RISCS 


Posted on

December 9, 2021