Quantification and Cyber Risk

About this theme

    While progress has undoubtedly been made in measuring and quantifying cyber risk we still have a long way to go. Indeed, discourse relies far too much on anecdotes and numbers seemingly ‘plucked out of the sky’ on the size of the cyber-security risk. This argument is not new, but the gap is still not being filled. Moreover, the extent to which businesses and organizations use appropriate cyber data to inform their risk management decisions is unclear.


    The quantification and cyber risk theme has the broad objectives to explore:

    • How to integrate quantification into a wider risk management process?
    • How do we overcome the challenges and enable the cyber security community to use quantification to best effect in understanding cyber risk and enabling effective cyber security decision-making?
    • Can quantification play a role in bridging the gap between cyber risk and other areas of risk such as safety?


    The Fellowship involves two complementary strands of work outlined below.


    Optimising the use of UK Government survey data on cyber security

    There is a wealth of UK Government data on cyber security, most notably the Cyber Security Breaches Survey, Commercial Victimization Survey and Action Fraud data, as well as other surveys that touch on cyber such as the Longitudinal Small Business Survey. Such data is currently under-utilized as a resource for studying cyber-security. We will look to promote research using this data.


    Key activities
    • We held a policy workshop in July 2021 to address the following questions: (a) What data on cyber-security in SMEs is freely available for academic research? (b) What are the priority policy questions we should try to analyse with that data? (c) How can we most effectively analyse the data?
    • In August 2021 we launched a competition, based on the outcomes of the policy workshop, to encourage novel data analysis.
    • In March 2022 we will hold an engagement workshop to feedback on the outcomes of the competition and set a plan for future collaboration and analysis.


    Cyber-risk management in SMEs.

    Small and medium organisations are widely considered to still be relatively lax in cyber-security. While there is no simple solution to this cyber-security awareness gap, local micro IT companies maybe part of the solution. Micro IT companies are often embedded in their community and provide, therefore, an ideal way of cascading information through local business communities.


    Key activities
    • Hold a series of focus groups with small local IT providers to explore how they think best practice can be spread most effectively to SMEs.
    • To produce a policy report exploring the opportunities and challenges of cascading cyber security information through local IT companies.


    Research Fellow

    Anna Cartwright