Measuring Cyber Risk

Pilot Project 5:

Measuring Cyber Risk

Applications are invited to undertake a collaborative project to explore how we can better measure cyber risk at the national level, in such a way that we can use this information to quantify the impact of interventions and calibrate those interventions accordingly.

This could be based on a holistic analysis of what the greatest cyber risks to the UK are, taking into account.

  • Risk in areas being addressed by National Cyber Security Strategy (NCSS), including:
    • – Growing areas of risk, that require further intervention and investment
    • – Areas where risk is reducing, and intervention/investment can be reduced
    • – Areas where intervention/investment is ineffective and not mitigating the risk
  • New areas of risk that are not being addressed by the NCSS

The risks being addressed are disparate in how they might be assessed, yet related (e.g. a lack of cyber skills would impact on the ability of UK businesses to protect themselves). A methodology is needed for how these risks can be assessed individually, collectively and comparatively, and in an appropriately quantifiable and communicable manner, in order to

  • Inform investment and policy decision making
  • Identify trends, gaps, themes and crossovers
  • Enable us to look forward and back by providing baselines, showing progress, and making predictions.

A lack of long term data and the continually evolving nature of cyber risks means scenario based predictive analysis may not be the most appropriate approach in order to inform decision making.

The outcome of this project will be a contribution to the assessment of UK cyber security and the efficacy of current and potential interventions using good monitoring and evaluation practice.

The CRUISSE network will be able to provide assistance in obtaining relevant data or contacts.


Up to £15,000 is available for this initiative. Applicants should provide a 4 page A4 document setting out how they would approach the task and why they think they are suitable to carry it out. They should provide details of grant administration, finances, time line and deliverables (and an indication of supervisory responsibility for junior researchers if applicable).

The proposal will include ideas about the kinds of information needed for the study, how it will be analysed and followed up, and the types of outcomes that may be expected.

It is envisaged that a senior academic, postdoc or research student will apply to conduct the project themselves or to obtain funds to employ someone else suitable to conduct the work under their supervision over a period of about 6 months starting as soon as possible.

The PI, Co-I or other core members of the CRUISSE Network will be available for consultation and expect to receive informal updates on progress occasionally during the project as well as any formal deliverables specified by the applicant.

The work will probably require some social science and/or psychology expertise but the network selection committee will select whichever application seems likely to be most successful.

Before the project commences, the successful applicant in collaboration with the project partners will be expected to draw up a brief (maximum 2 page) summary of the expected

outcomes and impacts of the work. This document should also set out the expected level of interaction between the applicant and the project partners, and an approximate timeline for the work.

Eligibility and Evaluation

Applications for Project 5 should be sent to

Applicants must be staff (including current postdocs and PDRA’s) working at an eligible UK institution. Please refer to the EPSRC Eligibility of organisations webpage to check your institution’s eligibility:


The proposals will be reviewed and evaluated quickly within the CRUISSE Network.


Deadline for Applications: 20th December 2017