Call for evidence outcome

Cyber Security Breaches Survey: User-engagement exercise

This call for evidence has closed

Detail of outcome

The Department for Science, Innovation and Technology (DSIT) conducted a user engagement exercise from 1 October 2024 to 4 November 2024 on the Cyber Security Breaches Survey (CSBS).

This user engagement exercise sought feedback from users and stakeholders on DSIT’s plans for future iterations of the CSBS, including potential additions and amendments to the areas covered by the survey.

In the user engagement exercise, we asked users about the following:

  • The frequency and nature of their use of the CSBS.
  • The continuation of the CSBS and the ongoing presence of similar research initiatives.
  • Proposed plans for CSBS 2026 onwards on the modification of cyber security breaches and cyber security crimes cost questions.
  • Proposed areas for potential inclusion and any other topics or questions of particular interest.
  • Any research that may conflict with or duplicate the proposals.
  • Whether they would be negatively impacted if the CSBS was discontinued in its current format.
  • Any other feedback they could provide on the survey.

For more information, please see the user engagement exercise document at the bottom of the page.

What you said

The user engagement exercise received 34 complete responses. This included 16 responses from organisations and 18 from individuals. We received responses from businesses, government, academics, and voluntary, community and social enterprise organisations.

The feedback has been summarised below to reflect the broad areas on which views were sought during the user engagement activity.

Current usage and most used areas of the survey

Most respondents (nineteen out of thirty-four) identified using the findings from the CSBS quarterly or more frequently (i.e., monthly or weekly). The survey results have been used to understand the prevalence, impact and frequency of cyber security breaches and attacks in the past twelve months.

Respondents used the CSBS for a variety of purposes, for example, to understand the broader cyber security landscape in the UK, organisations’ attitudes towards evolving cyber threats, their handling of breaches or attacks, and organisations’ reporting and measures adapted to avoid similar incidents in future. Specific sections of the CSBS report that several respondents stated are very or somewhat useful/interesting were ‘approaches to cyber resilience’, ‘organisations’ awareness and attitudes towards cyber security’, and ‘prevalence and impact of breaches and attacks’.

One respondent mentioned their use of the survey report in postgraduate/masters’ curricula for cyber security, and another respondent reported how CSBS is referred to regularly in research initiatives, both on its own and in conjunction with similar research on policy areas (such as the Computer Misuse Act 1990). Several respondents appreciated the availability of respondent-level quantitative data (via UK Data Service) and stated potential benefits of follow up qualitative data if it was made available to the researchers.

One respondent stated that CSBS serves as an indicator of where to focus efforts on cyber security risk training for their staff. Another respondent mentioned their use of these official statistics to raise public and political awareness, and to demonstrate to political stakeholders why it is critical for the UK to prioritise and invest in national cyber resilience.

Findings related to certain organisation sizes (e.g., small businesses) or sectors (e.g., education) were highlighted throughout the engagement activity as a unique benefit of the CSBS.

Cyber security breaches cost and cyber crime cost questions

Nearly half of the respondents supported the proposals to modify the cyber security breaches cost questions in the CSBS (seven of fifteen respondents who chose to respond to this question). Other respondents were divided between those who thought the questions should not be kept as they are (four out of fifteen), and those who reported having no opinion (also four out of fifteen).

Modification of the cyber security crime costs questions was also supported by almost half of respondents to this question (six out of fourteen responses), with half of the respondents reporting having no opinion (seven out of fourteen). Only one respondent said that the cyber security crime costs questions should not be modified.

Open text responses on the cost questions also showed an interest in the wider context around costs and interest in knowing what exact costs are captured by the survey and/or participating organisations. One respondent mentioned how the findings tend to differ from the other evidence available in this space. Several respondents in their open text responses appreciated the strengths in methodology but acknowledged that specificity in costs can be difficult to capture.

Potential amendments and future topic areas for inclusion

Respondents stated an interest in the proposed areas for inclusion, with twelve out of fourteen participants who responded to this question believing that adding follow-up questions to the existing suite of survey questions on supply chain cyber security would be very useful and interesting. In addition to this key area of policy interest, respondents were also interested in inclusion of new questions to explore emerging areas of interest such as Artificial Intelligence (AI) cyber security (seven out of fourteen respondents) and AI facilitated cyber crimes (six out of fourteen respondents). A small number of respondents mentioned using the CSBS results in conjunction with other data sources on computer misuse, and to explore the impact of existing relevant laws, such as the Computer Misuse Act (CMA) 1990, which prohibits unauthorised access, regardless of intent.

Other areas suggested for inclusion in the CSBS varied widely, including:

  • Quantum computing cyber security preparedness
  • Organisations’ perception of causes of attacks
  • Data security and sensitive data protection

Feedback on the continuation of the survey

The majority of respondents said that they are not aware of any research that may conflict with or duplicate the proposals for the CSBS (thirteen out of fourteen respondents who responded to this question). Most respondents said that they would be negatively impacted if the CSBS was discontinued in its current format (eight out of fourteen). Several respondents also provided open text feedback stating how the survey results are invaluable to organisations and a key source of independent research on cyber security.

We are not able to provide further breakdowns due to potential disclosure risk.

What we will do

We have conducted additional engagement with key users across the government. Since the closure of the user-engagement activities in November 2024, we have analysed the results and sought to build a consensus on the future of the survey. We have identified key areas to focus on, and amendments reflecting survey users’ priorities.

Following the feedback received, DSIT intends to take the following actions:

DSIT will retain the Cyber Security Breaches Survey in its current format, with a main comprehensive report, an accompanying technical report and a separate annex reporting results for the educational institutions.

We plan to amend the cyber security breaches and crime costs related questions by incorporating user feedback and expert advice from financial, technical, and behavioural science experts in the CSBS from 2026 onwards.

We aim to incorporate and revise the question areas highlighted by respondents in this engagement activity. During the questionnaire design phase in future editions of the survey, DSIT will continue to engage with the cyber security sector.

We will continue to explore the feasibility of introducing a range of follow-up questions on topic areas such as software cyber security and new topic areas such as data security, cyber security of AI and AI-facilitated cyber crimes.

We would like to thank all of those who took part in the user engagement exercise and provided us with invaluable feedback that will guide the future of the CSBS.

If you have any further questions, please email cybersurveys@dsit.gov.uk.


Original call for evidence

Summary

The government is seeking views from users of the Cyber Security Breaches Survey on how it could be developed and improved in future.

This call for evidence ran from
to

Call for evidence description

The Cyber Security Breaches Survey (CSBS) is an ongoing quantitative and qualitative research study. The questions currently cover a comprehensive suite of issues, including:  

  • Frequency and types of cyber breaches and crimes, associated impacts and outcomes experienced 
  • Corporate reporting of cyber security breaches and crimes 
  • Cyber security policies and processes 
  • Supplier standards. 

The findings of the CSBS are representative of UK businesses, charities and educational institutions. They help organisations understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure. This research supports the government’s work to shape future cyber security policy and to work with industry to improve the UK’s cyber defences and protect our economy and essential public services.

The CSBS is conducted by an external supplier. The Department for Science, Innovation, and Technology (DSIT) holds and manages the contract. The Home Office is currently responsible for the cyber crime section of the survey and has been the co-funder for the CSBS since 2023. The current contract for the CSBS concludes in 2025. However, DSIT and the Home Office plan to continue this research due to its value in informing policy context and decision making, and its widespread use by stakeholders.  

The aim of this engagement survey is to collect user and stakeholder feedback on different aspects of CSBS for 2026 onwards, and to understand their views on the proposed changes to the CSBS. 

Feedback is requested in line with the Code of Practice for Statistics, which sets out that: 

“Users of statistics and data should be at the centre of statistical production; their needs should be understood, their views sought and acted on, and their use of statistics supported”.  

“Statistics producers should periodically review whether to continue, discontinue, adapt or to provide the statistics through other means, in discussion with users and other stakeholders.”

How to respond

This survey will take approximately 10 minutes to complete. Responses can be submitted via our online survey.

If you would prefer, you can also respond via email. Please send emails to cybersurveys@dsit.gov.uk

This questionnaire can be completed anonymously, and most respondent information fields are not mandatory. (*  = mandatory response). 

Data collected from this survey will form the evidence base for the further development of the CSBS. Anonymised findings from the data collected will be shared with DSIT and the Home Office. No individuals will be identifiable.  

The information we receive will allow us to make more informed decisions. 

  • A summary of findings will be published in response to this public engagement exercise within 12 weeks of the public engagement exercise closing (by 31 January 2025). No individuals will be identifiable in the published results. 
  • Please read the privacy notice for more information on the data collected as part of the engagement exercise. 

If you have questions about this survey or on the CSBS, please email cybersurveys@dsit.gov.uk

This public engagement exercise closes at 23:59 on Monday 4 November 2024.

Future directions and key changes

DSIT and the Home Office wish to incorporate the following changes in the CSBS.

Questions to be amended: 

Previous editions of the CSBS have provided estimates of the proportion of organisations who experience a cyber breach. This has helped identify the number of cyber crime incidents. Reflecting policy interest, a few survey questions were included to understand the volume as well as costs of various types of cyber breaches and crimes for organisations and whether they were successful in breaching perimeter defences. 

Current questions in this research cover areas such as:  

  • How much do cyber-attacks and cyber crimes cost? (including business disruption, lost business, recovery costs, etc.) 
  • How much are businesses spending on cyber security? 

We intend to keep the questions around the nature and volume of cyber breaches and crimes, as well as the questions around estimates that are important to understand the ability of existing government interventions to drive cyber resilience. The incidents questions also feed into the wider cyber security workstream at DSIT. However, the follow-up or standalone cost questions need to be revised and amended following concerns over their accuracy. Estimates of the cost of cyber crimes experienced by organisations are a useful indicator, although the accuracy of the related costs questions could be improved, and suggestions for improvements are therefore welcomed.

Potential areas for future inclusion: 

  1. Follow up questions on supply chain cyber security: Given the growing concerns around supply chain vulnerabilities, we plan to include follow up questions in existing questions on supply chain cyber security.  
  2. Follow up questions on cyber insurance: While previous CSBS findings suggest that risk awareness continues to rise, organisations still need to assess their cyber insurance needs and overall enhance their resilience. We plan to include follow-up questions in this area. 
  3. New/follow up questions on software cyber security: Ensuring the cyber security of software used by organisations is essential, as vulnerabilities in software can lead to data breaches, system compromises, and other cyber incidents. Therefore, we also plan to add follow-up questions to the existing software cyber security question.
  4. New questions on AI cyber security: We would like to include some questions on AI cyber security, primarily to understand how businesses implement cyber security practices and processes around the AI technology they deploy.  
  5. AI-facilitated cyber crime: Given the growing use of AI, we would like to incorporate questions to understand businesses’ experiences of AI-facilitated cyber crime and what security measures organisations may have in place to help protect from AI-facilitated cyber crime.
  6. Data security: Ensuring the security of customers’ and organisations’ own data is essential, as data breaches can lead to fraud and other crimes. Therefore, we are keen to incorporate questions on how data security is part of organisations’ wider cyber security strategy. For example, we want to know what organisations are doing to protect data in the event of a breach.

If agreed and prioritised, these will be new additions for the CSBS for 2026 onwards.

Updates to this page

Published 2 October 2024
Last updated 31 January 2025
  1. The DSIT response to the user-engagement exercise has been published.

  2. First published.
