Cyber security breaches survey 2025: technical report
Published 10 April 2025
Introduction
This Technical Annex provides the technical details of the Cyber Security Breaches Survey 2025. It covers the quantitative survey (fieldwork carried out between August and December 2024) and the qualitative element (carried out between October and December 2024), and includes copies of the main survey instruments in the appendices to aid interpretation of the findings.
The annex supplements a main Statistical Release published by the Department for Science, Innovation and Technology (DSIT), covering this year’s results for businesses and charities.
There is another Education Institutions Findings Annex, available on the same GOV.UK page, that covers the findings for schools, colleges and universities.
The Cyber Security Breaches Survey is a research study on UK cyber resilience. It is primarily used to inform government policy on cyber security, making the UK cyberspace a secure place to do business. The study explores the policies, processes and approach to cyber security, for businesses, charities and educational institutions. It also considers the different cyber attacks and cyber crimes these organisations face, as well as how these organisations are impacted and respond.
For this latest release, the quantitative survey and qualitative interviews were carried out between August and December 2024.
Lead analysts: Saman Rizvi (DSIT), Eleanor Fordham (Home Office)
Responsible statistician: Saman Rizvi
Enquiries: cybersurveys@dsit.gov.uk
Chapter 1: Overview
1.1 Summary of methodology
As in previous years, there were two strands to the Cyber Security Breaches Survey:
- We undertook a random probability telephone and online survey of 2,180 UK businesses, 1,081 UK registered charities and 574 education institutions from August 2024 to December 2024. The data for businesses and charities have been weighted to be statistically representative of these two populations
- We carried out 44 in-depth interviews between October 2024 and December 2024, to gain further qualitative insights from some of the organisations that answered the survey
Sole traders and public-sector organisations (with the exception of educational institutions) were outside the scope of the survey. In addition, businesses with no IT capacity or online presence were deemed ineligible. These exclusions are consistent with previous years of the survey.
The survey methodology for this year’s survey is consistent with last year’s survey, and only minor changes were made to last year’s questionnaire (as pointed out in the relevant sections of the main report).
1.2 Strengths and limitations of the survey overall
While there have been other surveys about cyber security in organisations in recent years, these have often been less applicable to the typical UK business or charity for several methodological reasons, including:
- focusing on larger organisations employing cyber security or IT professionals, at the expense of small organisations (with under 50 employees) that typically do not employ a professional in this role. Missing out these small organisations means the population is not well represented as they make up the overwhelming majority of the business and charity populations
- covering several countries alongside the UK, which leads to a small sample size of UK organisations
- using partially representative sampling or online-only data collection methods
By contrast, the Cyber Security Breaches Survey is intended to be statistically representative of UK businesses of all sizes and all relevant sectors, and of UK registered charities in all income bands.
The 2025 survey shares the same strengths as previous surveys in the series:
- the use of random probability sampling and interviewing to minimise selection bias
- the inclusion of micro and small businesses, and low-income charities, which ensures that the respective findings are not disproportionately skewed towards larger organisations
- a data collection approach predominantly conducted by telephone, which aims to also include businesses and charities with less of an online presence (compared to online-only surveys)
- a comprehensive attempt to obtain accurate frequency and cost data from respondents, giving respondents flexibility in how they can answer (e.g. allowing numeric and banded amounts)
- a consideration of the cost of an organisation’s most disruptive cyber security breach or attack beyond the immediate direct costs (i.e. explicitly asking respondents to consider longer-term direct costs, staff time costs, as well as other indirect costs, while giving a description of what might be included within each of these cost categories)
At the same time, while this survey aims to produce the most representative, accurate and reliable data possible with the resources available, it should be acknowledged that there are inevitable limitations of the data, as with any survey project. The following might be considered the main limitations:
- Organisations can only tell us about the cyber security breaches or attacks that they have detected. There may be other breaches or attacks affecting organisations, but which are not identified as such by their systems or by staff, such as a virus or other malicious code that has so far gone unnoticed. Therefore, the survey may tend to systematically underestimate the real level of breaches or attacks. This equally applies to the cyber crime and cyber-facilitated fraud prevalence and scale estimates, given that these types of crimes emanate from cyber security breaches and attacks.
- The business survey intends to represent businesses of all sizes. As the Department for Business and Trade Business Population Estimates 2024 show, the UK business population is predominantly made up of micro and small businesses (respectively 81% and 15% of all businesses excluding sole traders). This presents a challenge as these businesses, due to their smaller scale and resource limitations, typically have a less mature cyber security profile. This may limit the insights this study in isolation can generate into the more sophisticated cyber security issues and challenges facing the UK’s large business population, and the kinds of high-impact cyber security incidents that appear in the news and media. Nevertheless, the study design attempts to balance this by boosting survey responses among medium and large businesses (and high-income charities). Moreover, DSIT undertakes a separate survey series focused on larger organisations, the Cyber Security Longitudinal Survey, partly to address this limitation.
- Organisations may be inclined to give answers that reflect favourably on them in surveys about cyber security (a form of social desirability bias), given the common perceptions of reputational damage associated with cyber security incidents. Furthermore, organisations that have suffered from more substantial cyber security incidents may be less inclined to take part because of this. This may result in surveys like this one under-counting the true extent and cost of cyber security incidents, although we have no direct evidence of this (for example from cognitive testing). Moreover, we make a concerted effort to overcome this in the administration of the survey. We make it clear to respondents, across a range of communication materials, that their answers are confidential and anonymous.
- A significant challenge remains in terms of designing a methodology that accurately captures the financial implications of cyber security incidents, given that survey findings necessarily depend on self-reported costs from organisations. As previous years’ findings and government research from 2020 on the full cost of cyber security breaches suggest, there is no consistent framework across organisations at present that supports them to understand and monitor their costs, and many organisations do not actively monitor these costs at all. Moreover, we consciously opted not to ask about certain long-term indirect costs, as it was unrealistic to collect accurate figures for these areas in a single survey. In addition, a survey based on a sample such as this one may miss some of the most financially damaging cyber security incidents, that affect a very small number of UK organisations in a very extreme way. This implies that respondents may underestimate the true economic cost of their most disruptive breaches or attacks in the survey, and that our averaged results may miss critical cases within the population. This risk of inaccuracy also applies to the cost of cyber crime and cyber-facilitated fraud estimates and provides a possible reason for the average costs of the most disruptive cyber attack or breach being higher than the average cost for cyber crime. The differences between these two estimates are explored in the main report.
- The total populations of further and higher education institutions available in the sample frame[footnote 1] are small (342[footnote 2] and 175[footnote 3] respectively for this year’s survey). This limits the ability to achieve relatively high sample sizes among these groups, and results in much higher margins of error for the survey estimates for these groups compared to businesses, charities and schools.
1.3 Cyber crime and cyber-facilitated fraud statistics
Questions on cyber crime, and on fraud that occurs as a result of cyber breaches or attacks (i.e. cyber-facilitated fraud)[footnote 4] in UK organisations were introduced for the first time in the 2023 survey. These questions were re-drafted significantly for the 2024 survey to make questions clearer and responses more accurate. For the 2025 survey, only minor edits have been made to the cyber crime questions to aid accuracy. These changes were overseen by both DSIT and the Home Office. More detail on these changes can be found in Section 2.1 of this annex.
The survey includes estimates for:
- the prevalence of cyber crime, i.e. how many organisations are affected by them
- the nature of these cyber crimes
- the scale of cyber crimes, i.e. the number of times each organisation experienced a cyber crime, and estimates for the total number of cyber crimes against UK organisations
- the financial cost of cyber crime
- a similar set of statistics with regards to frauds that occur as a result of cyber breaches or attacks (cyber-facilitated fraud)
The survey approaches these estimates in a similar way to existing official estimates of crime against individuals. This includes police-recorded crime as well as the estimates from the general public Crime Survey for England and Wales (CSEW), both of which follow the Home Office Counting Rules. The approach aims to be as robust as possible, in the following ways:
- Comprehensiveness: the questionnaire was set up to measure multiple types of cyber crime, relating to ransomware, viruses and other malware, unauthorised access to data, online takeovers, denial of service and phishing. Cyber-facilitated fraud is counted separately, as a different category of crime.
- Isolating criminal acts: the survey asks a series of questions to establish whether the cyber security breaches or attacks that organisations have experienced are crimes. It systematically aims to exclude cyber attacks that were stopped by software and breaches where the organisation was not deliberately targeted (e.g. accidental accessing of confidential data by employees). It only counts a phishing attack where the organisation confirmed either that employees engaged with it in some way (e.g. by opening an attachment) or that it was specifically targeted at the organisation (the attackers referred to the organisation or its staff by name, or included personal or contact details in the messages), and where no other crime followed on from it. From the 2025 survey onwards it only includes ransomware attacks where a ransom was demanded.
- Avoiding double counting: the questions were asked in a hierarchical structure to align with the Home Office Counting Rules, so that where a series of attacks were inter-linked as part of one wider incident only one ‘principal crime’ is recorded. For example, an instance of unauthorised access may have led to subsequent events, such as ransomware, other malware or cyber-facilitated fraud. In these cases only the ‘principal crime’ is recorded as a crime, in line with the Home Office Counting Rules.
Whilst it does remain methodologically challenging to achieve robust estimates of cyber crime via a survey method, we are able to compare this year’s results for cyber crime and cyber crime costs against the baseline in 2024. Whilst some small changes have been made to the wording of questions[footnote 5] that feed into the ransomware figures and therefore subsequent cyber crime figures, the changes made do not represent a substantive difference in the way cyber crime has been recorded.
The proportion of organisations saying they have had a ransomware breach or attack remains consistent between 2024 and 2025 (3% for businesses and 1% for charities). The proportion of organisations experiencing a ransomware cyber crime (in 2025, where it was confirmed a financial ransom was demanded; in 2024, where it was confirmed the ransomware attack overcame internal or third-party software) has gone up slightly among businesses, from less than 0.5% in 2024 to 1% in 2025. There is no reason to think that the wording change would lead to more ransomware crimes being recorded; if anything, the expectation was that it could have led to fewer being recorded, so the increase most likely represents a real change. More detail on the wording changes made to these questions is included in Section 2.1 ‘Changes made to the questionnaire for the 2025 survey’.
The questionnaire changes for 2025 also included some edits to the questions used to obtain cyber-facilitated fraud estimates. The questions were changed to ask organisations to specifically include instances of fraud that occurred as a result of phishing attacks. On this basis we are unable to directly compare cyber-facilitated fraud estimates, including prevalence and cost, to 2024.
We are unable to compare cyber crime and cyber-facilitated fraud results to any wave before 2024 due to significant changes made to these sections of the questionnaire in 2024.
The cyber crime statistics should ideally be considered alongside other, related evidence on computer misuse, such as the Crime Survey for England and Wales (CSEW). The CSEW and Cyber Security Breaches Survey are not directly comparable, as the CSEW does not look at crime against organisations and excludes Scotland and Northern Ireland. However, it does provide a benchmark for the scale of cyber crime against individuals in England and Wales, to help contextualise the equivalent results for UK organisations in this survey.
1.4 Methodology changes from previous waves
One of the objectives of the survey is to understand how approaches to cyber security and the cost of breaches are evolving over time. Therefore, the methodology is intended to be as comparable as possible to previous surveys in the series.
The core approach, a random-probability survey predominantly conducted by telephone, remains unchanged in 2025. We are therefore able to continue to make comparisons with previous years.
The following points cover major changes or additions to the study that have been made in previous years:
- In the 2023 survey, the sample frame was changed for businesses from the Inter-Departmental Business Register (IDBR) to the Market Location business database. This was done to improve the overall sample quality, accuracy and telephone coverage. More detail of how many records were sourced from Market Location and the proportion that had contact details is provided in Section 2.3. The Market Location business database has been used consistently since the 2023 survey and the sample frames for charities and education institutions were consistent with previous years (see Section 2.3).
- In the 2023 survey onwards, we adopted a multimode data collection approach, allowing organisations to take part partially or fully online as well as by phone. This matches the approach taken in other random probability business surveys since the COVID-19 pandemic and reflects the increasing need to offer organisations the flexibility to respond online under hybrid or remote working. More details are in Section 2.4.
- In the 2023 survey onwards, for businesses and charities, we substantially increased the use of split-sampling (where certain questions are only asked to a random half of the sample). We also restricted various questions to larger organisations (medium and large businesses, and high-income charities). Both actions were taken to maintain a questionnaire length comparable to previous years.
- The agriculture, forestry and fishing sector was included in the business sample for the first time in 2022. This is a small sector, accounting for 3.6% of all UK employers[footnote 6]. Its inclusion has a negligible impact on the comparability of findings across years, but increases the overall representativeness of our sampling methodology.
- The government’s 10 Steps to Cyber Security guidance was refreshed between the 2022 and 2023 studies. As such, the way the 10 steps mapped to the questionnaire changed, and this section of the Statistical Release is not comparable to releases pre-2023.
- In 2021, we substantially changed the way we collect data on the costs of breaches in the survey, as part of a reflection on findings from a separate 2020 research study on the full cost of cyber security breaches. These changes mean we cannot make direct comparisons between data from 2021 onwards and previous years. We can, however, still comment on whether the broad patterns in the data are consistent with previous years, for example the differences between smaller and larger businesses, as well as charities.
- The charities sample was added in 2018, while the education institutions sample was added in 2020. The initial scope of the school and college samples was expanded from 2021 to include institutions in Wales, Scotland and Northern Ireland, as well as England.
1.5 Comparability to the pre-2016 Information Security Breaches Surveys
From 2012 to 2015, the government commissioned and published annual Information Security Breaches Surveys.[footnote 7] While these surveys covered similar topics to the Cyber Security Breaches Survey series, they employed a radically different methodology, with a self-selecting online sample weighted more towards large businesses. Moreover, the question wording and order is different for both sets of surveys. This means that comparisons between surveys from both series are not possible.
1.6 Margins of error
The survey results for businesses and charities are weighted to be representative of the respective UK population profiles for these organisations. The education institution samples are unweighted, but these groups are included as simple random samples, i.e. without any disproportionate stratification. As such, they are also considered to be representative samples. Therefore, it is theoretically possible to extrapolate survey responses to the wider population (with the exception of the financial cost data, as explained at the end of this section).
We recommend accounting for the margin of error in any extrapolated results. Table 1.1 shows the overall margins of error (MoE) for the sampled groups in the survey, for different survey estimates.
As a worked example, the overall business sample this year has a margin of error range of ±1.6 to ±2.7 percentage points, based on a 95% confidence interval calculation. That is to say, if we were to conduct this survey 100 times (each time with a different sample of the business population), we would expect the true population figure to lie within 1.6 to 2.7 percentage points of the survey result in 95 out of those 100 cases. The range illustrates that survey results closer to 50% have higher margins of error. This happens because the standard error of a proportion, √(p(1 − p)/n) where n is the effective sample size, is largest when the sample proportion p is 50%. If 90% of surveyed businesses said cyber security is a high priority for their senior management, this result would have a margin of error of ±1.6 percentage points, whereas if only 50% said this, the margin of error would be ±2.7 percentage points.
The margins of error are calculated using the effective sample sizes (which take into account survey weighting). Figures are only reported on in the main report for effective sample sizes of 30 and above. Where base sizes are shown on charts or in tables the unweighted base size is quoted to indicate the number of organisations that responded at the relevant question.
For reference, we have also included MoE calculations for the split-sampled questions, where the business and charities samples are roughly half of the total. In these cases we have used the lower of the two split-samples. For example, where the business questions are split-sampled, some questions were asked to a randomly selected 1,046 business respondents (out of the total 2,180) whereas some questions were asked to the remaining 1,134. We have calculated the MoE for the 1,046.
All sample sizes shown are the unweighted totals.
Table 1.1: Margins of error (MoE) for each sample group for different survey estimates (in percentage points)
Sample group | Sample size | Effective sample size | 10% or 90% estimate | 30% or 70% estimate | 50% estimate |
---|---|---|---|---|---|
Businesses | 2,180 | 1,326 | ±1.6 | ±2.5 | ±2.7 |
Businesses split-sampled (Half A) | 1,046 | 642 | ±2.3 | ±3.5 | ±3.9 |
Charities | 1,081 | 685 | ±2.2 | ±3.4 | ±3.7 |
Charities split-sampled (Half B) | 523 | 330 | ±3.2 | ±4.9 | ±5.4 |
Primary schools | 250 | 250 | ±3.7 | ±5.6 | ±6.2 |
Secondary schools | 240 | 240 | ±3.7 | ±5.7 | ±6.2 |
Further education | 52 | 52 | ±7.5 | ±11.5 | ±12.5 |
Higher education | 32 | 32 | ±9.4 | ±14.4 | ±15.7 |
1.7 Extrapolating results to the wider population
The total population sizes for each of these sample groups are as follows:
- 1,427,165 UK businesses with employees (according to the Department for Business and Trade Business Population Estimates 2024[footnote 8])
- 202,676 UK registered charities (combining the lists of registered charity databases, downloaded in February 2025 at the time of report writing, across England and Wales[footnote 9] that contained 170,871 charities, Scotland[footnote 10] that contained 24,589 charities and Northern Ireland[footnote 11] that contained 7,216 charities)
- 20,772 primary schools (including free schools, academies, Local Authority-maintained schools and special schools covering children aged 5 to 11) (combining the schools databases from England[footnote 12], Wales[footnote 13], Scotland[footnote 14] and Northern Ireland[footnote 15], laid out in Section 2.3)
- 4,845 secondary schools (including free schools, academies, Local Authority-maintained schools and special schools covering children aged 11+) (combining the schools databases as referenced under primary schools and laid out in Section 2.3)
- 342 further education colleges (combining the college databases from England[footnote 16], Wales[footnote 17], Scotland[footnote 18] and Northern Ireland[footnote 19], laid out in Section 2.3)
- 175 universities (list of all UK universities[footnote 20], cross-referenced against the comprehensive list of Recognised Bodies[footnote 21] on GOV.UK)
As the samples for each group are statistically representative, it is theoretically possible to extrapolate survey results to the overall population.
Where extrapolated figures for prevalence and the number of crimes experienced are shown in the main report, they are based on the estimated total population of businesses with employees (1,427,165 according to the Department for Business and Trade Business Population Estimates 2024 Table 1) and the total number of registered UK charities (202,676 when combining the charity registers for England and Wales, Northern Ireland and Scotland). Any extrapolated figures are rounded to three significant figures (or to the nearest thousand, if under 1 million) and unrounded weighted prevalence estimates to one decimal place are used. For number of cyber crimes experienced, the weighted average number of cyber crimes rounded to two decimal places are also used.
We recommend restricting any extrapolation of results to the overall business and charity populations rather than to any subgroups within these populations. The sample sizes for subgroups in our survey are smaller than the overall sample sizes for businesses and charities, and consequently have higher margins of error. Similarly, the sample sizes for education institutions are small and have relatively high margins of error (see Section 1.6). For example, the margin of error on a result of 50% for Higher education institutions is ±15.7. This compares to a margin of error on a result of 50% for businesses of ±2.7.
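The margin of error calculation in Section 1.6 and the extrapolation conventions in Section 1.7, carried through as an added worked example. This code is not part of the annex or of the survey’s own processing. The sample sizes, effective sample sizes and population totals are the figures quoted above. Three things are assumptions: the finite population correction √((N − n)/(N − 1)) is an inference from the further and higher education rows, which only reproduce Table 1.1 with it (the annex does not say one was applied); the rounding rule is one reading of the Section 1.7 sentence on rounding; and the 43.2% prevalence used in the usage call is constructed for illustration, not a survey result.

```python
"""Reproduce Table 1.1 and extrapolate a survey proportion to the population.

Sample sizes, effective sample sizes and population totals are the figures
given in Sections 1.6 and 1.7 of this annex.  Everything else here is an
added worked example: the finite population correction is an inference from
the FE and HE rows (the annex does not say one was applied), the rounding
rule is one reading of Section 1.7, and the 43.2% prevalence used at the
bottom is made up for illustration.
"""
from math import floor, log10, sqrt

Z95 = 1.96  # two-sided 95% normal critical value

# group -> (unweighted sample size, effective sample size, population total)
# Split samples share the population total of their parent group.
GROUPS = {
    "Businesses": (2180, 1326, 1_427_165),
    "Businesses split-sampled (Half A)": (1046, 642, 1_427_165),
    "Charities": (1081, 685, 202_676),
    "Charities split-sampled (Half B)": (523, 330, 202_676),
    "Primary schools": (250, 250, 20_772),
    "Secondary schools": (240, 240, 4_845),
    "Further education": (52, 52, 342),
    "Higher education": (32, 32, 175),
}


def margin_of_error(p, n, n_eff, population):
    """95% margin of error, in percentage points, for a proportion p.

    The standard error uses the effective sample size, so the design effect
    from weighting (n / n_eff) is already accounted for.  The finite
    population correction sqrt((N - n) / (N - 1)) is negligible for
    businesses and charities but is what brings the FE and HE rows down to
    the +/-12.5 and +/-15.7 shown in Table 1.1 (an inference, see above).
    """
    se = sqrt(p * (1 - p) / n_eff)
    fpc = sqrt((population - n) / (population - 1))
    return round(100 * Z95 * se * fpc, 1)


def table_1_1():
    """Return {group: (MoE at 10%/90%, MoE at 30%/70%, MoE at 50%)}."""
    return {
        name: tuple(margin_of_error(p, n, n_eff, pop) for p in (0.1, 0.3, 0.5))
        for name, (n, n_eff, pop) in GROUPS.items()
    }


def round_estimate(x):
    """Round an extrapolated count as Section 1.7 describes: to three
    significant figures at or above one million, otherwise to the nearest
    thousand (this is one reading of that sentence)."""
    if x >= 1_000_000:
        return int(round(x, 2 - floor(log10(x))))
    return int(round(x, -3))


def extrapolate(prevalence_pct, group):
    """Scale a weighted prevalence (percent, one decimal place) up to the
    population of `group`, returning (point, lower, upper) rounded counts.

    The interval applies the group's margin of error at that prevalence, so
    the width of the interval is visible alongside the headline number.
    """
    n, n_eff, pop = GROUPS[group]
    moe = margin_of_error(prevalence_pct / 100, n, n_eff, pop)
    point = round_estimate(prevalence_pct / 100 * pop)
    lower = round_estimate((prevalence_pct - moe) / 100 * pop)
    upper = round_estimate((prevalence_pct + moe) / 100 * pop)
    return point, lower, upper


if __name__ == "__main__":
    for name, row in table_1_1().items():
        print(f"{name:36s} " + "  ".join(f"+/-{v:4.1f}" for v in row))
    # Section 1.6's worked example: 90% -> +/-1.6, 50% -> +/-2.7 for businesses.
    biz = GROUPS["Businesses"]
    print(margin_of_error(0.9, *biz), margin_of_error(0.5, *biz))
    # Constructed prevalence of 43.2% among businesses (not a survey result).
    print(extrapolate(43.2, "Businesses"))
```

Running the block prints every row of Table 1.1 to the same one decimal place. The extrapolation call shows why the annex asks for caution: a constructed 43.2% business prevalence scales to roughly 617,000 businesses, but the ±2.7 point margin at that prevalence spans about 578,000 to 655,000, and for the higher education group the same prevalence would carry a margin of over 15 points.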
Any extrapolated results should be clearly labelled as estimates and, ideally, should be calibrated against other sources of evidence.
We specifically do not consider the financial cost estimates from this survey to be suitable for this sort of extrapolation (e.g. to produce a total cost of cyber incidents, cyber crime or cyber-facilitated fraud for the UK economy). These estimates tend to have a high level of statistical standard error, and low base sizes, so the margins of error for any extrapolated cost estimate are likely to be very wide, limiting the value of such an estimate.
If you wish to use extrapolated Cyber Security Breaches Survey data as part of your analysis or reporting, then we would encourage you to contact DSIT via the cyber surveys mailbox: cybersurveys@dsit.gov.uk.
Chapter 2: Survey approach technical details
2.1 Survey and questionnaire development
The questionnaire content is largely driven by the Cyber Resilience team at DSIT, alongside the Home Office (which has co-funded the study since 2023). The questions are designed to provide evidence on UK cyber resilience, and influence future government policy and other interventions in this space.
Ipsos developed the questionnaire and all other survey instruments (e.g. the interview script and briefing materials) with DSIT and the Home Office. DSIT had final approval of the questionnaire. A full copy is available in Appendix A.
Stakeholder engagement
Each year, Ipsos has consulted a range of industry stakeholders, to ensure that the Cyber Security Breaches Survey continues to explore the most important trends and themes that organisations are grappling with when it comes to cyber security. This includes the Association of British Insurers (ABI) and techUK, who were consulted this year and agreed to endorse the survey. Similarly, DSIT and the Home Office have consulted a range of stakeholders across government, such as the National Cyber Security Centre (NCSC).
Separately, Ipsos and DSIT engaged with two stakeholders that have relationships with cyber security professionals in the further and higher education sectors: Jisc (a membership organisation of individuals in digital roles within the further and higher education sectors) and UCISA (formerly known as the Universities and Colleges Information Systems Association). These organisations subsequently encouraged their members and contacts to take part in the survey, promoting the online survey link created by Ipsos (see Section 2.4).
Changes made to the questionnaire for the 2025 survey
The main changes to the 2025 questionnaire centred on two areas:
- Ensuring that phishing attacks that led to instances of fraud were adequately captured by the questionnaire:
- At Q88A_FRAUD the text ‘including phishing attacks’ was added to the question wording asking whether a fraud had taken place
- At Q88E_FRAUDCOSTA the list of bullet points to describe what to include in the cost calculation was expanded to say ‘including as a result of phishing emails’ and the bullet point ‘the cost of any payments made as a result of phishing emails’ was removed to avoid repetition
- Increasing the accuracy of the data around whether ransomware attacks had taken place. The questions in the 2024 survey asked organisations if they had been targeted with ransomware and then how many of these ransomware attacks overcame internal or third-party software. Results suggested that a number of ransomware attacks experienced by businesses had been blocked by software. However, stakeholder engagement suggested it would be difficult for organisations to identify that a ransomware attack had taken place if it had been blocked. We therefore re-framed the questions around ransomware to ask about instances where a financial ransom was demanded. For the following questions the text was changed to remove references to ransomware attacks being ‘successful or unsuccessful’ and instead to ask about instances where a financial ransom was demanded:
- Q83E_RANSSOFT
- SHOWSCREEN_RANS
- Q83H_RANSDEMA
- Q83K_RANSPAYA
- Q83M_RANSCOSTA
- Q85A_HACKCOUNT
- Q86A_TKVRCOUNT
- SHOWSCREEN_DOSCHK
- SHOWSCREEN_VIRUSCHK
- SHOWSCREEN_PHISHCHK
In addition, the following questions were added as new questions for 2025:
- Q24Y_WHYNOINSURE was added to understand more about the reasons why some businesses do not hold cyber insurance
- Q29C_SOFTWARE was added to understand more about the role that cyber security considerations play when organisations are purchasing software
- Q64B_DISRUPTPHISH was added to gain more insight into why phishing was cited in the 2024 survey as the most disruptive breach
Some other minor changes to the questionnaire included:
- At Q29A_COMPLY and Q45X_SUPPLYCERT the wording of ‘The Cyber Essentials standard’ and ‘The Cyber Essentials Plus’ was changed to ‘Cyber Essentials’ and ‘Cyber Essentials Plus’
- At Q64A_DISRUPTA the wording of the code around malware was made consistent with the malware text at Q53A so that it read ‘Your organisation’s devices being targeted with ransomware, i.e. a type of malware that tells you to pay a ransom to restore your files or stop them being made public’
- Q78K_VALIDATE and Q82_CHECKA were validation questions used in previous years of the survey to follow up with organisations after they had completed the survey and check that the costs they had given for cyber breaches were correct. Given that the number of responses to these questions in previous years was very low, and that they had led to only one edit to the data, these questions were removed from the 2025 survey. More detail on the validation survey is provided in Section 2.4
Cognitive testing and piloting
Whilst in previous waves of the survey cognitive interviews and a pilot survey were carried out, it was felt that these were not necessary this year due to very limited questionnaire changes.
A soft launch or ‘rolling pilot’ was carried out at the start of fieldwork, in which only a small batch of sample was called initially. This was to check that the whole script worked as intended with live sample and that the average interview length did not exceed the target.
The average interview length in the rolling pilot was around 22 minutes. As this was within the target length and no issues were found with the questionnaire, no changes were made to the questionnaire following the rolling pilot.
2.2 GOV.UK page
As in previous years, a similar GOV.UK page was used to provide reassurance that the survey was legitimate and provide more information before respondents agreed to take part.
Interviewers could refer to the page at the start of the telephone call, while the reassurance emails sent out from the CATI script (to organisations that wanted more information) included a link to the GOV.UK page.
2.3 Sampling
Business population and sample frame
The target population of businesses largely matched those included in all the previous surveys in this series, i.e. private companies or non-profit organisations[footnote 22] with more than one person on the payroll.
The survey is designed to represent enterprises (i.e. the whole organisation) rather than establishments (i.e. local or regional offices or sites). This reflects that multi-site organisations will typically have connected digital devices and will therefore deal with cyber security centrally.
The sample frame for businesses was the Market Location database which covers businesses in all sectors across the UK at the enterprise level. It is compiled from a mix of public business directories, Companies House data and call centre activity. It is not only a clean database but also high quality; over 10,000 calls are made daily to validate numbers, with each record (telephone, email and senior contact name) having been validated within a rolling 12-month period.
Exclusions from the sample frame
With the exception of universities, public sector organisations are typically subject to government-set minimum standards on cyber security. Moreover, the focus of the primary sample in the survey was to provide evidence on businesses’ engagement, to inform future policy for this audience. Public sector organisations (Standard Industrial Classification, or SIC, 2007 category O) were therefore considered outside of the scope of the survey and excluded from the sample selection.
In line with the previous year, businesses listed as having just 1 employee were eligible to take part in the survey (only 0-employee businesses were excluded entirely). However, given that many businesses listed as having 1 employee on business databases were found to have 0 employees, the sampling was only done on businesses listed as having 2 or more employees. This helped to avoid an unreasonably high ineligibility rate during fieldwork.
Charity population and sample frames (including limitations)
The target population of charities was all UK registered charities. The sample frames were the charity regulator databases in each UK country:
- the Charity Commission for England and Wales database: https://register-of-charities.charitycommission.gov.uk/register/full-register-download
- the Office of the Scottish Charity Regulator (OSCR) database: https://www.oscr.org.uk/about-charities/search-the-register/download-the-scottish-charity-register/
- the Charity Commission for Northern Ireland database: https://www.charitycommissionni.org.uk/charity-search/
In England and Wales, and in Scotland, the respective charity regulator databases contain a comprehensive list of registered charities. DSIT was granted access to the non-public OSCR database, including telephone numbers, and a random sample of Scotland-based charities was generated.
The Charity Commission in Northern Ireland does not yet have a comprehensive list of established charities but has been registering charities and building its list over the past few years. Alternative sample frames for Northern Ireland, such as the Experian and Dun & Bradstreet business directories (which also include charities) have been considered in previous years, and ruled out, because they do not contain essential information on charity income for sampling and cannot guarantee up-to-date charity information.
Therefore, while the Charity Commission in Northern Ireland database was the best available sample frame for this survey, it cannot yet be considered a truly random sample of Northern Ireland charities, as the database is still being updated on a regular basis. This year, there were 7,216 registered charities on the Northern Ireland database[footnote 23] at the point of drawing sample, compared to 7,157 in the 2024 survey, 6,880 in the 2023 survey and 6,438 in the 2022 survey.
Education institutions population and sample frame
The education institutions sample frame came from the following sources:
- all schools and colleges in England from the Get Information About Schools database
- schools in Scotland from the Scottish Government School Contact details
- further education colleges in Scotland from the Colleges Scotland directory
- schools in Wales from the Welsh Government Address list of schools
- further education colleges in Wales from the Welsh Government Further Education Institutions contact details page
- schools in Northern Ireland from the Northern Ireland Department of Education database
- further education colleges in Northern Ireland from the NI Direct FE College directory
- online lists of all UK universities, e.g. the Universities UK website, cross-referenced against the comprehensive list of Recognised Bodies on GOV.UK (which also includes, for example, degree-awarding arts institutes)
Given the significant differences in size and management approaches between different types of education institutions, we split the sample frame into four independent groups:
- 20,772 primary schools (including free schools, academies, Local Authority-maintained schools and special schools covering children aged 5 to 11)
- 4,845 secondary schools (including free schools, academies, Local Authority-maintained schools and special schools covering children aged 11+)
- 342 further education colleges
- 175 universities
In order to avoid disclosure, we do not include any information about the specific school type (beyond fitting responses into the primary or secondary school bracket) in the published data or SPSS file.
Business sample selection
In total, 46,446 businesses were selected from the Market Location database for the 2025 survey.
The business sample was proportionately stratified by region, and disproportionately stratified by size and sector. An entirely proportionately stratified sample would not allow sufficient subgroup analysis by size and sector. For example, it would effectively exclude all medium and large businesses from the selected sample, as they make up a very small proportion of all UK businesses according to the Department for Business and Trade Business Population Estimates 2024 (Table 1). Therefore, we set disproportionate sample targets for micro (1 to 9 employees), small (10 to 49 employees), medium (50 to 249 employees) and large (250 or more employees) businesses. We also boosted specific sectors, to ensure we could report findings for the same sector subgroups that were used in the 2024 report. The boosted sectors included:
- manufacturing (SIC C)
- information and communications (SIC J)
- financial and insurance (SIC K)
- health, social work or social care (SIC Q)
Post-survey weighting corrected for the disproportionate stratification (see Section 2.6).
Table 2.1 breaks down the selected business sample by size and sector.
Table 2.1: Pre-cleaning selected business sample by size and sector
SIC 2007 letter[footnote 24] | Sector description | Micro 1-9 employees | Small 10-49 employees | Medium 50-249 employees | Large 250+ employees | Total |
---|---|---|---|---|---|---|
A | Agriculture, forestry or fishing | 850 | 84 | 65 | 42 | 1,041 |
B, C, D, E | Utilities or production (including manufacturing) | 897 | 503 | 1,297 | 1,054 | 3,751 |
F | Construction | 4,377 | 590 | 484 | 176 | 5,627 |
G | Retail or wholesale (including vehicle sales and repairs) | 3,377 | 1,059 | 1,177 | 990 | 6,603 |
H | Transport or storage | 943 | 207 | 523 | 324 | 1,997 |
I | Food or hospitality | 3,056 | 1,118 | 890 | 263 | 5,327 |
J | Information or communications | 876 | 358 | 1,372 | 373 | 2,979 |
K | Finance or insurance | 991 | 790 | 1,408 | 568 | 3,757 |
L, N | Administration or real estate | 2,807 | 792 | 1,240 | 613 | 5,452 |
M | Professional, scientific or technical | 2,039 | 526 | 1,074 | 655 | 4,294 |
P | Education | 176 | 114 | 61 | 450 | 801 |
Q | Health, social care or social work | 559 | 504 | 851 | 527 | 2,441 |
R, S | Entertainment, service or membership organisations | 1,501 | 249 | 258 | 368 | 2,376 |
Total | | 22,449 | 6,894 | 10,700 | 6,403 | 46,446 |
Charity and education institution sample selection
The charity sample was proportionately stratified by country and disproportionately stratified by income band, using the respective charity regulator databases to profile the population. This used the same reasoning as for businesses: without disproportionate stratification, analysis by income band would not be possible, as hardly any high-income charities would be in the selected sample. In addition, having fewer high-income charities in the sample would be likely to reduce the variance in responses, as high-income charities tend to take more action on cyber security than low-income ones. This would have raised the margins of error in the survey estimates.
As the entirety of the three charity regulator databases were used for sample selection, there was no restriction in the amount of charity sample that could be used, so no equivalent to Table 2.1 is shown for charities.
Similarly, the entirety of the state education institution databases was available for sample selection, so no equivalent table is shown for education institutions.
Sample telephone tracing and cleaning
Not all the original samples were usable. In total:
- 3,979 of the 46,446 businesses in the original Market Location records were excluded because they had an invalid telephone number (i.e. the number was either in an incorrect format, too long, too short, had an invalid string, or was a number which would charge the respondent when called), because they were flagged as part of Ipsos’ non-contact list (organisations that have requested no further contact), because they were based outside the UK, or because they were found to be a duplicate
- A further 84 business records were excluded on the basis they were part of the DSIT Cyber Security Longitudinal Survey panel
- 33,055 of the 202,676 charities had no valid telephone numbers, were flagged as being on the non-contact list, or were duplicate records (i.e. with the same number appearing twice)
- 3,970 of the 26,134 education institutions had no valid telephone number or were duplicate records
We do not expect the unusable sample to bias our estimates.
Ipsos undertook significant sample improvement work, using their sampling partners to match the samples to data from organisations’ websites, publicly available LinkedIn pages and other social media, and Companies House data, to add in the names and job titles of relevant individuals within the business, as well as email addresses where available, in order to maximise our ability to get past gatekeepers (e.g. receptionists) and reach the appropriate individual in the organisation.
At the same time as this survey, Ipsos was also carrying out another survey with a potentially overlapping sample of businesses and charities: the DSIT Cyber security skills in the UK labour market research. We therefore flagged overlapping sample leads across surveys, so telephone interviewers could avoid contacting the same organisations in quick succession for both surveys and minimise the burden on respondents. Similarly, Ipsos flagged and excluded business and charity sample leads that had recently completed the DSIT Cyber Security Longitudinal Survey, in order to minimise the burden on respondents.
Following cleaning to remove unusable or duplicate numbers, the usable sample amounted to:
- 42,383 business Market Location records
- 149,153 charities (with exclusions mainly due to the high prevalence of duplicate numbers in this sample frame)
- 22,164 education institutions
Table 2.2 breaks the usable business leads down by size and sector, for the business sample. As this shows, around 9 in 10 records across the total sample were usable. Fewer records were usable in the education sector due to a high proportion of duplicate telephone numbers found.
Table 2.2: Post-cleaning available business sample by size and sector (sample volumes and as a percentage of originally selected sample)
SIC 2007 letter | Sector description | Micro 1-9 employees | Small 10-49 employees | Medium 50-249 employees | Large 250+ employees | Total |
---|---|---|---|---|---|---|
A | Agriculture, forestry and fishing | 840 (99%) | 77 (92%) | 61 (80%) | 41 (94%) | 1,019 (99%) |
B, C, D, E | Utilities or production (including manufacturing) | 886 (99%) | 473 (94%) | 1,186 (91%) | 958 (91%) | 3,530 (93%) |
F | Construction | 4,334 (99%) | 572 (97%) | 371 (77%) | 169 (96%) | 5,446 (97%) |
G | Retail or wholesale (including vehicle sales and repairs) | 3,353 (99%) | 1,012 (96%) | 1,149 (98%) | 904 (91%) | 6,418 (97%) |
H | Transport or storage | 927 (98%) | 190 (92%) | 315 (60%) | 288 (89%) | 1,720 (86%) |
I | Food or hospitality | 3,022 (99%) | 1,054 (94%) | 662 (74%) | 251 (95%) | 4,989 (94%) |
J | Information or communications | 856 (98%) | 332 (93%) | 959 (70%) | 328 (88%) | 2,475 (83%) |
K | Finance or insurance | 961 (97%) | 735 (93%) | 1,250 (89%) | 474 (83%) | 3,420 (91%) |
L, N | Administration or real estate | 2,741 (98%) | 725 (92%) | 991 (80%) | 575 (94%) | 5,032 (92%) |
M | Professional, scientific or technical | 1,974 (97%) | 453 (86%) | 871 (81%) | 532 (81%) | 3,830 (89%) |
P | Education | 142 (81%) | 54 (47%) | 29 (48%) | 163 (36%) | 388 (48%) |
Q | Health, social care or social work | 523 (94%) | 390 (77%) | 745 (88%) | 366 (69%) | 2,024 (83%) |
R, S | Entertainment, service or membership organisations | 1,413 (94%) | 207 (83%) | 217 (84%) | 282 (77%) | 2,119 (89%) |
Total | | 21,972 (98%) | 6,274 (91%) | 8,806 (82%) | 5,331 (83%) | 42,383 (91%) |
Sample batches
For businesses and charities, the usable sample for the main stage survey was randomly allocated into batches. The first batch, excluding the pilot sample, had 21,726 business records and 5,495 charity records.
The selection counts were modelled according to two criteria:
- If a particular size band, industry sector or (in the case of charities) income band had a higher interview target based on the disproportionate stratification, we selected more records to reflect that higher target.
- Equally, if a particular size band, industry sector or income band had historically achieved lower response rates, we selected more records to reflect these lower response rate expectations. The response rate expectations were modelled on how other recent DSIT cyber surveys using these same sample frames had performed.
For primary and secondary schools, we selected simple random sample batches of each group. In the first batch, this amounted to 1,891 primary schools and 2,284 secondary schools.
The colleges and higher education institutions sample was released in full at the start of fieldwork (i.e. we carried out a census of these groups, only excluding records where there was no valid telephone number, or numbers were duplicated).
Subsequent sample batches were selected according to the same criteria, updated with the remaining interview targets and response rates achieved up to that point. Across all sample groups, two batches were released throughout fieldwork. We aimed to maximise the response rate by fully exhausting the existing sample batches before releasing additional records. This aim was balanced against the need to meet interview targets, particularly for boosted sample groups (without setting specific interview quotas).
Over the course of fieldwork, we used:
- 27,063 Market Location records
- 8,404 charity records
- 2,130 primary schools
- 2,509 secondary schools
- 317 further education colleges
- 172 higher education institutions
We did not use all the available (and usable) records for businesses, charities, primary schools and secondary schools. The remaining records were held in reserve.
2.4 Fieldwork
Ipsos carried out all main stage fieldwork from August 2024 to December 2024, a fieldwork period of 18 weeks.
In total, we completed interviews with 3,835 organisations:
- 2,180 businesses
- 1,081 charities
- 250 primary schools
- 240 secondary schools
- 52 further education colleges
- 32 higher education institutions
The average interview length was around 22 minutes for all groups.
Multimode data collection
In 2023 the survey method was changed to multimode, allowing respondents to take part either by telephone or online.
In practical terms, the multimode methodology worked as follows for businesses, charities, and primary and secondary schools:
- Initial contact with organisations typically took place by phone, with Ipsos telephone interviewers calling organisations in line with previous years. The exception to this was an email invitation to take part in the survey, sent partway through fieldwork to large businesses that we had not been able to contact over the telephone.
- Where organisations requested more information before deciding to take part, interviewers could send out an information and reassurance email. This email contained a unique link for each organisation to complete the survey entirely or partially online. The interviewers explained this ahead of sending out each email.
- Beyond the initial phone call to establish contact and explain the survey, the respondents that completed the survey online had no interaction with an Ipsos interviewer when answering the questions but were instead routed through an online questionnaire, with each question appearing on a separate screen.
For further and higher education institutions, a further option was available. Ipsos created an open link to the online survey to be disseminated by Jisc and UCISA representative bodies for individuals working in IT and cyber roles in colleges and universities to their members. In total, 14 higher education institutions and 1 charity took part in the survey via this open link (and these are included in the total completed interviews mentioned at the start of Section 2.4).
In total, 235 interviews were completed using the online survey option, which represents 6% of the 3,835 total interviews. This remains similar to 2023 where 4% of interviews were conducted online.
Table 2.3 shows how this is split across the different sample groups:
Table 2.3: Data collection mode by sample group
Sample group | Telephone interviews | Online interviews | Percentage conducted online |
---|---|---|---|
Businesses | 2,075 | 105 | 5% |
Charities | 991 | 90 | 8% |
Primary schools | 245 | 5 | 2% |
Secondary schools | 231 | 9 | 4% |
Further education | 45 | 7 | 13% |
Higher education | 13 | 19 | 59% |
Total | 3,600 | 235 | 6% |
Ipsos made the following efforts to monitor and maintain the quality of the online interviews, and reduce the possibility of mode differences in the responses:
- We took a best-practice approach to multimode questionnaire design, where the format of each question was similar across modes (e.g. using collapsible grids for statements online, rather than showing all statements at once). However, it should be noted that long pre-coded questions like INFO, GOVTACT, NOREPORT, REPORTB and PREVENT were unavoidably different across modes. INFO was asked unprompted by telephone but as a prompted list online. This is standard practice in multimode questionnaires, but typically means that online respondents are inclined to give a wider range of responses (as they see a list of possible responses in front of them). This does not necessarily mean that either the telephone or online responses are wrong at any of these questions. However, it does mean that a small note of caution should be applied when comparing results for individual answer codes before and since 2023 when the multimode method was introduced.
- We validated that online respondents were the appropriate individuals from the organisation via the TITLE question (which requests job titles).
- We checked online responses to ensure respondents were not speeding through the interview or “straightlining” (i.e. answering “don’t know” or the top answer code in the list to every question).
Fieldwork preparation
Prior to fieldwork, the Ipsos research team briefed the telephone interviewing team in a video call. They also received:
- written briefing materials about all aspects of the survey
- a copy of the questionnaire and other survey instruments
Screening of respondents (for telephone interviews)
Telephone interviewers screened all sampled organisations at the beginning of the call to identify the right individual to take part and ensure the business was eligible for the survey. At this point, the following organisations would have been removed as ineligible:
- organisations that identified themselves as sole traders with no other employees on the payroll
- organisations that identified themselves as part of the public sector
As this was a survey of enterprises rather than establishments, interviewers also confirmed that they had called through to the UK head office or site of the organisation.
At this point, interviewers specifically asked for the senior individual with the most responsibility for cyber security in the organisation. The interviewer briefing materials included written guidance on likely job roles and job titles for these individuals, which would differ based on the type and size of the organisation.
For UK businesses that were part of a multinational group, interviewers requested to speak to the relevant person in the UK who dealt with cyber security at the company level. In any instances where a multinational group had different registered companies in Great Britain and in Northern Ireland, both companies were considered eligible.
Franchisees with the same company name but different trading addresses were also all considered eligible as separate independent respondents.
Random probability approach and maximising participation
We adopted random probability interviewing to minimise selection bias. The overall aim of this approach is to have a known outcome for every sample record loaded. For this survey, an approach comparable to other robust business surveys was used:
- Each organisation loaded in the main survey sample was called either a minimum of 7 times, or until an interview was achieved, a refusal given, or information obtained to make a judgement on the eligibility of that contact.
- Each sample record was called at different times of the day, throughout the working week, to make every possible attempt to achieve an interview. Evening and weekend interviews were also offered if the respondent preferred these times.
We took several steps to maximise participation in the survey and reduce non-response bias:
- The survey had its own web page on GOV.UK, to let organisations know that the contact from Ipsos was genuine. The web pages included appropriate Privacy Notices on processing of personal data, and the data rights of participants, following the introduction of GDPR in May 2018.
- Interviewers could send a reassurance email to prospective respondents if the respondent requested this. This included a link to the GOV.UK page to confirm the legitimacy of the survey, a link to the relevant Privacy Notice and an option to unsubscribe (by replying to the message and requesting this).
- Ipsos set up an email inbox and a telephone number that respondents could contact to set up appointments or, in the case of the phone number, take part in the interview there and then. Where we had email addresses on the sample for organisations, we also sent five warm-up and reminder emails across the course of fieldwork to let organisations know that an Ipsos interviewer would attempt to call them and give them the opportunity to opt in by arranging an appointment. These emails also asked organisations to check the contact details we had for them and to send us better contact details if necessary. They were tailored to the type of organisation, with each email featuring a different subject line and key message to encourage participation.
- The survey was endorsed by the Association of British Insurers (ABI), the Charity Commission for England and Wales and the Charity Commission for Northern Ireland and techUK. In practice, this meant that these organisations allowed their identity and logos to be used in the survey introduction and on the microsite, to encourage organisations to take part.
- Specifically, to encourage participation from colleges and universities, DSIT and Ipsos jointly worked with Jisc and UCISA. These organisations contacted their members, which include IT and cyber security professionals in the further and higher education sectors, to proactively ask them to take part in the survey via the open link.
- Large businesses were offered a £10 charity donation on their behalf if they took part. They could choose to donate to Turn2us, the NSPCC or the Samaritans.
Fieldwork monitoring
Ipsos is a member of the Interviewer Quality Control Scheme recognised by the Market Research Society. In accordance with this scheme, the field supervisor on this project listened into at least 10% of the interviews and checked the data entry on screen for these interviews.
Recontact survey to clarify responses at cyber breaches and attacks cost questions
During 2023 fieldwork, Ipsos, DSIT and the Home Office developed a recontact survey to revalidate some of the cost of breaches data that respondents had provided in the survey. This acted as a second check on the numeric data to ensure it had not been entered incorrectly.
In the 2024 survey, 1,105 businesses were eligible to be sent the link to the validation survey and 970 of these agreed for it to be sent. Only 33 respondents took part in the validation survey, and following the answers given in this survey only one edit was made to the data, at question ‘damagestaff’.
Based on low uptake of the validation survey and a high level of accuracy in the data that was found in 2024, the validation survey was removed for the 2025 wave.
2.5 Fieldwork outcomes and response rate
We monitored fieldwork outcomes and response rates throughout fieldwork, and interviewers were given regular guidance on how to avoid common reasons for refusal. Table 2.4 shows the final outcomes, the response rate and the response rate adjusted for unusable or ineligible records, for businesses and charities. The approach for calculating these figures is covered later in this section.
Table 2.4: Fieldwork outcomes and response rate calculations for businesses and charities
Outcome | Businesses | Charities |
---|---|---|
Total selected from original sample frame | 46,446 | 182,208 |
Sample without contact details or duplicates post-cleaning | 4,063 | 33,055 |
Net: total sample with contact details | 42,383 | 149,153 |
Sample with contact details left in reserve | 15,320 | 140,749 |
Net: total sample used (i.e. excluding any left in reserve) | 27,063 | 8,404 |
Unresponsive numbers | 10,083 | 2,622 |
Refusals | 4,412 | 786 |
Unusable leads with working numbers | 8,647 | 3,311 |
Unusable numbers | 644 | 225 |
Ineligible leads established during screener | 362 | 168 |
Incomplete interviews | 735 | 211 |
Net: completed interviews | 2,180 | 1,081 |
Expected eligibility of screened respondents | 86% | 87% |
Response rate | 8% | 13% |
Response rate adjusted for unusable or ineligible records | 14% | 25% |
The fieldwork outcomes for state education institutions are shown in Table 2.5.
Table 2.5: Fieldwork outcomes and response rate calculations for state education institutions
Outcome | Primary schools | Secondary schools | Further education | Higher education |
---|---|---|---|---|
Total selected from original sample frame | 20,772 | 4,845 | 342 | 175 |
Sample without contact details or duplicates post-cleaning | 3,271 | 671 | 25 | 3 |
Net: total sample with contact details | 17,501 | 4,174 | 317 | 172 |
Sample with contact details left in reserve | 15,371 | 1,665 | 0 | 0 |
Net: total sample used (i.e. excluding any left in reserve) | 2,130 | 2,509 | 317 | 172 |
Unresponsive numbers | 1,203 | 1,398 | 87 | 44 |
Refusals | 84 | 75 | 16 | 16 |
Unusable leads with working numbers | 539 | 745 | 149 | 75 |
Unusable numbers | 11 | 19 | 5 | 4 |
Ineligible leads established during screener | 15 | 5 | 1 | 0 |
Incomplete interviews | 28 | 27 | 7 | 1 |
Net: completed interviews | 250 | 240 | 52 | 32 |
Expected eligibility of screened respondents | 94% | 98% | 98% | 100% |
Response rate | 12% | 10% | 16% | 19% |
Response rate adjusted for unusable or ineligible records | 17% | 14% | 32% | 34% |
Notes on response rate calculations
The following points explain the specific calculations and assumptions involved in coming up with these response rates:
- Response rate = completed interviews / total sample used
- Response rate adjusted for unusable or ineligible records = completed interviews / (completed interviews + incomplete interviews + refusals expected to be eligible + any remaining unresponsive numbers expected to be eligible)
- Expected eligibility is calculated by taking completes as a proportion of completes + ineligible leads established during screener
- Refusals exclude “soft” refusals. This is where the respondent was hesitant about taking part, so our interviewers backed away and avoided a definitive refusal
- Unusable leads with working numbers are where there was communication difficulty making it impossible to carry out the survey (e.g. a bad line, or language difficulty), as well as numbers called 7 or more times over fieldwork without ever being picked up
- Unusable numbers are where the number was in a valid format, so was loaded into the main survey sample batches, but which turned out to be wrong numbers, fax numbers, household numbers or disconnected
- Unresponsive numbers account for sample that had a working telephone number, but where the respondent was unreachable or unavailable for an interview during the fieldwork period, so eligibility could not be assessed
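As an added example (not part of the annex), the three calculations above applied to the outcome counts published in Tables 2.4 and 2.5, together with a reconciliation check that the outcome rows of each table sum to the net sample used:

```python
"""Response-rate calculations from Section 2.5 of the Cyber Security Breaches
Survey 2025 technical annex, reproduced as an added example.

The outcome counts below are copied from Tables 2.4 and 2.5 of the annex;
the three formulas follow the 'Notes on response rate calculations'.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldworkOutcomes:
    """Final call outcomes for one sample group (counts of sample records)."""
    total_used: int        # net sample used, i.e. excluding records left in reserve
    unresponsive: int      # working number, but respondent never reached
    refusals: int          # definitive refusals only ("soft" refusals excluded)
    unusable_working: int  # communication difficulty, or 7+ calls never picked up
    unusable_numbers: int  # wrong, fax, household or disconnected numbers
    ineligible: int        # screened out (sole traders, public sector, ...)
    incomplete: int
    completed: int

    def reconciles(self) -> bool:
        """Check that the outcome categories partition the sample used."""
        parts = (self.unresponsive + self.refusals + self.unusable_working
                 + self.unusable_numbers + self.ineligible
                 + self.incomplete + self.completed)
        return parts == self.total_used


def expected_eligibility(o: FieldworkOutcomes) -> float:
    """Completes as a proportion of completes + ineligible leads found at screener."""
    return o.completed / (o.completed + o.ineligible)


def response_rate(o: FieldworkOutcomes) -> float:
    """Unadjusted rate: completed interviews / total sample used."""
    return o.completed / o.total_used


def adjusted_response_rate(o: FieldworkOutcomes) -> float:
    """Rate adjusted for unusable or ineligible records.

    Refusals and unresponsive numbers are scaled by the expected eligibility
    rate, since only that share of them would have been eligible; unusable
    numbers and unusable working leads drop out of the denominator entirely.
    """
    elig = expected_eligibility(o)
    denominator = (o.completed + o.incomplete
                   + o.refusals * elig + o.unresponsive * elig)
    return o.completed / denominator


def summary(o: FieldworkOutcomes) -> dict[str, int]:
    """All three figures as whole percentages, as published in the annex."""
    return {
        "expected_eligibility": round(expected_eligibility(o) * 100),
        "response_rate": round(response_rate(o) * 100),
        "adjusted_response_rate": round(adjusted_response_rate(o) * 100),
    }


# Outcome counts copied from Table 2.4 (businesses, charities) and
# Table 2.5 (state education institutions), in the order of the rows.
GROUPS = {
    "Businesses":        FieldworkOutcomes(27063, 10083, 4412, 8647, 644, 362, 735, 2180),
    "Charities":         FieldworkOutcomes(8404, 2622, 786, 3311, 225, 168, 211, 1081),
    "Primary schools":   FieldworkOutcomes(2130, 1203, 84, 539, 11, 15, 28, 250),
    "Secondary schools": FieldworkOutcomes(2509, 1398, 75, 745, 19, 5, 27, 240),
    "Further education": FieldworkOutcomes(317, 87, 16, 149, 5, 1, 7, 52),
    "Higher education":  FieldworkOutcomes(172, 44, 16, 75, 4, 0, 1, 32),
}

if __name__ == "__main__":
    for name, outcomes in GROUPS.items():
        status = "ok" if outcomes.reconciles() else "MISMATCH"
        print(f"{name:18s} {summary(outcomes)} (outcome rows sum: {status})")
```

Running the block reproduces the percentages in the final three rows of Tables 2.4 and 2.5 for every sample group.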
Response rates post-COVID-19 and expected negligible impact on the survey reliability
The adjusted response rates for all the sampled groups, outside of higher education institutions, are lower than in earlier iterations of this study, which took place before the COVID-19 pandemic. For example, the adjusted response rates for the last survey in this series that took place before the pandemic (CSBS 2020) were 27% for businesses and 45% for charities.
The lower response rates compared to historic years are likely to be due to a combination of unique circumstances, including:
- the hybrid working conditions adopted by many organisations since the pandemic
- the ongoing challenge of declining response rates in telephone survey fieldwork in general, including in business surveys specifically
More generally, there has been an increasing awareness of cyber security, potentially making businesses more reticent to take part in surveys on this topic.
Furthermore, the increase in the survey length from c.17 minutes in 2020 and earlier iterations to just under 23 minutes from 2023 onwards is also expected to have reduced the response rate: interviewers must mention the average length to respondents when they introduce the survey, and respondents are naturally less inclined to take part in longer interviews.
It is also likely that the running of two other DSIT surveys in parallel to CSBS 2025 may have impacted the performance of this survey. Ipsos undertook the fieldwork for both the Cyber Security Longitudinal Survey and the Cyber Skills and Sector Survey[footnote 25], which both ran between July and October 2024. Whilst every effort was made to keep the samples between these jobs independent, in some groups with a small population, such as large businesses, this was not possible. Organisations that were sampled for more than one of these surveys may have been contacted for the Cyber Security Breaches Survey after being contacted for one of the other surveys, and may have been less likely to take part as a result.
However, it is important to remember that response rates are not a direct measure of non-response bias in a survey, but only a measure of the potential for non-response bias to exist. Previous research into response rates, mainly with consumer surveys, has indicated that they are often poorly correlated with non-response bias.[footnote 26]
2.6 Data processing and weighting
Editing and data validation
There were a number of logic checks in the CATI script, which checked the consistency and likely accuracy of answers estimating costs and time spent dealing with breaches. If respondents gave unusually high or low answers at these questions relative to the size of their organisation, the interviewer would read out the response they had just recorded and double-check this is what the respondent meant to say. This meant that, typically, minimal work was needed to manually edit the data post fieldwork.
Nonetheless, individual outliers or errors in the data can heavily affect cyber breach cost and frequency estimates. Therefore, the research team manually checked the final data at these variables for outliers. For each cost and frequency question where numerical data was collected, the data was sorted in descending order in an Excel export of the SPSS file to identify unusually high or low and therefore potentially illegitimate responses. The definition of unusually high or low was purposive rather than based on a specific threshold to ensure that all potential outliers were considered. There was typically an obvious cut-off of the top 1-2 responses being substantially higher than the others.
A total of 29 potential outliers, across 16 questions, were flagged as warranting further investigation. The recordings of these interviews were listened back to in order to assess whether the answer recorded in the data was accurate, and then cross-referenced against business size and charity turnover (where relevant), as well as against other answers provided in the survey. Our findings were flagged to DSIT and the Home Office, so they could have the final say as to whether we kept these responses in or edited them.
This year, we made edits to the responses of 3 respondents, as detailed below:
- Q53A_TYPE (Type of breach or attack). At VIRUSCOSTA (What was the total cost of these successful malware attacks to your organisation?) a large business gave a specific cost that was between £500,000 and £1 million, which was at the very extreme end of the distribution of responses to this question. The interview was listened back to and the response was verified as being correct. However, listening back to the interview flagged that the respondent was classifying a faulty cyber security software update that led to an IT outage[footnote 27] as both a malware attack and a denial of service attack. After discussions with the Home Office and DSIT it was decided that a defective cyber security update should not be classified as a breach or attack. The decision was therefore made to edit the response at Q53A_TYPE from having had a malware and denial of service attack to having experienced no breach or attack. This had a series of knock-on implications for their responses at subsequent questions which they should not have been asked if they hadn’t experienced a breach or attack. For any question the respondent should not have been asked they were edited into a ‘Not asked’ code. Their response was also updated at any derived variable they were included in, to ensure they were no longer counted as experiencing a breach or attack or as having experienced a cyber crime.
- At Q83H_RANSDEMA (Across the ransomware attacks where a financial ransom was demanded, what was the sum total demanded in ransoms?) a large business gave an answer of £1. Home Office advised that it was unlikely for a ransomware attack to involve a ransom demand of only £1, so on balance it was assumed to be a data error and edited to a ‘Don’t know’ response.
- At Q86A_TKVRCOUNT (How many times in the last 12 months has someone tried to take over websites, social media, email accounts or online bank accounts, separate from instances that led to fraud and/or ransomware attacks?) one micro business provided a response of 770. After listening back to the interview it was found that the respondent had given an answer of 77,000, but had been prevented from giving that answer because of an imposed cap of 999. The interviewer had input the response as 770 as they were only allowed to input the first 3 digits. It was therefore decided to edit this response to 999 to be consistent with the other answers above 999 that were provided and capped at the 999 level.
- One micro business was not asked the question Q53A_TYPE (Type of breach or attack) due to an unknown script error. This only affected this single respondent and their Q53A response has been edited to read ‘Not asked – CATI script error at Q53A’.
- Given this one micro business was not asked Q53A_TYPE it meant they were not asked follow-up questions that are routed from Q53A. We do not know whether this business experienced any breaches or attacks, and so do not know which follow-up questions they should have answered. For example, we do not know if they should have been asked about the frequency of breaches or attacks at Q54, or whether they should have been asked any of the cyber crime questions to derive whether a breach or attack they experienced constituted a cyber crime. On this basis, at all variables where we are unsure whether this business should have been asked or not they have been coded as ‘Not asked – CATI script error at Q53A’. This means that when looking at the cyber crime variables, for example, to establish the proportion of businesses experiencing a cyber crime, this business will not be included in the base. Likewise, they will also be excluded from the base of other variables routed from Q53A such as type_comb1 (Net: any breach or attack including phishing).
The final SPSS data uploaded to the UK Data Archive will reflect the above edits.
It should also be noted that investigation of data provided at the frequency questions (where respondents state how many attacks of each nature have taken place over the last 12-month period) highlighted several responses being capped at 999. When the frequency questions were introduced they carried a cap of 999, so this was the maximum number of attacks (of a single nature) that the respondent could state. This was based on an assumption that it was unlikely to be credibly higher than this and that introducing a cap of this nature would therefore decrease the chance of data input errors (adding erroneous zeros for example). However, reviewing data for this wave has indicated that in 12 instances, across 5 questions (hackcount, hacksiv, tkvrcount, doscount, phishcon), respondents attempted to give answers higher than 999 but the interviewer was forced to input 999 as the response.
This means that at the questions hackcount (1 response of 999), hacksiv (1 response of 999), tkvrcount (3 responses of 999, including the edit outlined above), doscount (2 responses of 999) and phishcon (6 responses of 999), the mean average is potentially an underestimate of the actual mean average value across the sample.
A systematic review of all caps in the survey should be undertaken before conducting the next wave of the survey to ensure they are fit for purpose and not excluding valid responses.
Coding
The verbatim responses to unprompted questions could be coded as “other” by interviewers when they did not appear to fit into the predefined code frame. These “other” responses were coded manually by Ipsos’ coding team, and where possible, were assigned to codes in the existing code frame. It was also possible for new codes to be added where enough respondents (10% or more) had given a similar answer outside of the existing code frame. The Ipsos research team verified the accuracy of the coding, by checking and approving each new code proposed.
The code frame between 2024 and 2025 has remained largely consistent. Two new codes were added for the 2025 survey:
- At Q77A_NOREPORT (What were the reasons for not reporting this breach or attack?) the code ‘Too frequent/happens all the time/too often to report’ (‘noreport10’ in the SPSS file)
- At Q78_PREVENT (What, if anything, have you done since this breach or attack to prevent or protect your organisation from further breaches like this?) the code ‘New/updated phishing policy’ was added (‘prevent67’ in the SPSS file)
We did not undertake SIC coding. Instead, the SIC 2007 codes that were already in the Market Location sample were used to assign businesses to a sector for weighting and analysis purposes. The 2023 survey had overwhelmingly found the SIC 2007 codes in the sample to be accurate, so this practice was carried forward to subsequent surveys.
Significant differences
When reporting on sub-groups, we note whether or not results from sub-groups differ in a statistically significant way, both against other sub-groups and against the total (minus the sub-group in question). Statistical significance testing is used to determine whether differences in results are likely to be due to a genuine difference between groups, as opposed to chance variation. The threshold used in the main report is the 95% level of confidence, meaning there is less than a 5% chance that results deemed significantly different differ due to chance. This is a standard level of significance used in social sciences. The test used to determine statistical significance is a two-tailed t-test.
Weighting
The education institutions samples are unweighted. Since they were sampled through a simple random sample approach, there were no sample skews to be corrected through weighting.
For the business and charities samples, we applied random iterative method (rim) weighting for two reasons. Firstly, to account for non-response bias where possible. Secondly, to account for the disproportionate sampling approaches, which purposely skewed the achieved business sample by size and sector, and the charities sample by income band. The weighting makes the data representative of the actual UK business and registered charities populations.
Rim weighting is a standard weighting approach undertaken in business surveys of this nature, because it allows you to weight your sample to represent a wider population using multiple variables. In cases where the weighting variables are strongly correlated with each other, it is potentially less effective than other methods, such as cell weighting. However, this is not the case here.
We did not weight by region, primarily because region is not considered to be an important determining factor for attitudes and behaviours around cyber security. Moreover, the final weighted data are already closely aligned with the business population region profile. The population profile data came from the Department for Business and Trade Business Population Estimates 2024 (Tables 1-9).
Non-interlocking rim weighting by income band and country was undertaken for charities. The population profile data for these came from the respective charity regulator databases.
For both businesses and charities, interlocking weighting was also possible, but was ruled out as it would have potentially resulted in very large weights. This would have reduced the statistical power of the survey results, without making any considerable difference to the weighted percentage scores at each question.
Table 2.6 and Table 2.7 show the unweighted and weighted profiles of the final data. The percentages are rounded so do not always add to 100%.
Table 2.6: Unweighted and weighted sample profiles for business interviews
 | Unweighted % | Weighted % |
---|---|---|
Size | ||
Micro (1-9 employees) | 47% | 81% |
Small (10-49 employees) | 26% | 15% |
Medium (50-249 employees) | 19% | 3% |
Large (250+ employees) | 9% | 1% |
Sector | ||
Agriculture, forestry or fishing | 2% | 4% |
Administration or real estate | 15% | 13% |
Construction | 11% | 14% |
Education | 1% | 2% |
Entertainment, service or membership organisations | 5% | 7% |
Finance or insurance | 7% | 2% |
Food or hospitality | 8% | 10% |
Health, social care or social work | 7% | 4% |
Information or communications | 6% | 5% |
Professional, scientific or technical | 13% | 13% |
Retail or wholesale (including vehicle sales or repairs) | 16% | 17% |
Transport or storage | 4% | 3% |
Utilities or production (including manufacturing) | 7% | 7% |
Table 2.7: Unweighted and weighted sample profiles for charity interviews
 | Unweighted % | Weighted % |
---|---|---|
Income band | ||
£0 to under £10,000 | 24% | 42% |
£10,000 to under £100,000 | 18% | 35% |
£100,000 to under £500,000 | 27% | 15% |
£500,000 to under £5 million | 27% | 7% |
£5 million or more | 5% | 2% |
Country | ||
England and Wales | 77% | 83% |
Northern Ireland | 3% | 4% |
Scotland | 20% | 13% |
2.7 SPSS data uploaded to UK Data Archive
A de-identified SPSS dataset from this survey is being published on the UK Data Archive to enable further analysis. The variables are largely consistent with those in the previously archived dataset (from 2024), outside of new questions added for 2025.
Mapping of 10 Steps guidance
As noted in Section 2.1, Ipsos engaged Professor Steven Furnell from the University of Nottingham in July 2022 to review how the questionnaire was mapped to the government’s 10 Steps to Cyber Security guidance, and suggest a more accurate and robust mapping. The 10 Steps mapping remains consistent with 2023 and 2024 and is outlined in Table 2.8.
Table 2.8: Mapping of the questionnaire to the 10 Steps to Cyber Security guidance
Step in SPSS | Current step description and mapping |
---|---|
Step 1 | Risk management - organisation have undertaken a cyber security risk assessment (IDENT4) |
Step 2 | Engagement and training - staff receive cyber security training (TRAINED) |
Step 3 | Asset management - organisations have a list of their critical assets (MANAGE8) |
Step 4 | Architecture and configuration - organisations have at least 3 of the following: up-to-date malware protection (RULES2); firewalls that cover your entire IT network, as well as individual devices (RULES3); restricting IT admin and access rights to specific users (RULES4); security controls on organisation-owned devices (e.g. laptops) (RULES7); only allowing access via organisation-owned devices (RULES8); separate WiFi networks for staff and for visitors (RULES9); specific rules for storing and moving personal data files securely (RULES15); a virtual private network, or VPN, for staff connecting remotely (RULES18) |
Step 5 | Vulnerability management - organisations have policy to apply software security updates within 14 days (RULES1) |
Step 6 | Identity and access management - organisations have any requirement for two-factor authentication when people access the organisation’s network, or for applications they use (RULES20) |
Step 7 | Data security - organisations have cloud backups (RULES13) or other kinds of backups (RULES14) |
Step 8 | Logging and monitoring - organisations fulfil at least 1 of the following criteria: used specific tools designed for security monitoring, such as Intrusion Detection Systems (IDENT11); any monitoring of user activity (RULES5) |
Step 9 | Incident management - organisations have a formal incident response plan (INCIDCONTENT1) or at least 3 of the following: written guidance on who to notify of breaches (INCIDCONTENT2); roles or responsibilities assigned to specific individuals during or after an incident (INCIDCONTENT3); external communications and public engagement plans (INCIDCONTENT6); guidance around when to report incidents externally, e.g. to regulators or insurers (INCIDCONTENT11) |
Step 10 | Supply chain security - organisations have taken actions to manage the cyber risks from their immediate suppliers (SUPPLYRISK1) or wider supply chain (SUPPLYRISK2) |
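The mapping in Table 2.8 is a set of derivation rules over the per-question variables. The following is an added example, written for this annex and not the report's own SPSS syntax, that applies those rules to one respondent record. The answer coding (1 = yes, 2 = no) is an assumption made for the illustration; the -1, -97 and -99 codes follow the "Missing values" convention described later in this chapter, and the sample respondent is constructed.

```python
"""Derive the 10 Steps indicators (Step1..Step10) from question-level
survey variables, following the mapping in Table 2.8.

Added example for illustration only; not the report's SPSS syntax.
Assumed coding: 1 = yes, 2 = no, -97 = don't know, -99 = refused,
-1 = not asked. Only the -1/-97/-99 codes appear in the report; the
1/2 coding is an assumption.
"""
from typing import Dict, Iterable

YES = 1


def _yes(resp: Dict[str, int], var: str) -> bool:
    """True only for an explicit 'yes'. Anything else (no, don't know,
    refused, not asked) counts as 'no', matching the report's note that the
    binary Step variables fold 'don't know' into the 'no' category."""
    return resp.get(var) == YES


def _count_yes(resp: Dict[str, int], variables: Iterable[str]) -> int:
    return sum(_yes(resp, v) for v in variables)


# Variables named in Table 2.8 for the "at least N of the following" steps.
STEP4_CONTROLS = ["RULES2", "RULES3", "RULES4", "RULES7",
                  "RULES8", "RULES9", "RULES15", "RULES18"]
STEP8_CONTROLS = ["IDENT11", "RULES5"]
STEP9_CONTROLS = ["INCIDCONTENT2", "INCIDCONTENT3",
                  "INCIDCONTENT6", "INCIDCONTENT11"]


def derive_steps(resp: Dict[str, int]) -> Dict[str, bool]:
    """Apply the Table 2.8 rules and return one boolean per step."""
    return {
        "Step1": _yes(resp, "IDENT4"),                       # risk assessment
        "Step2": _yes(resp, "TRAINED"),                      # staff training
        "Step3": _yes(resp, "MANAGE8"),                      # critical asset list
        "Step4": _count_yes(resp, STEP4_CONTROLS) >= 3,      # 3+ of 8 controls
        "Step5": _yes(resp, "RULES1"),                       # patch within 14 days
        "Step6": _yes(resp, "RULES20"),                      # two-factor authentication
        "Step7": _yes(resp, "RULES13") or _yes(resp, "RULES14"),  # any backups
        "Step8": _count_yes(resp, STEP8_CONTROLS) >= 1,      # monitoring tools or user monitoring
        "Step9": _yes(resp, "INCIDCONTENT1")
                 or _count_yes(resp, STEP9_CONTROLS) >= 3,   # formal plan or 3+ elements
        "Step10": _yes(resp, "SUPPLYRISK1") or _yes(resp, "SUPPLYRISK2"),  # supplier risk
    }


def steps_met(resp: Dict[str, int]) -> int:
    """Number of the 10 Steps the respondent satisfies."""
    return sum(derive_steps(resp).values())


# Constructed respondent: four of the eight Step 4 controls, one backup
# type, three of the four Step 9 elements but no formal plan, and some
# 'don't know' answers that must count as 'no'.
SAMPLE_RESPONDENT = {
    "IDENT4": 1, "TRAINED": 2, "MANAGE8": -97,
    "RULES2": 1, "RULES3": 1, "RULES4": 2, "RULES7": 1,
    "RULES8": 2, "RULES9": -97, "RULES15": 2, "RULES18": 1,
    "RULES1": 2, "RULES20": 1, "RULES13": 2, "RULES14": 1,
    "IDENT11": 2, "RULES5": -97,
    "INCIDCONTENT1": 2, "INCIDCONTENT2": 1, "INCIDCONTENT3": 1,
    "INCIDCONTENT6": 2, "INCIDCONTENT11": 1,
    "SUPPLYRISK1": 2, "SUPPLYRISK2": 2,
}

if __name__ == "__main__":
    for step, met in derive_steps(SAMPLE_RESPONDENT).items():
        print(f"{step}: {'yes' if met else 'no'}")
    print("steps met:", steps_met(SAMPLE_RESPONDENT))
```

The threshold rules are where derivations in this style most often go wrong: a respondent with exactly three Step 4 controls must still count as meeting the step, and a 'don't know' on one control must reduce the count rather than raise an error, so both cases are worth checking whenever the mapping is re-implemented.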
Organisation size variables
There are two organisation size variables: a numeric variable (SIZEA) and a banded variable (SIZEB). The banded variable in the SPSS does not include the highest band from the questionnaire (1,000 or more employees) because there is no analysis carried out on this group. Instead, it is merged into an overall large business (250 or more employees) size band, which is used across the published report.
Sector grouping before the 2019 survey
In the SPSS datasets for 2016 to 2018, an alternative sector variable (sector_comb1) was included. This variable grouped some sectors together in a different way, and was less granular than the updated sector variable (sector_comb2).
- “education” and “health, social care or social work” were merged together, rather than being analysed separately
- “information or communications” and “utilities” were merged together, whereas now “utilities” and “manufacturing” are merged together
The previous grouping reflected how we used to report on sector differences before the 2019 survey. As this legacy variable has not been used in the report for the last two years, we have stopped including it in the SPSS dataset, in favour of the updated sector variable.
Derived financial cost estimates for cyber security breaches and attacks
For the questions in the survey estimating the financial costs of an organisation’s most disruptive breach or attack (DAMAGEDIRSX, DAMAGEDIRLX, DAMAGESTAFFX, DAMAGEINDX), respondents were asked to give either an approximate numeric response or, if they did not know, then a banded response. The vast majority of those who gave a response gave numeric responses (after excluding refusals and those saying there was no cost incurred).
We agreed with DSIT from the outset of the survey that for those who gave banded responses, a numeric response would be imputed, in line with all previous surveys in the series. This ensures that no survey data goes unused and also allows for larger sample sizes for these questions.
To impute numeric responses, syntax was applied to the SPSS dataset which:
- calculated the mean amount within a banded range for respondents who had given numeric responses (e.g. a £200 mean amount for everyone giving an answer between £100 and £500)
- applied this mean amount as the imputed value for all respondents who gave the equivalent banded response (i.e. £200 would be the imputed mean amount for everyone not giving a numeric response but saying “£100 to less than £500” as a banded response)
Often in these cases, a common alternative approach is to take the mid-point of each banded response and use that as the imputed value (i.e. £300 for everyone saying “£100 to less than £500”). It was decided against doing this for these specific questions, given that the mean responses within a banded range have tended to cluster towards the bottom of the band over the years. This suggested that imputing values based on mid-points would slightly overestimate the true values across respondents.
Derived cyber crime estimates (including numeric and financial cost estimates)
Since 2024 the SPSS file has included a number of additional derived variables based on the cyber crime questions. Here is a brief description of each derived variable in the cyber crime section:
- Cybercrime_all - the percentage of organisations that have experienced any cyber crime (i.e. excluding cyber-facilitated fraud)
- Cybercrime_allsum - the total number of cyber crimes experienced (i.e. excluding cyber-facilitated fraud), rebased to only be amongst those that experienced cyber crimes
- Cybercrime_notphish - the percentage of organisations that have experienced any cyber crime other than phishing (still excluding cyber-facilitated fraud)
- Cybercrime_notphishsum - the total number of cyber crimes experienced, other than phishing (still excluding cyber-facilitated fraud), rebased to only be amongst those that experienced these cyber crimes
- Cybercrime_rans - the percentage of organisations that have experienced cyber crime relating to ransomware
- Cybercrime_ranssum - the total number of cyber crimes experienced relating to ransomware, rebased to only be amongst those that experienced these cyber crimes
- Cybercrime_virus - the percentage of organisations that have experienced cyber crime relating to viruses or other malware
- Cybercrime_virussum - the total number of cyber crimes experienced relating to viruses or other malware, rebased to only be amongst those that experienced these cyber crimes
- Cybercrime_hack - the percentage of organisations that have experienced cyber crime relating to hacking
- Cybercrime_hacksum - the total number of cyber crimes experienced relating to hacking, rebased to only be amongst those that experienced these cyber crimes
- Cybercrime_dos - the percentage of organisations that have experienced cyber crime relating to denial of service attacks
- Cybercrime_dossum - the total number of cyber crimes experienced relating to denial of service attacks, rebased to only be amongst those that experienced these cyber crimes
- crime_fraud - the percentage of organisations that have experienced fraud as a result of cyber breaches or attacks
- crime_fraudsum - the total number of frauds experienced as a result of cyber crime, rebased to only be amongst those that experienced these frauds
- Cybercrime_phish - the percentage of organisations that have experienced cyber crime relating to phishing
- Cybercrime_phishsum - the total number of cyber crimes experienced relating to phishing, rebased to only be amongst those that experienced these cyber crimes
- Extortion - the percentage of organisations that have experienced any extortion (among those experiencing cyber crimes relating to unauthorised access, online takeovers or denial of service)
- Extortion_sum - the total number of extortion events, rebased to only be amongst those that experienced cyber crimes relating to unauthorised access, online takeovers or denial of service
- hacksumcost_bands - the total cost of criminal hacking and online takeovers in the last 12 months assigned to bands and rebased to only be amongst those that provided a cost estimate for any relevant cyber crime experienced
- notfraudcost_bands - the total cost of all cyber crimes (i.e. excluding cyber-facilitated fraud) assigned to bands and rebased to only be amongst those that provided a cost estimate for any relevant cyber crime experienced
- fraudcost_bands - the total cost of fraud that occurred as a result of cyber breaches or attacks assigned to bands
- crimecost_bands - the total cost of all crimes (including cyber-facilitated fraud) assigned to bands and rebased to only be amongst those that provided a cost estimate for any crime experienced
Please note that, as in previous waves of the survey, the variables listed below have ‘yes’ and ‘no’ binary categories. The ‘no’ category includes both those that gave a ‘no’ response and those that gave a ‘don’t know’ response; whether a respondent was a ‘no’ or a ‘don’t know’ can be found at other variables in the SPSS file:
- Cybercrime_all
- Cybercrime_notphish
- Cybercrime_rans
- Cybercrime_virus
- Cybercrime_hack
- Cybercrime_dos
- crime_fraud
- Cybercrime_phish
- Extortion
- type_comb1
- type_comb2
- prevent_comb4
- AllEssentials
- Step1
- Step2
- Step3
- Step4
- Step5
- Step6
- Step7
- Step8
- Step9
- Step10
- Any10Steps
For the numeric and financial cost estimates for cyber crime, respondents were also able to give a banded response if they could not provide an exact answer. We have opted to impute the numeric or financial value for these questions by taking the mid-point of each banded response (or the specific value mentioned in the top band). This is different from the cyber incident cost estimates, which impute the average value within the band. The sample of cyber crime cost estimates is much smaller, so there is not enough data to impute average values within bands. In other words, it is simply not possible to use anything other than the mid-point values.
Redaction of financial cost estimates in published SPSS data
No numeric cost variables will be included in the published SPSS dataset, both for the cyber incident (DAMAGE) questions and the crime (COSTA) questions. This was agreed with DSIT to prevent any possibility of individual organisations being identified. Instead, all variables related to spending and cost figures will be banded, including the imputed values (laid out in the previous section). These banded variables include:
- damagedirsx_bands
- damagedirlx_bands
- damagestaffx_bands
- damageindx_bands
- damage_bands
- ransdem_bands
- ranspay_bands
- ranscost_bands
- viruscost_bands
- hackcost_bands
- tkvrcost_bands
- doscost_bands
- fraudcost_bands2
- hacksumcost_bands
- notfraudcost_bands
- fraudcost_bands
- crimecost_bands
In addition, the following merged or derived variables will be included:
- country_comb
- ext_report
- scheme_any
- supplyrisk_any
- supplycert_any
- type6x
- morethanphish
- disruptax
No region groupings are included for the education institution data, to avoid the risk of these schools, colleges or universities being identified, and no individual region is included for businesses and charities to avoid the risk of identification of these organisations when triangulated against other variables.
Missing values
We have treated missing values consistently each year.
- For all non-cost data, only respondents that did not answer a question are treated as missing, and allocated a value of -1. That means that all responses, including “don’t know” (a value of -97) and “refused” responses (-99) are counted in the base and in any descriptive statistics.
- For all cost data, i.e. damagedirs through to cost_bands, the “don’t know” (-97) and “refused” (-99) responses are treated as missing. Practically, this means that any analysis run on these variables systematically excludes “don’t know” and “refused” responses from the base. In other words, this kind of analysis (e.g. analysis to show the mean cost or median cost) only uses the respondents that have given a numeric or banded cost.
Rounding differences between the SPSS dataset and published data
If running analysis on weighted data in SPSS, users must be aware that the default setting of the SPSS crosstabs command does not handle non-integer weighting in the same way as typical survey data tables.[footnote 28] Users may, therefore, see very minor differences in results between the SPSS dataset and the percentages in the main release, which consistently use the survey data tables. These should be differences of no more than one percentage point, and only occur on rare occasions.
Chapter 3: Qualitative approach technical details
The qualitative strand of this research covered all the sampled groups from the survey. We conducted 44 in-depth interviews overall, the same as in 2024.
3.1 Sampling
We took the sample for all 44 in-depth interviews from the quantitative survey. We asked respondents during the survey whether they would be willing to be recontacted specifically to take part in a further 60-minute interview on the same topic. Table 3.1 shows the proportion of respondents from each group that agreed to be recontacted, the total recontact sample available, and the qualitative interviews undertaken with each group.
Table 3.1: Summary of qualitative sample counts and interviews
Sample group | Achieved quantitative interviews | Permission for recontact | Recontact sample | Achieved qualitative interviews |
---|---|---|---|---|
Businesses | 2,180 | 59% | 1,296 | 23 |
Charities | 1,081 | 65% | 699 | 10 |
Primary schools | 250 | 58% | 144 | 1 |
Secondary schools | 240 | 61% | 146 | 3 |
Further education | 52 | 60% | 31 | 3 |
Higher education | 32 | 41% | 13 | 4 |
3.2 Recruitment quotas and screening
We carried out recruitment for the qualitative element by email and telephone, using the contact details collected in the survey, and via a specialist business recruiter. We offered a high street voucher or charity donation of £50 made on behalf of participants to encourage participation.
We used recruitment quotas to ensure that interviews included a mix of different sizes, sectors and regions for businesses, and different charitable areas, income bands and countries for charities. We also had further quotas based on the responses in the quantitative survey, reflecting the topics to be discussed in the interviews. These ensured we spoke to a range of organisations that had:
- a formal cyber security strategy
- published an annual report in the last 12 months
- referenced cyber security risks in their latest annual report
- adopted specific cyber security standards or accreditations
- formally reviewed supply chain cyber security risks (including for immediate suppliers and their wider supply chain)
- some form of incident response planning
- would take at least one action if experiencing a cyber security incident
- reported cyber security breaches
- not reported cyber security breaches
- deemed cyber security a low business priority
- used Managed Service Providers or other Digital Service Providers
- reported costs from their most disruptive cyber security breach
These were all administered as soft rather than hard quotas. This meant that the recruiter aimed to recruit a minimum number of participants in each group, and could exceed these minimums, rather than having to reach a fixed number of each type of respondent.
We also briefed the recruiter to carry out a further qualitative screening process of participants, to check that they felt capable of discussing at least some of the broad topic areas covered in the topic guide (laid out in the following section). The recruiter probed participants’ job titles, job roles, and gave them some further information about the topic areas over email. The intention was to screen out organisations that might have been willing to take part but would have had little to say on these topics.
3.3 Fieldwork
The Ipsos research team carried out all fieldwork from October to December 2024. We conducted the 44 interviews through a mix of telephone and Microsoft Teams calls. Interviews lasted around 60 minutes on average.
DSIT and the Home Office originally laid out their topics of interest for the 2025 study. Ipsos then drafted the interview topic guide around these topics, which was reviewed and approved by both departments. The qualitative topic guide has changed slightly each year, in order to respond to the new findings that emerge from each year’s quantitative survey. The intention is for the qualitative research to explore new topics that were not necessarily as big or salient in previous years, as well as to look more in depth at the answers that organisations gave in this year’s survey. This year, the guide covered the following broad thematic areas:
- perception of cyber security risk
- cyber security practices
- cyber security leadership and governance
- incident response
- reporting and data protection
- digital service providers
- cost of cyber security breaches
In order to ensure that the interviews would fit within the 60-minute time allocation, not all respondents were asked about digital service providers and the cost of cyber security breaches. These sections were only asked where relevant (for example, the respondent had to have reported that they had incurred costs as a result of a cyber security breach to be asked the section on the cost of cyber security breaches).
A full reproduction of the topic guide is available in Appendix B.
Tables 3.2 and 3.3 show a profile of the 23 interviewed businesses by size and sector.
Table 3.2: Sector profile of businesses in follow-up qualitative stage
SIC 2007 letter | Sector description | Total |
---|---|---|
A | Agriculture, forestry or fishing | 0 |
B, C, D, E | Utilities or production (including manufacturing) | 7 |
F | Construction | 1 |
G | Retail or wholesale (including vehicle sales and repairs) | 1 |
H | Transport or storage | 2 |
I | Food or hospitality | 1 |
J | Information or communications | 0 |
K | Finance or insurance | 1 |
L, N | Administration or real estate | 3 |
M | Professional, scientific or technical | 5 |
P | Education (excluding state education institutions) | 0 |
Q | Health, social care or social work | 1 |
R, S | Entertainment, service or membership organisations | 1 |
Total | | 23 |
Table 3.3: Size profile of businesses (by number of staff) in follow-up qualitative stage
Size band | Total |
---|---|
Micro or small (1-49 employees) | 7 |
Medium (50-249 employees) | 10 |
Large (250+ employees) | 6 |
Total | 23 |
Table 3.4 shows a profile of the 10 interviewed charities by income band.
Table 3.4: Size profile of charities (by income band) in follow-up qualitative stage
Income band | Total |
---|---|
£100,000 to under £500,000 | 2 |
£500,000 to under £5 million | 3 |
£5 million or more | 5 |
Total | 10 |
3.4 Analysis
Throughout fieldwork, the core research team discussed interim findings and outlined areas to focus on in subsequent interviews. Specifically, we held two face-to-face analysis meetings with the entire fieldwork team: one halfway through fieldwork and one once fieldwork had been completed. In these sessions, researchers discussed the findings from individual interviews, and we drew out emerging key themes, recurring findings and other patterns across the interviews. DSIT and the Home Office attended the final analysis session once fieldwork had been completed.
We also recorded all interviews and summarised them in an Excel notes template, which categorised findings by topic area and the research questions within that topic area. The research team reviewed these notes, and also listened back to recordings, to identify the examples and verbatim quotes to include in the main report.
Chapter 4: Research burden
The Government Statistical Service (GSS) has a policy of monitoring and reducing statistical survey burden to participants where possible, and the burden imposed should be proportionate to the benefits arising from the use of the statistics. As a producer of statistics, DSIT is committed to monitoring and reducing the burden on those providing their information, and on those involved in collecting, recording and supplying data.
This section calculates the research compliance cost, in terms of the time cost on respondents, imposed by both the quantitative survey and qualitative fieldwork.
- The quantitative survey had 3,835 respondents and the average (mean) survey length was 22 minutes. Therefore the research compliance cost for the quantitative survey this year was [3,835 × 22 minutes = 1,406 hours].
- The qualitative research had 44 respondents and the average interview length was 60 minutes. Respondents completed the qualitative interviews in addition to the quantitative survey. The research compliance cost for the qualitative strand this year was [44 × 60 minutes = 44 hours].
In total, the compliance cost for the Cyber Security Breaches Survey 2025 was 1,450 hours.
Steps taken to minimise the research burden
Across both strands of fieldwork, we took the following steps to minimise the research burden on respondents:
- making it clear that all participation was voluntary
- informing respondents of the average time it takes to complete an interview at the start of the survey call, during recruitment for the qualitative research and again at the start of the qualitative interview
- confirming that respondents were happy to continue if the interviews went over this average time
- split-sampling certain questions, that is, asking them of a random half of respondents only, to reduce the overall interview length
- offering to carry out interviews at the times convenient for respondents, including evenings and weekends where requested
- offering an online interview instead of a telephone one, according to the respondent’s preferences.
The study also adheres to Government Social Research Professional Guidance on ethics.
Appendix A: Questionnaire
Cyber Security Breaches Survey 2025
Main stage questionnaire
Key
INTERVIEWER INSTRUCTIONS IN CAPS
Screener
CATIINTRO
INTRO SCREEN IF TELEPHONE (MODETYPE = CATI)
Is this the head office for [SAMPLE CONAME]?
IF NOT THE HEAD OFFICE, ASK TO BE TRANSFERRED AND RESTART
Hello, my name is … from Ipsos, the independent research organisation.
IF CALLING 08 NUMBER FOR CHARITY (SAMPLE S_FREENUM=_01): Before I proceed, I’d like to make clear that I’m calling your 0800 number, for which you may be charged. Would you like me to proceed, or call on a different number?
We are conducting a survey on behalf of [SAMPLE S_COUNTRY=_03: the Department for Science, Innovation and Technology, the Home Office and Scottish Government/ELSE: the Department for Science, Innovation and Technology and the Home Office]. It is about how UK [SAMPLE S_SAMPTYPE=_01: businesses/SAMPLE S_SAMPTYPE=_02: charities/SAMPLE S_SAMPTYPE=_03: education institutions] of all different sizes approach cyber security and online safety. Each year, the organisations that take part help to shape the government’s guidance on this topic.
- [SAMPLE S_SIZEBAND=_04: If your organisation takes part, Ipsos will make a £10 donation to charity on your behalf at the start of the interview.]
- The purpose is not to sell any software or services. It is conducted annually to generate Official Statistics for the Government.
- Taking part is confidential.
- The interview takes an average of 20-22 minutes, and is typically shorter for smaller organisations.
- The organisations that take part get given a summary of last year’s findings, as well as a help card with links to the latest Government cyber security guidance for [SAMPLE S_SAMPTYPE=_01: businesses/SAMPLE S_SAMPTYPE=_02: charities/SAMPLE S_SAMPTYPE=_03: education institutions].
Could I please speak to the senior person at your organisation with the most responsibility when it comes to cyber security?
IF OUTSOURCE CYBER SECURITY: In that case, we want to talk to the person within your organisation who typically deals with your external IT or cyber security provider. We know this may be the business owner, a trustee, Chief Executive, or someone else from the senior management team.
REASSURANCES IF NECESSARY
- We got your contact details from the [SAMPLE S_SAMPTYPE=_01: Market Location business database/SAMPLE S_COUNTRY=_01: Charity Commission for England and Wales/SAMPLE S_COUNTRY=_02: Charity Commission for Northern Ireland/SAMPLE S_COUNTRY=_03: Office of the Scottish Charity Regulator/SAMPLE S_SAMPTYPE=_03: public databases of schools, colleges and universities].
- The survey is for all types of businesses and charities. We also want to talk to organisations that have not had any cyber security issues, or that outsource their cyber security, so we get your views as well.
- The survey is not technical: we want your views, not just expert opinion on this topic.
- The survey has been endorsed by techUK, the Association of British Insurers (ABI), and the Charity Commission for England and Wales.
- To check the survey is legitimate, you can visit the GOV.UK website on www.gov.uk/government/publications/cyber-security-breaches-survey. You can also Google the term “Cyber Security Breaches Survey 2024” to find the same link yourself.
SHOWSCREEN_REASSURANCE
SHOW IF TELEPHONE (MODETYPE = CATI) AND WANTS REASSURANCE EMAIL
Just so you know, this email has more information about the survey and gives you a unique link to complete all or part of the survey online, if you prefer this. We may call you back after a few days to help you get the survey completed, if you’re unable to fill it out online.
STANDARD OPTIONS TO SEND REASSURANCE EMAIL
WEBINTRO
INTRO SCREEN IF WEB (MODETYPE = WEB/ONLINE)
Thanks for filling in this important government survey. This survey should be completed by the most senior person in the organisation who is responsible for cyber security.
Each year, the organisations that take part help to shape the government’s guidance on cyber security and online safety.
[SAMPLE S_SIZEBAND=_04: If your organisation takes part, Ipsos will make a £10 donation to charity on your behalf at the end of the interview.]
Participation in the survey is voluntary and you can change your mind at any time. To check the survey is legitimate and to view Ipsos’ privacy policy, you can visit the GOV.UK website on www.gov.uk/government/publications/cyber-security-breaches-survey.
Consent
Q1A_CONSENT
ASK IF TELEPHONE (MODETYPE = CATI)
Before we start, I just want to clarify that participation in the survey is voluntary and you can change your mind at any time. Are you happy to proceed with the interview?
SINGLE CODE
- Yes
- No CLOSE SURVEY
Q_VERIFYSENIOR
ASK IF WEB (MODETYPE = WEB/ONLINE)
Please could you confirm that you are a senior person responsible for cyber security in [SAMPLE S_CONAME]?
SINGLE CODE
- Yes - senior person responsible for cyber security
- No - not a senior person responsible for cyber security
SHOWSCREEN_NOTSENIOR
SHOW IF NOT A SENIOR PERSON (Q_VERIFYSENIOR CODE 2)
Thank you for your interest in this study.
Please forward the email invitation or survey link you received to the appropriate senior person in your organisation. Their feedback will shape the government’s understanding of organisations like yours.
RETURN TO INTRO SCREEN
Q1X_UNICOL
ASK IF WEB OPEN LINK
Thanks for taking part via this open survey link. Ipsos is also telephoning and emailing UK further and higher education institutions directly to invite them to take part.
Just to make sure we don’t call you again after you have taken part through this link, could you please provide us with the name of your institution?
WRITE IN
Incentive
Q90_DONATION
ASK IF SAMPLED AS LARGE BUSINESS (SAMPLE S_SIZEBAND=_04)
As promised, we will make a £10 charity donation on your behalf as a thank you for completing the full interview, which takes an average of 20-22 minutes. We have three charities for you to choose from.
ADD IF NECESSARY:
- Turn2us helps people in financial need gain access to charitable grants and other financial help.
- The NSPCC, or National Society for the Prevention of Cruelty to Children, is a charity campaigning and working in child protection in the United Kingdom.
- Samaritans provides emotional support to anyone in emotional distress, struggling to cope, or at risk of suicide throughout the United Kingdom and Ireland.
READ OUT CODES
Please select one answer
SINGLE CODE
- Turn2us
- NSPCC
- Samaritans
- DO NOT READ OUT: Prefer not to donate
Business profile
Q1B_TITLE
ASK ALL
What is your job role?
PROMPT TO CODE, INCLUDING SENIORITY AND IF RELATED DIRECTLY TO CYBER SECURITY OR NOT
Please select one answer
SINGLE CODE
Job role directly related to cyber security
- Chief Information Officer (CIO)
- Chief Information Security Officer (CISO)
- Director of Security
- Head of Cyber Security/Information Security
- Another cyber security role
Job role directly related to IT
- Senior IT role (e.g. IT director, Head of IT)
- Non-senior IT role (e.g. IT manager, technician, administrator)
Job role not related to cyber security/IT - senior management level
- Business owner
- Chief Executive (CEO)/Managing Director (MD)
- Chief Operations Officer (COO)/Operations Director
- Finance Director/Controller
- Headteacher
- Trustee/treasurer/on trustee board
- Partner
- Chairperson
- Another senior management role (e.g. director)
Job role not related to cyber security/IT - non-senior management level
- General/office manager (not a director/trustee)
- PA/secretary/admin
- Teacher (not in senior management)
- Another non-senior role
TYPEXDUM
DUMMY VARIABLE NOT ASKED
Would you classify your organisation as … ?
SINGLE CODE
- IF SAMPLE S_SAMPTYPE=1: Private sector
- IF SAMPLE S_SAMPTYPE=2: Charity
- IF SAMPLE S_SAMPTYPE=3: State education institution
BUSINESS/CHARITY/EDUCATION TEXT SUBSTITUTIONS BASED ON TYPEXDUM. THIS IS THE DEFAULT SCRIPTING FOR ALL TEXT SUBSTITUTIONS FROM THIS POINT ONWARDS, UNLESS OTHERWISE SPECIFIED.
Q4_SIZEA
ASK IF BUSINESS (TYPEXDUM CODE 1)
Including yourself, how many employees work for your organisation across the UK as a whole?
This includes full-time and part-time staff. Please include yourself if you are on the payroll as an employee.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
WRITE IN RANGE 2-99,999
SOFT CHECK IF >4,999
SINGLE CODE
- Respondent is sole trader CLOSE SURVEY
- DO NOT READ OUT: Don’t know
Q5_SIZEB
ASK IF DON’T KNOW SIZE OF BUSINESS (SIZEA CODE DK)
Which of these best represents the number of employees working for your organisation across the UK as a whole, including yourself?
PROBE FULLY
Please select one answer
SINGLE CODE
- Under 10
- 10 to 49
- 50 to 249
- 250 or more
- DO NOT READ OUT: Don’t know
SIZEDUM
DUMMY VARIABLE NOT ASKED
Which of these best represents the number of employees working in your organisation, including yourself?
SINGLE CODE
MERGE RESPONSES FROM SIZEA AND SIZEB
USE SAMPLE S_SIZEBAND IF SIZEB CODE DK
LEAVE AS MISSING IF TYPEXDUM NOT CODE 1
- Under 10
- 10 to 49
- 50 to 249
- 250 or more
Perceived importance and preparedness
SHOWSCREEN_DISPRI
READ OUT/SHOW TO ALL
The rest of the survey is about cyber security. By this, we mean any strategy, processes, practices or technologies that organisations have in place to secure their networks, computers, programs or the data they hold from damage, attack or unauthorised access.
Q9_PRIORITY
ASK IF HALF A IF BUSINESS/CHARITY, OR ALL IF EDUCATION
How high or low a priority is cyber security to your organisation’s [INSERT STATEMENT]? Is it…
READ OUT STATEMENT AND SCALE
Please select one answer
ASK AS A CAROUSEL
a. [IF BUSINESS: directors/IF CHARITY: trustees/IF EDUCATION: governors] or senior management
SINGLE CODE
REVERSE SCALE EXCEPT FOR LAST CODE
- Very high
- Fairly high
- Fairly low
- Very low
- DO NOT READ OUT: Don’t know
Q11_UPDATE
ASK IF MEDIUM OR LARGE BUSINESSES (TYPEXDUM CODE 1 AND SIZEDUM CODES 3-4), HIGH-INCOME CHARITIES (TYPEXDUM CODE 2 AND SAMPLE S_INCOME = _04 OR _05) OR EDUCATION (TYPEXDUM CODE 3)
Approximately how often, if at all, are your organisation’s [IF BUSINESS: directors/IF CHARITY: trustees/IF EDUCATION: governors] or senior management given an update on any actions taken around cyber security? Is it…
IF CATI AND EDUCATION (MODETYPE = CATI AND TYPEXDUM CODE 3): INTERVIEWER NOTE: FOR EDUCATION INSTITUTIONS, “EVERY TERM” MEANS QUARTERLY
READ OUT
Please select one answer
SINGLE CODE
REVERSE SCALE EXCEPT FOR LAST 2 CODES
- Never
- Less than once a year
- Annually
- Quarterly
- Monthly
- Weekly
- Daily
- DO NOT READ OUT: Each time there is a breach or attack
- DO NOT READ OUT: Don’t know
Spending
Q23X_INSUREX
ASK IF HALF A IF BUSINESS/CHARITY, OR ALL IF EDUCATION
There are general insurance policies that provide cover for cyber security breaches or attacks, among other things. There are also specific insurance policies that are solely for this purpose. Which of the following best describes your situation?
READ OUT
Please select one answer
SINGLE CODE
- We have a specific cyber security insurance policy
- We have cyber security cover as part of a broader insurance policy
- We are not insured against cyber security breaches or attacks
- DO NOT READ OUT: Don’t know
Q23Y_WHYNOINSURE
ASK THOSE THAT DO NOT HAVE A CYBER INSURANCE POLICY (Q23X_INSUREX = 3)
Is there a reason why you do not have cyber insurance? Is it…
READ OUT
MULTICODE
Please select all that apply
- Too expensive
- Coverage not broad enough
- Not a budgetary priority
- Leadership not interested in cyber insurance
- Not aware of cyber insurance
- CATI: DO NOT READ OUT: Don’t know
Information sources
Q24_INFO
ASK IF HALF A IF BUSINESS/CHARITY, OR ALL IF EDUCATION
In the last 12 months, from where, if anywhere, has your organisation sought information, advice or guidance on the cyber security threats that you face?
INTERVIEWER NOTE: IF “GOVERNMENT”, THEN PROBE WHERE EXACTLY
DO NOT PROMPT
PROBE FULLY, I.E. “ANYTHING ELSE?”
Please select all that apply
MULTICODE
Government/public sector
- Government’s 10 Steps to Cyber Security guidance
- Government’s Cyber Aware website/materials
- Government’s Cyber Essentials materials
- Government intelligence services (e.g. GCHQ)
- GOV.UK/Government website (excluding NCSC website)
- A regional Cyber Resilience Centre (CRC)
- Action Fraud
- National Cyber Security Centre (NCSC) website/offline
- Police
- Regulator (e.g. Financial Conduct Authority) - but excluding charity regulators
- Another government or public sector organisation WRITE IN
Charity-related
- Association of Chief Executives of Voluntary Organisations (ACEVO)
- Charity Commission/regulator
- Charity Finance Group (CFG)
- Community Accountants
- Community Voluntary Services (CVS)
- Institute of Fundraising (IOF)
- National Council for Voluntary Organisations (NCVO)
Education related
- Jisc/the Janet network
- Department for Education (DfE)
- Ofsted
- Secure Schools programme
- Teachers’ unions (e.g. NASUWT, NEU or NUT)
Other specific organisations
- Cyber Security Information Sharing Partnership (CISP)
- Professional/trade/industry/volunteering association
- Security bodies (e.g. ISF or IISP)
- Security product vendors (e.g. AVG, Kaspersky etc)
- UK Cyber Security Council
Internal sources
- Within your organisation - senior management/board
- Within your organisation - other colleagues or experts
Any other external sources
- Auditors/accountants
- Bank/business bank/bank’s IT staff
- External security/IT consultants/cyber security providers
- Internet Service Provider
- LinkedIn
- Newspapers/media
- Online searching generally/Google
- Specialist IT blogs/forums/websites
- Another (non-government) source WRITE IN
SINGLE CODE
- Nowhere
- Don’t know
Q24D_SCHEME
ASK IF HALF B IF BUSINESS/CHARITY, OR ALL IF EDUCATION
There are various government campaigns, schemes, information and guidance on cyber security. Which, if any, of the following have you heard of?
READ OUT STATEMENTS
Please select one answer for each statement
IF CATI: ASK AS SEPARATE SCREENS
IF WEB: ASK AS A COLLAPSIBLE GRID
RANDOMISE LIST
a. The Cyber Essentials scheme
b. The 10 Steps to Cyber Security
c. IF MICRO OR SMALL BUSINESS (TYPEXDUM CODE 1 AND SIZEDUM CODES 1-2): Any Small Business Guides, such as the Small Business Guide to Cyber Security, the Small Business Guide to Response and Recovery
d. IF MEDIUM OR LARGE BUSINESSES (TYPEXDUM CODE 1 AND SIZEDUM CODES 3-4), HIGH-INCOME CHARITIES (TYPEXDUM CODE 2 AND SAMPLE S_INCOME = _04 OR _05) OR EDUCATION (TYPEXDUM CODE 3): The Cyber Security Board Toolkit
e. IF CHARITY: The Cyber Security Small Charity Guide
f. The Cyber Aware campaign
g. The “Check Your Cyber Security” tool on the National Cyber Security Centre website
h. IF MICRO OR SMALL BUSINESS (TYPEXDUM CODE 1 AND SIZEDUM CODES 1-2) OR CHARITY (TYPEXDUM CODE 2): The Cyber Action Plan for small organisations
SINGLE CODE
- Yes
- No
- DO NOT READ OUT: Don’t know
Q24E_GOVTACT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND SEEN OR HEARD GOVERNMENT GUIDANCE (SCHEMEa-j CODE 1)
What, if anything, have you changed or implemented at your organisation after seeing or hearing any government campaigns or guidance on cyber security?
DO NOT PROMPT
PROBE FULLY, I.E. “ANYTHING ELSE?”
Please select all that apply
MULTICODE IF CATI
Governance changes
- Increased spending
- Changed nature of the business/activities
- New/updated business continuity plans
- New/updated cyber policies
- New checks for suppliers/contractors
- New procurement processes, e.g. for devices/IT
- New risk assessments
- Increased senior management oversight/involvement
Technical changes
- Changed/updated firewall/system configurations
- Changed user admin/access rights
- Increased monitoring
- New/updated antivirus/anti-malware software
- Other new software/tools (not antivirus/anti-malware)
- Penetration testing
People/training changes
- Outsourced cyber security/hired external provider
- Recruited new staff
- Staff training/communications
- Vetting staff/extra vetting
- Another change WRITE IN
SINGLE CODE
- Nothing done
- Only heard about guidance, not read it
- Don’t know
Policies and procedures
SHOWSCREEN_PROCEDURES
SHOW TO ALL
Here are some questions about your current cyber security processes and procedures. If you don’t do or have the things we’re asking about, just say so and we’ll move on.
Q29_MANAGE
ASK ALL
Which of the following governance or risk management arrangements, if any, do you have in place?
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST
- [IF BUSINESS: Board members/IF CHARITY: Trustees/IF EDUCATION: A governor or senior manager] with responsibility for cyber security
- An outsourced provider that manages your cyber security
- A formal policy or policies in place covering cyber security risks
- A Business Continuity Plan that covers cyber security
- A written list of the most critical data, systems or assets that your organisation wants to protect
SINGLE CODE
NOT PART OF ROTATION
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: None of these
Q29A_COMPLY
ASK HALF B IF BUSINESS/CHARITY, OR ALL IF EDUCATION
Is your organisation certified with any of the following standards or accreditations?
ADD IF NECESSARY: By certified, we mean your organisation has applied for and received an optional certificate for meeting these standards or accreditations.
READ OUT
Please select all that apply
MULTICODE
- ISO 27001
- IF HEARD OF CYBER ESSENTIALS (SCHEMEa CODE 1): Cyber Essentials
- IF HEARD OF CYBER ESSENTIALS (SCHEMEa CODE 1): Cyber Essentials Plus
SINGLE CODE
NOT PART OF ROTATION
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: None of these
Q29C_SOFTWARE
ASK ALL
What role do cyber security considerations play when purchasing new software?
Please select one answer
SINGLE CODE
- We consider cyber security to a large extent when purchasing new software
- We consider cyber security to some extent when purchasing new software, but it is not a major concern
- As we purchase new software from established and/or large companies we feel we are protected and thus cyber security is not a major concern when purchasing new software
- We do not consider cyber security when purchasing new software
- DO NOT READ OUT: Don’t know
Q30_IDENT
ASK ALL
And which of the following, if any, have you done over the last 12 months to identify cyber security risks to your organisation?
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST
- A cyber security vulnerability audit
- A risk assessment covering cyber security risks
- Used or invested in threat intelligence
- Used specific tools designed for security monitoring, such as Intrusion Detection Systems
- Penetration testing
- Testing staff awareness and response (e.g. via mock phishing exercises)
SINGLE CODE
NOT PART OF ROTATION
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: None of these
Q30A_AUDIT
ASK IF CARRIED OUT A CYBER SECURITY VULNERABILITY AUDIT (IDENT CODE 1)
Were any cyber security audits carried out internally by staff, by an external contractor, or both?
DO NOT PROMPT
Please select one answer
SINGLE CODE
- Only internally by staff
- Only by an external contractor
- Both internal and external
- Don’t know
Q31_RULES
ASK ALL
And which of the following rules or controls, if any, do you have in place?
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST BUT KEEP CODES 10/11 TOGETHER
- A policy to apply software security updates within 14 days
- Up-to-date malware protection
- Firewalls that cover your entire IT network, as well as individual devices
- Restricting IT admin and access rights to specific users
- Any monitoring of user activity
- Specific rules for storing and moving personal data files securely
- Security controls on company-owned devices (e.g. laptops)
- Only allowing access via company-owned devices
- Separate WiFi networks for staff and for visitors
- Backing up data securely via a cloud service
- Backing up data securely via other means
- A password policy that ensures users set strong passwords
- A virtual private network, or VPN, for staff connecting remotely
- An agreed process for staff to follow when they identify a fraudulent email or malicious website
- Any requirement for two-factor authentication when people access your network, or for applications they use
SINGLE CODE
NOT PART OF ROTATION
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: None of these
Q32_POLICY
ASK IF HAVE CYBER SECURITY POLICIES (MANAGE CODE 3)
Which of the following aspects, if any, are covered within your cyber security-related policy, or policies?
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST
- What can be stored on removable devices (e.g. USB sticks)
- Remote or mobile working (e.g. from home)
- What staff are permitted to do on your organisation’s IT devices
- Use of personally-owned devices for business activities
- Use of cloud computing
- Use of network-connected devices, sometimes called smart devices
- Any Digital Service Providers such as cloud service providers, MSPs or providers of software services
- How you’re supposed to store data
SINGLE CODE
NOT PART OF ROTATION
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: None of these
Q63C_RANSOM
ASK HALF A IF BUSINESS/CHARITY, OR ALL IF EDUCATION
In the case of ransomware attacks, does your organisation make it a rule or policy to not pay ransomware payments?
SINGLE CODE
- Yes
- No
- DO NOT READ OUT: Don’t know
Q33A_REVIEW
ASK IF HAVE CYBER SECURITY POLICIES (MANAGE CODE 3)
When were any of your policies or documentation for cyber security last created, updated, or reviewed to make sure they were up-to-date?
INTERVIEWER NOTE: IF NEVER UPDATED OR REVIEWED, ANSWER IS WHEN POLICIES WERE CREATED
If these policies or documentation have not yet been updated or reviewed, please tell us when they were created.
PROMPT TO CODE
Please select one answer
SINGLE CODE
- Within the last 3 months
- 3 to under 6 months ago
- 6 to under 12 months ago
- 12 to under 24 months ago
- 24 months ago or earlier
- DO NOT READ OUT: Don’t know
Q33B_TRAINED
ASK ALL
In the last 12 months, have you carried out any cyber security training or awareness raising sessions specifically for any [IF BUSINESS/EDUCATION: staff/IF CHARITY: staff or volunteers] who are not directly involved in cyber security?
SINGLE CODE
- Yes
- No
- DO NOT READ OUT: Don’t know
Strategy
Q33D_STRATEGY
ASK IF MEDIUM OR LARGE BUSINESSES (TYPEXDUM CODE 1 AND SIZEDUM CODES 3-4), HIGH-INCOME CHARITIES (TYPEXDUM CODE 2 AND SAMPLE S_INCOME = _04 OR _05) OR FURTHER/HIGHER EDUCATION (SAMPLE S_EDUTYPE = _05 OR _06)
Does your organisation have a formal cyber security strategy, i.e. a document that underpins all your policies and processes?
SINGLE CODE
- Yes
- No
- DO NOT READ OUT: Don’t know
Q33E_STRATINT
ASK IF HAVE A CYBER SECURITY STRATEGY (STRATEGY CODE 1)
In the last 12 months, has this strategy been reviewed by your organisation’s [IF BUSINESS: directors/IF CHARITY: trustees/IF EDUCATION: governors] or senior management?
SINGLE CODE
- Yes
- No
- DO NOT READ OUT: Don’t know
Corporate reporting of cyber risks
Q33H_CORPORATE
ASK IF MEDIUM OR LARGE BUSINESSES (TYPEXDUM CODE 1 AND SIZEDUM CODES 3-4), HIGH-INCOME CHARITIES (TYPEXDUM CODE 2 AND SAMPLE S_INCOME = _04 OR _05)
These next questions are about how cyber security is discussed in any publicly available annual reports of your organisation’s activities.
Firstly, did your organisation publish an annual report in the last 12 months?
SINGLE CODE
- Yes
- No
- DO NOT READ OUT: Don’t know
Q33I_CORPRISK
ASK IF HAVE AN ANNUAL REPORT (CORPORATE CODE 1)
Did your latest annual report cover any cyber security risks faced by your organisation?
SINGLE CODE
- Yes
- No
- DO NOT READ OUT: Don’t know
Supplier standards
SHOWSCREEN_SUPPLYBUSINESS
SHOW IF BUSINESS (TYPEXDUM CODE 1)
The next questions are about suppliers. This is not just security or IT suppliers. It includes any suppliers that provide goods or services to your organisation.
SHOWSCREEN_SUPPLYOTHER
SHOW IF CHARITY OR EDUCATION (TYPEXDUM CODES 2-3)
The next questions are about third-party organisations you work with. This includes any suppliers that provide goods or services to your organisation, or partners such as local authorities.
Q45B_SUPPLYRISK
ASK ALL
Has your organisation carried out any work to formally review the following?
READ OUT STATEMENTS
Please select one answer for each statement
IF CATI: ASK AS A GRID (NOT COLLAPSIBLE)
IF WEB: ASK AS A GRID (NOT COLLAPSIBLE)
a. The potential cyber security risks presented by your immediate suppliers [IF CHARITY/EDUCATION: or partners]
b. The potential cyber security risks presented by your wider supply chain, i.e. your suppliers’ suppliers
SINGLE CODE
- Yes
- No
- DO NOT READ OUT: Don’t know
Q45X_SUPPLYCERT
ASK HALF B IF BUSINESS/CHARITY, OR ALL IF EDUCATION
Do you require your suppliers to be certified with any of the following standards or accreditations?
ADD IF NECESSARY: By certified, we mean your organisation has applied for and received an optional certificate for meeting these standards or accreditations.
PROMPT TO CODE
Please select one answer for each statement
IF CATI: ASK AS A GRID (NOT COLLAPSIBLE)
IF WEB: ASK AS A GRID (NOT COLLAPSIBLE)
a. ISO 27001
b. IF HEARD OF CYBER ESSENTIALS (SCHEMEa CODE 1): Cyber Essentials
c. IF HEARD OF CYBER ESSENTIALS (SCHEMEa CODE 1): Cyber Essentials Plus
SINGLE CODE
- Yes, all of them
- Yes, some but not all of them
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: None of these
Breaches or attacks
Q53A_TYPE
ASK ALL
Have any of the following happened to your organisation in the last 12 months, even if they ended up having no impact on you?
Please note, many of these things could happen at once or close together, i.e. as part of a related series of breaches or attacks. We want to hear about all aspects.
READ OUT
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please select all that apply
MULTICODE
- Your organisation’s devices being targeted with ransomware, i.e. a type of malware that tells you to pay a ransom to restore your files or stop them being made public
- Your organisation’s devices being targeted with other malware (e.g. viruses or spyware)
- Denial of service attacks, i.e. attacks that try to slow or take down your website, applications or online services
- Hacking or attempted hacking of online bank accounts
- People impersonating, in emails or online, your organisation or your staff [IF CHARITY: or volunteers]
- Phishing attacks, i.e. staff [IF CHARITY: or volunteers] receiving fraudulent emails, or arriving at fraudulent websites - even if they did not engage with these emails or websites
- Unauthorised accessing of files or networks by staff [IF CHARITY: or volunteers], even if accidental
- IF EDUCATION: Unauthorised accessing of files or networks by students
- Unauthorised accessing of files or networks by people [IF BUSINESS/CHARITY: outside your organisation/IF EDUCATION: other than staff or students]
- Unauthorised listening into video conferences or instant messaging
- Takeovers or attempts to take over your website, social media accounts or email accounts
MULTICODE
NOT PART OF ROTATION
- Any other types of cyber security breaches or attacks
SINGLE CODE
NOT PART OF ROTATION
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: None of these
- DO NOT READ OUT: Prefer not to say
Q53B_IMPERSONATIONHACK
ASK IF EXPERIENCED IMPERSONATION (TYPE CODE 5)
Just to check, did any of the instances where people impersonated your organisation or your staff involve someone gaining unauthorised access to your files or networks?
PROMPT TO CODE
SINGLE CODE
- Yes - all of them
- Yes - some of them
- No
- DO NOT READ OUT: Don’t know
Q53C_IMPERSONATIONTKVR
ASK IF EXPERIENCED IMPERSONATION (TYPE CODE 5)
And again just to check, did any of the instances where people impersonated your organisation or your staff involve someone taking over your own website, social media accounts or email accounts?
SINGLE CODE
- Yes - all of them
- Yes - some of them
- No
- DO NOT READ OUT: Don’t know
TYPEDUM
DUMMY VARIABLE NOT ASKED
Have any of the following happened to your organisation in the last 12 months, even if they ended up having no impact on you?
MULTICODE
MERGE RESPONSES FROM TYPE, IMPERSONATIONHACK AND IMPERSONATIONTKVR - SEE INSTRUCTIONS BELOW
- ransomware
- malware other than ransomware (e.g. viruses or spyware)
- denial of service attacks
- hacking or attempted hacking of online bank accounts
- people impersonating, in emails or online, your organisation or your staff or volunteers
- phishing attacks
- unauthorised accessing of files or networks by staff or volunteers
- unauthorised accessing of files or networks by students
- IF TYPE CODE 9 OR IMPERSONATIONHACK CODES 1-2: unauthorised accessing of files or networks by people outside your organisation
- unauthorised listening into video conferences or instant messaging
- IF TYPE CODE 11 OR IMPERSONATIONTKVR CODES 1-2: takeovers or attempts to take over your website, social media accounts or email accounts
- any other types of cyber security breaches or attacks
- Don’t know
- None of these
- Prefer not to say
Q54_FREQ
ASK IF ANY BREACHES OR ATTACKS (TYPEDUM CODES 1-12)
Approximately, how often in the last 12 months did you experience any of the cyber security breaches or attacks you mentioned? Was it …
READ OUT
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please select one answer
SINGLE CODE
- Once only
- More than once but less than once a month
- Roughly once a month
- Roughly once a week
- Roughly once a day
- Several times a day
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: Prefer not to say
Q56A_OUTCOME
ASK IF ANY BREACHES OR ATTACKS (TYPEDUM CODES 1-12)
Thinking of all the cyber security breaches or attacks experienced in the last 12 months, which, if any, of the following happened as a result?
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST BUT KEEP CODES 3/4 AND 6/7 TOGETHER
- Software or systems were corrupted or damaged
- Personal data (e.g. on [IF BUSINESS: customers or staff/IF CHARITY: beneficiaries, donors, volunteers or staff/IF EDUCATION: students or staff]) was altered, destroyed or taken
- Permanent loss of files (other than personal data)
- Temporary loss of access to files or networks
- Lost or stolen assets, trade secrets or intellectual property
- Money was stolen or taken by the attackers
- Money was paid to the attackers
- Your website, applications or online services were taken down or made slower
- Lost access to any third-party services you rely on
- Physical devices or equipment were damaged or corrupted
- Compromised accounts or systems used for illicit purposes (e.g. launching attacks)
SINGLE CODE
NOT PART OF ROTATION
- DO NOT READ OUT: None of these
- DO NOT READ OUT: Don’t know
Q57_IMPACT
ASK IF ANY BREACHES OR ATTACKS (TYPEDUM CODES 1-12)
And have any of these breaches or attacks impacted your organisation in any of the following ways, or not?
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST BUT KEEP CODES 3/4 TOGETHER
- Stopped staff from carrying out their day-to-day work
- Loss of [IF BUSINESS: revenue or share value/ELSE: income]
- Additional staff time to deal with the breach or attack, or to inform [IF BUSINESS: customers/IF CHARITY: beneficiaries/IF EDUCATION: students, parents] or stakeholders
- Any other repair or recovery costs
- New measures needed to prevent or protect against future breaches or attacks
- Fines from regulators or authorities, or associated legal costs
- Reputational damage
- IF BUSINESS/CHARITY: Prevented provision of goods or services to [IF BUSINESS: customers/IF CHARITY: beneficiaries or service users]
- Discouraged you from carrying out a future business activity you were intending to do
- Complaints from [IF BUSINESS: customers/IF CHARITY: beneficiaries or stakeholders/IF EDUCATION: students or parents]
- IF BUSINESS/CHARITY: Goodwill compensation or discounts given to customers
SINGLE CODE
NOT PART OF ROTATION
- DO NOT READ OUT: None of these
- DO NOT READ OUT: Don’t know
Cyber crime: cyber-facilitated fraud
SHOWSCREEN_FRAUD
SHOW IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ANY SPECIFIC BREACHES OR ATTACKS OTHER THAN IMPERSONATION (TYPEDUM CODES 1-4 OR 6-11)
The next questions focus on the following types of cyber security breaches or attacks that your organisation has experienced in the last 12 months:
SCRIPT TO SHOW ALL RESPONSES FROM TYPEDUM EXCEPT CODES 5, 12, DK, NULL AND REF ONE RESPONSE PER LINE AND USING SHORTENED WORDING FROM TYPEDUM
IF SOME INSTANCES OF IMPERSONATION RELATED TO ANOTHER BREACH OR ATTACK, BUT NOT ALL (IMPERSONATIONHACK CODE 2 OR IMPERSONATIONTKVR CODE 2): We know you also had instances of people impersonating your organisation or staff. Here, we only want you to include these instances if they were related to another type of breach or attack.
IF NO INSTANCES OF IMPERSONATION RELATED TO ANOTHER BREACH OR ATTACK (IMPERSONATIONHACK CODE 3 OR DK AND IMPERSONATIONTKVR CODE 3 OR DK): We know you also had instances of people impersonating your organisation or staff. You can ignore these for now.
Q88A_FRAUD
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ANY SPECIFIC BREACHES OR ATTACKS OTHER THAN IMPERSONATION (TYPEDUM CODES 1-4 OR 6-11)
How many times, if at all, did any of these cyber security breaches or attacks, including phishing attacks, result in the following?
READ OUT STATEMENTS
Please write in one answer for each statement
IF CATI: ASK ON SEPARATE SCREENS
IF WEB: ASK AS A COLLAPSIBLE GRID
ROTATE LIST
a. Attackers moving money out of your organisation’s bank account
b. Your organisation’s credit or debit card information being used without permission
c. Your organisation paying or transferring money to the attackers based on fraudulent information (e.g. a fake invoice)
d. IF ALL OR SOME INSTANCES OF IMPERSONATION RELATED TO ANOTHER BREACH OR ATTACK (IMPERSONATIONHACK CODES 1-2 OR IMPERSONATIONTKVR CODES 1-2): People impersonating your organisation or your staff using information obtained through the initial breach or attack
WRITE IN RANGE 0-99
SOFT CHECK IF>9
SINGLE CODE
- DO NOT READ OUT: Don’t know
FRAUDDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced cyber-facilitated fraud:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
- IF ANY FRAUDa-d>0: Yes
- ELSE (INCLUDING IF FRAUDa-d ALL MISSING): No
FRAUDCOUNTDUM
DUMMY VARIABLE NOT ASKED
Number of cyber-facilitated fraud experienced (among those experiencing any):
IF EXPERIENCED CYBER-FACILITATED FRAUD (FRAUDDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
FRAUDa + FRAUDb + FRAUDc + FRAUDd
Q88D_FRAUDCONT
ASK IF EXPERIENCED CYBER-FACILITATED FRAUD (FRAUDDUM CODE 1) AND MORE THAN ONE BREACH OR ATTACK OTHER THAN IMPERSONATION (2 OR MORE TYPEDUM CODES 1-4 OR 6-11)
The instances you just mentioned are instances of fraud.
IF FRAUDCOUNTDUM>1: Of the [FRAUDCOUNTDUM] instances of fraud your organisation experienced in the last 12 months, how many were the direct result of each of the following?
PROBE FULLY, I.E. NO NEED TO READ OUT ALL STATEMENTS IF ALL INSTANCES OF FRAUD HAVE ALREADY BEEN ACCOUNTED FOR
IF FRAUDCOUNTDUM=1: Which of the following directly resulted in this fraud?
INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
Please put 1 for “yes” and 0 for “no”
IF CATI: ASK AS A GRID (NOT COLLAPSIBLE)
IF WEB: ASK AS A GRID (NOT COLLAPSIBLE)
SCRIPT TO SHOW ONLY STATEMENTS IF EQUIVALENT STATEMENT MENTIONED AT TYPEDUM
a. Ransomware
b. Malware other than ransomware (e.g. viruses or spyware)
c. Denial of service attacks
d. Hacking or attempted hacking of online bank accounts
e. Phishing attacks
f. Unauthorised accessing of files or networks by staff [IF CHARITY: or volunteers]
g. Unauthorised accessing of files or networks by people outside your organisation
h. Unauthorised listening into video conferences or instant messaging
i. Takeovers or attempts to take over your website, social media accounts or email accounts
WRITE IN RANGE 0-[FRAUDCOUNTDUM NUMBER]
HARD CHECK IF TOTAL ACROSS ALL STATEMENTS =0
SINGLE CODE
- DO NOT READ OUT: Don’t know
FRAUDCONTDUM
DUMMY VARIABLE NOT ASKED (SEPARATE VARIABLE FOR EACH STATEMENT AT FRAUDCONT)
Cyber security breaches or attacks resulting in fraud.
IF FRAUDCONTa-i≥0: TAKE ANSWER FROM FRAUDCONT
IF EXPERIENCED CYBER-FACILITATED FRAUD (FRAUDDUM CODE 1) AND ONLY ONE BREACH OR ATTACK OTHER THAN IMPERSONATION (ONLY 1 OF TYPEDUM CODES 1-4 OR 6-11): TAKE ANSWER FROM FRAUDCOUNTDUM AND APPLY AS FOLLOWS:
- IF TYPEDUM CODE 1: FRAUDCONTDUMa = FRAUDCOUNTDUM NUMBER
- IF TYPEDUM CODE 2: FRAUDCONTDUMb = FRAUDCOUNTDUM NUMBER
- IF TYPEDUM CODE 3: FRAUDCONTDUMc = FRAUDCOUNTDUM NUMBER
- IF TYPEDUM CODE 4: FRAUDCONTDUMd = FRAUDCOUNTDUM NUMBER
- IF TYPEDUM CODE 6: FRAUDCONTDUMe = FRAUDCOUNTDUM NUMBER
- IF TYPEDUM CODE 7: FRAUDCONTDUMf = FRAUDCOUNTDUM NUMBER
- IF TYPEDUM CODE 8: FRAUDCONTDUMg = FRAUDCOUNTDUM NUMBER
- IF TYPEDUM CODE 9: FRAUDCONTDUMh = FRAUDCOUNTDUM NUMBER
- IF TYPEDUM CODE 10: FRAUDCONTDUMi = FRAUDCOUNTDUM NUMBER
- IF TYPEDUM CODE 11: FRAUDCONTDUMj = FRAUDCOUNTDUM NUMBER
ELSE: MISSING
Q88E_FRAUDCOSTA
ASK IF EXPERIENCED CYBER-FACILITATED FRAUD (FRAUDDUM CODE 1)
IF FRAUDCOUNTDUM>1: Across these [FRAUDCOUNTDUM NUMBER] instances of fraud, what was the total cost to your organisation?
IF FRAUDCOUNTDUM=1: What was the total cost to your organisation of this fraud?
This includes:
- the direct cost of any money taken from bank accounts, credit or debit cards, or paid to the fraudsters, including as a result of phishing emails
- other direct costs such as legal fees, insurance excess payments, or buying new software
- the cost of staff time or external contractors to help resolve or investigate issues
- the cost of any damage or disruption, such as lost revenue.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1-£999,999
SOFT CHECK IF>£999
SINGLE CODE
- No cost incurred
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: Prefer not to say
Q88F_FRAUDCOSTB
ASK IF DON’T KNOW TOTAL COST OF CYBER-FACILITATED FRAUD (FRAUDCOSTA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
- Less than £100
- £100 to less than £250
- £250 to less than £500
- £500 to less than £1,000
- £1,000 to less than £2,000
- £2,000 to less than £5,000
- £5,000 to less than £10,000
- £10,000 to less than £20,000
- £20,000 to less than £50,000
- £50,000 to less than £100,000
- £100,000 or more
- DO NOT READ OUT: Don’t know
Cyber crime: ransomware
Q83X_RANSCHK
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND HAD RANSOMWARE THAT LED TO FRAUD (FRAUDCONTDUMa>0)
IF FRAUDCONTDUMa>1: Just to check, other than the [FRAUDCONTDUMa NUMBER] instances that led to fraud, did you experience any other instances in the last 12 months where devices were targeted with ransomware, even if the attacks were unsuccessful or did not impact your organisation?
IF FRAUDCONTDUMa=1: Just to check, other than the instance that led to fraud, did you experience any other instances in the last 12 months where devices were targeted with ransomware, even if the attacks were unsuccessful or did not impact your organisation?
SINGLE CODE
- Yes
- No
- DO NOT READ OUT: Don’t know
Q83E_RANSSOFT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2)
AND
EXPERIENCED RANSOMWARE WITHOUT FRAUD (TYPEDUM CODE 1 AND FRAUDDUM NOT CODE 1) OR EXPERIENCED FRAUD THAT DIDN’T INVOLVE THEIR RANSOMWARE (TYPEDUM CODE 1 AND FRAUDDUM CODE 1 AND (RANSCHK CODE 1 OR MISSING))
IF RANSOMWARE THAT DID NOT LEAD TO FRAUD (RANSCHK NOT CODE 1): You said you experienced at least one instance in the last 12 months where devices were targeted with ransomware.
IF RANSOMWARE THAT LED TO FRAUD (RANSCHK CODE 1): Aside from the [FRAUDCONTDUMa NUMBER] [instance/instances] that led to fraud, in how many of the ransomware attacks you faced in the last 12 months was a financial ransom demanded?
IF RANSOMWARE THAT DID NOT LEAD TO FRAUD (RANSCHK NOT CODE 1): In how many of the ransomware attacks you faced in the last 12 months was a financial ransom demanded?
SHOW FOR EVERYONE BEING ASKED Q83E: The financial ransom demanded may be in the form of bitcoin or other cryptocurrency.
WRITE IN RANGE 0-999
SOFT CHECK IF 0: Just to check, it was the case that no ransom has been demanded in any ransomware attack your business has faced?
SOFT CHECK IF>9
SINGLE CODE
- DO NOT READ OUT: Don’t know
RANSSOFTDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced ransomware cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
- IF RANSSOFT>0: Yes
- ELSE (INCLUDING IF RANSSOFT MISSING): No
SHOWSCREEN_RANS
SHOW IF EXPERIENCED RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1)
IF RANSSOFT>1: This next question is specifically about these [RANSSOFT NUMBER] ransomware attacks you experienced where a financial ransom was demanded [IF FRAUD (RANSCHK CODE 1):, which did not lead to fraud].
IF RANSSOFT=1: This next question is about the one ransomware attack you experienced where a financial ransom was demanded [IF FRAUD (RANSCHK CODE 1):, which did not lead to fraud].
Q83H_RANSDEMA
ASK IF EXPERIENCED RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1)
IF RANSSOFT>1: Across these [RANSSOFT NUMBER] ransomware attacks where a financial ransom was demanded, what was the sum total demanded in ransoms?
IF RANSSOFT=1: What was the total ransom amount demanded in this ransomware attack?
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1-£999,999
SOFT CHECK IF>£999
SINGLE CODE
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: Prefer not to say
Q83I_RANSDEMB
ASK IF DON’T KNOW SUM TOTAL OF RANSOMS DEMANDED (RANSDEMA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
- Less than £100
- £100 to less than £250
- £250 to less than £500
- £500 to less than £1,000
- £1,000 to less than £2,000
- £2,000 to less than £5,000
- £5,000 to less than £10,000
- £10,000 to less than £20,000
- £20,000 to less than £50,000
- £50,000 to less than £100,000
- £100,000 to less than £250,000
- £250,000 or more
- DO NOT READ OUT: Don’t know
Q83J_RANSPAYYN
ASK IF CAN RECALL SUM TOTAL OF RANSOMS DEMANDED (RANSDEMA >1 OR RANSDEMB CODES 1-12)
And did you pay any of this amount to the attackers?
PROMPT TO CODE
Please select one answer
SINGLE CODE
- Yes, totally
- Yes, partially
- No
- DO NOT READ OUT: Don’t know
Q83K_RANSPAYA
ASK IF PARTIALLY PAID RANSOM (RANSPAYYN CODE 2)
IF RANSSOFT >1: Across the [RANSSOFT NUMBER] ransomware attacks where a financial ransom was demanded, what was the sum total you ended up paying in ransoms to the attackers?
IF RANSSOFT=1: What was the total ransom amount you ended up paying to the attackers?
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £0-[RANSDEMA NUMBER OR TOP OF RANSDEMB BAND]
SINGLE CODE
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: Prefer not to say
Q83L_RANSPAYB
ASK IF DON’T KNOW SUM TOTAL OF RANSOMS PAID (RANSPAYA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
ONLY SHOW CODES UNDER OR EQUAL TO ANSWER AT RANSDEMA OR RANSDEMB
- Less than £100
- £100 to less than £250
- £250 to less than £500
- £500 to less than £1,000
- £1,000 to less than £2,000
- £2,000 to less than £5,000
- £5,000 to less than £10,000
- £10,000 to less than £20,000
- £20,000 to less than £50,000
- £50,000 to less than £100,000
- £100,000 to less than £250,000
- £250,000 or more
- DO NOT READ OUT: Don’t know
Q83M_RANSCOSTA
ASK IF EXPERIENCED RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1)
IF RANSSOFT>1: Across these [RANSSOFT NUMBER] ransomware attacks where a financial ransom was demanded, what was the total cost to your organisation?
IF RANSSOFT=1: What was the total cost to your organisation of this ransomware attack where a financial ransom was demanded?
This includes:
- the direct cost of any ransoms paid
- other direct costs such as legal fees, insurance excess payments, or buying new software
- the cost of staff time or external contractors to help resolve or investigate issues
- the cost of any damage or disruption, such as lost revenue, or deleted files.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1-£999,999
SOFT CHECK IF>£999
SINGLE CODE
- No cost incurred
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: Prefer not to say
Q83N_RANSCOSTB
ASK IF DON’T KNOW TOTAL COST OF RANSOMWARE CYBER CRIME (RANSCOSTA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
- Less than £100
- £100 to less than £250
- £250 to less than £500
- £500 to less than £1,000
- £1,000 to less than £2,000
- £2,000 to less than £5,000
- £5,000 to less than £10,000
- £10,000 to less than £20,000
- £20,000 to less than £50,000
- £50,000 to less than £100,000
- £100,000 to less than £250,000
- £250,000 or more
- DO NOT READ OUT: Don’t know
Cyber crime: unauthorised access
HACKDUM
DUMMY VARIABLE NOT ASKED
Number of unauthorised access events that led to fraud (used for later text substitution):
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
FRAUDCONTDUMf + FRAUDCONTDUMg + FRAUDCONTDUMh
Q85A_HACKCOUNT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED UNAUTHORISED ACCESS (TYPEDUM CODES 7-10)
You said you experienced at least one instance in the last 12 months where someone tried to access your files, networks, instant messages or conference calls without authorisation, even if they were unsuccessful or did not impact your organisation.
SCRIPT TO CHANGE INSTANCE/INSTANCES AND ATTACK/ATTACKS IN TEXT SUBS BELOW IF NUMBER>1.
IF HAD UNAUTHORISED ACCESS THAT LED TO FRAUD (HACKDUM>0) AND RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1): Just to check, how many of these, if any, were separate from the [HACKDUM NUMBER] [instance/instances] that led to fraud, as well as the [RANSSOFT NUMBER] ransomware [attack/attacks] you mentioned where a financial ransom was demanded?
IF HAD UNAUTHORISED ACCESS THAT LED TO FRAUD (HACKDUM>0) AND NO RANSOMWARE CYBER CRIME (RANSSOFTDUM NOT CODE 1): Just to check, how many of these, if any, were separate from the [HACKDUM NUMBER] [instance/instances] that led to fraud?
IF HAD NO UNAUTHORISED ACCESS THAT LED TO FRAUD (HACKDUM NOT>0) AND RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1): Just to check, how many of these, if any, were separate from the [RANSSOFT NUMBER] ransomware [attack/attacks] you mentioned where a financial ransom was demanded?
IF HAD NO UNAUTHORISED ACCESS THAT LED TO FRAUD (HACKDUM NOT>0) AND NO RANSOMWARE CYBER CRIME (RANSSOFTDUM NOT CODE 1): How many times did this happen?
IF HAD NO UNAUTHORISED ACCESS THAT LED TO FRAUD (HACKDUM NOT>0) AND NO SUCCESSFUL RANSOMWARE ATTACKS (RANSSOFTDUM NOT CODE 1): WRITE IN RANGE 1-999
ELSE: WRITE IN RANGE 0-999
SOFT CHECK IF>9
SINGLE CODE
- DO NOT READ OUT: Don’t know
Q85B_HACKCOUNTDK
ASK IF DON’T KNOW HOW MANY UNAUTHORISED ACCESS EVENTS EXPERIENCED (HACKCOUNT CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
- 1
- 2 to 3
- 4 to 5
- 6 to 10
- 11 to 20
- 21 to 50
- 51 to 100
- More than 100
- DO NOT READ OUT: Don’t know
HACKCOUNTDUM
DUMMY VARIABLE NOT ASKED
Number of instances of unauthorised access (used for later text substitution):
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
- IF HACKCOUNT>1 OR HACKCOUNTDK CODES 2-8: More than one
- IF HACKCOUNT=1 OR HACKCOUNTDK CODE 1: One
- ELSE: None
Q85E_HACKSIV
ASK IF ONE OR MORE UNAUTHORISED ACCESS EVENTS (HACKCOUNTDUM CODES 1-2)
Deliberate breaches or attacks are where someone knowingly gains unauthorised access. This is different to accidental breaches where, for example, an employee has accidentally accessed a file they did not have permission to use.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
IF HACKCOUNTDUM CODE 1: How many, if any, of the [HACKCOUNT NUMBER/HACKCOUNTDK CODE] instances of unauthorised access you faced were deliberate?
IF HACKCOUNTDUM CODE 2: Was the instance of unauthorised access you faced deliberate?
IF HAD UNAUTHORISED ACCESS THAT LED TO FRAUD (HACKDUM>0) OR SUCCESSFUL RANSOMWARE ATTACKS (RANSSOFTDUM CODE 1): Just as a reminder, this is separate from any instances that led to fraud, or involved ransomware.
IF HACKCOUNTDUM CODE 2: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF HACKCOUNTDUM CODE 2: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[HACKCOUNT NUMBER OR TOP OF HACKCOUNTDK BAND]
SOFT CHECK IF 0: Just to check, were none of the instances of unauthorised access you faced deliberate? I.e. were they all accidental?
SINGLE CODE
- DO NOT READ OUT: Don’t know
HACKSIVDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced unauthorised access cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
- IF HACKSIV>0: Yes
- ELSE (INCLUDING IF HACKSIV MISSING): No
Q85H_HACKEXTCOUNT
SHOW IF EXPERIENCED UNAUTHORISED ACCESS CYBER CRIME (HACKSIVDUM CODE 1)
IF HACKSIV>1: How many of these [HACKSIV NUMBER] deliberate instances, if any, involved the attackers demanding a payment to end the unauthorised access?
IF HACKSIV=1: Did this one deliberate instance involve the attackers demanding a payment to end the unauthorised access?
IF HACKSIV=1: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF HACKSIV=1: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[HACKSIV NUMBER]
SINGLE CODE
- DO NOT READ OUT: Don’t know
HACKEXTDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced extortion from unauthorised access (among those experiencing any):
SINGLE CODE
IF EXPERIENCED UNAUTHORISED ACCESS CYBER CRIME (HACKSIVDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
- IF HACKEXTCOUNT>0: Yes
- ELSE: No
Q85J_HACKCOSTA
ASK IF EXPERIENCED UNAUTHORISED ACCESS CYBER CRIME (HACKSIVDUM CODE 1)
IF HACKSIV>1: Across these [HACKSIV NUMBER] deliberate instances of unauthorised access, what was the total cost to your organisation?
IF HACKSIV=1: What was the total cost of this deliberate instance of unauthorised access to your organisation?
This includes:
- IF HACKEXTDUM CODE 1: any payments made to the attackers to end the attack
- any other direct costs such as legal fees, insurance excess payments, or buying new software
- the cost of staff time or external contractors to help resolve or investigate issues
- the cost of any damage or disruption, such as lost revenue, or deleted files.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1-£999,999
SOFT CHECK IF>£999
SINGLE CODE
- No cost incurred
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: Prefer not to say
Q85K_HACKCOSTB
ASK IF DON’T KNOW TOTAL COST OF UNAUTHORISED ACCESS CYBER CRIME (HACKCOSTA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
- Less than £100
- £100 to less than £250
- £250 to less than £500
- £500 to less than £1,000
- £1,000 to less than £2,000
- £2,000 to less than £5,000
- £5,000 to less than £10,000
- £10,000 to less than £20,000
- £20,000 to less than £50,000
- £50,000 to less than £100,000
- £100,000 to less than £250,000
- £250,000 or more
- DO NOT READ OUT: Don’t know
Cyber crime: online takeovers
TKVRDUM
DUMMY VARIABLE NOT ASKED
Number of online takeovers that led to fraud (used for later text substitution):
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
FRAUDCONTDUMd + FRAUDCONTDUMi
Q86A_TKVRCOUNT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED ONLINE TAKEOVERS (TYPEDUM CODE 4 OR 11)
You said you experienced at least one instance in the last 12 months where someone tried to take over your website, social media, email accounts, or online bank account, even if they were unsuccessful or did not impact your organisation.
SCRIPT TO CHANGE INSTANCE/INSTANCES AND ATTACK/ATTACKS IN TEXT SUBS BELOW IF NUMBER>1.
IF HAD ONLINE TAKEOVERS THAT LED TO FRAUD (TKVRDUM>0) AND RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1):
Just to check, how many of these, if any, were separate from the [TKVRDUM NUMBER] [instance/instances] that led to fraud, as well as the [RANSSOFT NUMBER] ransomware [attack/attacks] you mentioned where a financial ransom was demanded?
IF HAD ONLINE TAKEOVERS THAT LED TO FRAUD (TKVRDUM>0) AND NO RANSOMWARE CYBER CRIME (RANSSOFTDUM NOT CODE 1):
Just to check, how many of these, if any, were separate from the [TKVRDUM NUMBER] [instance/instances] that led to fraud?
IF HAD NO ONLINE TAKEOVERS THAT LED TO FRAUD (TKVRDUM NOT>0) AND RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1):
Just to check, how many of these, if any, were separate from the [RANSSOFT NUMBER] ransomware [attack/attacks] you mentioned where a financial ransom was demanded?
IF HAD NO ONLINE TAKEOVERS THAT LED TO FRAUD (TKVRDUM NOT>0) AND NO RANSOMWARE CYBER CRIME (RANSSOFTDUM NOT CODE 1):
How many times did this happen?
IF HAD NO ONLINE TAKEOVERS THAT LED TO FRAUD (HACKDUM NOT>0) AND NO SUCCESSFUL RANSOMWARE ATTACKS (RANSSOFTDUM NOT CODE 1): WRITE IN RANGE 1-999
ELSE: WRITE IN RANGE 0-999
SOFT CHECK IF>9
SINGLE CODE
- DO NOT READ OUT: Don’t know
Q86B_TKVRCOUNTDK
ASK IF DON’T KNOW HOW MANY ONLINE TAKEOVERS EXPERIENCED (TKVRCOUNT CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
- 1
- 2 to 3
- 4 to 5
- 6 to 10
- 11 to 20
- 21 to 50
- 51 to 100
- More than 100
- DO NOT READ OUT: Don’t know
TKVRCOUNTDUM
DUMMY VARIABLE NOT ASKED
Number of instances of online takeover (used for later text substitution):
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
- IF TKVRCOUNT>1 OR TKVRCOUNTDK CODES 2-8: More than one
- IF TKVRCOUNT=1 OR TKVRCOUNTDK CODE 1: One
- ELSE: None
Q86C_TKVRSUC
ASK IF ONE OR MORE ONLINE TAKEOVERS (TKVRCOUNTDUM CODES 1-2)
IF TKVRCOUNTDUM CODE 1: How many, if any, of the [TKVRCOUNT NUMBER/TKVRCOUNTDK CODE] instances of attempted online takeover you faced were successful?
IF TKVRCOUNTDUM CODE 2: Was the instance of attempted online takeover you faced successful?
IF HAD ONLINE TAKEOVERS THAT LED TO FRAUD (TKVRDUM>0) OR SUCCESSFUL RANSOMWARE ATTACKS (RANSSOFTDUM CODE 1): Just as a reminder, this is separate from any instances that led to fraud, or involved ransomware.
IF TKVRCOUNTDUM CODE 2: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF TKVRCOUNTDUM CODE 2: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[TKVRCOUNT NUMBER OR TOP OF TKVRCOUNTDK BAND]
SOFT CHECK IF 0: Just to check, were none of the instances of attempted online takeover you faced successful? I.e. were they all cases where someone tried and failed to gain access?
SINGLE CODE
- DO NOT READ OUT: Don’t know
TKVRSUCDUM
DUMMY VARIABLE NOT ASKED
Whether online takeover cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
- IF TKVRSUC>0: Yes
- ELSE (INCLUDING IF TKVRSUC MISSING): No
Q86H_TKVREXTCOUNT
SHOW IF EXPERIENCED ONLINE TAKEOVER CYBER CRIME (TKVRSUCDUM CODE 1)
IF TKVRSUC>1: How many of these [TKVRSUC NUMBER] successful online takeovers, if any, involved the attackers demanding a payment to end the takeover?
IF TKVRSUC=1: Did this one successful online takeover involve the attackers demanding a payment to end the takeover?
IF TKVRSUC=1: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF TKVRSUC=1: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[TKVRSUC NUMBER]
SINGLE CODE
- DO NOT READ OUT: Don’t know
TKVREXTDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced extortion from online takeovers (among those experiencing any):
SINGLE CODE
IF EXPERIENCED ONLINE TAKEOVER CYBER CRIME (TKVRSUCDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
- IF TKVREXTCOUNT>1: Yes
- ELSE: No
Q86J_TKVRCOSTA
ASK IF EXPERIENCED ONLINE TAKEOVER CYBER CRIME (TKVRSUCDUM CODE 1)
IF TKVRSUC>1: Across these [TKVRSUC NUMBER] successful online takeovers, what was the total cost to your organisation?
IF TKVRSUC=1: What was the total cost of this successful online takeover to your organisation?
This includes:
- IF TKVREXTDUM CODE 1: any payments made to the attackers to end the attack
- any other direct costs such as legal fees, insurance excess payments, or buying new software
- the cost of staff time or external contractors to help resolve or investigate issues
- the cost of any damage or disruption, such as lost revenue, or deleted files.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1-£999,999
SOFT CHECK IF>£999
SINGLE CODE
- No cost incurred
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: Prefer not to say
Q86K_TKVRCOSTB
ASK IF DON’T KNOW TOTAL COST OF ONLINE TAKEOVER CYBER CRIME (TKVRCOSTA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
- Less than £100
- £100 to less than £250
- £250 to less than £500
- £500 to less than £1,000
- £1,000 to less than £2,000
- £2,000 to less than £5,000
- £5,000 to less than £10,000
- £10,000 to less than £20,000
- £20,000 to less than £50,000
- £50,000 to less than £100,000
- £100,000 to less than £250,000
- £250,000 or more
- DO NOT READ OUT: Don’t know
Cyber crime: hacking (dummy variables)
HACKMERGEDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced hacking cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
-
IF HACKSIVDUM CODE 1 OR TKVRSUCDUM CODE 1: Yes
-
ELSE (INCLUDING IF HACKSIVDUM OR TKVRDUM MISSING): No
HACKNUMDUM
DUMMY VARIABLE NOT ASKED
Number of hacking cyber crimes experienced (among those experiencing any):
IF EXPERIENCED HACKING CYBER CRIME (HACKMERGEDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
HACKSIV + TKVRSUC (TREATING ANY DK VALUES AS MISSING, SO AS 0 IN THE CALCULATION)
Cyber crime: denial of service
DOSDUM
DUMMY VARIABLE NOT ASKED
Any successful and deliberate cyber security breach or attack, or cyber-facilitated fraud so far (used for later text substitution):
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
- IF FRAUDDUM CODE 1 OR RANSSOFTDUM CODE 1 OR HACKMERGEDUM CODE 1: Yes
- ELSE: No
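The derived ("dummy") variables from FRAUDDUM through DOSDUM chain into one another, and an analyst checking published cyber-crime counts against the raw responses needs the whole chain, including the rule that a "Don't know" count is treated as 0 in the arithmetic. The Python below is an added example written for this annex; it is not the survey scripting or DSIT's analysis code. It assumes code 1 = Yes and code 2 = No for the Yes/No dummies, that None stands for both "Don't know" and a question that was not asked (MISSING), and it uses a constructed charity respondent and a constructed education respondent rather than real survey data.

```python
"""Reproduce the cyber-crime dummy variables (FRAUDDUM ... DOSDUM) from raw answers.

Added example for this annex, not the survey scripting.  Assumptions: code 1 = Yes,
code 2 = No; TYPEXDUM codes 1-2 = business/charity; None = Don't know or not asked.
"""
from typing import Dict, Optional

Value = Optional[int]

def _n(value: Value) -> int:
    """DK or not-asked counts as 0 in arithmetic, as HACKNUMDUM specifies."""
    return 0 if value is None else value

def business_or_charity(typexdum: int) -> bool:
    return typexdum in (1, 2)

def frauddum(typexdum: int, fraud: Dict[str, Value]) -> Value:
    """FRAUDDUM: Yes if any of FRAUDa-d > 0, else No; MISSING for education."""
    if not business_or_charity(typexdum):
        return None
    return 1 if any(_n(v) > 0 for v in fraud.values()) else 2

def fraudcountdum(typexdum: int, fraud: Dict[str, Value]) -> Value:
    """FRAUDCOUNTDUM: FRAUDa + FRAUDb + FRAUDc + FRAUDd among those with fraud."""
    if frauddum(typexdum, fraud) != 1:
        return None
    return sum(_n(v) for v in fraud.values())

def hackdum(typexdum: int, fraudcontdum: Dict[str, Value]) -> Value:
    """HACKDUM: unauthorised-access events that led to fraud (statements f, g, h)."""
    if not business_or_charity(typexdum):
        return None
    return sum(_n(fraudcontdum.get(k)) for k in ("f", "g", "h"))

def tkvrdum(typexdum: int, fraudcontdum: Dict[str, Value]) -> Value:
    """TKVRDUM: online takeovers that led to fraud (statements d and i)."""
    if not business_or_charity(typexdum):
        return None
    return sum(_n(fraudcontdum.get(k)) for k in ("d", "i"))

def yes_if_positive(typexdum: int, count: Value) -> Value:
    """Shared rule for RANSSOFTDUM, HACKSIVDUM, TKVRSUCDUM: Yes if count > 0."""
    if not business_or_charity(typexdum):
        return None
    return 1 if _n(count) > 0 else 2

def hackmergedum(typexdum: int, hacksiv: Value, tkvrsuc: Value) -> Value:
    """HACKMERGEDUM: Yes if HACKSIVDUM or TKVRSUCDUM is Yes."""
    if not business_or_charity(typexdum):
        return None
    if 1 in (yes_if_positive(typexdum, hacksiv), yes_if_positive(typexdum, tkvrsuc)):
        return 1
    return 2

def hacknumdum(typexdum: int, hacksiv: Value, tkvrsuc: Value) -> Value:
    """HACKNUMDUM: HACKSIV + TKVRSUC with DK as 0, among those with hacking."""
    if hackmergedum(typexdum, hacksiv, tkvrsuc) != 1:
        return None
    return _n(hacksiv) + _n(tkvrsuc)

def dosdum(typexdum: int, fraud, ranssoft: Value, hacksiv: Value, tkvrsuc: Value) -> Value:
    """DOSDUM: any cyber crime or cyber-facilitated fraud so far."""
    if not business_or_charity(typexdum):
        return None
    any_yes = (frauddum(typexdum, fraud) == 1
               or yes_if_positive(typexdum, ranssoft) == 1
               or hackmergedum(typexdum, hacksiv, tkvrsuc) == 1)
    return 1 if any_yes else 2

def derive(resp: dict) -> Dict[str, Value]:
    """Derive every dummy from one respondent's raw answers."""
    t, f, fc = resp["TYPEXDUM"], resp["FRAUD"], resp["FRAUDCONTDUM"]
    rs, hs, ts = resp["RANSSOFT"], resp["HACKSIV"], resp["TKVRSUC"]
    return {
        "FRAUDDUM": frauddum(t, f),
        "FRAUDCOUNTDUM": fraudcountdum(t, f),
        "HACKDUM": hackdum(t, fc),
        "TKVRDUM": tkvrdum(t, fc),
        "RANSSOFTDUM": yes_if_positive(t, rs),
        "HACKSIVDUM": yes_if_positive(t, hs),
        "TKVRSUCDUM": yes_if_positive(t, ts),
        "HACKMERGEDUM": hackmergedum(t, hs, ts),
        "HACKNUMDUM": hacknumdum(t, hs, ts),
        "DOSDUM": dosdum(t, f, rs, hs, ts),
    }

# Constructed sample respondents (not real survey data).
SAMPLE_CHARITY = {
    "TYPEXDUM": 2,
    "FRAUD": {"a": 1, "b": 0, "c": 2, "d": None},            # d = Don't know
    "FRAUDCONTDUM": {"a": 0, "d": 0, "f": 1, "g": 2, "h": 0, "i": None},
    "RANSSOFT": 0,     # no ransom was demanded
    "HACKSIV": None,   # Don't know how many instances were deliberate
    "TKVRSUC": 2,      # two successful online takeovers
}
SAMPLE_SCHOOL = {"TYPEXDUM": 3, "FRAUD": {}, "FRAUDCONTDUM": {},
                 "RANSSOFT": None, "HACKSIV": None, "TKVRSUC": None}

if __name__ == "__main__":
    for name, value in derive(SAMPLE_CHARITY).items():
        print(f"{name:14s} {value}")
```

For the constructed charity the chain yields FRAUDCOUNTDUM = 3 (the DK answer at FRAUDd contributes 0), HACKDUM = 3, HACKNUMDUM = 2 (the DK at HACKSIV is treated as 0, as the HACKNUMDUM rule states) and DOSDUM = Yes; every dummy for the education respondent is MISSING because these sections are only coded for businesses and charities.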
SHOWSCREEN_DOSCHK
SHOW IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED DENIAL OF SERVICE ATTACKS (TYPEDUM CODE 3) AND ANY CYBER CRIME OR CYBER-FACILITATED FRAUD SO FAR (DOSDUM CODE 1)
So far, you’ve told us about the following distinct cyber security breaches or attacks from the last 12 months that were both successful and deliberate:
SCRIPT TO CHANGE INSTANCE/INSTANCES AND ATTACK/ATTACKS IN TEXT SUBS BELOW IF NUMBER>1.
SCRIPT TO ONLY SHOW EACH BULLET BASED ON THE FOLLOWING ROUTING:
- IF FRAUDDUM CODE 1: [FRAUDCOUNTDUM NUMBER] [instance/instances] in total that led to fraud
- IF RANSSOFTDUM CODE 1: [RANSSOFT NUMBER] ransomware [attack/attacks] where a financial ransom was demanded
- IF HACKSIVDUM CODE 1: [HACKSIV NUMBER] [instance/instances] of unauthorised access
- IF TKVRSUCDUM CODE 1: [TKVRSUC NUMBER] online takeover [attack/attacks]
This next question is specifically about any unrelated instances in the last 12 months where someone tried to slow or take down your website, applications or online services, known as a denial of service attack.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
Q87A_DOSCOUNT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED DENIAL OF SERVICE ATTACKS (TYPEDUM CODE 3)
You said you experienced at least one denial of service attack in the last 12 months, even if the attacks were unsuccessful or did not impact your organisation. How many times did this happen?
IF ANY CYBER CRIME OR CYBER-FACILITATED FRAUD SO FAR (DOSDUM CODE 1): Please exclude any instances related to the successful and deliberate breaches or attacks you have already told us about. If that means you have already mentioned all your denial of service attacks, you can say this.
WRITE IN RANGE 1-999
SOFT CHECK IF>9
SINGLE CODE
-
IF DOSDUM CODE 1: DO NOT READ OUT: Already mentioned all denial of service attacks
-
DO NOT READ OUT: Don’t know
Q87B_DOSCOUNTDK
ASK IF DON’T KNOW HOW MANY DENIAL OF SERVICE ATTACKS EXPERIENCED (DOSCOUNT CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
-
1
-
2 to 3
-
4 to 5
-
6 to 10
-
11 to 20
-
21 to 50
-
51 to 100
-
More than 100
-
DO NOT READ OUT: Don’t know
DOSCOUNTDUM
DUMMY VARIABLE NOT ASKED
Number of denial of service attacks (used for later text substitution):
SINGLE CODE
-
IF DOSCOUNT>1 OR DOSCOUNTDK CODES 2-8: More than one
-
IF DOSCOUNT=1 OR DOSCOUNTDK CODE 1: One
-
ELSE: None
Q87E_DOSSOFT
ASK IF ONE OR MORE DENIAL OF SERVICE ATTACKS (DOSCOUNTDUM CODES 1-2)
INTERVIEWER READ OUT IF NOT PREVIOUSLY MENTIONED: Some breaches or attacks are unsuccessful, because they are stopped by an organisation’s internal or third-party software before they make an impact. Others are successful, and overcome internal or third-party software.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
IF DOSCOUNTDUM CODE 1: How many, if any, of the [DOSCOUNT NUMBER/DOSCOUNTDK CODE] denial of service attacks you faced were successful? I.e. they overcame internal or third-party software.
IF DOSCOUNTDUM CODE 2: Was the denial of service attack you faced successful? I.e. it overcame internal or third-party software.
IF ANY CYBER CRIME SO FAR (DOSDUM CODE 1): Just as a reminder, this is aside from the instances that led to fraud, or other successful and deliberate breaches or attacks you have already told us about.
IF DOSCOUNTDUM CODE 2: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF DOSCOUNTDUM CODE 2: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[DOSCOUNT NUMBER OR TOP OF DOSCOUNTDK BAND]
SOFT CHECK IF 0: Just to check, were none of the denial of service attacks you faced successful? I.e. were they all stopped by internal or third-party software before they made an impact?
SINGLE CODE
-
DO NOT READ OUT: Don’t know
DOSSOFTDUM
DUMMY VARIABLE NOT ASKED
Number of successful denial of service attacks (used for later text substitution):
SINGLE CODE
-
IF DOSSOFT>1: More than one
-
IF DOSSOFT=1: One
-
ELSE: None
Q87G_DOSSIV
ASK IF ONE OR MORE SUCCESSFUL DENIAL OF SERVICE ATTACKS (DOSSOFTDUM CODES 1-2)
Deliberate denial of service attacks are where someone knowingly overloads your systems to cause them to crash. This is different to non-deliberate instances where, for example, service is denied because a website is experiencing high traffic.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
IF DOSSOFTDUM CODE 1: As far as you know, how many of your [DOSSOFT NUMBER] successful denial of service attacks in the last 12 months were deliberate?
IF DOSSOFTDUM CODE 2: As far as you know, was your successful denial of service attack deliberate?
IF DOSSOFTDUM CODE 2: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF DOSSOFTDUM CODE 2: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[DOSSOFT NUMBER]
SOFT CHECK IF 0: Just to check, were none of your successful denial of service attacks deliberate? I.e. were they all instances of non-deliberate high traffic?
SINGLE CODE
-
DO NOT READ OUT: Don’t know
DOSSIVDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced denial of service cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
-
IF DOSSIV>0: Yes
-
ELSE (INCLUDING IF DOSSIV MISSING): No
Q87J_DOSEXTCOUNT
SHOW IF EXPERIENCED DENIAL OF SERVICE CYBER CRIME (DOSSIVDUM CODE 1)
IF DOSSIV>1: How many of these [DOSSIV NUMBER] successful and deliberate denial of service attacks, if any, involved the attackers demanding a payment to end the attack?
IF DOSSIV=1: Did this one successful and deliberate denial of service attack involve the attackers demanding a payment to end the attack?
IF DOSSIV=1: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF DOSSIV=1: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[DOSSIV NUMBER]
SINGLE CODE
-
DO NOT READ OUT: Don’t know
DOSEXTDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced extortion from denial of service attacks (among those experiencing any):
SINGLE CODE
IF EXPERIENCED DENIAL OF SERVICE CYBER CRIME (DOSSIVDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
-
IF DOSEXTCOUNT>0: Yes
-
ELSE: No
Q87L_DOSCOSTA
ASK IF EXPERIENCED DENIAL OF SERVICE CYBER CRIME (DOSSIVDUM CODE 1)
IF DOSSIV>1: Across these [DOSSIV NUMBER] successful and deliberate denial of service attacks, what was the total cost to your organisation?
IF DOSSIV=1: What was the total cost of this successful and deliberate denial of service attack to your organisation?
This includes:
- IF DOSEXTDUM CODE 1: any payments made to the attackers to end the attack
- any other direct costs such as legal fees, insurance excess payments, or buying new software
- the cost of staff time or external contractors to help resolve or investigate issues
- the cost of any damage or disruption, such as lost revenue, or deleted files.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1-£999,999
SOFT CHECK IF>£999
SINGLE CODE
-
No cost incurred
-
DO NOT READ OUT: Don’t know
-
DO NOT READ OUT: Prefer not to say
Q87M_DOSCOSTB
ASK IF DON’T KNOW TOTAL COST OF DENIAL OF SERVICE CYBER CRIME (DOSCOSTA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
-
Less than £100
-
£100 to less than £250
-
£250 to less than £500
-
£500 to less than £1,000
-
£1,000 to less than £2,000
-
£2,000 to less than £5,000
-
£5,000 to less than £10,000
-
£10,000 to less than £20,000
-
£20,000 to less than £50,000
-
£50,000 to less than £100,000
-
£100,000 to less than £250,000
-
£250,000 or more
-
DO NOT READ OUT: Don’t know
Cyber crime: other malware
VIRUSDUM
DUMMY VARIABLE NOT ASKED
Any successful and deliberate cyber security breach or attack, or cyber-facilitated fraud so far (used for later text substitution):
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
-
IF FRAUDDUM CODE 1 OR RANSSOFTDUM CODE 1 OR HACKMERGEDUM CODE 1 OR DOSSIVDUM CODE 1: Yes
-
ELSE: No
SHOWSCREEN_VIRUSCHK
SHOW IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED OTHER MALWARE (TYPEDUM CODE 2) AND ANY CYBER CRIME OR CYBER-FACILITATED FRAUD SO FAR (VIRUSDUM CODE 1)
So far, you’ve told us about the following distinct cyber security breaches or attacks from the last 12 months that were both successful and deliberate:
SCRIPT TO CHANGE INSTANCE/INSTANCES AND ATTACK/ATTACKS IN TEXT SUBS BELOW IF NUMBER>1.
SCRIPT TO ONLY SHOW EACH BULLET BASED ON THE FOLLOWING ROUTING:
- IF FRAUDDUM CODE 1: [FRAUDCOUNTDUM NUMBER] [instance/instances] in total that led to fraud
- IF RANSSOFTDUM CODE 1: [RANSSOFT NUMBER] ransomware [attack/attacks] where a financial ransom was demanded
- IF HACKSIVDUM CODE 1: [HACKSIV NUMBER] [instance/instances] of unauthorised access
- IF TKVRSUCDUM CODE 1: [TKVRSUC NUMBER] online takeover [attack/attacks]
- IF DOSSOFTDUM CODE 1: [DOSSOFT NUMBER] denial of service [attack/attacks]
This next question is specifically about any unrelated instances in the last 12 months where your organisation’s devices were targeted with malware such as viruses or spyware.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
Q84E_VIRUSSOFT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED OTHER MALWARE (TYPEDUM CODE 2)
You said you experienced at least one instance in the last 12 months where devices were targeted with malware such as viruses or spyware.
INTERVIEWER READ OUT IF NOT PREVIOUSLY MENTIONED: Some breaches or attacks are unsuccessful, because they are stopped by an organisation’s internal or third-party software before they make an impact. Others are successful, and overcome internal or third-party software.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
How many, if any, of the malware attacks you faced were successful? I.e. they overcame internal or third-party software.
IF ANY CYBER CRIME SO FAR (VIRUSDUM CODE 1): Just as a reminder, this is aside from the instances that led to fraud, or other successful and deliberate breaches or attacks you have already told us about.
WRITE IN RANGE 0-999
SOFT CHECK IF 0: Just to check, were none of the malware attacks you faced successful? I.e. were they all stopped by internal or third-party software before they made an impact?
SINGLE CODE
-
DO NOT READ OUT: Don’t know
VIRUSSOFTDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced other malware cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
-
IF VIRUSSOFT>0: Yes
-
ELSE (INCLUDING IF VIRUSSOFT MISSING): No
SHOWSCREEN_VIRUS
SHOW IF EXPERIENCED OTHER MALWARE CYBER CRIME (VIRUSSOFTDUM CODE 1)
IF VIRUSSOFT>1: This next question is specifically about the [VIRUSSOFT NUMBER] successful malware attacks you experienced. [IF ANY CYBER CRIME SO FAR (VIRUSDUM CODE 1): These are the ones that did not lead to fraud, or involve the other successful and deliberate cyber security breaches or attacks you have already told us about].
IF VIRUSSOFT=1: This next question is about the one successful malware attack you experienced. [IF ANY CYBER CRIME SO FAR (VIRUSDUM CODE 1): This is the one that did not lead to fraud, or involve the other successful and deliberate cyber security breaches or attacks you have already told us about].
Q84I_VIRUSCOSTA
ASK IF EXPERIENCED OTHER MALWARE CYBER CRIME (VIRUSSOFTDUM CODE 1)
IF VIRUSSOFT>1: Across these [VIRUSSOFT NUMBER] successful malware attacks, what was the total cost to your organisation?
IF VIRUSSOFT=1: What was the total cost of this successful malware attack to your organisation?
This includes:
- any direct costs such as legal fees, insurance excess payments, or buying new software
- the cost of staff time or external contractors to help resolve or investigate issues
- the cost of any damage or disruption, such as lost revenue, or deleted files.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1-£999,999
SOFT CHECK IF>£999
SINGLE CODE
-
No cost incurred
-
DO NOT READ OUT: Don’t know
-
DO NOT READ OUT: Prefer not to say
Q84J_VIRUSCOSTB
ASK IF DON’T KNOW TOTAL COST OF MALWARE CYBER CRIME (VIRUSCOSTA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
-
Less than £100
-
£100 to less than £250
-
£250 to less than £500
-
£500 to less than £1,000
-
£1,000 to less than £2,000
-
£2,000 to less than £5,000
-
£5,000 to less than £10,000
-
£10,000 to less than £20,000
-
£20,000 to less than £50,000
-
£50,000 to less than £100,000
-
£100,000 to less than £250,000
-
£250,000 or more
-
DO NOT READ OUT: Don’t know
Cyber crime: phishing
PHISHDUM
DUMMY VARIABLE NOT ASKED
Any successful and deliberate cyber security breach or attack, or cyber-facilitated fraud so far (used for later text substitution):
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
-
IF FRAUDDUM CODE 1 OR RANSSOFTDUM CODE 1 OR HACKMERGEDUM CODE 1 OR DOSSIVDUM CODE 1 OR VIRUSSOFTDUM CODE 1: Yes
-
ELSE: No
SHOWSCREEN_PHISHCHK
SHOW IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED OTHER MALWARE (TYPEDUM CODE 2) AND ANY CYBER CRIME OR CYBER-FACILITATED FRAUD SO FAR (PHISHDUM CODE 1)
So far, you’ve told us about the following distinct cyber security breaches or attacks from the last 12 months that were both successful and deliberate:
SCRIPT TO CHANGE INSTANCE/INSTANCES AND ATTACK/ATTACKS IN TEXT SUBS BELOW IF NUMBER>1.
SCRIPT TO ONLY SHOW EACH BULLET BASED ON THE FOLLOWING ROUTING:
- IF FRAUDDUM CODE 1: [FRAUDCOUNTDUM NUMBER] [instance/instances] in total that led to fraud
- IF RANSSOFTDUM CODE 1: [RANSSOFT NUMBER] ransomware [attack/attacks] where a financial ransom was demanded
- IF HACKSIVDUM CODE 1: [HACKSIV NUMBER] [instance/instances] of unauthorised access
- IF TKVRSUCDUM CODE 1: [TKVRSUC NUMBER] online takeover [attack/attacks]
- IF DOSSOFTDUM CODE 1: [DOSSOFT NUMBER] denial of service [attack/attacks]
- IF VIRUSSOFTDUM CODE 1: [VIRUSSOFT NUMBER] malware [attack/attacks]
This next question is specifically about any unrelated instances in the last 12 months of phishing attacks, where staff received a fraudulent email, or arrived at a fraudulent website. I.e. any phishing attacks that did not lead to the instances you have already told us about.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
Q89C_PHISHENG
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED PHISHING ATTACKS (TYPEDUM CODE 6)
You said you experienced at least one phishing attack in the last 12 months, where staff received a fraudulent email, or arrived at a fraudulent website.
Some phishing attacks are unsuccessful, because no one in the organisation engages with them. Others are successful, because someone engages, for example by clicking a link, opening an attachment, downloading a file, or replying to the attack email.
If more than one person engages with the same phishing attack, we want to count this as just one attack.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
How many, if any, of the phishing attacks you faced did someone, such as an employee, engage with?
IF ANY CYBER CRIME SO FAR (PHISHDUM CODE 1): Just as a reminder, this is aside from the instances that led to fraud, or to other successful and deliberate breaches or attacks you have already told us about.
WRITE IN RANGE 0-999
SOFT CHECK IF 0: Just to check, did no one engage with any of the phishing attacks you faced? I.e. did no one click a link, open an attachment, download a file, or reply to the attack email?
SINGLE CODE
-
DO NOT READ OUT: Don’t know
PHISHENGDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced phishing engagement cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
-
IF PHISHENG>0: Yes
-
ELSE (INCLUDING IF PHISHENG MISSING): No
Q89X_PHISHCONYES
ASK IF EXPERIENCED PHISHING ENGAGEMENT CYBER CRIME (PHISHENGDUM CODE 1)
Other than the [PHISHENG NUMBER] phishing [attack/attacks] that someone in your organisation engaged with, did you experience any further phishing attacks in the last 12 months?
SINGLE CODE
-
Yes
-
No
-
DO NOT READ OUT: Don’t know
Q89E_PHISHCON
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED PHISHING ATTACKS (TYPEDUM CODE 6) WHERE NO ENGAGEMENT (PHISHCONYES CODE 1 OR PHISHENGDUM CODE 2)
IF PHISHCONYES CODE 1:
This question is about the remaining phishing attacks from the last 12 months that no one engaged with.
As far as you know, how many, if any, of these remaining phishing attacks were specifically targeted at your organisation or its staff? By this, we mean the attackers referred to your organisation or its staff by name, or included any personal or contact details in any messages.
ELSE:
And as far as you know, how many, if any, of the phishing attacks you faced in the last 12 months were specifically targeted at your organisation or its staff? By this, we mean the attackers referred to your organisation or its staff by name, or included any personal or contact details in any messages.
WRITE IN RANGE 0-999
SOFT CHECK IF 0: Just to check, were none of the remaining phishing attacks you faced specifically targeted at your organisation or its staff? I.e. was there no mention of your organisation, of staff by name, or other personal or contact details?
SINGLE CODE
-
DO NOT READ OUT: Don’t know
Q89F_PHISHCONDK
ASK IF DON’T KNOW HOW MANY PHISHING ATTACKS WERE TARGETED (PHISHCON CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
-
1
-
2 to 3
-
4 to 5
-
6 to 10
-
11 to 20
-
21 to 50
-
51 to 100
-
More than 100
-
DO NOT READ OUT: Don’t know
PHISHCONDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced phishing personal details cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
-
IF PHISHCON>0 OR PHISHCONDK CODE DK: Yes
-
ELSE (INCLUDING IF PHISHCON MISSING): No
PHISHCONNUMDUM
DUMMY VARIABLE NOT ASKED
Number of phishing personal details cyber crimes experienced (among those experiencing any):
IF EXPERIENCED PHISHING PERSONAL DETAILS CYBER CRIME (PHISHCONDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
IF PHISHCON>0: TAKE VALUE FROM PHISHCON
IF PHISHCONDK CODES 1-8: CODE AS FOLLOWS FROM PHISHCONDK:
- CODE 1 = 1
- CODE 2 = 3
- CODE 3 = 5
- CODE 4 = 8
- CODE 5 = 16
- CODE 6 = 36
- CODE 7 = 76
- CODE 8 = 100
ELSE: MISSING
PHISHMERGEDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced phishing cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
-
IF PHISHENGDUM CODE 1 OR PHISHCONDUM CODE 1: Yes
-
ELSE (INCLUDING IF PHISHENG OR PHISHCON MISSING): No
PHISHNUMDUM
DUMMY VARIABLE NOT ASKED
Number of phishing cyber crimes experienced (among those experiencing any):
IF EXPERIENCED PHISHING CYBER CRIME (PHISHMERGEDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
PHISHENG + PHISHCONNUMDUM (TREATING ANY DK VALUES AS MISSING, SO AS 0 IN THE CALCULATION)
Cyber crime (further dummy variables)
CRIMEDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced any cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
-
IF RANSSOFTDUM CODE 1 OR HACKMERGEDUM CODE 1 OR DOSSIVDUM CODE 1 OR VIRUSSOFTDUM CODE 1 OR PHISHMERGEDUM CODE 1: Yes
-
ELSE (INCLUDING IF ABOVE VARIABLES HAVE MISSING RESPONSES): No
CRIMENUMDUM
DUMMY VARIABLE NOT ASKED
Number of cyber crimes experienced (among those experiencing any):
IF EXPERIENCED CYBER CRIME (CRIMEDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
RANSSOFT + HACKNUMDUM + DOSSIV + VIRUSSOFT + PHISHNUMDUM (TREATING ANY DK OR -97 VALUES AS MISSING, SO 0 IN THE CALCULATION)
Most disruptive breach or attack
SHOWSCREEN_DISRUPT
SHOW IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND MORE THAN ONE TYPE OF BREACH OR ATTACK EXPERIENCED (2 OR MORE TYPEDUM CODES 1-12)
Just to remind you, you mentioned that your organisation had experienced the following types of cyber security breaches or attacks in the last 12 months:
SCRIPT TO SHOW ALL MENTIONS AT TYPEDUM ONE RESPONSE PER LINE AND USING SHORTENED WORDING FROM TYPEDUM
For these final questions, we want to return to thinking about all of these.
Q64A_DISRUPTA
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND MORE THAN ONE TYPE OF BREACH OR ATTACK EXPERIENCED (2 OR MORE TYPEDUM CODES 1-12)
Now we would like you to think about the one cyber security breach or attack, or the main event in a related series of breaches or attacks, that caused the most disruption to your organisation in the last 12 months.
What kind of breach or attack was this?
INTERVIEWER NOTE: IF MORE THAN ONE CODE APPLIES, ASK RESPONDENT WHICH ONE OF THESE THEY THINK STARTED OFF THE BREACH OR ATTACK
PROMPT TO CODE IF NECESSARY
Please select one answer
SINGLE CODE
SCRIPT TO SHOW ONLY CODES MENTIONED AT TYPEDUM
-
Your organisation’s devices being targeted with ransomware, i.e. a type of malware that tells you to pay a ransom to restore your files or stop them being made public
-
Your organisation’s devices being targeted with other malware (e.g. viruses or spyware)
-
Denial of service attacks, i.e. attacks that try to slow or take down your website, applications or online services
-
Hacking or attempted hacking of online bank accounts
-
People impersonating, in emails or online, your organisation or your staff [IF CHARITY: or volunteers]
-
Phishing attacks, i.e. staff [IF CHARITY: or volunteers] receiving fraudulent emails or arriving at fraudulent websites
-
Unauthorised accessing of files or networks by staff [IF CHARITY: or volunteers], even if accidental
-
Unauthorised accessing of files or networks by students
-
Unauthorised accessing of files or networks by people outside your organisation
-
Unauthorised listening into video conferences or instant messaging
-
Takeovers or attempts to take over your website, social media accounts or email accounts
-
Any other types of cyber security breaches or attacks
-
DO NOT READ OUT: Don’t know
Q64B_DISRUPTPHISH
ASK IF PHISHING WAS MOST DISRUPTIVE BREACH (Q64A_DISRUPTA=6)
You said that the cyber security breach or attack that caused the most disruption to your organisation was a phishing attack. What made this phishing attack the most disruptive?
READ OUT
MULTICODE
-
It resulted in your organisation’s devices being targeted with ransomware, i.e. a type of malware that tells you to pay a ransom to restore your files or stop them being made public.
-
It resulted in your organisation’s devices being targeted with other malware (e.g. viruses or spyware)
-
It resulted in a denial of service attack, i.e. attacks that try to slow or take down your website, applications or online services
-
It resulted in hacking or attempted hacking of online bank accounts
-
It resulted in people impersonating, in emails or online, your organisation or your staff [IF CHARITY: or volunteers]
-
It resulted in unauthorised accessing of files or networks by staff [IF CHARITY: or volunteers], even if accidental
-
IF EDUCATION: It resulted in unauthorised accessing of files or networks by students
-
It resulted in unauthorised accessing of files or networks by people [IF BUSINESS/CHARITY: outside your organisation/IF EDUCATION: other than staff or students]
-
It resulted in unauthorised listening into video conferences or instant messaging
-
It resulted in takeovers or attempts to take over your website, social media accounts or email accounts
-
It resulted in attackers moving money out of your organisation’s bank account
-
It resulted in your organisation’s credit or debit card information being used without permission
-
It resulted in your organisation paying or transferring money to the attackers based on fraudulent information (e.g. a fake invoice)
MULTICODE
NOT PART OF ROTATION
-
It resulted in any other types of cyber security breaches or attacks
-
Other reason (please specify)
SINGLE CODE
NOT PART OF ROTATION
-
DO NOT READ OUT: Don’t know
-
DO NOT READ OUT: None of these
-
DO NOT READ OUT: Prefer not to say
SHOWSCREEN_ONEATTACK
SHOW IF EXPERIENCED ONE TYPE OF BREACH OR ATTACK MORE THAN ONCE (ONLY 1 TYPEDUM CODES 1-12 AND [FREQ CODES 2-6 OR DK]): You mentioned you had experienced [INSERT SHORTENED WORDING FROM TYPEDUM] on more than one occasion. Now I would like you to think about the one instance of this that caused the most disruption to your organisation in the last 12 months.
Q71_RESTORE
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
How long, if any time at all, did it take to restore business operations back to normal after the breach or attack was identified? Was it…
PROMPT TO CODE
Please select one answer
SINGLE CODE
-
No time at all
-
Less than a day
-
Between a day and under a week
-
Between a week and under a month
-
One month or more
-
DO NOT READ OUT: Still not back to normal
-
DO NOT READ OUT: Don’t know
Q76_REPORTA
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
Was this breach or attack reported to anyone outside your organisation, or not?
SINGLE CODE
-
Yes
-
No
-
DO NOT READ OUT: Don’t know
Q77A_NOREPORT
ASK IF MOST DISRUPTIVE BREACH OR ATTACK NOT REPORTED (REPORTA CODE 2)
What were the reasons for not reporting this breach or attack?
DO NOT PROMPT
PROBE FULLY (“ANYTHING ELSE?”)
Please select all that apply
MULTICODE
-
Breach/impact not significant enough
-
Breach was not criminal
-
Don’t know who to report to
-
No benefit to our business
-
Not obliged/required to report breaches
-
Reporting won’t make a difference
-
Too soon/haven’t had enough time
-
Worried about reputational damage
-
Another reason WRITE IN
SINGLE CODE
-
Don’t know
Q77_REPORTB
ASK IF REPORTED (REPORTA CODE 1)
Who was this breach or attack reported to?
DO NOT PROMPT
PROBE FULLY (“ANYONE ELSE?”)
Please select all that apply
MULTICODE
IT/cyber security provider
-
External IT/cyber security provider
Government or public sector organisations
-
Action Fraud
-
Cifas (the UK fraud prevention service)
-
Charity Commission/regulator
-
Information Commissioner’s Office (ICO)
-
Another regulator (e.g. Financial Conduct Authority)
-
National Cyber Security Centre (NCSC)
-
National Crime Agency (NCA)
-
National Protective Security Authority (NPSA)
-
Police
-
Another government or public sector organisation WRITE IN
Other non-government organisations
-
Antivirus company
-
Bank, building society or credit card company
-
CERT UK (the national computer emergency response team)
-
Clients/customers
-
Cyber Security Information Sharing Partnership (CISP)
-
Internet/Network Service Provider
-
Professional/trade/industry association
-
Suppliers
-
Was publicly declared
-
Website administrator
-
Another non-government organisation WRITE IN
SINGLE CODE
-
Don’t know
Q78_PREVENT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
What, if anything, have you done since this breach or attack to prevent or protect your organisation from further breaches or attacks like this?
DO NOT PROMPT
PROBE FULLY (“ANYTHING ELSE?”)
Please select all that apply
MULTICODE
Governance changes
-
Increased spending
-
Changed nature of the business/activities
-
New/updated business continuity plans
-
New/updated cyber policies
-
New checks for suppliers/contractors
-
New procurement processes, e.g. for devices/IT
-
New risk assessments
-
Increased senior management oversight/involvement
-
Purchased cyber insurance
Technical changes
-
Changed/updated firewall/system configurations
-
Changed user admin/access rights
-
Increased monitoring
-
New/updated antivirus/anti-malware software
-
Other new software/tools (not antivirus/anti-malware)
-
Penetration testing
People/training changes
-
Outsourced cyber security/hired external provider
-
Recruited new staff
-
Staff training/communications
-
Vetting staff/extra vetting
-
Another action WRITE IN
SINGLE CODE
-
Nothing done
-
Don’t know
Q78K_DAMAGEDIRS
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
These next questions are about the approximate costs of this most disruptive breach or attack, or related series of breaches or attacks.
Firstly, what was the approximate value of any external payments made when the incident was being dealt with? This includes:
- any payments to external IT consultants or contractors to investigate or fix the problem
- any payments to the attackers, or money they stole.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1-£9,999,999
SOFT CHECK IF>£9,999
SINGLE CODE
-
No cost of this kind incurred
-
DO NOT READ OUT: Don’t know
-
DO NOT READ OUT: Prefer not to say
Q78L_DAMAGEDIRSB
ASK IF DON’T KNOW SHORT-TERM DIRECT COST OF THIS CYBER SECURITY BREACH OR ATTACK (DAMAGEDIRS CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
-
Less than £100
-
£100 to less than £500
-
£500 to less than £1,000
-
£1,000 to less than £5,000
-
£5,000 to less than £10,000
-
£10,000 to less than £20,000
-
£20,000 to less than £50,000
-
£50,000 to less than £100,000
-
£100,000 to less than £500,000
-
£500,000 to less than £1 million
-
£1 million to less than £5 million
-
£5 million or more
-
DO NOT READ OUT: Don’t know
Q78M_DAMAGEDIRL
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
What was the approximate value of any external payments made in the aftermath of the incident? This includes:
- any payments to external IT consultants or contractors to run audits, risk assessments or training
- the cost of new or upgraded software or systems
- recruitment costs if you had to hire someone new
- any legal fees, insurance excess, fines, compensation or PR costs related to the incident.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1-£9,999,999
SOFT CHECK IF>£9,999
SINGLE CODE
-
No cost of this kind incurred
-
DO NOT READ OUT: Don’t know
-
DO NOT READ OUT: Prefer not to say
Q78N_DAMAGEDIRLB
ASK IF DON’T KNOW LONG-TERM DIRECT COST OF THIS CYBER SECURITY BREACH OR ATTACK (DAMAGEDIRL CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
-
Less than £100
-
£100 to less than £500
-
£500 to less than £1,000
-
£1,000 to less than £5,000
-
£5,000 to less than £10,000
-
£10,000 to less than £20,000
-
£20,000 to less than £50,000
-
£50,000 to less than £100,000
-
£100,000 to less than £500,000
-
£500,000 to less than £1 million
-
£1 million to less than £5 million
-
£5 million or more
-
DO NOT READ OUT: Don’t know
Q78O_DAMAGESTAFF
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
What was the approximate cost of the staff time dealing with the incident? This is how much staff would have got paid for the time they spent investigating or fixing the problem. Please include this cost even if this was part of this staff member’s job.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1-£9,999,999
SOFT CHECK IF>£9,999
SINGLE CODE
-
No cost of this kind incurred
-
DO NOT READ OUT: Don’t know
-
DO NOT READ OUT: Prefer not to say
Q78P_DAMAGESTAFFB
ASK IF DON’T KNOW STAFF TIME COST OF THIS CYBER SECURITY BREACH OR ATTACK (DAMAGESTAFF CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
-
Less than £100
-
£100 to less than £500
-
£500 to less than £1,000
-
£1,000 to less than £5,000
-
£5,000 to less than £10,000
-
£10,000 to less than £20,000
-
£20,000 to less than £50,000
-
£50,000 to less than £100,000
-
£100,000 to less than £500,000
-
£500,000 to less than £1 million
-
£1 million to less than £5 million
-
£5 million or more
-
DO NOT READ OUT: Don’t know
Q78Q_DAMAGEIND
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
What was the approximate value of any damage or disruption during the incident? This includes:
- the cost of any time when staff could not do their jobs
- the value of lost files or intellectual property
- the cost of any devices or equipment that needed replacing.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1 - £9,999,999
SOFT CHECK IF > £9,999
SINGLE CODE
- No cost of this kind incurred
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: Prefer not to say
Q78R_DAMAGEINDB
ASK IF DON’T KNOW OTHER INDIRECT COST OF THIS CYBER SECURITY BREACH OR ATTACK (DAMAGEIND CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
- Less than £100
- £100 to less than £500
- £500 to less than £1,000
- £1,000 to less than £5,000
- £5,000 to less than £10,000
- £10,000 to less than £20,000
- £20,000 to less than £50,000
- £50,000 to less than £100,000
- £100,000 to less than £500,000
- £500,000 to less than £1 million
- £1 million to less than £5 million
- £5 million or more
- DO NOT READ OUT: Don’t know
Incident response
Q63A_INCIDCONTENT
ASK ALL
Which of the following, if any, do you have in place, for when you experience a cyber security incident? By incident, we mean any breach or attack that requires a response from your organisation.
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST
- Written guidance on who to notify
- Roles or responsibilities assigned to specific individuals during or after an incident
- External communications and public engagement plans
- A formal incident response plan
- Guidance around when to report incidents externally, e.g. to regulators or insurers
SINGLE CODE
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: None of these
Q63B_INCIDACTION
ASK ALL
IF ANY BREACHES OR ATTACKS (TYPEDUM CODES 1-12): Which of the following, if any, have you done in response to any cyber security incidents you experienced in the last 12 months?
IF NO BREACHES OR ATTACKS (ELSE): Which of the following, if any, do you plan to do if you experience a cyber security incident?
READ OUT STATEMENTS
Please select one answer for each statement
IF CATI: ASK ON SEPARATE SCREENS
IF WEB: ASK AS A COLLAPSIBLE GRID
RANDOMISE LIST
a. Keep an internal record of incidents
b. Attempt to identify the source of the incident
c. Make an assessment of the scale and impact of the incident
d. Formal debriefs or discussions to log any lessons learnt
e. Inform your [IF BUSINESS: directors/IF CHARITY: trustees/IF EDUCATION: governors] or senior management of the incident
f. Inform a regulator of the incident when required
g. ASK IF HAVE CYBER INSURANCE (CODES 1-2 AT INSUREX): Inform your cyber insurance provider of the incident
h. Use an NCSC-approved incident response company
SINGLE CODE
- Yes
- No
- DO NOT READ OUT: Don’t know
- DO NOT READ OUT: Depends on/did not reflect the severity or nature of the incident
Recontact and follow-up
Q79_RECON
ASK ALL
Ipsos expects to undertake further research on the topic of cyber security within the next 12 months. In these research studies, we would again randomly sample businesses in your industry sector and your business may be selected. In this case, having your individual contact details would save us from having to contact your switchboard, or email another part of your business.
With this in mind, would you be happy for us to securely hold your individual contact details for this purpose for the next 12 months?
SINGLE CODE
- Yes
- No
Q80_REPORT
ASK IF WEB (MODETYPE = WEB/ONLINE)
OR
ASK IF TELEPHONE (MODETYPE = CATI) AND ANSWER “PREFER NOT TO SAY” TO ALL COST QUESTIONS (DAMAGEDIRS, DAMAGEDIRL, DAMAGESTAFF, DAMAGEIND ALL REF)
Would you like us to email you a copy of last year’s report and a Government help card, with links to the latest official cyber security guidance for organisations like yours?
SINGLE CODE
- Yes
- No
Q81_EMAIL
ASK IF WANT VALIDATION SURVEY (VALIDATE CODE 1) RECONTACT (RECON CODE 1) OR REPORT/HELPCARD (REPORT CODE 1)
Can we please take your contact details, so we can contact you only for the agreed reasons?
PROMPT TO CODE
SCRIPT TO COLLECT CONTACT NAME, CONTACT JOB TITLE, VALID EMAIL AND VALID TELEPHONE IN 4 SEPARATE BOXES
- Prefer not to say
SEND WEB INVITE IF VALIDATE CODE 1
SEND FOLLOW-UP EMAIL IF REPORT CODE 1
SHOWSCREEN_END
SHOW TO ALL
Thank you for taking the time to participate in this study. You can access the privacy notice online at www.gov.uk/government/publications/cyber-security-breaches-survey. This explains the purposes for processing your personal data, as well as your rights under data protection regulations to:
- access your personal data
- withdraw consent
- object to processing of your personal data
- and other required information.
CLOSE SURVEY
Appendix B: Topic guide
Cyber Security Breaches Survey 2025 - Qualitative topic guide
| Structure of the topic guide (for interviewers) | Timings |
| --- | --- |
| Introduction | 2-3 minutes |
| Perception of cyber security risk | 2-3 minutes |
| Cyber security practices | 10 minutes |
| Cyber security leadership and governance | 10 minutes |
| Incident response | 10 minutes |
| Reporting and data protection | 10-15 minutes |
| Cost of breaches (modular) / DSPs (modular) | 5-10 minutes |
| Summary and wrap-up | 5 minutes |
Introduction (FOR ALL) 2-3 minutes
- Introduce yourself and Ipsos: My name is MODERATOR TO ADD NAME and I am a researcher working for Ipsos, an independent research organisation.
- Explain research: The Department for Science, Innovation and Technology (DSIT) and the Home Office have commissioned Ipsos to carry out this study which involves talking to businesses and charities to get a better understanding of their cyber security policies and processes. This was also covered in the Cyber Security Breaches Survey that took place in 2024 which you or someone in your organisation has responded to. This interview will provide an opportunity to discuss some issues in more detail.
- The interview: The discussion will be informal. There are no right or wrong answers.
- Explain confidentiality: The contents of our discussion are completely confidential, and all findings are reported on anonymously. This means that no identifiable information will be shared with the Department for Science, Innovation and Technology or any other parties.
- Explain payment for participation. You will receive £50 as either a shopping voucher or charity donation as a thank you for your time. (ONLY IF THEY ASK: Let participants know that it takes a maximum of 8 working days for them to receive the incentive.)
- Explain voluntary participation: If you wish to end the discussion at any time, please let me know. Your participation in this research is voluntary.
- Length of the interview: This discussion will last a maximum of 60 minutes.
- Questions: Do you have any questions before we begin?
- Consent to audio record: I would like to record our discussion, as this helps with making notes and analysis. Recordings are used only for analysis purposes and are stored securely and deleted 12 months after the interview takes place.
MODERATOR TO TURN ON RECORDING
GDPR added consent (MODERATOR TO ASK ONCE RECORDER IS ON)
Ipsos’s legal basis for processing your data is your consent to take part in this research. Your participation is voluntary. You can withdraw your consent for your data to be used at any point before, during or after the interview and before data is anonymised at the end of February 2025.
Can I check that you are happy to proceed?
Perception of cyber security risk (ASK ALL) 2-3 minutes
- Briefly, what would you say are the top 2-3 cyber security priorities for your organisation right now?
- How has awareness of cyber resilience and cyber risks (e.g. cyber espionage, IP theft, data breaches, hacks and leaks, impact on reputation) changed over the last 12 months?
- What prompted these changes, if any?
- What impact have these changes had, if any?
- Have current economic conditions had an impact on your awareness of or attitudes towards cyber resilience and cyber risks? Have they impacted on your ability to implement tools / software that will spot cyber security breaches?
- How do you see cyber resilience and cyber risks changing over the next 12 months?
- How do you see your investment changing over the next 12 months?
- Why do you say that?
Cyber security practices 10 minutes
- Can you briefly summarise your organisation’s overarching approach to cyber security? Why do you take this approach?
- How do you formalise this approach, if at all?
- Can you please tell us about the external cyber security standards and accreditations your organisation has adopted.
- What made you decide to apply for this? PROBE: internal pressure (e.g. board members), external pressure/requirements from clients, investors, insurance providers, for branding/marketing, etc.
- What made you choose this standard over others? PROBE: ISO 27001, Cyber Essentials, Cyber Essentials Plus, NIST
- What involvement did your board/executive team have in this? How well do they understand this standard and what it means?
- How has this standard improved your cyber security? What changes did you have to make to meet this standard, if any?
- Are your cyber security measures impacted by the rules and regulations set out by the Information Commissioner’s Office?
- IF ANSWERED THAT CYBER SECURITY IS A LOW PRIORITY: You said in the previous interview that cyber security wasn’t a high priority for your organisation. Are you able to go into a bit more detail about this and why it isn’t currently a high priority?
- IF ANSWERED LIMITED/NO PLAN FOR CYBER SECURITY INCIDENT: If a major cyber attack or cyber incident were to occur tomorrow, what actions do you think your staff would take in response?
- IF ANSWERED SOME PLAN FOR CYBER SECURITY INCIDENT: You mentioned in the survey that you have plans in place if you experience a cyber security incident [SEE SURVEY RESPONSE AT Q63A/B].
- What types of cyber security incidents does this cover?
- How do you go about preparing against cyber security incidents?
- Who is responsible for signing these off? What guidance or advice do you receive on this, and from whom?
- If you use suppliers, how confident do you feel about the cyber security practices of your suppliers?
- Why?
- How do you assess the cyber security practices of your suppliers?
- Do you think your clients are confident that your organisation has adequate cyber security?
- Why/why not?
- Does your organisation have Cyber Essentials? If so, why do you have this? If not, why not?
- Do you ask your suppliers to have Cyber Essentials? Why/why not?
- Would you work with a supplier who doesn’t have Cyber Essentials? Why/why not?
- Do your clients ask you about Cyber Essentials?
- How does your organisation manage cyber risks in its supply chain?
- Is Cyber Essentials used to manage risks from supply chains? If so, why? If not, why not? Supply chains include a supplier’s supplier, not just a direct supplier.
- Does your organisation have cyber insurance? Why/why not?
- If your organisation does have cyber insurance, have you made any claims? Why/why not?
- When purchasing software for your organisation, what role does cyber security have in the decision-making process?
- Does this vary depending on the type of software purchased? In what ways does it vary?
- Why have a role/why not have a role?
Cyber security leadership and governance (ASK ALL) 10 minutes
- Who is responsible for cyber security and how do they report to the board?
- If not at executive level, who in the organisation is delegated this responsibility?
- How does this delegation occur?
- How closely are board members (directors, trustees etc.) and your executive team (CEOs etc.) involved in cyber security decisions?
PROBE INVOLVEMENT IN:
- Deciding what your cyber security priorities/critical assets are
- Spending decisions (including staffing and outsourcing)
- Incident response
- How does the board monitor and update your approach to cyber security?
- What is contained in your cyber security strategy, whether that strategy is formal or informal?
- How frequently is cyber security discussed at the Board or at senior management meetings (e.g. ad hoc, standing agenda item)?
- How well do they (members of Board or executive team) understand your cyber security approach?
- What bits do they understand well/less well? What further support would you want to see from them on cyber security?
- How do cyber security risks fit into wider risk management?
- How frequently do you assess the threat environment, technology developments and your capabilities?
- What current guidance do you use to help develop and implement your cyber security strategy?
- Why do you use this guidance?
- How did you hear about this guidance?
- Do you receive any support or advice from external experts around cyber security? If so, from who (e.g. outsourced providers, auditors)? Why do you need to use these?
Incident response (ASK ALL) 10 minutes
[SEE SURVEY RESPONSES TO Q63A / Q63B FOR CONTEXT AND REPHRASE QUESTIONS ACCORDINGLY]
We’d now like to move away from incident planning and ask you about incident response in the aftermath of a breach.
- [FOR RESPONDENTS WITH AN INCIDENT RESPONSE PLAN AT Q63A] How often, if at all, is your incident response plan tested? Interviewer note: For those with an incident response plan, please probe beyond formal plan/process where appropriate such as staff attitudes to incident plans
- What is the first thing you would do when you notice any suspicious activity?
- How do you assess the severity / potential impact of an incident or breach?
- Would you be able to briefly walk us through the journey of how you typically respond to an impactful breach?
- In the survey you said you [SEE SURVEY RESPONSES TO Q63A / Q63B] in response to a breach. Is this consistent across all breaches? What drives you to take action? What other actions do you take?
- How has your actual response to a severe breach differed from what was planned? How did this impact the overall response? IF TALKING ABOUT RANSOMWARE: Did it involve making payments?
- What do you do once the breach has been contained? Why is this?
- In what stage and type of incident would you involve the Board or senior management?
- How do you think your approach to incident response can be improved? What kind of support would you need in helping to address this?
- Do you have a policy or rules around post-incident reviews with the board and management?
- Under what circumstances would you not report a cyber security incident or breach to the board? Why not?
Cyber reporting and data protection (ASK ALL) 10-15 minutes
- Have you ever had a serious breach you did not report to anyone externally? IF YES: Please talk me through the breach and why you didn’t report it.
PLEASE REMIND PARTICIPANT ALL RESPONSES ARE ANONYMOUS
- What types of cyber security incident would lead to you alerting any of the following bodies or groups:
- A regulator
- Your bank or insurance company
- The police or a related body like Action Fraud: what kinds of breaches do you think they are interested in hearing about? Had you heard of Action Fraud before (https://www.actionfraud.police.uk/)?
- The National Cyber Security Centre: what kinds of breaches do you think they are interested in hearing about?
- Your clients, customers, investors or suppliers
- What do you think the result of reporting a breach to the police or a related body like Action Fraud might be?
- Do you feel this would help or hinder your organisation?
- Have you previously reported breaches to any of the bodies or groups mentioned above?
- IF YES: Please talk me through the breach and the decision behind reporting it.
- What were the advantages and disadvantages of reporting? PROBE: ON WHETHER THEY THOUGHT REPORTING MADE THEM IDENTIFIABLE TO THE PUBLIC OR CLIENTS AND CUSTOMERS
- How did you decide who to report the breach to? Did you receive any third party advice on actions to take?
- IF NOT REPORTED A BREACH: Please talk me through what informed this decision (e.g. cost / benefit, third party influence).
Now we would like to think about data protection considering potential cyber security incidents.
- A cyber security incident or breach can sometimes facilitate other crimes such as fraud, resulting in clients and customers, as well as the organisation itself, becoming victims of these other crimes. To what extent, if at all, have the potential knock-on impacts on your clients and customers informed the approach that your organisation takes towards cyber security?
- How important is data protection within your cyber security approach?
- How important is data protection generally to your organisation?
- Are you aware that stolen data can be sold onwards to others to commit other offences such as fraud?
- How do you protect clients’, customers’ and your organisation’s data?
- Do you add extra protections to personal data of clients, customers and employees, such as encryption?
PROBE: WHAT ARE THESE EXTRA PROTECTIONS?
If needed: personal data is information that relates to an individual or can be linked back to an individual, and non-personal data is any other data
- IF HAD A BREACH: What did you do to notify clients, customers and employees if personal data had been stolen?
- IF NOT REPORTED A BREACH: What would you do to notify clients, customers and employees if personal data had been stolen?
- Would this approach change depending on the data type, i.e. for non-personal data?
Cost of breaches (MODULAR, LISTED IN THE SAMPLE PROFILE) 5-10 minutes
In the survey you said that your organisation incurred a cost related to your most disruptive cyber security incident. The following questions all relate to your most disruptive cyber security incident.
- How much is the estimated cost to the organisation from your most disruptive incident?
- How have you calculated this cost?
- PROBE: on factors like staff hours, replacing equipment, external payments
- What made this incident the most disruptive? Are there any other factors outside cost that meant it was the most disruptive?
- PROBE on other factors such as number of people it reached, public profile
- Were these costs in any cyber security risk planning? Why/why not?
- How has the cost of this incident influenced your organisation’s future cyber security incident planning?
Digital Service Providers (MODULAR, LISTED IN THE SAMPLE PROFILE) 5-10 minutes
This section is about Digital Service Providers, or DSPs, that manage a suite of IT services like your network, cloud computing and applications. In the survey, you said your organisation used one or more DSPs. This may include Managed Service Providers (MSPs).
- What do(es) your DSP(s) provide? Is it a software package or a service? How essential are they to your continuity of production/service?
- What access to your data does your DSP(s) possess?
- Does this include sensitive data or any essential services?
- What were the factors involved in choosing your DSP(s)?
- Was cyber security one of the considerations? IF YES: How much of a priority would you say this was compared to other factors (e.g. price, reliability, word of mouth)?
- Do you feel you receive enough information from your DSP(s) to make informed and effective decisions?
- What information would you like to receive but don’t?
- How much of a risk do you think your DSP(s) poses to your organisation’s cyber security?
- Have you discussed this with them? How willing are they to discuss it/share information on their cyber security?
- Has this been discussed with the board/executives? Have they had any involvement in managing DSP risk?
- Does your contract with your DSP say anything about cyber security? What’s covered?
- Who is responsible for cyber security between them and you, when it comes to their service? E.g. for incident response?
Summary & wrap-up 5 minutes
What is the key thing you would like to feed back to the Department for Science, Innovation and Technology and the Home Office about what we have discussed today?
Is there anything else you’d like to mention that we haven’t had a chance to discuss?
The Department for Science, Innovation and Technology or the Home Office may want to do some follow-up research on this subject in the future. Would you be happy to be contacted by DSIT / Ipsos / Home Office for future research?
- INCENTIVE: Thank participant and remind them of confidentiality. Explain that they can get in touch if they have any further comments or questions about the research. Remind them of the £50 as either a shopping voucher or charity donation thank you from Ipsos, as an appreciation for their time and contribution to the research. (ONLY IF THEY ASK: Let participants know that it takes a maximum of 8 working days for them to receive the incentive.)
Appendix C: Further information
A1. The Department for Science, Innovation and Technology and the Home Office would like to thank the following people for their work in the development and carrying out of the survey and for their work compiling this report.
- Alice Stratton, Ipsos
- Nada El-Hammamy, Ipsos
- Hannah Harding, Ipsos
- Jono Roberts, Ipsos
- Eva Radukic, Ipsos
- Jayesh Shah, Ipsos
A2. The Cyber Security Breaches Survey was first published in 2016 as a research report, and became an Official Statistic in 2017. The previous reports can be found at https://www.gov.uk/government/collections/cyber-security-breaches-survey. This includes the full report and the technical and methodological information for each year.
A3. The lead DSIT analyst and responsible statistician for this release is Saman Rizvi. The lead Home Office analyst for this release is Eleanor Fordham. For enquiries on this release, from an official statistics perspective, please contact DSIT at cybersurveys@dsit.gov.uk.
A4. The Cyber Security Breaches Survey is an official statistics publication and has been produced to the standards set out in the Code of Practice for Official Statistics. Details of the pre-release access arrangements for this dataset have been published alongside this release.
- This work was carried out in accordance with the requirements of the international quality standard for Market Research, ISO 20252.
- Please see Section 2.3 Sampling under the heading ‘Education institutions population and sample frame’ for the full list of databases from which the population is sourced.
- The population of Further Education institutions is compiled by combining the Get Information About Schools database, the Welsh Government Further Education Institutions contact details page, the Colleges Scotland directory, and the NI Direct FE College directory.
- The population of Higher Education institutions is compiled by using Universities UK to obtain a list of all UK universities, which is cross-referenced against the comprehensive list of Recognised Bodies on gov.uk.
- Whether a cyber-facilitated fraud has taken place is derived from the questions in the survey asking about the breaches and attacks that have been experienced. Whether or not the breaches or attacks that led to fraud constituted a cyber crime is not verified. We therefore cannot explicitly say that cyber-facilitated fraud captured in the survey was the result of a cyber crime. However, we hypothesise that the cyber breaches or attacks that led to fraud would have been successful, and therefore that where a cyber-facilitated fraud has occurred, it will most likely be the result of cyber crime.
- Minor wording modifications at the questions on ransomware were made to increase the specificity of answers, by changing the language from asking about ‘successful’ attacks that overcame internal or third-party software to instead asking about ‘attacks where a financial ransom was demanded’.
- Department for Business and Trade Business Population Estimates 2024, Table 5.
- See https://www.gov.uk/government/publications/information-security-breaches-survey-2015 for the final survey in this series. This was preceded by earlier surveys in 2014, 2013 and 2012. We reiterate that these surveys are not representative of all UK businesses and are not comparable to the Cyber Security Breaches Survey series.
- Department for Business and Trade Business Population Estimates 2024, Table 1.
- https://register-of-charities.charitycommission.gov.uk/register/full-register-download
- https://oscr.blue2web.co.uk/about-charities/search-the-register/download-the-scottish-charity-register/
- Welsh Government Further Education Institutions contact details page.
- These are organisations that work for a social purpose but are not registered as charities, so are not regulated by the UK’s charity regulators.
- SIC sectors here and in subsequent tables in this report have been combined into the sector groupings used in the main report.
- At the time of writing, the 2024 survey was the latest publication available.
- See, for example, Groves and Peytcheva (2008) “The Impact of Nonresponse Rates on Nonresponse Bias: A Meta-Analysis”, Public Opinion Quarterly (available at: https://academic.oup.com/poq/article-abstract/72/2/167/1920564) and Sturgis, Williams, Brunton-Smith and Moore (2016) “Fieldwork Effort, Response Rate, and the Distribution of Survey Outcomes: A Multilevel Meta-analysis”, Public Opinion Quarterly (available at: https://academic.oup.com/poq/issue/81/2).
- There is a possibility that others in the sample categorised these types of incidents erroneously as cyber breaches or attacks, and indeed other similar cyber incidents may have been classified as a breach or attack too. However, the final results do not suggest the categories of malware or denial of service attacks have been inflated relative to what would have been expected (based on 2024 results).
- The default SPSS setting is to round cell counts and then calculate percentages based on integers.