Closed call for evidence

Cyber Security Breaches Survey: User-engagement exercise

Summary

The government is seeking views from users of the Cyber Security Breaches Survey on how it could be developed and improved in future.

This call for evidence ran from
to

Call for evidence description

The Cyber Security Breaches Survey (CSBS) is an ongoing quantitative and qualitative research study. The questions currently cover a comprehensive suite of issues, including:  

  • Frequency and types of cyber breaches and crimes, associated impacts and outcomes experienced 
  • Corporate reporting of cyber security breaches and crimes 
  • Cyber security policies and processes 
  • Supplier standards. 

The findings of the CSBS are representative of UK businesses, charities and educational institutions. They help organisations understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure. This research supports the government’s work to shape future cyber security policy and to work with industry to improve the UK’s cyber defences and protect our economy and essential public services.

The CSBS is conducted by an external supplier. The Department for Science, Innovation, and Technology (DSIT) holds and manages the contract. The Home Office is currently responsible for the cyber crime section of the survey and has been the co-funder for the CSBS since 2023. The current contract for the CSBS concludes in 2025. However, DSIT and the Home Office plan to continue this research due to its value in informing policy context and decision making, and its widespread use by stakeholders.  

The aim of this engagement survey is to collect user and stakeholder feedback on different aspects of CSBS for 2026 onwards, and to understand their views on the proposed changes to the CSBS. 

Feedback is requested in line with the Code of Practice for Statistics, which sets out that: 

“Users of statistics and data should be at the centre of statistical production; their needs should be understood, their views sought and acted on, and their use of statistics supported”.  

“Statistics producers should periodically review whether to continue, discontinue, adapt or to provide the statistics through other means, in discussion with users and other stakeholders.”

How to respond

This survey will take approximately 10 minutes to complete. Responses can be submitted via our online survey.

If you would prefer, you can also respond via email. Please send emails to [email protected]

This questionnaire can be completed anonymously, and most respondent information fields are not mandatory (* = mandatory response).

Data collected from this survey will form the evidence base for the further development of the CSBS. Anonymised findings from the data collected will be shared with DSIT and the Home Office. No individuals will be identifiable.  

The information we receive will allow us to make more informed decisions. 

  • A summary of findings will be published in response to this public engagement exercise within 12 weeks of the public engagement exercise closing (by 31 January 2025). No individuals will be identifiable in the published results. 
  • Please read the privacy notice for more information on the data collected as part of the engagement exercise. 

If you have questions about this survey or on the CSBS, please email [email protected]

This public engagement exercise closes at 23:59 on Monday 4 November 2024.

Future directions and key changes

DSIT and the Home Office wish to incorporate the following changes in the CSBS.

Questions to be amended: 

Previous editions of the CSBS have provided estimates of the proportion of organisations who experience a cyber breach. This has helped identify the number of cyber crime incidents. Reflecting policy interest, a few survey questions were included to understand the volume as well as costs of various types of cyber breaches and crimes for organisations and whether they were successful in breaching perimeter defences. 

Current questions in this research cover areas such as:  

  • How much do cyber-attacks and cyber crimes cost? (including business disruption, lost business, recovery costs, etc.) 
  • How much are businesses spending on cyber security? 

We intend to keep the questions around the nature and volume of cyber breaches and crimes, as well as the questions around estimates that are important to understand the ability of existing government interventions to drive cyber resilience. The incidents questions also feed into the wider cyber security workstream at DSIT. However, the follow-up or standalone cost questions need to be revised and amended following concerns over their accuracy. Estimates of the cost of cyber crimes experienced by organisations are a useful indicator, although the accuracy of the related cost questions could be improved, and suggestions for improvements are therefore welcomed.

Potential areas for future inclusion: 

  1. Follow-up questions on supply chain cyber security: Given the growing concerns around supply chain vulnerabilities, we plan to add follow-up questions to the existing questions on supply chain cyber security.
  2. Follow up questions on cyber insurance: While previous CSBS findings suggest that risk awareness continues to rise, organisations still need to assess their cyber insurance needs and overall enhance their resilience. We plan to include follow-up questions in this area. 
  3. New/follow-up questions on software cyber security: Ensuring the cyber security of software used by organisations is essential, as vulnerabilities in software can lead to data breaches, system compromises, and other cyber incidents. Therefore, we also plan to add follow-up questions to the existing software cyber security question.
  4. New questions on AI cyber security: We would like to include some questions on AI cyber security, primarily to understand how businesses implement cyber security practices and processes around the AI technology they deploy.  
  5. AI-facilitated cyber crime: Given the growing use of AI, we would like to incorporate questions to understand businesses’ experiences of AI-facilitated cyber crime and what security measures organisations may have in place to help protect against it.
  6. Data security: Ensuring the security of customers’ and organisations’ own data is essential, as data breaches can lead to fraud and other crimes. Therefore, we are keen to incorporate questions on how data security is part of organisations’ wider cyber security strategy. For example, we want to know what organisations are doing to protect data in the event of a breach.

If agreed and prioritised, these will be new additions for the CSBS for 2026 onwards.

Updates to this page

Published 2 October 2024
