Cyber security breaches survey 2025/2026: technical report
Published 30 April 2026
Introduction
This Technical Annex provides the technical details of the Cyber Security Breaches Survey 2025/2026. It covers the quantitative survey (fieldwork carried out between August and December 2025) and the qualitative element (carried out between October and November 2025), and includes copies of the main survey instruments (in the appendices) to aid with interpretation of the findings.
The annex supplements a main Statistical Release published by the Department for Science, Innovation and Technology (DSIT), covering this year’s results for businesses and charities.
There is another Education Institutions Findings Annex, available on the same GOV.UK page, that covers the findings for schools, colleges and universities.
The Cyber Security Breaches Survey is a research study on UK cyber resilience. It is primarily used to inform government policy on cyber security, making the UK cyberspace a secure place to do business. The study explores the policies, processes and approach to cyber security, for businesses, charities and educational institutions. It also considers the different cyber breaches or attacks and cyber crimes these organisations face, as well as how these organisations are impacted and respond.
For this latest release, the quantitative survey and qualitative interviews were carried out between August and December 2025.
Lead analyst:
Emma Johns (DSIT)
Responsible statisticians:
- Saman Rizvi (DSIT)
- Lamyr Megnin (Home Office)
Enquiries:
Chapter 1: Overview
1.1 Summary of methodology
As in previous years, there were two strands to the Cyber Security Breaches Survey:
- We undertook a random probability telephone and online survey of 2,112 UK businesses, 1,085 UK registered charities and 577 education institutions from August to December 2025. The data for businesses and charities have been weighted to be statistically representative of these two populations
- We carried out 44 in-depth interviews between October and November 2025, to gain further qualitative insights from some of the organisations that answered the survey
Sole traders and public-sector organisations (with the exception of educational institutions) were outside the scope of the survey. In addition, businesses with no IT capacity or online presence were deemed ineligible. These exclusions are consistent with previous years of the survey.
This year’s survey methodology is consistent with last year’s. Minor changes were made to last year’s questionnaire, and some new questions were added. These changes are detailed in Chapter 2 in the section ‘Changes made to the questionnaire for the 2025/2026 survey’.
1.2 Naming convention for reference period of the Cyber Security Breaches Survey
For this year’s survey, DSIT and the Home Office (HO) decided to update the naming convention used for reference periods for the Cyber Security Breaches Survey from a single year label (e.g. CSBS 2025) to a dual-year format (that is, CSBS 2025/2026 or CSBS 2025 to 2026). This change aims to reduce confusion, as previously the survey’s title aligned with the year of publication but did not typically align with when the fieldwork was conducted, potentially misleading users about the timeframe of the findings. The dual-year approach reflects common UK government reporting practices, especially for activities spanning two calendar years or fiscal years.
Table 1.1 maps how previous CSBS surveys and fieldwork periods relate to the labelling convention in this year’s report.
Table 1.1: CSBS survey references and fieldwork dates
| Previous survey reference | Fieldwork period | Updated survey reference |
|---|---|---|
| CSBS 2016 | November 2015 to February 2016 | CSBS 2015/2016 |
| CSBS 2017 | October 2016 to January 2017 | CSBS 2016/2017 |
| CSBS 2018 | October 2017 to December 2017 | CSBS 2017/2018 |
| CSBS 2019 | October 2018 to December 2018 | CSBS 2018/2019 |
| CSBS 2020 | October 2019 to December 2019 | CSBS 2019/2020 |
| CSBS 2021 | October 2020 to January 2021 | CSBS 2020/2021 |
| CSBS 2022 | October 2021 to January 2022 | CSBS 2021/2022 |
| CSBS 2023 | September 2022 to January 2023 | CSBS 2022/2023 |
| CSBS 2024 | September 2023 to January 2024 | CSBS 2023/2024 |
| CSBS 2025 | August 2024 to December 2024 | CSBS 2024/2025 |
| CSBS 2025/2026 | August 2025 to December 2025 | CSBS 2025/2026 |
1.3 Strengths and limitations of the survey overall
While there have been other surveys about cyber security in organisations in recent years, these have often been less applicable to the typical UK business or charity for several methodological reasons, including:
- focusing on only larger organisations employing cyber security or IT professionals, at the expense of small organisations (with under 50 employees) that typically do not employ a professional in this role. Missing out these small organisations means the population is not well represented as they make up the overwhelming majority of the business and charity populations
- covering several countries alongside the UK, which leads to a small sample size of UK organisations
- using partially representative sampling or online-only data collection methods
By contrast, the Cyber Security Breaches Survey is intended to be statistically representative of UK businesses of all sizes and all relevant sectors, and of UK registered charities in all income bands.
The 2025/2026 survey shares the same strengths as previous surveys in the series:
- the use of random probability sampling and interviewing to minimise selection bias
- the inclusion of micro and small businesses, and low-income charities, which ensures that the respective findings are not disproportionately skewed towards larger organisations
- a data collection approach predominantly conducted by telephone, which aims to also include businesses and charities with less of an online presence (compared to online-only surveys)
- a comprehensive attempt to obtain self-reported frequency and cost data from respondents, giving respondents flexibility in how they can answer (e.g. allowing numeric and banded amounts). It should be noted that we obtain perceived estimates and not audited economic valuations
- a consideration of the cost of an organisation’s most disruptive cyber security breach or attack beyond the immediate direct costs (i.e. explicitly asking respondents to consider longer-term direct costs, staff time costs, as well as other indirect costs, while giving a description of what might be included within each of these cost categories)
At the same time, while this survey aims to produce the most representative, accurate and reliable data possible with the resources available, it should be acknowledged that there are inevitable limitations of the data, as with any survey project. The following might be considered the main limitations:
- Organisations can only tell us about the cyber security breaches or attacks that they have detected. There may be other breaches or attacks affecting organisations, but which are not identified as such by their systems or by staff, such as a virus or other malicious code that has so far gone unnoticed. Therefore, the survey may tend to systematically underestimate the real level of breaches or attacks. This equally applies to the cyber crime and cyber-facilitated fraud prevalence and scale estimates, given that these types of crimes emanate from cyber security breaches and attacks.
- The business survey intends to represent businesses of all sizes. As the Department for Business and Trade Business Population Estimates 2025 show, the UK business population is predominantly made up of micro and small businesses (respectively 81% and 16% of all businesses excluding sole traders). This presents a challenge as these businesses, due to their smaller scale and resource limitations, typically have a less mature cyber security profile. This may limit the insights this study in isolation can generate into the more sophisticated cyber security issues and challenges facing the UK’s large business population, and the kinds of high-impact cyber security incidents that appear in the news and media. Nevertheless, the study design attempts to balance this by boosting survey responses among medium and large businesses (and high-income charities). Moreover, up until 2025 DSIT undertook a separate survey series focused on larger organisations, the Cyber Security Longitudinal Survey, partly to address this limitation.
- Organisations may be inclined to give answers that reflect favourably on them in surveys about cyber security (a form of social desirability bias), given the common perceptions of reputational damage associated with cyber security incidents. Furthermore, organisations that have suffered from more substantial cyber security incidents may be less inclined to take part because of this. This may result in surveys like this one under-counting the true extent and cost of cyber security incidents, although we have no direct evidence of this (for example from cognitive testing). Moreover, we make a concerted effort to overcome this in the administration of the survey. We make it clear to respondents, across a range of communication materials, that their answers are confidential and anonymous.
- A significant challenge remains in terms of designing a methodology that accurately captures the financial implications of cyber security incidents, given that survey findings necessarily depend on self-reported costs from organisations. As previous years’ findings and government research from 2020 on the full cost of cyber security breaches suggest, there is no consistent framework across organisations at present that supports them to understand and monitor their costs, and many organisations do not actively monitor these costs at all. We have therefore amended the wording throughout the costs sections this year to refer to costs as ‘perceived’ costs.
- The total populations of further and higher education institutions available in the sample frame[footnote 1] are small (342[footnote 2] and 175[footnote 3] respectively for this year’s survey). This limits the ability to achieve relatively high sample sizes among these groups. It results in much higher margins of error for the survey estimates for these groups, compared to businesses, charities and schools.
1.4 Cyber crime statistics
Questions on cyber crime, and on fraud that occurs as a result of cyber breaches or attacks (i.e. cyber-facilitated fraud)[footnote 4] in UK organisations were introduced for the first time in the 2022/2023 survey. These questions were re-drafted significantly for the 2023/2024 survey to make questions clearer and responses more accurate. For the 2024/2025 survey, only minor edits were made to the cyber crime questions to aid accuracy. These changes were overseen by both DSIT and the Home Office. More detail on these changes can be found in Section 2.1 of this annex.
The survey includes estimates for:
- the prevalence of cyber crime, i.e. how many organisations are affected by it
- the nature of these cyber crimes
- the scale of cyber crimes, i.e. the number of times each organisation experienced a cyber crime, and estimates for the total number of cyber crimes against UK organisations
- the financial cost of cyber crime
- a similar set of statistics with regards to frauds that occur as a result of cyber breaches or attacks (cyber-facilitated fraud)
The survey approaches these estimates in a similar way to existing official estimates of crime against individuals. This includes police-recorded crime as well as the estimates from the general public Crime Survey for England and Wales (CSEW), both of which follow the Home Office Counting Rules. The approach aims to be as robust as possible, in the following ways:
- Comprehensiveness: the questionnaire was set up to measure multiple types of cyber crime, relating to ransomware, viruses and other malware, unauthorised access to data, online takeovers, denial of service and phishing. Cyber-facilitated fraud is counted separately, as a different category of crime.
- Isolating criminal acts: the survey asks a series of questions to establish whether the cyber security breaches or attacks that organisations have experienced are crimes. It systematically aims to exclude cyber attacks that were stopped by software and breaches where the organisation was not deliberately targeted (e.g. accidental accessing of confidential data by employees). It only includes phishing attacks where the organisation confirmed either that employees engaged in some way (e.g. by opening an attachment) or that the attack was specifically targeted at the organisation (the attackers referred to the organisation or its staff by name, or included personal or contact details in any messages), and where no other crime followed from it. From the 2024/2025 survey onwards it only includes ransomware attacks where a ransom was demanded.
- The questions were asked in a hierarchical structure to align with the Home Office Counting Rules and ensure that where a series of attacks were inter-linked as part of one wider incident, only one ‘principal crime’ is recorded. For example, instances of unauthorised access may have led to subsequent events, such as ransomware, other malware or cyber-facilitated fraud. In these instances, only the ‘principal crime’ is recorded as a crime. This avoids double-counting, in line with the Home Office Counting Rules.
Whilst it does remain methodologically challenging to achieve robust estimates of cyber crime via a survey method, we are able to compare this year’s results for cyber crime and cyber crime costs against the baseline in 2023/2024 and against the 2024/2025 results.
We are unable to compare cyber crime results to any wave before 2023/2024 due to significant changes made to the cyber crime section of the questionnaire in 2023/2024.
The 2025/2026 questionnaire included a new question to capture the perceived costs associated with phishing cyber crime. Phishing cyber crime costs have therefore been merged into the overall crime cost variable (crimecost_num) and into the crime cost variable that excludes any costs from fraud (notfraudcost_num) in the dataset. A new variable (notfraudORphishcost_num) has been created to allow comparison with previous years; it includes cyber crime costs excluding costs from fraud or from phishing cyber crime.
The questionnaire changes between 2023/2024 and 2024/2025 did include some edits to the questions used to obtain cyber-facilitated fraud estimates. The questions were changed to ask organisations to specifically include instances of fraud that occurred as a result of phishing attacks. On this basis, whilst we are able to compare the latest 2025/2026 results against the last wave in 2024/2025, we are unable to directly compare cyber-facilitated fraud estimates, including prevalence and cost, to 2023/2024.
The cyber crime statistics should ideally be considered alongside other, related evidence on computer misuse, such as the Crime Survey for England and Wales (CSEW). The CSEW and Cyber Security Breaches Survey are not directly comparable, as the CSEW does not look at crime against organisations and excludes Scotland and Northern Ireland. However, it does provide a benchmark for the scale of cyber crime against individuals in England and Wales, to help contextualise the equivalent results for UK organisations in this survey.
1.5 Methodology changes from previous waves
One of the objectives of the survey is to understand how approaches to cyber security and the cost of breaches are evolving over time. Therefore, the methodology is intended to be as comparable as possible to previous surveys in the series.
The core approach of a random-probability survey, predominantly conducted by telephone remains unchanged in 2025/2026. We therefore are able to continue to make comparisons to previous years.
This year a single change was made to the weighting approach for businesses. In previous years of the survey, business data was weighted by size and sector. This year some regions (including the Devolved Nations and the North East) were oversampled to boost interviews in these regions and allow for more robust analysis by region. Consequently, this year region weighting was also applied to businesses (as well as size and sector) to ensure that the region profile of businesses matched the overall UK business population. In previous years of the survey there was no need to weight businesses by region as the sample was proportionately stratified by business region and consequently interviews were achieved roughly in line with the regional profile of the UK business population. As such, we are still able to make comparisons to previous years where questions have remained the same or very similar.
The following points cover major changes or additions to the study that have been made in previous years:
- In the 2022/2023 survey, the sample frame was changed for businesses from the Inter-Departmental Business Register (IDBR) to the Market Location business database. This was done to improve the overall sample quality, accuracy and telephone coverage. More detail of how many records were sourced from Market Location and the proportion that had contact details is provided in Section 2.3. The Market Location business database has been used consistently since the 2022/2023 survey and the sample frames for charities and education institutions were consistent with previous years (see Section 2.3).
- In the 2022/2023 survey onwards, we adopted a multimode data collection approach, allowing organisations to take part partially or fully online as well as by phone. This matches the approach taken in other random probability business surveys since the COVID-19 pandemic and reflects the increasing need to offer organisations the flexibility to respond online under hybrid or remote working. More details are in Section 2.4.
- In the 2022/2023 survey onwards, for businesses and charities, we substantially increased the use of split-sampling (where certain questions are only asked to a random half of the sample). We also restricted various questions to larger organisations (medium and large businesses, and high-income charities). Both actions were taken to maintain a questionnaire length comparable to previous years.
- The agriculture, forestry and fishing sector was included in the business sample for the first time in 2021/2022. This is a small sector, accounting for 3.5% of all UK employers[footnote 5]. Its inclusion has a negligible impact on the comparability of findings across years, but increases the overall representativeness of our sampling methodology.
- The government’s 10 Steps to Cyber Security guidance was refreshed between the 2021/2022 and 2022/2023 studies. As such, the way the 10 steps mapped to the questionnaire changed, and this section of the Statistical Release is not comparable to releases pre-2022/2023.
- In 2020/2021, we substantially changed the way we collect data on the costs of breaches in the survey, as part of a reflection on findings from a separate 2020 research study on the full cost of cyber security breaches. These changes mean we cannot make direct comparisons between data from 2020/2021 onwards and previous years. We can, however, still comment on whether the broad patterns in the data are consistent with previous years, for example the differences between smaller and larger businesses, as well as charities.
- The charities sample was added in 2017/2018, while the education institutions sample was added in 2019/2020. The initial scope of the school and college samples were expanded from 2020/2021 to include institutions in Wales, Scotland and Northern Ireland, as well as England.
1.6 Comparability to the pre-2016 Information Security Breaches Surveys
From 2012 to 2015, the government commissioned and published annual Information Security Breaches Surveys.[footnote 6] While these surveys covered similar topics to the Cyber Security Breaches Survey series, they employed a radically different methodology, with a self-selecting online sample weighted more towards large businesses. Moreover, the question wording and order differ between the two series. This means that comparisons between surveys from the two series are not possible.
1.7 Margins of error
The survey results for businesses and charities are weighted to be representative of the respective UK population profiles for these organisations. The education institution samples are unweighted, but these groups are included as simple random samples, i.e. without any disproportionate stratification. As such, they are also considered to be representative samples. Therefore, it is theoretically possible to extrapolate survey responses to the wider population (with the exception of the financial cost data, as explained at the end of this section).
We recommend accounting for the margin of error in any extrapolated results. Table 1.2 shows the overall margins of error (MoE) for the sampled groups in the survey, for different survey estimates. Margins of error are calculated using a finite population correction (FPC), an adjustment that reduces the standard error (and thus the margin of error) when a sizeable fraction of a finite population is sampled without replacement.
As a worked through example, the overall business sample this year has a margin of error range of ±1.6 to ±2.6 percentage points depending on the prevalence or extremity of a response, based on a 95% confidence interval calculation. That is to say, if we were to conduct this survey 100 times (each time with a different sample of the business population), we would expect the results to be within 1.6 to 2.6 percentage points of the results we achieved here in 95 out of those 100 cases. The table below showing the expected ranges illustrates that survey results closer to a 50/50 response tend to have higher margins of error. This happens because the standard error is largest when the sample proportion is around 50%. If 90% of surveyed businesses said cyber security is a high priority for their senior management, this result would have a margin of error of ±1.6 percentage points, whereas if only 50% said this, the margin of error would be ±2.6 percentage points. The margins of error are calculated using the effective sample sizes (which take into account survey weighting). Figures are only reported on in the main report for effective sample sizes of 30 and above[footnote 7]. Where base sizes are shown on charts or in tables the unweighted base size is quoted to indicate the number of organisations that responded at the relevant question.
For questions only asked to half of respondents in our split-sampled questions, we have also included MoE calculations. Where the business and charities samples are roughly half of the size of the total cases, we have used the lower sample size of the two split-samples. For example, where the business questions are split-sampled, some questions were asked to a randomly selected 1,051 business respondents out of the total 2,112 (Half A) whereas some questions were asked to the remaining 1,061 (Half B). We have calculated the MoE for the 1,051. For charities Half A was made up of 530 charities and Half B was made up of 555 charities. We have calculated MoE for the 530.
Table 1.2: Margins of error (MoE) for each sample group at the 95% confidence level for different survey estimate outcomes (in percentage points)[footnote 8]
| Sample group | Sample size (unweighted) | Effective sample size (weighted) | 10% or 90% estimate | 30% or 70% estimate | 50% estimate |
|---|---|---|---|---|---|
| Businesses | 2,112 | 1,376 | ±1.6 | ±2.4 | ±2.6 |
| Businesses ‑ split-sampled (Half A) | 1,051 | 681 | ±2.3 | ±3.4 | ±3.8 |
| Charities | 1,085 | 777 | ±2.1 | ±3.2 | ±3.5 |
| Charities ‑ split-sampled (Half A) | 530 | 383 | ±3.0 | ±4.6 | ±5.0 |
| Primary schools | 273 | 273 | ±3.5 | ±5.4 | ±5.9 |
| Secondary schools | 222 | 222 | ±3.8 | ±5.9 | ±6.4 |
| Further education | 33 | 33 | ±9.7 | ±14.9 | ±16.2 |
| Higher education | 49 | 49 | ±7.1 | ±10.9 | ±11.9 |
1.8 Significant differences
When reporting on sub-groups, we note whether or not results from sub-groups differ in a statistically significant way, both against other sub-groups and against the total (minus the sub-group in question). Statistical significance testing is used to determine whether differences in results are likely to be due to a genuine difference between groups, as opposed to chance variation. The threshold used in the main report is the 95% level of confidence, meaning there is less than a 5% chance that results deemed significantly different differ due to chance. This is a standard level of significance used in social sciences. The test used to determine statistical significance is a two-tailed t-test.
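As an added illustration, not code from the annex or from Ipsos, the following Python reproduces Table 1.2 from the population sizes listed in Section 1.9 and the effective sample sizes in the table, and applies a two-tailed test of the kind described in Section 1.8 to a constructed subgroup comparison. It assumes z = 1.96 for the 95% level, the finite population correction sqrt((N - n)/(N - 1)) applied to the effective sample size, and an unpooled two-proportion test; the annex names a t-test but does not give the formula used, so that part is an assumption.

```python
"""Margins of error with finite population correction (Table 1.2) and a
two-tailed test of the kind described in Section 1.8.

Added example, not code from the annex or from Ipsos. Population sizes (N)
are those listed in Section 1.9; sample sizes are those in Table 1.2.
"""
import math

Z_95 = 1.96  # two-sided critical value at the 95% confidence level

# name: (population N, unweighted n, effective n). For the weighted business
# and charity samples the effective size is smaller than the unweighted one;
# the education samples are unweighted, so the two are equal.
SAMPLE_GROUPS = {
    "Businesses":                  (1_417_730, 2_112, 1_376),
    "Businesses - split (Half A)": (1_417_730, 1_051,   681),
    "Charities":                   (  202_539, 1_085,   777),
    "Charities - split (Half A)":  (  202_539,   530,   383),
    "Primary schools":             (   20_831,   273,   273),
    "Secondary schools":           (    4_222,   222,   222),
    "Further education":           (      342,    33,    33),
    "Higher education":            (      175,    49,    49),
}


def fpc(population: int, sample: int) -> float:
    """Finite population correction sqrt((N - n) / (N - 1)). It is close to 1
    for businesses and charities and matters for the small education frames."""
    return math.sqrt((population - sample) / (population - 1))


def margin_of_error(p: float, n_eff: int, population: int) -> float:
    """95% margin of error in percentage points for a proportion p, using the
    effective sample size and the finite population correction."""
    se = math.sqrt(p * (1 - p) / n_eff) * fpc(population, n_eff)
    return 100 * Z_95 * se


def table_1_2() -> dict:
    """Margins of error at the 10%/90%, 30%/70% and 50% estimates for every
    sample group, rounded to one decimal place as in Table 1.2."""
    return {
        name: tuple(round(margin_of_error(p, n_eff, pop), 1) for p in (0.10, 0.30, 0.50))
        for name, (pop, _n, n_eff) in SAMPLE_GROUPS.items()
    }


def significantly_different(p1: float, n1_eff: int, p2: float, n2_eff: int):
    """Two-tailed test at the 95% level of whether two independent proportions
    differ (for example a subgroup against the rest of the sample), using
    effective sample sizes. Returns (is_significant, test_statistic).

    Assumption: an unpooled standard error and the normal critical value; the
    annex names a t-test but does not give the formula, and for effective
    sample sizes in the hundreds the t and normal critical values coincide to
    the precision reported."""
    se = math.sqrt(p1 * (1 - p1) / n1_eff + p2 * (1 - p2) / n2_eff)
    stat = (p1 - p2) / se
    return abs(stat) > Z_95, stat


if __name__ == "__main__":
    for name, (moe10, moe30, moe50) in table_1_2().items():
        print(f"{name:28s} ±{moe10:4.1f} ±{moe30:4.1f} ±{moe50:4.1f}")
    # Constructed comparison (not a survey result): 60% of a subgroup with an
    # effective size of 300 against 50% of the remaining 1,076 businesses.
    print(significantly_different(0.60, 300, 0.50, 1_076))
```

Running the script prints the eight rows of Table 1.2 to one decimal place; the FPC term is what pulls the further and higher education margins below the uncorrected value, since a third of the 342 colleges and over a quarter of the 175 universities were sampled.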
1.9 Extrapolating results to the wider population
The total population sizes for each of these sample groups are as listed below. It should be noted that the population databases referenced here are live and updated regularly and the population figures were accurate as of June and July 2025, ahead of starting fieldwork.
- 1,417,730 UK businesses with employees (according to the Department for Business and Trade Business Population Estimates 2025[footnote 9])
- 202,539 UK registered charities (combining the lists of registered charity databases, downloaded in June and July 2025 as part of sample preparation for the survey, across England and Wales[footnote 10] that contained 170,931 charities, Scotland[footnote 11] that contained 24,656 charities and Northern Ireland[footnote 12] that contained 6,952 charities)
- 20,831 primary schools (including free schools, academies, Local Authority-maintained schools and special educational schools covering children aged 5 to 11) (combining the schools databases from England[footnote 13], Wales[footnote 14], Scotland[footnote 15] and Northern Ireland[footnote 16], laid out in Section 2.3)
- 4,222 secondary schools (including free schools, academies, Local Authority-maintained schools and special educational schools covering children aged 11+) (combining the schools databases as referenced under primary schools and laid out in Section 2.3)
- 342 further education colleges (combining the college databases from England[footnote 17], Wales[footnote 18], Scotland[footnote 19] and Northern Ireland[footnote 20], laid out in Section 2.3)
- 175 universities (list of all UK universities[footnote 21], cross-referenced against the comprehensive list of Recognised Bodies[footnote 22] on GOV.UK)
As the samples for each group are statistically representative, it is theoretically possible to extrapolate survey results to the overall population.
Where extrapolated figures for prevalence and the number of crimes experienced are shown in the main report, they are based on the estimated total population of businesses with employees (1,417,730 according to the Department for Business and Trade Business Population Estimates 2025 Table 1) and the total number of registered UK charities (202,539 when combining the charity registers for England and Wales, Northern Ireland and Scotland). Any extrapolated figures are rounded to three significant figures (or to the nearest thousand, if under 1 million) and unrounded weighted prevalence estimates to one decimal place are used. For number of cyber crimes experienced, the weighted average number of cyber crimes rounded to two decimal places are also used.
We recommend restricting any extrapolation of results to the overall business and charity populations rather than to any subgroups within these populations. The sample sizes for subgroups in our survey are smaller than the overall sample sizes for businesses and charities and consequently have higher margins of error. Similarly, the sample sizes for education institutions are small and have relatively high margins of error (see Section 1.7). For example, the margin of error on a result of 50% for Higher education institutions is ±11.9. This compares to a margin of error on a result of 50% for businesses of ±2.6.
Any extrapolated results should be clearly labelled as estimates and, ideally, should be calibrated against other sources of evidence.
We specifically do not consider the financial cost estimates from this survey to be suitable for this sort of extrapolation (e.g. to produce a total cost of cyber incidents, cyber crime or cyber-facilitated fraud for the UK economy). These estimates tend to have a high level of statistical standard error, and low base sizes, so the margins of error for any extrapolated cost estimate are likely to be very wide, limiting the value of such an estimate.
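The following Python, added here as an example and not code from the annex or from Ipsos, carries a weighted prevalence estimate through to a population count in the way Section 1.9 describes, applying the stated rounding rule (three significant figures at 1 million or more, otherwise the nearest thousand) and, as recommended in Section 1.7, attaching the margin of error as a range of organisations. Population sizes are those listed above; the prevalence percentages and the mean number of crimes used in the usage lines are constructed for illustration and are not survey findings.

```python
"""Extrapolating a weighted prevalence estimate to the UK population, carrying
the margin of error through and applying the rounding rule in Section 1.9.

Added example, not code from the annex or from Ipsos. Population sizes are
those given in Section 1.9. All prevalence and crime-count inputs used below
are constructed for illustration and are not survey findings.
"""
import math

Z_95 = 1.96
POPULATIONS = {"businesses": 1_417_730, "charities": 202_539}


def round_extrapolated(value: float) -> int:
    """Section 1.9 rounding: three significant figures at 1 million or more,
    otherwise the nearest thousand."""
    if value >= 1_000_000:
        digits_before_point = int(math.floor(math.log10(value))) + 1
        return int(round(value, 3 - digits_before_point))
    return int(round(value, -3))


def margin_of_error(p: float, n_eff: int, population: int) -> float:
    """95% half-width for a proportion, with the finite population correction."""
    correction = math.sqrt((population - n_eff) / (population - 1))
    return Z_95 * math.sqrt(p * (1 - p) / n_eff) * correction


def extrapolate_prevalence(pct: float, n_eff: int, group: str):
    """Organisations implied by a weighted prevalence (percent, used to one
    decimal place). Returns (central, low, high) after rounding, where low and
    high come from the prevalence minus and plus its margin of error."""
    population = POPULATIONS[group]
    p = round(pct, 1) / 100
    moe = margin_of_error(p, n_eff, population)
    bounds = (p, max(p - moe, 0.0), min(p + moe, 1.0))
    return tuple(round_extrapolated(population * b) for b in bounds)


def extrapolate_crime_count(pct: float, mean_per_org: float, group: str) -> int:
    """Total number of cyber crimes: population x prevalence x mean number of
    crimes per affected organisation (the mean used to two decimal places)."""
    population = POPULATIONS[group]
    return round_extrapolated(population * round(pct, 1) / 100 * round(mean_per_org, 2))


if __name__ == "__main__":
    # Constructed inputs: 42.3% prevalence on the full business effective
    # sample of 1,376, and an average of 3.47 crimes per affected business.
    print(extrapolate_prevalence(42.3, 1_376, "businesses"))   # (600000, 563000, 637000)
    print(extrapolate_crime_count(20.0, 3.47, "businesses"))   # 984000
```

The range returned alongside the central figure is the point of the exercise: on the business sample a ±2.6 point margin at a 42.3% estimate spans roughly 74,000 organisations once multiplied through, which is why the annex asks for extrapolated figures to be labelled as estimates and why cost figures, with their far wider standard errors, are excluded from this treatment.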
If you wish to use extrapolated Cyber Security Breaches Survey data as part of your analysis or reporting, then we would encourage you to contact DSIT via the cyber surveys mailbox: cybersurveys@dsit.gov.uk.
Chapter 2: Survey approach technical details
2.1 Survey and questionnaire development
The questionnaire content is largely driven by the Cyber Resilience team at DSIT, alongside the Home Office (which has co-funded the study since 2022/2023). The questions are designed to provide evidence on UK cyber resilience, and influence future government policy and other interventions in this space.
Ipsos developed the questionnaire and all other survey instruments (e.g. the interview script and briefing materials) with DSIT and the Home Office. DSIT had final approval of the questionnaire. A full copy is available in Appendix A.
Stakeholder engagement
Each year, Ipsos has consulted a range of industry stakeholders, to ensure that the Cyber Security Breaches Survey continues to explore the most important trends and themes that organisations are grappling with when it comes to cyber security. This includes the Association of British Insurers (ABI) and techUK, who were consulted this year and agreed to endorse the survey. Similarly, DSIT and the Home Office have consulted a range of stakeholders across government, such as the National Cyber Security Centre (NCSC).
Separately, Ipsos and DSIT engaged with two stakeholders that had relationships with cyber security professionals in the further and higher education sectors: Jisc (a membership organisation of individuals in digital roles within the further and higher education sectors) and UCISA (formerly known as the Universities and Colleges Information Systems Association). These organisations subsequently encouraged their members and contacts to take part in the survey, promoting the online survey link created by Ipsos (see Section 2.4).
Changes made to the questionnaire for the 2025/2026 survey
The main changes to the 2025/2026 questionnaire centred on four main areas, described in more detail below:
- Adding questions to capture new areas of interest where insight is required
- Minor wording updates to existing questions to improve understanding and options available to respondents
- Minor routing changes to improve the flow of the interview
- Increasing the upper limit at numerical questions and adding some soft checks to accurately capture a range of responses
The following questions were added as new questions for 2025/2026:
- Q11B_UPDATEACTION was added to provide a measure of what information organisations include in their internal cyber security updates
- Q30B_AUDITCONTENT was added to measure what organisations include when carrying out internal cyber security audits
- Q31B_PERSONALDATA was added to investigate the proportion of organisations that do not protect data using anonymisation or encryption
- Q33X_AIUSE was added to measure the prevalence of using AI tools among organisations
- Q33Y_AISTRATEGY was added to understand whether organisations have specific cyber security practices or processes in place to manage the risks from the use of AI technology
- Q56B_DATATYPE was added for those who have experienced data loss to measure what types of personal or organisational data have been altered, destroyed or taken in a cyber breach or attack
- Q89I_PHISHCOSTA and B were added to capture the cost to the organisation of phishing cyber crime
The following check questions were also added to validate the data provided during the interview:
- Q83HX_RANSDEMA_CHK was added as an extra check for organisations that reported a low ransom demand, to confirm that they had in fact experienced ransomware
- Q83MX_RANSCOSTA_CHK was added to ensure that organisations had included only ransomware costs in their previous answer
- Q83K_RANSPAYA was added as an extra check for respondents who gave a ransom payment of less than £10, to confirm that the value was correct
Wording updates or addition of new codes to questions included:
- Q23Y_WHYNOINSURE was updated with the addition of an ‘Another reason’ code to capture answers outside of the precoded list
- Q24D_SCHEME was updated with the addition of new schemes to reflect the new cyber landscape
- Q24E_GOVACT was updated with a minor change to the wording of one code to broaden scope of code from senior management to include the board and directors
- Q30_IDENT was updated to provide a definition of threat intelligence to aid organisations understanding
- Q45B_SUPPLYRISK was updated with the addition of code ‘Not applicable / do not use suppliers’ to ensure we were capturing where organisations didn’t use suppliers so that they were automatically routed to subsequent questions about suppliers
- Q56A_OUTCOME was updated with the addition of a code around organisational data being altered or destroyed so that organisations could be appropriately routed to the new question Q56B_DATATYPE
- Q63B_INCIDACTION was updated with the addition of a code about informing immediate suppliers to capture when this answer was given
- Q64B_DISRUPTPHISH was updated to provide other reasons for why phishing was the most disruptive attack, aside from it just leading to other attacks
- SHOWSCREEN_FRAUD was updated with new text added to ask respondents who had paid ransoms to not include those costs in the following section
- SHOWSCREEN_PHISH was added to provide an introduction to the new phishing cost question
- Q85E_HACKSIV was updated with new question wording to refer to separate hacking attempts experienced between those that were deliberate and successful and those that were not
- Q88A_FRAUD was amended to include some additional text for people who had experienced ransomware attacks to stipulate that costs from paying ransomware should not be factored into answers to this question, as this was covered elsewhere in the survey
Routing changes to the questionnaire included:
- Q83J_RANSPAYYN routing was amended to ensure organisations were not asked the question if they did not experience ransomware at RANSDEMA_CHK
- Q83M_RANSCOSTA routing was amended to ensure organisations were not asked the question if they did not experience ransomware at RANSDEMA_CHK
The 2024/2025 wave data checking process revealed that several responses to numerical questions in the survey (such as for number of breaches and attacks) were being capped at 999, based on an assumption that it was unlikely to be credibly higher than this and that introducing a cap of this nature would decrease the chance of data input errors (adding erroneous zeros for example). However, a review of the 2024/2025 data indicated that in 12 instances respondents had attempted to give an answer higher than 999 but the interviewer had been forced to input 999 as the response.
A systematic review of all numerical caps in the survey was therefore undertaken and edits to the numerical caps at the following questions were made:
- Q83E_RANSSOFT the numerical cap was increased to 9,999
- Q85A_HACKCOUNT the numerical cap was increased to 9,999
- Q86A_TKVRCOUNT the numerical cap was increased to 9,999
- Q87A_DOSCOUNT the numerical cap was increased to 9,999
- Q84E_VIRUSSOFT the numerical cap was increased to 9,999
- Q88A_FRAUD the numerical cap was increased to 9,999
- Q89C_PHISHENG the numerical cap was increased to 9,999
Changes to the reporting of costs for the 2025/2026 survey
Each year, this survey series has attempted to capture the perceived cost of cyber security breaches or attacks, cyber crime and cyber-facilitated fraud on organisations.
This year, we have stopped reporting mean costs. Because the distribution of cyber impacts is highly skewed and subject to high sampling error, the mean is not a robust statistical indicator. It can also create a disclosure risk where a dominant share of the total cost comes from a small number of organisations.
The median perceived cost is presented, alongside the 25th-75th percentile range where most cases fall, the top 10% of cases (90th percentile) and the top 5% of cases (95th percentile).
There has been a small change in the statistical methodology[footnote 23] used to calculate the median.
The following minimum effective base sizes have been adhered to when reporting percentiles:
Table: Minimum effective base sizes for percentiles
| Percentile | Effective base size needed to include in the report |
|---|---|
| 0.25 | 10 |
| 0.50 | 5 |
| 0.75 | 10 |
| 0.90 | 25 |
| 0.95 | 50 |
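The reporting rule above (median and percentiles only, each published only when the effective base clears a minimum) is easy to get wrong in practice, so the following is a worked illustration written for this annex. It is not DSIT's or Ipsos's code: it assumes the Kish formula for the effective base, a simple cumulative-weight definition of the percentile (the survey's own median method, footnote 23, is not reproduced), and a constructed cost sample with assumed survey weights. Run it to see why the mean is dominated by one case while the median is not, and which percentiles the table would allow to be published for a sample of this size.

```python
"""Percentile reporting with minimum effective base sizes (added illustration)."""

# Minimum effective base sizes from the report's table
MIN_EFFECTIVE_BASE = {0.25: 10, 0.50: 5, 0.75: 10, 0.90: 25, 0.95: 50}


def effective_base(weights):
    """Kish effective sample size: (sum w)^2 / sum(w^2). Assumed formula."""
    total = sum(weights)
    total_sq = sum(w * w for w in weights)
    return total * total / total_sq if total_sq else 0.0


def weighted_percentile(values, weights, p):
    """Smallest value at which the cumulative weight share reaches p (0 < p < 1)."""
    pairs = sorted(zip(values, weights))
    total = sum(weights)
    cum = 0.0
    for value, weight in pairs:
        cum += weight
        if cum / total >= p:
            return value
    return pairs[-1][0]


def weighted_mean(values, weights):
    return sum(v * w for v, w in zip(values, weights)) / sum(weights)


def top_share(values, weights, k=1):
    """Share of the weighted total cost contributed by the k largest cases (disclosure check)."""
    contributions = sorted((v * w for v, w in zip(values, weights)), reverse=True)
    total = sum(contributions)
    return sum(contributions[:k]) / total if total else 0.0


def cost_summary(values, weights):
    """Percentiles to report; None where the effective base is below the minimum."""
    n_eff = effective_base(weights)
    summary = {"effective_base": n_eff}
    for p, minimum in MIN_EFFECTIVE_BASE.items():
        summary[p] = weighted_percentile(values, weights, p) if n_eff >= minimum else None
    return summary


# Constructed sample: 30 organisations' perceived cost (GBP) of a breach, sorted
# ascending, with one extreme case at the top.
COSTS = [0, 0, 0, 0, 0, 50, 100, 150, 200, 250, 300, 400, 500, 600, 800,
         1000, 1200, 1500, 2000, 2500, 3000, 4000, 5000, 8000, 10000,
         15000, 20000, 50000, 100000, 2000000]
# Assumed survey weights: smaller organisations up-weighted, larger ones down-weighted
WEIGHTS = [1.5] * 20 + [0.25] * 10

if __name__ == "__main__":
    s = cost_summary(COSTS, WEIGHTS)
    print(f"effective base {s['effective_base']:.1f} (n = {len(COSTS)})")
    for p in MIN_EFFECTIVE_BASE:
        print(f"p{int(p * 100)}: {'suppressed' if s[p] is None else s[p]}")
    print(f"weighted mean {weighted_mean(COSTS, WEIGHTS):,.0f}; "
          f"top case share of total cost {top_share(COSTS, WEIGHTS):.0%}")
```

With these assumed weights the 30 interviews shrink to an effective base of about 23, so the 90th and 95th percentiles are withheld even though the sample has 30 cases, while the mean is driven almost entirely by the single largest case.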
Region classification change for the 2025/2026 survey
Historically, the Cyber Security Breaches Survey used the Government Office Region (GOR) classification to assign businesses to regions. During the 2025/2026 survey the lookup used to assign addresses to regions was found to be outdated, being based on the Standard Statistical Regions (SSRs) used before GOR regions were introduced. GOR regions have themselves since been superseded by International Territorial Levels (ITL) as the recognised UK regional classification[footnote 24]. The ITLs follow a convention used by Organisation for Economic Co-operation and Development (OECD) member countries and therefore align with international standards, enabling international comparability. ITL level 1 (ITL1) region groupings, with the most up-to-date postcode lookups to assign addresses to regions, were therefore used for the 2025/2026 survey and will be used for future waves.
Cognitive testing
The Ipsos research team carried out 8 cognitive testing interviews with businesses, charities and schools between the 7th and 15th of July 2025. These interviews focused on the new questions added for the 2025/2026 wave.
Table 2.2 shows how these cognitive interviews broke down by organisation type and size.
Table 2.2: Cognitive interviews achieved by organisation type and size
| Type | Quantity | Sub quota | Achieved |
|---|---|---|---|
| Business | 3 | Large | 1 |
| | | Medium | 1 |
| | | Small/Micro | 1 |
| Charity | 3 | £5 million+ | 1 |
| | | £500k-£5m | 1 |
| | | £100k-£500k | 1 |
| Primary school | 1 | 1 | 1 |
| Secondary school | 1 | 1 | 1 |
| Total | 8 | | 8 |
All interviews were conducted via MS Teams or over the telephone and took around 45 minutes to complete. The sample source was organisations that took part in the previous iteration of the survey and gave permission to be recontacted for subsequent research on cyber security over the next 12 months. We offered a £50 incentive[footnote 25] to ensure participation from different-sized organisations and as a thank you for taking part.
The cognitive testing highlighted some improvements that could be made to the new questions. These can be summarised as follows:
- Wording updates or streamlining of question codes to aid understanding (Q11B_UPDATEACTION, Q30B_AUDITCONTENT, Q56B_DATATYPE)
- Restructuring and simplification of question to avoid confusion over technical terms (Q31B_PERSONALDATA, Q64B_DISRUPTPHISH)
- Addition of codes to provide more granular data (Q33Y_AISTRATEGY)
- Deletion due to limited usefulness of data and additional questionnaire length (Q33Z_AIDEFENCE)
Piloting
The pilot survey was used to:
- test the questionnaire Computer-Assisted Telephone Interviewing (CATI) script
- time the questionnaire
- test the usefulness of the interviewer briefing materials
Ipsos interviewers carried out all the pilot fieldwork by phone between the 4th and 6th August 2025. Ipsos applied quotas to ensure the pilot covered different-sized businesses from a range of sectors, charities with different incomes and from different countries. Education institutions were not included in the pilot because it was being conducted in August, which is outside of term time for these organisations. We carried out 22 interviews, as shown in Table 2.3.
Table 2.3: Pilot interviews achieved by organisation type and size
| Type | Sub quota | Achieved | Total |
|---|---|---|---|
| Business | Micro | 8 | 13 |
| | Small | 3 | |
| | Medium | 2 | |
| | Large | 0 | |
| Charity | £0-£10k | 4 | 9 |
| | £10k-£100k | 3 | |
| | £100k-£500k | 0 | |
| | £500k+ | 2 | |
| Total | | 22 | 22 |
The pilot sample came from the same sample frames used for the main stage survey (see next section).
Following the same approach as in previous years, the pilot was used as a soft launch of the main fieldwork. While quotas were initially applied to achieve the pilot interviews, the remaining pilot sample was subsumed into the main survey and fully worked alongside the other sample batches, following a strict random probability approach. Moreover, there were no substantial post-pilot changes to the questionnaire and the 22 pilot interviews were counted as part of the final data.
The average interview length for the pilot was 23 minutes, one minute above target for the main stage (22 minutes). A few minor amendments were made to the survey questions following the pilot, based on interviewer feedback and the need to reduce the survey length. Minor changes were made at the following three questions:
- Q33X_AIUSE was found to be overly wordy and to take a long time to read out. A few minor edits to the question wording were proposed to simplify the question.
- Q31B_PERSONALDATA contained the term ‘pseudonymisation’ which respondents struggled to understand and often didn’t know what it meant. Some interviewers were also struggling to pronounce it. This question was simplified and the term ‘pseudonymisation’ removed.
- Q45B_SUPPLYRISK was not a new question for 2025/2026, however, it was raised during the pilot that there was not the possibility to answer that they had no suppliers. The option ‘Not applicable / do not use suppliers’ was added as an option to this question.
2.2 GOV.UK page
As in previous years, a similar GOV.UK page was used to provide reassurance that the survey was legitimate and provide more information before respondents agreed to take part.
Interviewers could refer to the page at the start of the telephone call, while the reassurance emails sent out from the CATI script (to organisations that wanted more information) included a link to the GOV.UK page.
2.3 Sampling
Business population and sample frame
The target population of businesses largely matched those included in all the previous surveys in this series, i.e. private companies or non-profit organisations[footnote 26] with more than one person on the payroll.
The survey is designed to represent enterprises (i.e. the whole organisation) rather than establishments (i.e. local or regional offices or sites). This reflects that multi-site organisations will typically have connected digital devices and will therefore deal with cyber security centrally.
The sample frame for businesses was the Market Location database which covers businesses in all sectors across the UK at the enterprise level. It is compiled from a mix of public business directories, Companies House data and call centre activity. It is not only a clean database but also high quality; over 10,000 calls are made daily to validate numbers, with each record (telephone, email and senior contact name) having been validated within a rolling 12-month period.
Exclusions from the sample frame
With the exception of universities, public sector organisations are typically subject to government-set minimum standards on cyber security. Moreover, the focus of the primary sample in the survey was to provide evidence on businesses’ engagement, to inform future policy for this audience. Public sector organisations (Standard Industrial Classification, or SIC, 2007 category O) were therefore considered outside of the scope of the survey and excluded from the sample selection.
In line with the previous year, businesses listed as having just 1 employee were eligible to take part in the survey (only 0-employee businesses were excluded entirely). However, given that many businesses listed as having 1 employee on business databases were found to have 0 employees, the sampling was only done on businesses listed as having 2 or more employees. This helped to avoid an unreasonably high ineligibility rate during fieldwork.
Charity population and sample frames (including limitations)
The target population of charities was all UK registered charities. The sample frames were the charity regulator databases in each UK country:
- the Charity Commission for England and Wales database: https://register-of-charities.charitycommission.gov.uk/register/full-register-download
- the Office of the Scottish Charity Regulator (OSCR) database: the Download the Scottish Charity Register page on the OSCR website
- the Charity Commission for Northern Ireland database: https://www.charitycommissionni.org.uk/charity-search/
In England and Wales, and in Scotland, the respective charity regulator databases contain a comprehensive list of registered charities. DSIT was granted access to the non-public OSCR database, including telephone numbers, and a random sample of Scotland-based charities was generated.
The Charity Commission in Northern Ireland does not yet have a comprehensive list of established charities but has been registering charities and building its list over the past few years. Alternative sample frames for Northern Ireland, such as the Experian and Dun & Bradstreet business directories (which also include charities) have been considered in previous years, and ruled out, because they do not contain essential information on charity income for sampling and cannot guarantee up-to-date charity information.
Therefore, while the Charity Commission for Northern Ireland database was the best available sample frame for this survey, it cannot yet be considered a truly random sample of Northern Ireland charities, although it is updated on a regular basis. This year there was a small decline in the number of registered charities on the database compared to 2024/2025 and 2023/2024: there were 6,952 registered charities on the Northern Ireland database[footnote 27] at the point of drawing the sample, compared to 7,216 in the 2024/2025 survey, 7,157 in the 2023/2024 survey, 6,880 in the 2022/2023 survey and 6,438 in the 2021/2022 survey.
Education institutions population and sample frame
Primary and secondary schools and further education colleges in this survey are all public sector, publicly funded organisations. Higher education institutions in this survey are considered publicly funded organisations but are not government owned and typically operate independently. Private educational institutions are included in the business sample.
The education institutions sample frame came from the following sources:
- all schools and colleges in England from the Get Information About Schools database
- schools in Scotland from the Scottish Government School Contact details
- further education colleges in Scotland from the Colleges Scotland directory
- schools in Wales from the Welsh Government Address list of schools
- further education colleges in Wales from the Welsh Government Further Education Institutions contact details page
- schools in Northern Ireland from the Northern Ireland Department of Education database
- further education colleges in Northern Ireland from the NI Direct FE College directory
- online lists of all UK universities, e.g. the Universities UK website, cross-referenced against the comprehensive list of Recognised Bodies on GOV.UK (which also includes, for example, degree-awarding arts institutes)
Given the significant differences in size and management approaches between different types of education institutions, we split the sample frame into four independent groups:
- 20,831 primary schools (including free schools, academies, Local Authority-maintained schools and special educational schools covering children aged 5 to 11)
- 4,222 secondary schools (including free schools, academies, Local Authority-maintained schools and special educational schools covering children aged 11+)
- 342 further education colleges
- 175 universities
In order to avoid disclosure, we do not include any information about the specific school type (beyond fitting responses into the primary or secondary school bracket) in the published data or SPSS file.
Business sample selection
In total, 60,011 businesses were selected from the Market Location database for the 2025/2026 survey.
The business sample was disproportionately stratified by size, sector and region. An entirely proportionately stratified sample would not allow sufficient subgroup analysis by size and sector. For example, it would effectively exclude all medium and large businesses from the selected sample, as they make up a very small proportion of all UK businesses according to the Department for Business and Trade Business Population Estimates 2025 Table 1. Therefore, we set disproportionate sample targets for micro (1 to 9 employees), small (10 to 49 employees), medium (50 to 249 employees) and large (250 or more employees) businesses. We also boosted specific sectors and regions, to ensure we achieved robust effective base sizes in these groups, they included:
- North East
- Wales
- Scotland
- Northern Ireland
- agriculture, forestry or fishing (SIC A)
- utilities or production (SIC BDE)
- transport or storage (SIC H)
- finance or insurance (SIC K)
- real estate (SIC L)
- arts or recreation (SIC R)
Post-survey weighting corrected for the disproportionate stratification (see Section 2.6).
Table 2.4 breaks down the selected business sample by size and sector.
Table 2.4: Pre-cleaning selected business sample by size and sector[footnote 28]
| SIC 2007 letter | Sector description | Micro 1-9 employees | Small 10-49 employees | Medium 50-249 employees | Large 250+ employees | Total |
|---|---|---|---|---|---|---|
| A | Agriculture, forestry or fishing | 1,684 | 53 | 67 | 47 | 1,851 |
| B, C, D, E | Utilities or production (including manufacturing) | 2,300 | 1,363 | 1,515 | 1,055 | 6,233 |
| F | Construction | 5,329 | 367 | 333 | 185 | 6,214 |
| G | Retail or wholesale (including vehicle sales and repairs) | 4,211 | 677 | 870 | 1,048 | 6,806 |
| H | Transport or storage | 1,255 | 261 | 597 | 346 | 2,459 |
| I | Food or hospitality | 4,639 | 823 | 735 | 258 | 6,455 |
| J | Information and communication | 998 | 311 | 897 | 373 | 2,579 |
| K | Finance or insurance | 2,257 | 3,413 | 1,378 | 575 | 7,623 |
| L, N | Administration or real estate | 3,888 | 1,200 | 1,578 | 650 | 7,316 |
| M | Professional, scientific or technical | 2,309 | 465 | 681 | 629 | 4,084 |
| P | Education | 279 | 242 | 112 | 450 | 1,083 |
| Q | Health, social care or social work | 876 | 423 | 478 | 984 | 2,761 |
| R, S | Entertainment, service or membership organisations | 2,965 | 403 | 795 | 384 | 4,547 |
| Total | 32,990 | 10,001 | 10,036 | 6,984 | 60,011 |
Charity and education institution sample selection
The charity sample was proportionately stratified by country and disproportionately stratified by income band, using the respective charity regulator databases to profile the population. This used the same reasoning as for businesses as without this disproportionate stratification, analysis by income band would not be possible as hardly any high-income charities would be in the selected sample. In addition, having fewer high-income charities in the sample would be likely to reduce the variance in responses, as high-income charities tend to take more action on cyber security than low-income ones. This would have raised the margins of error in the survey estimates.
As the entirety of the three charity regulator databases was used for sample selection, there was no restriction on the amount of charity sample that could be used, so no equivalent to Table 2.4 is shown for charities.
Similarly, the entirety of the state education institution databases was available for sample selection, so no equivalent table is shown for education institutions.
Sample telephone tracing and cleaning
Not all the original samples were usable. In total:
- 4,004 of the 60,011 business in the original Market Location records were excluded because they had an invalid telephone number (i.e. the number was either in an incorrect format, too long, too short, had an invalid string, or was a number which would charge the respondent when called), because they were flagged as part of Ipsos’ non-contact list (organisations that have requested no further contact), because they were based outside the UK, or because they were found to be a duplicate
- A further 275 business records were excluded on the basis they were part of the DSIT Cyber Security Longitudinal Survey panel
- 36,841 of the 202,539 charities had no valid telephone numbers, were flagged as being on the non-contact list, or were duplicate records (i.e. with the same number appearing twice)
- 4,860 of the 25,570 education institutions had no valid telephone numbers, were flagged as being on the non-contact list, or were duplicate records (i.e. with the same number appearing twice).
We do not expect the unusable sample to bias our estimates.
Ipsos undertook significant sample improvement work, using their sampling partners to match the samples to data from organisations’ websites, publicly available LinkedIn pages and other social media, and Companies House data, to add in the names and job titles of relevant individuals within the business, as well as email addresses where available, in order to maximise our ability to get past gatekeepers (e.g. receptionists) and reach the appropriate individual in the organisation.
At the same time as this survey, Ipsos was also carrying out two other surveys with a potentially overlapping sample of businesses and charities: the DSIT Cyber security skills in the UK labour market research and the Cyber Security Longitudinal Survey. We therefore flagged overlapping sample leads across surveys, so telephone interviewers could avoid contacting the same organisations in quick succession for more than one survey and minimise the burden on respondents. Similarly, Ipsos flagged and excluded business and charity sample leads that had recently completed another DSIT survey, in order to minimise the burden on respondents.
Following cleaning to remove unusable or duplicate numbers, the usable sample amounted to:
- 55,732 business Market Location records
- 165,698 charities (with exclusions mainly due to the high prevalence of duplicate numbers in this sample frame)
- 20,710 education institutions
Table 2.5 breaks the usable business leads down by size and sector, for the business sample. As this shows, around 9 in 10 business records across the total sample were usable. This compares to around 82% usable records among charities and 81% usable records among education institutions.
Table 2.5: Post-cleaning available business sample by size and sector (sample volumes and as a percentage of originally selected sample)
| SIC 2007 letter | Sector description | Micro 1-9 employees | Small 10-49 employees | Medium 50-249 employees | Large 250+ employees | Total |
|---|---|---|---|---|---|---|
| A | Agriculture, forestry and fishing | 1,656 (98%) | 49 (92%) | 64 (96%) | 46 (98%) | 1,815 (98%) |
| B, C, D, E | Utilities or production (including manufacturing) | 2,168 (94%) | 1,248 (92%) | 1,432 (95%) | 962 (91%) | 5,810 (93%) |
| F | Construction | 5,298 (99%) | 331 (90%) | 313 (94%) | 164 (89%) | 6,106 (98%) |
| G | Retail or wholesale (including vehicle sales and repairs) | 4,182 (99%) | 651 (96%) | 840 (97%) | 964 (92%) | 6,637 (98%) |
| H | Transport or storage | 1,232 (98%) | 226 (87%) | 567 (95%) | 312 (90%) | 2,337 (95%) |
| I | Food or hospitality | 4,583 (99%) | 795 (97%) | 710 (97%) | 240 (93%) | 6,328 (98%) |
| J | Information and communication | 937 (94%) | 258 (83%) | 820 (91%) | 316 (85%) | 2,331 (90%) |
| K | Finance or insurance | 1,933 (86%) | 3,166 (93%) | 1,229 (89%) | 493 (86%) | 6,821 (89%) |
| L, N | Administration or real estate | 3,716 (96%) | 1,105 (92%) | 1,450 (92%) | 587 (90%) | 6,858 (94%) |
| M | Professional, scientific or technical | 2,251 (97%) | 407 (88%) | 603 (89%) | 528 (84%) | 3,789 (93%) |
| P | Education | 228 (82%) | 102 (42%) | 47 (42%) | 216 (48%) | 593 (55%) |
| Q | Health, social care or social work | 770 (88%) | 345 (82%) | 375 (78%) | 799 (81%) | 2,289 (83%) |
| R, S | Entertainment, service or membership organisations | 2,726 (92%) | 315 (78%) | 671 (84%) | 306 (80%) | 4,018 (88%) |
| Total | 31,680 (96%) | 8,998 (90%) | 9,121 (91%) | 5,933 (85%) | 55,732 (93%) |
Sample batches
For businesses and charities, the usable sample for the main stage survey was randomly allocated into batches. The first batch had 21,537 business records and 6,800 charity records.
The selection counts were modelled according to two criteria:
- If a particular size band, industry sector, region or (in the case of charities) income band had a higher interview target based on the disproportionate stratification, we selected more records to reflect that higher target.
- Equally, if a particular size band, industry sector, region or income band had historically achieved lower response rates, we selected more records to reflect these lower response rate expectations. The response rate expectations were modelled on how other recent DSIT cyber surveys using these same sample frames had performed.
For primary and secondary schools, we selected simple random sample batches of each group. In the first batch, this amounted to 1,680 primary schools and 2,000 secondary schools.
The colleges and higher education institutions sample was released in full at the start of fieldwork (i.e. we carried out a census of these groups, only excluding records where there was no valid telephone number, or numbers were duplicated).
Subsequent sample batches were selected according to the same criteria, updated with the remaining interview targets and response rates achieved up to that point. For businesses four batches were released throughout fieldwork and for charities and education institutions, two batches were released throughout fieldwork. We aimed to maximise the response rate by fully exhausting the existing sample batches before releasing additional records. This aim was balanced against the need to meet interview targets, particularly for boosted sample groups (without setting specific interview quotas).
We did not use all the available (and usable) records for businesses, charities, primary schools and secondary schools. The remaining records were held in reserve.
Over the course of fieldwork, we used:
- 29,240 Market Location records
- 8,300 charity records
- 2,080 primary schools
- 2,400 secondary schools
- 305 further education colleges
- 162 higher education institutions
2.4 Fieldwork
Ipsos carried out all main stage fieldwork from 11th August 2025 to 12th December 2025, a fieldwork period of 18 weeks.
In total, we completed interviews with 3,774 organisations:
- 2,112 businesses
- 1,085 charities
- 273 primary schools
- 222 secondary schools
- 33 further education colleges
- 49 higher education institutions
The average interview length was around 24 minutes across all groups.
Multimode data collection
In 2022/2023 the survey method was changed to multimode, allowing respondents to take part either by telephone or online.
In practical terms, the multimode methodology worked as follows for businesses, charities, and primary and secondary schools:
- Initial contact with organisations typically took place by phone, with Ipsos telephone interviewers calling organisations in line with previous years. The exception to this was an email invite to participate in the survey being sent out to large businesses partway through fieldwork that we hadn’t been able to make contact with over the telephone.
- Where organisations requested more information before deciding to take part, interviewers could send out an information and reassurance email. This email contained a unique link for each organisation to complete the survey entirely or partially online. The interviewers explained this ahead of sending out each email.
- Beyond the initial phone call to establish contact and explain the survey, the respondents that completed the survey online had no interaction with an Ipsos interviewer when answering the questions but were instead routed through an online questionnaire, with each question appearing on a separate screen.
For further and higher education institutions, a further option was available. Ipsos created an open link to the online survey to be disseminated by Jisc and UCISA representative bodies for individuals working in IT and cyber roles in colleges and universities to their members. In total, 28 higher education institutions and 1 further education institution took part in the survey via this open link, an increase from 14 higher education institutions and 1 charity in the 2024/2025 wave of the survey. The surveys completed via the open link are included in the online interviews column in Table 2.6.
In total, 225 interviews were completed using the online survey option, which represents 6% of the 3,774 total interviews. This remains in line with last year’s 2024/2025 survey where 6% of interviews were also conducted online.
Table 2.6 shows how this is split across the different sample groups:
Table 2.6: Data collection mode by sample group
| Sample group | Telephone interviews | Online interviews | Percentage conducted online |
|---|---|---|---|
| Businesses | 2,031 | 81 | 4% |
| Charities | 1,000 | 85 | 8% |
| Primary schools | 265 | 8 | 3% |
| Secondary schools | 213 | 9 | 4% |
| Further education | 27 | 6 | 18% |
| Higher education | 13 | 36 | 73% |
| Total | 3,549 | 225 | 6% |
Ipsos made the following efforts to monitor and maintain the quality of the online interviews, and reduce the possibility of mode differences in the responses:
- We took a best-practice approach to multimode questionnaire design, where the format of each question was similar across modes (e.g. using collapsible grids for statements online, rather than showing all statements at once). However, it should be noted that long pre-coded questions like INFO, GOVTACT, NOREPORT, REPORTB and PREVENT were unavoidably different across modes. INFO was asked unprompted by telephone but as a prompted list online. This is standard practice in multimode questionnaires but typically means that online respondents are inclined to give a wider range of responses (as they see a list of possible responses in front of them). This does not necessarily mean that either the telephone or online responses are wrong at any of these questions. However, it does mean that a small note of caution should be applied when comparing results for individual answer codes before and since 2023 when the multimode method was introduced.
- We validated that online respondents were the appropriate individuals from the organisation via the TITLE question (which requests job titles).
- We checked online responses to ensure respondents were not speeding through the interview or “straightlining” (i.e. answering “don’t know” or the top answer code in the list to every question).
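The speeding and straightlining checks described above are simple to automate, and seeing the rules written out makes the thresholds explicit. The block below is an added illustration for this annex, not Ipsos's checking code: the response record layout, the grid names, the speeder cut-off (under 40% of the median completion time), the straightlining rule (one identical substantive code across a whole grid of at least four items) and the heavy "don't know" threshold are all assumptions, and the response data is constructed. Only online completions are checked, since telephone interviews have an interviewer present.

```python
"""Speeding and straightlining checks for online survey responses (added illustration)."""
from statistics import median

DONT_KNOW = "DK"

# Assumed grid questions: each maps to the items shown together on one screen
GRIDS = {
    "PREVENT": ["PREVENT_1", "PREVENT_2", "PREVENT_3", "PREVENT_4", "PREVENT_5"],
    "GOVTACT": ["GOVTACT_1", "GOVTACT_2", "GOVTACT_3", "GOVTACT_4"],
}


def online_only(responses):
    """Only self-completed online responses are subject to these checks."""
    return [r for r in responses if r["mode"] == "online"]


def flag_speeders(responses, fraction=0.4):
    """IDs of respondents whose completion time is below `fraction` of the median."""
    cutoff = fraction * median(r["duration_s"] for r in responses)
    return {r["id"] for r in responses if r["duration_s"] < cutoff}


def is_straightlined(answers, items, min_items=4):
    """True when every substantive (non-DK) answer in the grid is the same code."""
    given = [answers[i] for i in items if answers.get(i, DONT_KNOW) != DONT_KNOW]
    return len(given) >= min_items and len(set(given)) == 1


def flag_straightliners(responses, grids=GRIDS):
    """Map respondent ID -> list of grids answered with a single code throughout."""
    hits = {}
    for r in responses:
        grids_hit = [name for name, items in grids.items() if is_straightlined(r["answers"], items)]
        if grids_hit:
            hits[r["id"]] = grids_hit
    return hits


def dont_know_share(answers):
    return sum(1 for v in answers.values() if v == DONT_KNOW) / len(answers) if answers else 0.0


def quality_flags(responses, dk_threshold=0.5):
    """Per-respondent flags for follow-up; respondents with no flags are omitted."""
    speeders = flag_speeders(responses)
    straight = flag_straightliners(responses)
    flags = {}
    for r in responses:
        found = []
        if r["id"] in speeders:
            found.append("speeder")
        found += [f"straightline:{g}" for g in straight.get(r["id"], [])]
        if dont_know_share(r["answers"]) > dk_threshold:
            found.append("dont_know_heavy")
        if found:
            flags[r["id"]] = found
    return flags


def _record(rid, mode, duration_s, prevent, govtact):
    answers = dict(zip(GRIDS["PREVENT"], prevent))
    answers.update(zip(GRIDS["GOVTACT"], govtact))
    return {"id": rid, "mode": mode, "duration_s": duration_s, "answers": answers}


# Constructed responses: answer codes 1-4 per item, "DK" = don't know
RESPONSES = [
    _record("R1", "online", 1380, [1, 2, 1, 3, 2], [2, 1, 3, 2]),
    _record("R2", "online", 1450, [2, 2, 3, 1, 4], [1, 1, 2, 3]),
    _record("R3", "online", 1200, [3, 1, 2, 2, 1], [2, 2, 1, 1]),
    _record("R4", "online", 1560, [1, 1, 1, 1, 1], [1, 1, 1, 1]),    # same code everywhere
    _record("R5", "online", 300, [1, 2, 1, 3, 2], [2, 1, 3, 2]),     # plausible answers, implausible speed
    _record("R6", "online", 1320, ["DK", "DK", "DK", "DK", 1], ["DK", "DK", 2, 1]),
    _record("R7", "telephone", 900, [2, 1, 3, 1, 2], [1, 2, 1, 3]),  # interviewer-led, not checked
]

if __name__ == "__main__":
    for rid, found in quality_flags(online_only(RESPONSES)).items():
        print(rid, ", ".join(found))
```

A flag is a prompt for a reviewer to look at the case, not an automatic exclusion: a respondent who genuinely has every measure in place will legitimately give the same code across a grid, which is why the straightlining and speed signals are kept separate rather than combined into one score.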
Fieldwork preparation
Prior to fieldwork, the Ipsos research team briefed the telephone interviewing team in a video call. They also received:
- written briefing materials about all aspects of the survey
- a copy of the questionnaire and other survey instruments
Screening of respondents (for telephone interviews)
Telephone interviewers screened all sampled organisations at the beginning of the call to identify the right individual to take part and ensure the business was eligible for the survey. At this point, the following organisations would have been removed as ineligible:
- organisations that identified themselves as sole traders with no other employees on the payroll
- organisations that identified themselves as part of the public sector
As this was a survey of enterprises rather than establishments, interviewers also confirmed that they had called through to the UK head office or site of the organisation.
At this point, interviewers specifically asked for the senior individual with the most responsibility for cyber security in the organisation. The interviewer briefing materials included written guidance on likely job roles and job titles for these individuals, which would differ based on the type and size of the organisation.
For UK businesses that were part of a multinational group, interviewers requested to speak to the relevant person in the UK who dealt with cyber security at the company level. In any instances where a multinational group had different registered companies in Great Britain and in Northern Ireland, both companies were considered eligible.
Franchisees with the same company name but different trading addresses were also all considered eligible as separate independent respondents.
Random probability approach and maximising participation
We adopted random probability interviewing to minimise selection bias. The overall aim of this approach is to have a known outcome for every sample record loaded. For this survey, an approach comparable to other robust business surveys was used:
- Each organisation loaded in the main survey sample was called either a minimum of 7 times, or until an interview was achieved, a refusal given, or information obtained to make a judgement on the eligibility of that contact.
- Each sample record was called at different times of the day, throughout the working week, to make every possible attempt to achieve an interview. Evening and weekend interviews were also offered if the respondent preferred these times.
We took several steps to maximise participation in the survey and reduce non-response bias:
- The survey had its own web page on GOV.UK, to let organisations know that the contact from Ipsos was genuine. The web pages included appropriate Privacy Notices on processing of personal data, and the data rights of participants, following the introduction of GDPR in May 2018.
- Interviewers could send a reassurance email to prospective respondents if the respondent requested this. This included a link to the GOV.UK page to confirm the legitimacy of the survey, a link to the relevant Privacy Notice and an option to unsubscribe (by replying to the message and requesting this).
- Ipsos set up an email inbox and a telephone number that respondents could contact to set up appointments or, in the case of the phone number, to take part in the interview there and then. Where we had email addresses on the sample for organisations, we also sent five warm-up and reminder emails across the course of fieldwork to let organisations know that an Ipsos interviewer would attempt to call them and give them the opportunity to opt in by arranging an appointment. These emails also asked organisations to check the contact details we had for them and to send us better contact details if necessary. They were tailored to the type of organisation, with each email featuring a different subject line and key message to encourage participation.
- The survey was endorsed by the Association of British Insurers (ABI), the Charity Commission for England and Wales and the Charity Commission for Northern Ireland and techUK. In practice, this meant that these organisations allowed their identity and logos to be used in the survey introduction and on the microsite, to encourage organisations to take part.
- Specifically, to encourage participation from colleges and universities, DSIT and Ipsos jointly worked with Jisc and UCISA. These organisations contacted their members, which include IT and cyber security professionals in the further and higher education sectors, to proactively ask them to take part in the survey via the open link.
- Large businesses were offered a £10 charity donation on their behalf if they took part. They could choose to donate to Turn2us, the NSPCC or the Samaritans.
Fieldwork monitoring
Ipsos is a member of the Interviewer Quality Control Scheme (IQCS) recognised by the Market Research Society. In accordance with this scheme, the field supervisor on this project listened in to at least 10% of the interviews and checked the data entry on screen for these interviews.
2.5 Fieldwork outcomes and response rate
We monitored fieldwork outcomes and response rates throughout fieldwork, and interviewers were given regular guidance on how to avoid common reasons for refusal. Table 2.7 shows the final outcomes, the response rate and the response rate adjusted for unusable or ineligible records, for businesses and charities. The approach for calculating these figures is covered later in this section.
Table 2.7: Fieldwork outcomes and response rate calculations for businesses and charities
| Outcome | Businesses | Charities |
|---|---|---|
| Total selected from original sample frame | 60,111 | 202,539 |
| Sample without contact details or duplicates post-cleaning | 4,004 | 36,841 |
| Net: total sample with contact details | 55,732 | 165,698 |
| Sample with contact details left in reserve | 26,492 | 157,398 |
| Net: total sample used (i.e. excluding any left in reserve) | 29,240 | 8,300 |
| Unresponsive numbers | 11,080 | 2,042 |
| Refusals | 5,498 | 976 |
| Unusable leads with working numbers | 8,720 | 3,694 |
| Unusable numbers | 747 | 218 |
| Ineligible leads ‑ established during screener | 427 | 89 |
| Incomplete interviews | 656 | 196 |
| Net: completed interviews | 2,112 | 1,085 |
| Expected eligibility of screened respondents | 83% | 92% |
| Response rate | 7% | 13% |
| Response rate adjusted for unusable or ineligible records | 13% | 27% |
The fieldwork outcomes for state education institutions are shown in Table 2.8.
Table 2.8: Fieldwork outcomes and response rate calculations for state education institutions
| Outcome | Primary schools | Secondary schools | Further education | Higher education |
|---|---|---|---|---|
| Total selected from original sample frame | 20,831 | 4,222 | 342 | 175 |
| Sample without contact details or duplicates post-cleaning | 4,095 | 715 | 37 | 13 |
| Net: total sample with contact details | 16,736 | 3,507 | 305 | 162 |
| Sample with contact details left in reserve | 14,656 | 1,107 | 0 | 0 |
| Net: total sample used (i.e. excluding any left in reserve) | 2,080 | 2,400 | 305 | 162 |
| Unresponsive numbers | 1,097 | 1,167 | 144 | 63 |
| Refusals | 117 | 105 | 8 | 6 |
| Unusable leads with working numbers | 529 | 844 | 110 | 41 |
| Unusable numbers | 17 | 15 | 6 | 2 |
| Ineligible leads ‑ established during screener | 16 | 5 | 0 | 0 |
| Incomplete interviews | 31 | 42 | 4 | 1 |
| Net: completed interviews | 273 | 233 | 33 | 49 |
| Expected eligibility of screened respondents | 94% | 98% | 100% | 100% |
| Response rate | 13% | 9% | 11% | 30% |
| Response rate adjusted for unusable or ineligible records | 19% | 15% | 17% | 41% |
Notes on response rate calculations
The following points explain the specific calculations and assumptions involved in coming up with these response rates:
- Response rate = completed interviews / total sample used
- Response rate adjusted for unusable or ineligible records = completed interviews / (completed interviews + incomplete interviews + refusals expected to be eligible + any remaining unresponsive numbers expected to be eligible)
- Expected eligibility is calculated by taking completes as a proportion of completes + ineligible leads established during screener
- Refusals exclude “soft” refusals. This is where the respondent was hesitant about taking part, so our interviewers backed away and avoided a definitive refusal
- Unusable leads with working numbers are where there was communication difficulty making it impossible to carry out the survey (e.g. a bad line, or language difficulty), as well as numbers called 7 or more times over fieldwork without ever being picked up
- Unusable numbers are where the number was in a valid format, so was loaded into the main survey sample batches, but which turned out to be wrong numbers, fax numbers, household numbers or disconnected
- Unresponsive numbers account for sample that had a working telephone number, but where the respondent was unreachable or unavailable for an interview during the fieldwork period, so eligibility could not be assessed
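As a worked check on these definitions, the following Python reproduces the figures in Tables 2.7 and 2.8 from the outcome counts. This is an added example for this annex, not Ipsos' own processing code; the outcome counts are copied from the tables above and percentages are rounded to the nearest whole number.

```python
"""Worked reproduction of the response-rate definitions in this section.

Added illustration, not Ipsos' processing code. Outcome counts are copied from
Tables 2.7 and 2.8 above.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldworkOutcomes:
    """Final fieldwork outcome counts for one sample group."""
    total_sample_used: int   # net sample used, excluding records left in reserve
    unresponsive: int        # working number, but eligibility never established
    refusals: int            # definitive refusals only ("soft" refusals excluded)
    ineligible: int          # screened out (e.g. sole traders, public sector)
    incomplete: int          # interview started but not finished
    completed: int


def expected_eligibility(o: FieldworkOutcomes) -> float:
    """Completes as a proportion of completes plus leads screened out as ineligible."""
    return o.completed / (o.completed + o.ineligible)


def response_rate(o: FieldworkOutcomes) -> float:
    """Unadjusted rate: completed interviews over all sample records actually used."""
    return o.completed / o.total_sample_used


def adjusted_response_rate(o: FieldworkOutcomes) -> float:
    """Rate after removing unusable records and discounting refusals and
    unresponsive numbers by the share of them expected to have been eligible."""
    elig = expected_eligibility(o)
    denominator = o.completed + o.incomplete + (o.refusals + o.unresponsive) * elig
    return o.completed / denominator


def summarise(o: FieldworkOutcomes) -> dict:
    """Whole-percentage figures in the form the tables report them."""
    return {
        "expected_eligibility": round(100 * expected_eligibility(o)),
        "response_rate": round(100 * response_rate(o)),
        "adjusted_response_rate": round(100 * adjusted_response_rate(o)),
    }


# Outcome counts copied from Tables 2.7 and 2.8.
BUSINESSES = FieldworkOutcomes(29_240, 11_080, 5_498, 427, 656, 2_112)
CHARITIES = FieldworkOutcomes(8_300, 2_042, 976, 89, 196, 1_085)
PRIMARY_SCHOOLS = FieldworkOutcomes(2_080, 1_097, 117, 16, 31, 273)
HIGHER_EDUCATION = FieldworkOutcomes(162, 63, 6, 0, 1, 49)

if __name__ == "__main__":
    groups = [("Businesses", BUSINESSES), ("Charities", CHARITIES),
              ("Primary schools", PRIMARY_SCHOOLS), ("Higher education", HIGHER_EDUCATION)]
    for name, group in groups:
        print(name, summarise(group))
```

Running the block prints 83%, 7% and 13% for businesses and 92%, 13% and 27% for charities, which is what Table 2.7 reports; the point of the exercise is that the adjusted rate discounts refusals and unresponsive numbers by the eligibility observed among those who were actually screened.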
Response rates post-COVID-19 and expected negligible impact on the survey reliability
The adjusted response rates for all the sampled groups, outside of higher education institutions, are lower than in earlier iterations of this study, that took place before the COVID-19 pandemic. For example, the adjusted response rates for the last survey in this series that took place before the pandemic (CSBS 2020) were 27% for businesses and 45% for charities.
The lower response rates compared to historic years are likely to be due to a combination of unique circumstances, including:
- the hybrid working conditions adopted by many organisations since the pandemic
- the ongoing challenge of declining response rates in telephone survey fieldwork in general, including in business surveys specifically
More generally, there has been an increasing awareness of cyber security, potentially making businesses more reticent to take part in surveys on this topic.
Furthermore, the increase in the survey length, from c.17 minutes in 2020 and earlier iterations to just under 23 minutes from 2023 onwards, is also expected to have reduced the response rate: interviewers must mention the average length to respondents when they introduce the survey, and respondents are naturally less inclined to take part in longer interviews.
It is also likely that the running of three other DSIT surveys in parallel to CSBS 2025/2026 may have impacted the performance of this survey. Ipsos undertook the fieldwork for both the Cyber Security Longitudinal Survey and the Cyber security skills in the UK labour market survey[footnote 29], which both ran between July and October 2025. Whilst every effort was made to keep the samples between these jobs independent, in some groups with a small population, such as large businesses, this was not possible. Organisations that were sampled for more than one of these surveys may have been contacted for Cyber Security Breaches Survey after being contacted for one of the other surveys and may have been less likely to take part as a result.
However, it is important to remember that response rates are not a direct measure of non-response bias in a survey, but only a measure of the potential for non-response bias to exist. Previous research into response rates, mainly with consumer surveys, has indicated that they are often poorly correlated with non-response bias.[footnote 30]
2.6 Data processing and weighting
Editing and data validation
There were a number of logic checks in the CATI script, which checked the consistency and likely accuracy of answers estimating costs and time spent dealing with breaches. If respondents gave unusually high or low answers at these questions relative to the size of their organisation, the interviewer would read out the response they had just recorded and double-check this is what the respondent meant to say. This meant that, typically, minimal work was needed to manually edit the data post fieldwork.
Nonetheless, individual outliers or errors in the data can heavily affect cyber breach cost and frequency estimates. Therefore, the research team manually checked the final data at these variables for outliers. For each cost and frequency question where numerical data was collected, the data was sorted in descending order in an Excel export of the SPSS file to identify unusually high or low and therefore potentially illegitimate responses. The definition of unusually high or low was purposive rather than based on a specific threshold to ensure that all potential outliers were considered.
A total of 5 potential outliers or errors were flagged as warranting further investigation. The recordings of these interviews were listened back to in order to assess whether the answer recorded in the data was accurate, and the answers were then cross-referenced against business size and charity turnover (where relevant), as well as against other answers provided in the survey. Our findings were flagged to DSIT and the Home Office, so they could have the final say as to whether we kept these responses in or edited them.
This year, we made edits to the responses of 2 organisations, as detailed below:
- At tkvrcount (number of takeover breaches or attacks that were separate from instances of fraud or ransomware) an organisation (medium business) had given a high response that we were unable to validate after listening back to the interviews and the decision was made to edit this response at tkvrcount to ‘Don’t know’.
- A large business gave a series of high responses to questions around hacking attempts, takeover attempts, denial of service cost and cost of the most disruptive breach. It appeared that on a number of occasions the organisation had reached the threshold cap for the highest value for the question. After listening back to the recording of the interview it appeared the organisation had encountered a high number of hacking attempts and had suffered an extremely high-cost attack which had resulted in downtime for the business and lost revenue. On this basis, the following edits were made to this organisation’s responses:
- At hackcount (number of hacking breaches or attacks that were separate from instances of fraud or ransomware) their answer was edited to a higher value
- At tkvrcount (number of takeover breaches or attacks that were separate from instances of fraud or ransomware) their answer was edited to a higher value
- At doscosta (cost of denial of service attack) their answer was edited to a higher value
- At damageind (approximate cost of any damage or disruption during the incident) their answer was edited to a higher value
The final SPSS data uploaded to the UK Data Archive will reflect the above edits.
Missing cases at Q88A_FRAUD
During the Cyber Security Breaches Survey 2025/2026, a scripting error at code D (fraud3) for Q88A_FRAUD (how many times, if at all, any of these cyber security breaches or attacks resulted in the organisation paying or transferring money to the attackers based on fraudulent information) resulted in 493 respondents not being asked this question and the associated downstream questions. The immediate remedy was to deploy a callback script to re-contact these respondents and administer the missing questions. This process recovered most cases (72%), and their missing answers were merged back into the dataset. However, 140 respondents had either declined to be called back or could not be reached by Ipsos telephone interviewers.
Ipsos considered imputation of responses to the relevant variables, which would involve replacing missing responses with plausible values inferred from observed data. The primary drawback of applying imputation in this instance was the risk of introducing bias into the survey data, given that it would require assumptions about the missing responses that may not hold true. In addition, the expected benefit was felt to be negligible. The affected questions had very low prevalence (for example 7 in 1,000 respondents overall and less than 1 in the missing sample of 140), meaning imputation would largely preserve the observed distribution, so headline percentages and the narrative would remain unchanged. Based on these factors, Ipsos, DSIT and the Home Office agreed that imputation would not be applied.
Following internal review and consultation with DSIT and the Home Office, it was agreed that the remaining missing cases would be kept within the final CSBS datasets and denoted with a new flag variable (“fraud3_missingcase”). This allows missing cases at the fraud3 variable and the associated downstream variables to be identified straightforwardly, and differentiated from cases missing for any other reason.
Ipsos will report results for CSBS 2025/2026 based on the valid achieved sample and the final SPSS data uploaded to the UK Data Archive will reflect the above edits.
Coding
The verbatim responses to unprompted questions could be coded as “other” by interviewers when they did not appear to fit into the predefined code frame. These “other” responses were coded manually by Ipsos’ coding team, and where possible, were assigned to codes in the existing code frame. It was also possible for new codes to be added where enough respondents (10% or more) had given a similar answer outside of the existing code frame. The Ipsos research team verified the accuracy of the coding, by checking and approving each new code proposed.
The code frame between 2024/2025 and 2025/2026 has remained largely consistent. One new code was added for the 2025/2026 survey:
- ‘Changed supplier’ was added as code 25 to Q78_PREVENT
We did not undertake SIC coding. Instead, the SIC 2007 codes that were already in the Market Location sample were used to assign businesses to a sector for weighting and analysis purposes. The 2022/2023 survey had overwhelmingly found the SIC 2007 codes in the sample to be accurate, so this practice was carried forward to subsequent surveys.
Weighting
The education institutions samples are unweighted. Since they were sampled through a simple random sample approach, there were no sample skews to be corrected through weighting.
For the business and charities samples, we applied random iterative method (rim) weighting for two reasons. Firstly, to account for non-response bias where possible. Secondly, to account for the disproportionate sampling approaches, which purposely skewed the achieved business sample by size, sector and region, and the charities sample by income band. The weighting makes the data representative of the actual UK business and registered charities populations.
Rim weighting is a standard weighting approach undertaken in business surveys of this nature, because it allows you to weight your sample to represent a wider population using multiple variables. In cases where the weighting variables are strongly correlated with each other, it is potentially less effective than other methods, such as cell weighting. However, this is not the case here.
The population profile data came from the Department for Business and Trade Business Population Estimates 2025 (Tables 1-9).
Non-interlocking rim weighting by income band and country was undertaken for charities. The population profile data for these came from the respective charity regulator databases.
For both businesses and charities, interlocking weighting was also possible, but was ruled out as it would have potentially resulted in very large weights. This would have reduced the statistical power of the survey results, without making any considerable difference to the weighted percentage scores at each question.
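To make the weighting procedure concrete, the following Python implements non-interlocking rim weighting (iterative proportional fitting, or raking) on a small constructed sample and reports the Kish weighting efficiency, the quantity that very large weights drive down. This is an added example, not Ipsos' weighting syntax; the sample records and target proportions are constructed for illustration and do not come from the survey or the Business Population Estimates.

```python
"""Non-interlocking rim weighting (iterative proportional fitting, or raking).

Added illustration, not Ipsos' weighting syntax. Each pass scales the weights
so one variable's weighted profile matches its target; passes repeat until
every margin fits. Weights are scaled to sum to the achieved sample size.
"""
from collections import defaultdict


def weighted_margins(records, weights, var):
    """Weighted count of respondents in each category of `var`."""
    totals = defaultdict(float)
    for rec, w in zip(records, weights):
        totals[rec[var]] += w
    return dict(totals)


def rim_weight(records, targets, max_iter=1000, tol=1e-12):
    """Return one weight per record so each variable's profile matches `targets`.

    targets maps variable -> {category: population proportion}. Every target
    category must have at least one respondent (otherwise merge categories),
    and every respondent category must have a target.
    """
    n = len(records)
    for var, target in targets.items():
        present = {rec[var] for rec in records}
        if present != set(target):
            raise ValueError(f"{var}: sample categories {present} differ from target {set(target)}")
        if abs(sum(target.values()) - 1.0) > 1e-9:
            raise ValueError(f"{var}: target proportions must sum to 1")
    weights = [1.0] * n
    for _ in range(max_iter):
        worst = 0.0
        for var, target in targets.items():
            achieved = weighted_margins(records, weights, var)
            # Scale each category so its weighted share equals the population share.
            factor = {cat: target[cat] * n / achieved[cat] for cat in target}
            weights = [w * factor[rec[var]] for rec, w in zip(records, weights)]
            worst = max(worst, max(abs(f - 1.0) for f in factor.values()))
        if worst < tol:   # every margin already fitted: converged
            break
    return weights


def kish_efficiency(weights):
    """Effective sample size as a share of the actual sample size (1.0 = no loss).

    Very unequal weights push this down; that loss of statistical power is why
    interlocking weighting was ruled out."""
    s1 = sum(weights)
    s2 = sum(w * w for w in weights)
    return s1 * s1 / (len(weights) * s2)


# Constructed sample of 12 records, deliberately over-sampling larger organisations.
SAMPLE = (
    [{"size": "micro", "country": "England"}] * 4
    + [{"size": "micro", "country": "Scotland"}]
    + [{"size": "micro", "country": "Wales"}]
    + [{"size": "small", "country": "England"}] * 2
    + [{"size": "small", "country": "Scotland"}]
    + [{"size": "medium", "country": "England"}] * 2
    + [{"size": "medium", "country": "Wales"}]
)
# Constructed population proportions (not the real Business Population Estimates).
TARGETS = {
    "size": {"micro": 0.81, "small": 0.16, "medium": 0.03},
    "country": {"England": 0.85, "Scotland": 0.08, "Wales": 0.07},
}

if __name__ == "__main__":
    w = rim_weight(SAMPLE, TARGETS)
    for var in TARGETS:
        print(var, {k: round(v / len(SAMPLE), 3) for k, v in weighted_margins(SAMPLE, w, var).items()})
    print("Kish efficiency:", round(kish_efficiency(w), 3))
```

Because the weighting is non-interlocking, only the size and country margins are constrained; the weighted size-by-country cells are left to fall where the iteration puts them, which is what keeps individual weights smaller than an interlocking scheme would produce.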
Table 2.9 and Table 2.10 show the unweighted and weighted profiles of the final data. The percentages are rounded so do not always add to 100%.
Table 2.9: Unweighted and weighted sample profiles for business interviews
| | Unweighted % | Weighted % |
|---|---|---|
| Size | | |
| Micro (1-9 employees) | 55% | 81% |
| Small (10-49 employees) | 24% | 16% |
| Medium (50-249 employees) | 14% | 3% |
| Large (250+ employees) | 7% | 1% |
| Sector | | |
| Agriculture, forestry or fishing | 3% | 4% |
| Administration or real estate | 15% | 12% |
| Construction | 12% | 14% |
| Education | 2% | 2% |
| Entertainment, service or membership organisations | 8% | 7% |
| Finance or insurance | 5% | 2% |
| Food or hospitality | 9% | 10% |
| Health, social care or social work | 5% | 5% |
| Information and communication | 4% | 5% |
| Professional, scientific or technical | 10% | 13% |
| Retail or wholesale (including vehicle sales or repairs) | 14% | 17% |
| Transport or storage | 4% | 3% |
| Utilities or production (including manufacturing) | 10% | 7% |
| Region | | |
| North East | 4% | 3% |
| North West | 7% | 10% |
| Yorkshire and the Humber | 7% | 7% |
| East Midlands | 6% | 7% |
| West Midlands | 8% | 8% |
| East of England | 10% | 10% |
| London | 12% | 18% |
| South East | 14% | 15% |
| South West | 10% | 9% |
| Wales | 8% | 4% |
| Scotland | 7% | 7% |
| Northern Ireland | 7% | 3% |
Table 2.10: Unweighted and weighted sample profiles for charity interviews
| | Unweighted % | Weighted % |
|---|---|---|
| Income band | | |
| £0 to under £10,000 | 26% | 38% |
| £10,000 to under £100,000 | 20% | 36% |
| £100,000 to under £500,000 | 23% | 17% |
| £500,000 to under £5 million | 17% | 7% |
| £5 million or more | 14% | 2% |
| Country | | |
| England and Wales | 79% | 84% |
| Scotland | 17% | 12% |
| Northern Ireland | 4% | 4% |
2.7 SPSS data uploaded to UK Data Archive
A de-identified SPSS dataset from this survey is being published on the UK Data Archive to enable further analysis. The variables are largely consistent with those in the previously archived dataset (from 2024/2025), outside of new questions added for 2025/2026.
Due to the extent of changes at the Q64B_DISRUPTPHISH question, with all of the questionnaire codes changing since 2024/2025, the names of the variables relating to this question in the SPSS file have been changed from ‘disruptphish’ to ‘disruptphishb’.
Mapping of 10 Steps guidance
As noted in Section 2.1, Ipsos engaged Professor Steven Furnell from the University of Nottingham in July 2022 to review how the questionnaire was mapped to the government’s 10 Steps to Cyber Security guidance, and suggest a more accurate and robust mapping. The 10 Steps mapping remains consistent with iterations of the survey since 2022/2023 and is outlined in Table 2.11.
Table 2.11: Mapping of the questionnaire to the 10 Steps to Cyber Security guidance
| Step in SPSS | Current step description and mapping |
|---|---|
| Step1 | Risk management ‑ organisation have undertaken a cyber security risk assessment (IDENT4) |
| Step2 | Engagement and training ‑ staff receive cyber security training (TRAINED) |
| Step3 | Asset management ‑ organisations have a list of their critical assets (MANAGE8) |
| Step4 | Architecture and configuration ‑ organisations have at least 3 of the following: up-to-date malware protection (RULES2); firewalls that cover your entire IT network, as well as individual devices (RULES3); restricting IT admin and access rights to specific users (RULES4); security controls on organisation-owned devices (e.g. laptops) (RULES7); only allowing access via organisation-owned devices (RULES8); separate WiFi networks for staff and for visitors (RULES9); specific rules for storing and moving personal data files securely (RULES15); a virtual private network, or VPN, for staff connecting remotely (RULES18) |
| Step5 | Vulnerability management ‑ organisations have policy to apply software security updates within 14 days (RULES1) |
| Step6 | Identity and access management ‑ organisations have any requirement for two-factor authentication when people access the organisation’s network, or for applications they use (RULES20) |
| Step7 | Data security ‑ organisations have cloud backups (RULES13) or other kinds of backups (RULES14) |
| Step8 | Logging and monitoring ‑ organisations fulfil at least 1 of the following criteria: used specific tools designed for security monitoring, such as Intrusion Detection Systems (IDENT11); any monitoring of user activity (RULES5) |
| Step9 | Incident management ‑ organisations have a formal incident response plan (INCIDCONTENT1) or at least 3 of the following: written guidance on who to notify of breaches (INCIDCONTENT2); roles or responsibilities assigned to specific individuals during or after an incident (INCIDCONTENT3); external communications and public engagement plans (INCIDCONTENT6); guidance around when to report incidents externally, e.g. to regulators or insurers (INCIDCONTENT11) |
| Step10 | Supply chain security ‑ organisations have taken actions to manage the cyber risks from their immediate suppliers (SUPPLYRISK1) or wider supply chain (SUPPLYRISK2) |
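Table 2.11 defines Step1 to Step10 as rules over the questionnaire variables. The following Python is an added example, not the published SPSS syntax, that derives the step flags from a single respondent's answers in the way the table describes; consistent with the note later in this chapter on the binary variables, a ‘don’t know’ answer counts as not meeting a criterion. The two respondent records and the `steps_met` count are constructed for illustration and are not survey variables.

```python
"""Deriving the 10 Steps flags (Step1 to Step10) from a respondent's answers.

Added illustration following Table 2.11; not the published SPSS syntax.
Answers are 'yes', 'no' or 'dk' (don't know); anything other than 'yes'
counts as not meeting the criterion, so 'don't know' folds into 'no'.
"""

STEP4_CONTROLS = ["RULES2", "RULES3", "RULES4", "RULES7",
                  "RULES8", "RULES9", "RULES15", "RULES18"]
STEP9_ELEMENTS = ["INCIDCONTENT2", "INCIDCONTENT3",
                  "INCIDCONTENT6", "INCIDCONTENT11"]


def is_yes(resp, var):
    """True only for an explicit 'yes'; missing and 'dk' count as 'no'."""
    return resp.get(var) == "yes"


def count_yes(resp, variables):
    return sum(is_yes(resp, v) for v in variables)


def derive_steps(resp):
    """Return the ten binary step flags (1 = criterion met) plus a count of steps met."""
    steps = {
        "Step1": is_yes(resp, "IDENT4"),                        # risk assessment undertaken
        "Step2": is_yes(resp, "TRAINED"),                       # staff receive training
        "Step3": is_yes(resp, "MANAGE8"),                       # list of critical assets
        "Step4": count_yes(resp, STEP4_CONTROLS) >= 3,          # 3+ technical controls
        "Step5": is_yes(resp, "RULES1"),                        # security updates within 14 days
        "Step6": is_yes(resp, "RULES20"),                       # any two-factor authentication
        "Step7": is_yes(resp, "RULES13") or is_yes(resp, "RULES14"),   # cloud or other backups
        "Step8": is_yes(resp, "IDENT11") or is_yes(resp, "RULES5"),    # monitoring tools or user monitoring
        "Step9": is_yes(resp, "INCIDCONTENT1")
                 or count_yes(resp, STEP9_ELEMENTS) >= 3,       # formal plan or 3+ elements
        "Step10": is_yes(resp, "SUPPLYRISK1") or is_yes(resp, "SUPPLYRISK2"),  # supplier risk actions
    }
    out = {k: int(v) for k, v in steps.items()}
    out["steps_met"] = sum(out.values())   # added convenience count, not a survey variable
    return out


ALL_VARS = (["IDENT4", "TRAINED", "MANAGE8", "RULES1", "RULES20", "RULES13",
             "RULES14", "IDENT11", "RULES5", "INCIDCONTENT1", "SUPPLYRISK1",
             "SUPPLYRISK2"] + STEP4_CONTROLS + STEP9_ELEMENTS)

# Constructed respondents: one meeting everything, one with a mixed profile.
FULL_RESPONDENT = {v: "yes" for v in ALL_VARS}
PARTIAL_RESPONDENT = {
    "IDENT4": "yes", "TRAINED": "dk",
    "RULES2": "yes", "RULES3": "yes",            # only 2 of the Step4 controls
    "RULES14": "yes",                            # non-cloud backups
    "INCIDCONTENT1": "dk",                       # no confirmed formal plan...
    "INCIDCONTENT2": "yes", "INCIDCONTENT3": "yes", "INCIDCONTENT11": "yes",  # ...but 3 elements
    "SUPPLYRISK2": "no",
}

if __name__ == "__main__":
    print(derive_steps(FULL_RESPONDENT))
    print(derive_steps(PARTIAL_RESPONDENT))
```

The partial respondent illustrates the two threshold rules: two Step4 controls are not enough for Step4, while three Step9 elements satisfy Step9 even though the formal-plan answer was ‘don’t know’.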
Organisation size variables
There are two organisation size variables: a numeric variable (SIZEA) and a banded variable (SIZEB). The banded variable in the SPSS dataset does not include the highest band from the questionnaire (1,000 or more employees) because no analysis is carried out on this group. Instead, it is merged into an overall large business (250 or more employees) size band, which is used across the published report.
Sector grouping before the 2018/2019 survey
In the SPSS datasets for 2015/2016 to 2017/2018, an alternative sector variable (sector_comb1) was included. This variable grouped some sectors together in a different way, and was less granular than the updated sector variable (sector_comb2). Specifically:
- “education” and “health, social care or social work” were merged together, rather than being analysed separately
- “information and communication” and “utilities” were merged together, whereas now “utilities” and “manufacturing” are merged together
The previous grouping reflected how we used to report on sector differences before the 2018/2019 survey. As this legacy variable has not been used in the report for the last two years, we have stopped including it in the SPSS dataset, in favour of the updated sector variable.
Derived financial cost estimates for cyber security breaches and attacks
For the questions in the survey estimating the financial costs of an organisation’s most disruptive breach or attack (DAMAGEDIRSX, DAMAGEDIRLX, DAMAGESTAFFX, DAMAGEINDX), respondents were asked to give either an approximate numeric response or, if they did not know, then a banded response. The vast majority of those who gave a response gave numeric responses (after excluding refusals and those saying there was no cost incurred).
We agreed with DSIT from the outset of the survey that for those who gave banded responses, a numeric response would be imputed, in line with all previous surveys in the series. This ensures that no survey data goes unused and also allows for larger sample sizes for these questions.
To impute numeric responses, syntax was applied to the SPSS dataset which:
- calculated the mean amount within a banded range for respondents who had given numeric responses (e.g. a £200 mean amount for everyone giving an answer between £100 and £500)
- applied this mean amount as the imputed value for all respondents who gave the equivalent banded response (i.e. £200 would be the imputed mean amount for everyone not giving a numeric response but saying “£100 to less than £500” as a banded response)
Often in these cases, a common alternative approach is to take the mid-point of each banded response and use that as the imputed value (i.e. £300 for everyone saying “£100 to less than £500”). It was decided against doing this for these specific questions, given that the mean responses within a banded range have tended to cluster towards the bottom of the band over the years. This suggested that imputing values based on mid-points would slightly overestimate the true values across respondents.
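The band-mean imputation described above, alongside the mid-point alternative it was compared against, as an added Python example (not the SPSS syntax Ipsos applied). The band edges, numeric responses and banded choices are constructed for illustration; with these constructed responses the band mean for “£100 to less than £500” works out at £200, matching the illustration in the text. Where a band contains no numeric responders, the example falls back to the mid-point, which is an assumption of this example rather than something the annex states.

```python
"""Imputing a numeric cost for respondents who could only give a banded answer.

Added illustration, not the SPSS syntax used on the survey. Band edges are
lower-inclusive, upper-exclusive; an upper edge of None marks the open top band.
"""
from statistics import mean

# Constructed band edges in pounds, e.g. index 1 is "£100 to less than £500".
BANDS = [(0, 100), (100, 500), (500, 1_000), (1_000, 5_000), (5_000, None)]

# Constructed numeric responses from respondents who gave an exact figure.
NUMERIC_RESPONSES = [40, 120, 150, 180, 250, 300, 700, 2_000]

# Constructed banded responses (band indices) from respondents who could not.
BANDED_RESPONSES = [1, 1, 3, 4]


def band_of(amount, bands=BANDS):
    """Index of the band an exact amount falls into."""
    for i, (lo, hi) in enumerate(bands):
        if amount >= lo and (hi is None or amount < hi):
            return i
    raise ValueError(f"amount {amount} is outside every band")


def band_means(numeric_responses, bands=BANDS):
    """Mean exact response within each band; None where nobody gave an exact figure."""
    groups = {i: [] for i in range(len(bands))}
    for amount in numeric_responses:
        groups[band_of(amount, bands)].append(amount)
    return {i: (mean(v) if v else None) for i, v in groups.items()}


def band_midpoints(bands=BANDS, top_band_value=None):
    """Mid-point of each closed band; the open top band takes a supplied value
    (None if no value is supplied)."""
    return {i: (top_band_value if hi is None else (lo + hi) / 2)
            for i, (lo, hi) in enumerate(bands)}


def impute(numeric_responses, banded_responses, method="band_mean",
           bands=BANDS, top_band_value=None):
    """Return an imputed numeric value for each banded response.

    method="band_mean" uses the mean of exact answers within the same band (the
    approach taken for the incident cost questions); method="midpoint" uses the
    band mid-point. A band with no exact answers falls back to its mid-point,
    which is an assumption of this example.
    """
    if method not in ("band_mean", "midpoint"):
        raise ValueError(f"unknown method {method!r}")
    mids = band_midpoints(bands, top_band_value)
    means = band_means(numeric_responses, bands) if method == "band_mean" else {}
    imputed = []
    for b in banded_responses:
        value = means.get(b)
        if value is None:
            value = mids[b]
        if value is None:
            raise ValueError(f"no imputable value for open band {b}; supply top_band_value")
        imputed.append(value)
    return imputed


if __name__ == "__main__":
    print("band means:", band_means(NUMERIC_RESPONSES))
    print("band-mean imputation:", impute(NUMERIC_RESPONSES, BANDED_RESPONSES, top_band_value=10_000))
    print("mid-point imputation:", impute(NUMERIC_RESPONSES, BANDED_RESPONSES,
                                          method="midpoint", top_band_value=10_000))
```

With the constructed data the band-mean approach imputes £200 where the mid-point approach would impute £300, which is the direction of the overestimate the text describes when exact responses cluster towards the bottom of a band.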
Derived cyber crime estimates (including numeric and financial cost estimates)
Since 2023/2024, the SPSS file has included a number of additional derived variables based on the cyber crime questions. Here is a brief description of each derived variable in the cyber crime section:
- Cybercrime_all ‑ the percentage of organisations that have experienced any cyber crime (i.e. excluding cyber-facilitated fraud)
- Cybercrime_allsum ‑ the total number of cyber crimes experienced (i.e. excluding cyber-facilitated fraud), rebased to only be amongst those that experienced cyber crimes
- Cybercrime_notphish ‑ the percentage of organisations that have experienced any cyber crime other than phishing (still excluding cyber-facilitated fraud)
- Cybercrime_notphishsum ‑ the total number of cyber crimes experienced, other than phishing (still excluding cyber-facilitated fraud), rebased to only be amongst those that experienced these cyber crimes
- Cybercrime_rans ‑ the percentage of organisations that have experienced cyber crime relating to ransomware
- Cybercrime_ranssum ‑ the total number of cyber crimes experienced relating to ransomware, rebased to only be amongst those that experienced these cyber crimes
- Cybercrime_virus ‑ the percentage of organisations that have experienced cyber crime relating to viruses or other malware
- Cybercrime_virussum ‑ the total number of cyber crimes experienced relating to viruses or other malware, rebased to only be amongst those that experienced these cyber crimes
- Cybercrime_hack ‑ the percentage of organisations that have experienced cyber crime relating to hacking
- Cybercrime_hacksum ‑ the total number of cyber crimes experienced relating to hacking, rebased to only be amongst those that experienced these cyber crimes
- Cybercrime_dos ‑ the percentage of organisations that have experienced cyber crime relating to denial of service attacks
- Cybercrime_dossum ‑ the total number of cyber crimes experienced relating to denial of service attacks, rebased to only be amongst those that experienced these cyber crimes
- crime_fraud ‑ the percentage of organisations that have experienced fraud as a result of cyber breaches or attacks
- crime_fraudsum ‑ the total number of frauds experienced as a result of cyber crime, rebased to only be amongst those that experienced these frauds
- Cybercrime_phish ‑ the percentage of organisations that have experienced cyber crime relating to phishing
- Cybercrime_phishsum ‑ the total number of cyber crimes experienced relating to phishing, rebased to only be amongst those that experienced these cyber crimes
- Extortion ‑ the percentage of organisations that have experienced any extortion (among those experiencing cyber crimes relating to unauthorised access, online takeovers or denial of service)
- Extortion_sum ‑ the total number of extortion events, rebased to only be amongst those that experienced cyber crimes relating to unauthorised access, online takeovers or denial of service
- hacksumcost_bands ‑ the total cost of criminal hacking and online takeovers in the last 12 months assigned to bands and rebased to only be amongst those that provided a cost estimate for any relevant cyber crime experienced
- phishcost_bands ‑ the total cost of phishing attacks to the organisation
- notfraudcost_bands ‑ the total cost of all cyber crimes (i.e. excluding cyber-facilitated fraud) assigned to bands and rebased to only be amongst those that provided a cost estimate for any relevant cyber crime experienced
- fraudcost_bands ‑ the total cost of fraud that occurred as a result of cyber breaches or attacks assigned to bands
- crimecost_bands ‑ the total cost of all crimes (including cyber-facilitated fraud) assigned to bands and rebased to only be amongst those that provided a cost estimate for any crime experienced
- notfraudORphishcost_num ‑ the total cost of all cyber crimes excluding cyber-facilitated fraud and phishing cyber crime costs
- notfraudORphishcost_bands ‑ the total cost of all cyber crimes excluding cyber-facilitated fraud and phishing cyber crime costs assigned to bands and rebased to only be amongst those that provided a cost estimate for any relevant cyber crime experienced
- crimecost_notphish_num ‑ the total cost of all cyber crimes including cyber-facilitated fraud but excluding phishing cyber crime costs
- crimecost_notphish_bands ‑ the total cost of all cyber crimes including cyber-facilitated fraud but excluding phishing cyber crime costs assigned to bands and rebased to only be amongst those that provided a cost estimate for any relevant cyber crime experienced
Please note that, as in previous waves of the survey, the variables listed below have ‘yes’ and ‘no’ binary categories. The ‘no’ category includes those that gave either a ‘no’ or a ‘don’t know’ response; whether a given respondent answered ‘no’ or ‘don’t know’ can be found in other variables in the SPSS file:
- Cybercrime_all
- Cybercrime_notphish
- Cybercrime_rans
- Cybercrime_virus
- Cybercrime_hack
- Cybercrime_dos
- crime_fraud
- Cybercrime_phish
- Extortion
- type_comb1
- type_comb2
- prevent_comb4
- AllEssentials
- Step1
- Step2
- Step3
- Step4
- Step5
- Step6
- Step7
- Step8
- Step9
- Step10
- Any10Steps
For the numeric and financial cost estimates for cyber crime, respondents were also able to give a banded response if they could not provide an exact answer. We have opted to impute the numeric or financial value for these questions by taking the mid-point of each banded response (or the specific value mentioned in the top band). This is different from the cyber incident cost estimates, which impute the average value within the band. The sample of cyber crime cost estimates is much lower, so there is not enough data to impute average values within bands. In other words, it is simply not possible to use anything other than the mid-point values.
Redaction of financial cost estimates in published SPSS data
No numeric cost variables will be included in the published SPSS dataset, both for the cyber incident (DAMAGE) questions and the crime (COSTA) questions. This was agreed to prevent any possibility of individual organisations being identified. Instead, all variables related to spending and cost figures will be banded, including the imputed values (laid out in the previous section). These banded variables include:
- damagedirsx_bands
- damagedirlx_bands
- damagestaffx_bands
- damageindx_bands
- damage_bands
- ransdem_bands
- ranspay_bands
- ranscost_bands
- viruscost_bands
- hackcost_bands
- tkvrcost_bands
- doscost_bands
- fraudcost_bands2
- hacksumcost_bands
- phishcost_bands
- notfraudcost_bands
- fraudcost_bands
- crimecost_bands
- notfraudORphishcost_bands
- crimecost_notphish_bands
In addition, the following merged or derived variables will be included:
- ext_report
- scheme_any
- supplyrisk_any
- supplycert_any
- type6x
- morethanphish
- disruptax
- update_comb3
- rules_comb3
- impact_any
- info_comb9
- comply_comb1
- comply_comb2
No region groupings are included for any organisation to avoid the risk of identification of these organisations when triangulated against other variables.
Missing values
We have treated missing values consistently each year.
- For most non-cost data, only respondents that did not answer a question are treated as missing, and allocated a value of -1. That means that all responses, including “don’t know” (a value of -97) and “refused” responses (-99) are counted in the base and in any descriptive statistics.
- For all cost data, i.e. damagedirs through to cost_bands, and some frequency data such as the number of instances of fraud, the “don’t know” (-97) and “refused” (-99) responses are treated as missing. Practically, this means that any analysis run on these variables systematically excludes “don’t know” and “refused” responses from the base. In other words, this kind of analysis (e.g. analysis to show the mean cost or median cost) only uses the respondents that have given a numeric or banded cost.
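As an added illustration, not part of the report or its SPSS processing, the script below applies the two rules described above to constructed records: mid-point imputation for banded cyber crime costs (with the stated value used in the open top band) and the different missing-value treatment for cost and non-cost variables. Only the -1/-97/-99 codes come from the annex; the band boundaries, function names and sample rows are assumptions made up for this example.

```python
"""Added example (not from the CSBS report): banded cost imputation and
missing-value handling as described in the technical annex.

Assumptions (not on the page): band boundaries, function names and the
sample rows are constructed; only the -1/-97/-99 codes come from the annex.
"""
from statistics import mean, median

# Missing-value codes as documented in the annex.
NOT_ASKED = -1    # respondent did not answer / was not asked
DONT_KNOW = -97
REFUSED = -99

# Constructed cost bands (lower, upper) in pounds. The real survey bands are
# not reproduced on this page. The top band is open-ended, so the annex uses
# the specific value the respondent mentioned rather than a mid-point.
COST_BANDS = {
    1: (0, 100),
    2: (100, 1_000),
    3: (1_000, 10_000),
    4: (10_000, None),  # open top band
}


def impute_cost(exact, band_code=None, top_band_value=None):
    """Return the imputed numeric cost for a cyber crime cost question.

    - An exact numeric answer is used as given.
    - A banded answer is imputed as the band mid-point (the annex's rule
      for cyber crime costs; incident costs use within-band averages).
    - In the open top band the specific value mentioned is used.
    - Don't know / refused keep their codes so they can be excluded later.
    """
    if exact is not None and exact >= 0:
        return float(exact)
    if exact in (DONT_KNOW, REFUSED):
        return float(exact)
    if band_code in COST_BANDS:
        lo, hi = COST_BANDS[band_code]
        if hi is None:
            # Open top band without a stated value: nothing usable, treat as
            # don't know so it drops out of the cost base.
            return float(DONT_KNOW) if top_band_value is None else float(top_band_value)
        return (lo + hi) / 2
    return float(NOT_ASKED)


def cost_base(values):
    """Cost data: -1, don't know and refused are all treated as missing."""
    return [v for v in values if v not in (NOT_ASKED, DONT_KNOW, REFUSED)]


def non_cost_base(values):
    """Non-cost data: only -1 is missing; don't know and refused stay in the base."""
    return [v for v in values if v != NOT_ASKED]


# Constructed respondents: (exact_cost, band_code, top_band_value)
SAMPLE_COSTS = [
    (250, None, None),        # exact answer
    (None, 2, None),          # band 2 -> mid-point 550
    (None, 4, 25_000),        # open top band -> stated value 25,000
    (DONT_KNOW, None, None),  # excluded from cost statistics
    (REFUSED, None, None),    # excluded from cost statistics
    (None, None, None),       # not asked
]


def cost_summary(rows=SAMPLE_COSTS):
    """Mean and median cost over the rebased (cost) base only."""
    imputed = [impute_cost(*row) for row in rows]
    base = cost_base(imputed)
    return {"base": len(base), "mean": mean(base), "median": median(base)}


# Constructed answers to a yes/no question: 1 = yes, 2 = no, plus the codes.
SAMPLE_YESNO = [1, 1, 2, DONT_KNOW, REFUSED, NOT_ASKED, 1]


def share_yes(values=SAMPLE_YESNO):
    """Percentage answering 'yes', with DK/refused kept in the base per the annex."""
    base = non_cost_base(values)
    return round(100 * sum(1 for v in base if v == 1) / len(base), 1)


if __name__ == "__main__":
    print(cost_summary())  # base of 3: the DK, refused and not-asked rows drop out
    print(share_yes())     # base of 6: only the not-asked row drops out
```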
Rounding differences between the SPSS dataset and published data
If running analysis on weighted data in SPSS, users must be aware that the default setting of the SPSS crosstabs command does not handle non-integer weighting in the same way as typical survey data tables.[footnote 31] Users may, therefore, see very minor differences in results between the SPSS dataset and the percentages in the main release, which consistently use the survey data tables. These should be differences of no more than one percentage point and only occur on rare occasions.
Chapter 3: Qualitative approach technical details
The qualitative strand of this research covered all the sampled groups from the survey. We conducted 44 in-depth interviews overall, the same as in 2024/2025.
3.1 Sampling
We took the sample for all 44 in-depth interviews from the quantitative survey. We asked respondents during the survey whether they would be willing to be recontacted specifically to take part in a further 60-minute interview on the same topic. Table 3.1 shows the proportion of respondents from each group that agreed to be recontacted, the total recontact sample available, and the qualitative interviews undertaken with each group.
Table 3.1: Summary of qualitative sample counts and interviews
| Sample group | Achieved quantitative interviews | Permission for recontact | Recontact sample | Achieved qualitative interviews |
|---|---|---|---|---|
| Businesses | 2,112 | 61% | 1,293 | 19 |
| Charities | 1,085 | 67% | 723 | 11 |
| Primary schools | 273 | 64% | 176 | 3 |
| Secondary schools | 222 | 64% | 143 | 4 |
| Further education | 33 | 79% | 26 | 1 |
| Higher education | 49 | 78% | 38 | 6 |
3.2 Recruitment quotas and screening
We carried out recruitment for the qualitative element by email and telephone, using the contact details collected in the survey, and via a specialist business recruiter. We offered a high street voucher or charity donation of £50 made on behalf of participants to encourage participation.
We used recruitment quotas to ensure that interviews included a mix of different sizes, sectors and regions for businesses, and different charitable areas, income bands and countries for charities. We also had further quotas based on the responses in the quantitative survey, reflecting the topics to be discussed in the interviews. These ensured we spoke to a range of organisations that had:
- a formal cyber security strategy
- deemed cyber security as a lower priority
- adopted specific cyber security standards or accreditations
- formally reviewed supply chain cyber security risks (including for immediate suppliers and their wider supply chain)
- some form of incident response planning
- would take at least one action if experiencing a cyber security incident
- currently used AI
- currently did not encrypt or anonymise personal data
- reported costs from their most disruptive cyber security breach
These were all administered as soft rather than hard quotas. This meant that the recruiter aimed to recruit a minimum number of participants in each group, and could exceed these minimums, rather than having to reach a fixed number of each type of respondent.
We also briefed the recruiter to carry out a further qualitative screening process of participants, to check that they felt capable of discussing at least some of the broad topic areas covered in the topic guide (laid out in the following section). The recruiter probed participants’ job titles, job roles, and gave them some further information about the topic areas over email. The intention was to screen out organisations that might have been willing to take part but would have had little to say on these topics.
3.3 Fieldwork
The Ipsos research team carried out all fieldwork from October to November 2025. We conducted the 44 interviews through a mix of telephone and Microsoft Teams calls. Interviews lasted around 60 minutes on average.
DSIT and the Home Office originally laid out their topics of interest for the 2025/2026 study. Ipsos then drafted the interview topic guide around these topics, which was reviewed and approved by both departments. The qualitative topic guide has changed slightly each year, in order to respond to the new findings that emerge from each year’s quantitative survey. The intention is for the qualitative research to explore new topics that were not necessarily as big or salient in previous years, as well as to look more in depth at the answers that organisations gave in this year’s survey. This year, the guide covered the following broad thematic areas:
- perception of cyber security risk
- cyber security practices
- suppliers and software
- cyber security leadership and governance
- incident response
- reporting and data protection
- artificial intelligence
- cost of cyber security breaches
In order to ensure that the interviews would fit within the 60-minute time allocation, not all respondents were always asked all sections.
A full reproduction of the topic guide is available in Appendix B.
Tables 3.2 and 3.3 show a profile of the 20 interviewed businesses by size and sector.
Table 3.2: Sector profile of businesses in follow-up qualitative stage
| SIC 2007 letter | Sector description | Total |
|---|---|---|
| A | Agriculture, forestry or fishing | 0 |
| B, C, D, E | Utilities or production (including manufacturing) | 1 |
| F | Construction | 1 |
| G | Retail or wholesale (including vehicle sales and repairs) | 4 |
| H | Transport or storage | 3 |
| I | Food or hospitality | 0 |
| J | Information and communication | 2 |
| K | Finance or insurance | 1 |
| L, N | Administration or real estate | 3 |
| M | Professional, scientific or technical | 1 |
| P | Education (excluding state education institutions) | 0 |
| Q | Health, social care or social work | 3 |
| R, S | Entertainment, service or membership organisations | 1 |
| Total | | 20 |
Table 3.3: Size profile of businesses (by number of staff) in follow-up qualitative stage
| Size band | Total |
|---|---|
| Micro or small (1‑49 employees) | 6 |
| Medium (50‑249 employees) | 6 |
| Large (250+ employees) | 8 |
| Total | 20 |
Table 3.4 shows a profile of the 10 interviewed charities by income band.
Table 3.4: Size profile of charities (by income band) in follow-up qualitative stage
| Income band | Total |
|---|---|
| £100,000 to under £500,000 | 2 |
| £500,000 to under £5 million | 3 |
| £5 million or more | 5 |
| Total | 10 |
3.4 Analysis
Throughout fieldwork, the core research team discussed interim findings and outlined areas to focus on in subsequent interviews. Specifically, we held two face-to-face analysis meetings with the entire fieldwork team: one halfway through fieldwork and one once fieldwork had been completed. In these sessions, researchers discussed the findings from individual interviews, and we drew out emerging key themes, recurring findings and other patterns across the interviews. DSIT and the Home Office attended the final analysis session once fieldwork had been completed.
We also recorded all interviews and summarised them in an Excel notes template, which categorised findings by topic area and the research questions within that topic area. The research team reviewed these notes, and also listened back to recordings, to identify the examples and verbatim quotes to include in the main report.
Chapter 4: Research burden
The Government Statistical Service (GSS) has a policy of monitoring and reducing statistical survey burden to participants where possible, and the burden imposed should be proportionate to the benefits arising from the use of the statistics. As a producer of statistics, DSIT is committed to monitoring and reducing the burden on those providing their information, and on those involved in collecting, recording and supplying data.
This section calculates the research compliance cost, in terms of the time cost on respondents, imposed by both the quantitative survey and qualitative fieldwork.
- The quantitative survey had 3,774 respondents and the average (mean) survey length was 24 minutes. Therefore the research compliance cost for the quantitative survey this year was [3,835 × 24 minutes = 1,510 hours].
- The qualitative research had 44 respondents and the average interview length was 60 minutes. Respondents completed the qualitative interviews in addition to the quantitative survey. The research compliance cost for the qualitative strand this year was [44 × 60 minutes = 44 hours].
In total, the compliance cost for the Cyber Security Breaches Survey 2025/2026 was 1,554 hours.
Steps taken to minimise the research burden
Across both strands of fieldwork, we took the following steps to minimise the research burden on respondents:
- making it clear that all participation was voluntary
- informing respondents of the average time it takes to complete an interview at the start of the survey call, during recruitment for the qualitative research and again at the start of the qualitative interview
- confirming that respondents were happy to continue if the interviews went over this average time
- split-sampling certain questions, that is, asking them of a random half of respondents, to reduce the overall interview length
- offering to carry out interviews at the times convenient for respondents, including evenings and weekends where requested
- offering an online interview instead of a telephone one, according to the respondent’s preferences.
The study also adheres to Government Social Research Professional Guidance on ethics.
Appendix A - Questionnaire
Cyber Security Breaches Survey 2025/2026
Main stage questionnaire
Key
INTERVIEWER INSTRUCTIONS AND ROUTING/SCRIPTING/TEXT SUBSTITUTION IN CAPS
QUESTION/NEW SCREEN LABELS IN BOLD CAPS
Screener
CATIINTRO
INTRO SCREEN IF TELEPHONE (MODETYPE = CATI)
Is this the head office for [SAMPLE CONAME]?
IF NOT THE HEAD OFFICE, ASK TO BE TRANSFERRED AND RESTART
Hello, my name is … from Ipsos, the independent research organisation.
IF CALLING 08 NUMBER FOR CHARITY (SAMPLE S_FREENUM=_01): Before I proceed, I’d like to make clear that I’m calling your 0800 number, for which you may be charged. Would you like me to proceed, or call on a different number?
We are conducting a survey on behalf of [SAMPLE S_COUNTRY=_03: the Department for Science, Innovation and Technology, the Home Office and Scottish Government/ELSE: the Department for Science, Innovation and Technology and the Home Office]. It is about how UK [SAMPLE S_SAMPTYPE=_01: businesses/SAMPLE S_SAMPTYPE=_02: charities/SAMPLE S_SAMPTYPE=_03: education institutions] of all different sizes approach cyber security and online safety. Each year, the organisations that take part help to shape the government’s guidance on this topic.
[SAMPLE S_SIZEBAND=_04: If your organisation takes part, Ipsos will make a £10 donation to charity on your behalf at the start of the interview.]
The purpose is not to sell any software or services. It is conducted annually to generate Official Statistics for the Government.
Taking part is confidential.
The interview takes an average of 20-22 minutes, and is typically shorter for smaller organisations.
The organisations that take part get given a summary of last year’s findings, as well as a help card with links to the latest Government cyber security guidance for [SAMPLE S_SAMPTYPE=_01: businesses/SAMPLE S_SAMPTYPE=_02: charities/SAMPLE S_SAMPTYPE=_03: education institutions].
Could I please speak to the senior person at your organisation with the most responsibility when it comes to cyber security?
IF OUTSOURCE CYBER SECURITY: In that case, we want to talk to the person within your organisation who typically deals with your external IT or cyber security provider. We know this may be the business owner, a trustee, Chief Executive, or someone else from the senior management team.
REASSURANCES IF NECESSARY
We got your contact details from the [SAMPLE S_SAMPTYPE=_01: Market Location business database/SAMPLE S_COUNTRY=_01: Charity Commission for England and Wales/SAMPLE S_COUNTRY=_02: Charity Commission for Northern Ireland/SAMPLE S_COUNTRY=_03: Office of the Scottish Charity Regulator/SAMPLE S_SAMPTYPE=_03: public databases of schools, colleges and universities].
The survey is for all types of businesses and charities. We also want to talk to organisations that have not had any cyber security issues, or that outsource their cyber security, so we get your views as well.
The survey is not technical – we want your views, not just expert opinion on this topic.
The survey has been endorsed by techUK, the Association of British Insurers (ABI), and the Charity Commission for England and Wales.
To check the survey is legitimate, you can visit the GOV.UK website on www.gov.uk/government/publications/cyber-security-breaches-survey. You can also Google the term “Cyber Security Breaches Survey 2025/2026” to find the same link yourself.
SHOWSCREEN_REASSURANCE
SHOW IF TELEPHONE (MODETYPE = CATI) AND WANTS REASSURANCE EMAIL
Just so you know, this email has more information about the survey and gives you a unique link to complete all or part of the survey online, if you prefer this. We may call you back after a few days to help you get the survey completed, if you’re unable to fill it out online.
STANDARD OPTIONS TO SEND REASSURANCE EMAIL
WEBINTRO
INTRO SCREEN IF WEB (MODETYPE = WEB/ONLINE)
Thanks for filling in this important government survey. This survey should be completed by the most senior person in the organisation who is responsible for cyber security.
Each year, the organisations that take part help to shape the government’s guidance on cyber security and online safety.
[SAMPLE S_SIZEBAND=_04: If your organisation takes part, Ipsos will make a £10 donation to charity on your behalf at the end of the interview.]
Participation in the survey is voluntary and you can change your mind at any time. To check the survey is legitimate and to view Ipsos’ privacy policy, you can visit the GOV.UK website on www.gov.uk/government/publications/cyber-security-breaches-survey.
Consent
Q1A_CONSENT
ASK IF TELEPHONE (MODETYPE = CATI)
Before we start, I just want to clarify that participation in the survey is voluntary and you can change your mind at any time. Are you happy to proceed with the interview?
SINGLE CODE
Yes
No CLOSE SURVEY
Q_VERIFYSENIOR
ASK IF WEB (MODETYPE = WEB/ONLINE)
Please could you confirm that you are a senior person responsible for cyber security in [SAMPLE S_CONAME]?
SINGLE CODE
Yes – senior person responsible for cyber security
No – not a senior person responsible for cyber security
SHOWSCREEN_NOTSENIOR
SHOW IF NOT A SENIOR PERSON (Q_VERIFYSENIOR CODE 2)
Thank you for your interest in this study.
Please forward the email invitation or survey link you received to the appropriate senior person in your organisation. Their feedback will shape the government’s understanding of organisations like yours.
RETURN TO INTRO SCREEN
Q1X_UNICOL
ASK IF WEB OPEN LINK
Thanks for taking part via this open survey link. Ipsos is also telephoning and emailing UK further and higher education institutions directly to invite them to take part.
Just to make sure we don’t call you again after you have taken part through this link, could you please provide us with the name of your institution?
WRITE IN
Incentive
Q90_DONATION
ASK IF SAMPLED AS LARGE BUSINESS (SAMPLE S_SIZEBAND=_04)
As promised, we will make a £10 charity donation on your behalf as a thank you for completing the full interview, which takes an average of 20-22 minutes. We have three charities for you to choose from.
ADD IF NECESSARY:
Turn2us helps people in financial need gain access to charitable grants and other financial help.
The NSPCC, or National Society for the Prevention of Cruelty to Children, is a charity campaigning and working in child protection in the United Kingdom.
Samaritans provides emotional support to anyone in emotional distress, struggling to cope, or at risk of suicide throughout the United Kingdom and Ireland.
READ OUT CODES
Please select one answer
SINGLE CODE
Turn2us
NSPCC
Samaritans
DO NOT READ OUT: Prefer not to donate
Business profile
Q1 DELETED POST-PILOT IN CSBS 2016
Q1B_TITLE
ASK ALL
What is your job role?
PROMPT TO CODE, INCLUDING SENIORITY AND IF RELATED DIRECTLY TO CYBER SECURITY OR NOT
Please select one answer
SINGLE CODE
Job role directly related to cyber security
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Director of Security
Head of Cyber Security/Information Security
Another cyber security role
Job role directly related to IT
Senior IT role (e.g. IT director, Head of IT)
Non-senior IT role (e.g. IT manager, technician, administrator)
Job role not related to cyber security/IT – senior management level
Business owner
Chief Executive (CEO)/Managing Director (MD)
Chief Operations Officer (COO)/Operations Director
Finance Director/Controller
Headteacher
Trustee/treasurer/on trustee board
Partner
Chairperson
Another senior management role (e.g. director)
Job role not related to cyber security/IT – non-senior management level
General/office manager (not a director/trustee)
PA/secretary/admin
Teacher (not in senior management)
Another non-senior role
Q2 DELETED POST-PILOT IN CSBS 2016
Q3 DELETED POST-PILOT IN CSBS 2016
Q5X_TYPEX DELETED PRE-PILOT IN CSBS 2024
TYPEXDUM
DUMMY VARIABLE NOT ASKED
Would you classify your organisation as … ?
SINGLE CODE
IF SAMPLE S_SAMPTYPE=1: Private sector
IF SAMPLE S_SAMPTYPE=2: Charity
IF SAMPLE S_SAMPTYPE=3: State education institution
Q5Y_Would you classify your organisation as…?
SINGLE CODE
Private Sector
Charity
Primary education institution
Secondary institution
Higher education institution
Further education institution
BUSINESS/CHARITY/EDUCATION TEXT SUBSTITUTIONS BASED ON TYPEXDUM. THIS IS THE DEFAULT SCRIPTING FOR ALL TEXT SUBSTITUTIONS FROM THIS POINT ONWARDS, UNLESS OTHERWISE SPECIFIED.
Q4_SIZEA
ASK IF BUSINESS (TYPEXDUM CODE 1)
Including yourself, how many employees work for your organisation across the UK as a whole?
This includes full-time and part-time staff. Please include yourself if you are on the payroll as an employee.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
WRITE IN RANGE 2-99,999
SOFT CHECK IF >4,999
SINGLE CODE
Respondent is sole trader CLOSE SURVEY
DO NOT READ OUT: Don’t know
Q5_SIZEB
ASK IF DON’T KNOW SIZE OF BUSINESS (SIZEA CODE DK)
Which of these best represents the number of employees working for your organisation across the UK as a whole, including yourself?
PROBE FULLY
Please select one answer
SINGLE CODE
Under 10
10 to 49
50 to 249
250 or more
DO NOT READ OUT: Don’t know
SIZEDUM
DUMMY VARIABLE NOT ASKED
Which of these best represents the number of employees working in your organisation, including yourself?
SINGLE CODE
MERGE RESPONSES FROM SIZEA AND SIZEB
USE SAMPLE S_SIZEBAND IF SIZEB CODE DK
LEAVE AS MISSING IF TYPEXDUM NOT CODE 1
Under 10
10 to 49
50 to 249
250 or more
Q5A_SALESA DELETED PRE-PILOT IN CSBS 2020
Q5B_SALESB DELETED PRE-PILOT IN CSBS 2020
Q5Z_SALESDUM DELETED PRE-PILOT IN CSBS 2020
Q5C_YEARS DELETED POST-PILOT IN CSBS 2018
Q5D_CHARITYO DELETED PRE-PILOT IN CSBS 2019
Q6_ONLINE DELETED POST-PILOT IN CSBS 2023
Q7_CORE DELETED PRE-PILOT IN CSBS 2019
Q8_MOBILE DELETED POST-PILOT IN CSBS 2023
Perceived importance and preparedness
SHOWSCREEN_DISPRI
READ OUT/SHOW TO ALL
The rest of the survey is about cyber security. By this, we mean any strategy, processes, practices or technologies that organisations have in place to secure their networks, computers, programs or the data they hold from damage, attack or unauthorised access.
Q9_PRIORITY
ASK IF HALF A IF BUSINESS/CHARITY, OR ALL IF EDUCATION
How high or low a priority is cyber security to your organisation’s [INSERT STATEMENT]? Is it …
READ OUT STATEMENT AND SCALE
Please select one answer
ASK AS A CAROUSEL
[IF BUSINESS: directors/IF CHARITY: trustees/IF EDUCATION: governors] or senior management
DELETED DURING FIELDWORK IN CSBS 2018
DELETED DURING FIELDWORK IN CSBS 2018
SINGLE CODE
REVERSE SCALE EXCEPT FOR LAST CODE
Very high
Fairly high
Fairly low
Very low
DO NOT READ OUT: Don’t know
Q9A_HIGH DELETED POST-PILOT IN CSBS 2017
Q9B_RELPRIORITY DELETED POST-PILOT IN CSBS 2018
Q9C_OUTSOURCE DELETED PRE-PILOT IN CSBS 2020
Q9D_COVPRI DELETED PRE-PILOT IN CSBS 2022
Q9E_COVIMPACTH DELETED POST-PILOT IN CSBS 2021
Q9F_COVIMPACTL DELETED POST-PILOT IN CSBS 2021
Q10_LOW DELETED PRE-PILOT IN CSBS 2018
Q10A_ATTITUDES DELETED PRE-PILOT IN CSBS 2020
Q10B_LOWRISK REMOVED POST-PILOT IN CSBS 2017
Q11_UPDATE
ASK IF MEDIUM OR LARGE BUSINESSES (TYPEXDUM CODE 1 AND SIZEDUM CODES 3-4), HIGH-INCOME CHARITIES (TYPEXDUM CODE 2 AND SAMPLE S_INCOME = _04 OR _05) OR EDUCATION (TYPEXDUM CODE 3)
Approximately how often, if at all, are your organisation’s [IF BUSINESS: directors/IF CHARITY: trustees/IF EDUCATION: governors] or senior management given an update on any actions taken around cyber security? Is it …
IF CATI AND EDUCATION (MODETYPE = CATI AND TYPEXDUM CODE 3): INTERVIEWER NOTE: FOR EDUCATION INSTITUTIONS, “EVERY TERM” MEANS QUARTERLY
READ OUT
Please select one answer
SINGLE CODE
REVERSE SCALE EXCEPT FOR LAST 2 CODES
Never
Less than once a year
Annually
Quarterly
Monthly
Weekly
Daily
Each time there is a breach or attack
DO NOT READ OUT: Don’t know
Q11B_UPDATEACTION
ASK IF PROVIDE UPDATES (Q11_UPDATE CODES 2-8)
Which of the following, if any, are included in updates on actions taken around cyber security?
READ OUT
Please select all that apply
MULTI CODE
ROTATE CODES 1-5
Number of significant attacks detected
Types of attacks detected
Management of cyber security risk
Approach to developing cyber skills within the organisation
Investments in cyber security
Anything else WRITE IN
SINGLE CODE
NOT PART OF ROTATION
DO NOT READ OUT: Don’t know
DO NOT READ OUT: None of these
Spending
Q12_INVESTA DELETED PRE-PILOT IN CSBS 2020
Q13_INVESTB DELETED PRE-PILOT IN CSBS 2020
Q14_INVESTC DELETED PRE-PILOT IN CSBS 2020
Q15_INVESTD DELETED PRE-PILOT IN CSBS 2020
Q16_INVESTE DELETED PRE-PILOT IN CSBS 2020
Q17_INVESTF DELETED PRE-PILOT IN CSBS 2020
Q18_INVESTG DELETED PRE-PILOT IN CSBS 2020
Q19_ITA DELETED PRE-PILOT IN CSBS 2020
Q20_ITB DELETED PRE-PILOT IN CSBS 2020
Q21_REASON DELETED PRE-PILOT IN CSBS 2020
Q22_EVAL DELETED PRE-PILOT IN CSBS 2018
Q23_INSURE DELETED PRE-PILOT IN CSBS 2018
Q23X_INSUREX
ASK IF HALF A IF BUSINESS/CHARITY, OR ALL IF EDUCATION
There are general insurance policies that provide cover for cyber security breaches or attacks, among other things. There are also specific insurance policies that are solely for this purpose. Which of the following best describes your situation?
READ OUT
Please select one answer
SINGLE CODE
We have a specific cyber security insurance policy
We have cyber security cover as part of a broader insurance policy
We are not insured against cyber security breaches or attacks
DO NOT READ OUT: Don’t know
Q23Y_WHYNOINSURE
ASK THOSE THAT DO NOT HAVE A CYBER INSURANCE POLICY (Q23X_INSUREX CODE 3)
Is there a reason why you do not have cyber insurance? Is it…
READ OUT
Please select all that apply
MULTICODE
RANDOMISE CODES 1-5
Too expensive
Coverage not broad enough
Not a budgetary priority
Leadership not interested in cyber insurance
Not aware of cyber insurance
Another reason WRITE IN
DO NOT READ OUT: Don’t know
Q23Y_INSUREYES DELETED POST-PILOT IN CSBS 2021
Q23A_COVERAGE DELETED PRE-PILOT IN CSBS 2018
Q23B_CLAIM DELETED POST-PILOT IN CSBS 2023
Q23C_NOINSURE DELETED PRE-PILOT IN CSBS 2020
Information sources
Q24_INFO
ASK IF HALF A IF BUSINESS/CHARITY, OR ALL IF EDUCATION
In the last 12 months, from where, if anywhere, has your organisation sought information, advice or guidance on the cyber security threats that you face?
INTERVIEWER NOTE: IF “GOVERNMENT”, THEN PROBE WHERE EXACTLY
DO NOT PROMPT
PROBE FULLY, I.E. “ANYTHING ELSE?”
Please select all that apply
MULTICODE
Government/public sector
Government’s 10 Steps to Cyber Security guidance
Government’s Cyber Aware website/materials
Government’s Cyber Essentials materials
Government intelligence services (e.g. GCHQ)
GOV.UK/Government website (excluding NCSC website)
A regional Cyber Resilience Centre (CRC)
Action Fraud
National Cyber Security Centre (NCSC) website/offline
Police
Regulator (e.g. Financial Conduct Authority) – but excluding charity regulators
Another government or public sector organisation WRITE IN
Charity-related
Association of Chief Executives of Voluntary Organisations (ACEVO)
Charity Commission/regulator
Charity Finance Group (CFG)
Community Accountants
Community Voluntary Services (CVS)
Institute of Fundraising (IOF)
National Council for Voluntary Organisations (NCVO)
Education related
Jisc/the Janet network
Department for Education (DfE)
Ofsted
Secure Schools programme
Teachers’ unions (e.g. NASUWT, NEU or NUT)
Other specific organisations
Cyber Security Information Sharing Partnership (CISP)
Professional/trade/industry/volunteering association
Security bodies (e.g. ISF or IISP)
Security product vendors (e.g. AVG, Kaspersky etc)
UK Cyber Security Council
Internal sources
Within your organisation – senior management/board
Within your organisation – other colleagues or experts
Any other external sources
Auditors/accountants
Bank/business bank/bank’s IT staff
External security/IT consultants/cyber security providers
Internet Service Provider
Newspapers/media
Online searching generally/Google
Specialist IT blogs/forums/websites
Another (non-government) source WRITE IN
SINGLE CODE
Nowhere
Don’t know
Q24A_FINDINF DELETED POST-PILOT IN CSBS 2017
Q24B_GOVTINF DELETED PRE-PILOT IN CSBS 2021
Q24C_CYBERAWARE DELETED PRE-PILOT IN CSBS 2023
Q24D_SCHEME
ASK IF HALF B IF BUSINESS/CHARITY, OR IF EDUCATION
There are various government campaigns, schemes, information and guidance on cyber security and a service for businesses to report ongoing cyber attacks. Which, if any, of the following have you heard of?
READ OUT STATEMENTS
Please select one answer for each statement
IF CATI: ASK AS SEPARATE SCREENS
IF WEB: ASK AS A COLLAPSIBLE GRID
RANDOMISE LIST
The Cyber Essentials scheme
The 10 Steps to Cyber Security
IF MICRO OR SMALL BUSINESS (TYPEXDUM CODE 1 AND SIZEDUM CODES 1-2): Any Small Business Guides, such as the Small Business Guide to Cyber Security, the Small Business Guide to Response and Recovery
IF MEDIUM OR LARGE BUSINESSES (TYPEXDUM CODE 1 AND SIZEDUM CODES 3-4), HIGH-INCOME CHARITIES (TYPEXDUM CODE 2 AND SAMPLE S_INCOME = _04 OR _05) OR EDUCATION (TYPEXDUM CODE 3): The Cyber Security Toolkit for Boards
IF CHARITY: The Cyber Security Small Charity Guide
The Cyber Aware campaign
DELETED PRE-PILOT IN CSBS 2022
DELETED PRE-PILOT IN CSBS 2022
The “Check Your Cyber Security” tool on the National Cyber Security Centre website
IF MICRO OR SMALL BUSINESS (TYPEXDUM CODE 1 AND SIZEDUM CODES 1-2) OR CHARITY (TYPEXDUM CODE 2): The Cyber Action Plan for small organisations
Cyber Governance Code of Practice
Software Security Code of Practice
Action Fraud 24/7 business incident reporting telephone line
Cyber Resilience Centres
SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know
Q24E_GOVTACT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND SEEN OR HEARD GOVERNMENT GUIDANCE (SCHEMEa-n CODE 1)
What, if anything, have you changed or implemented at your organisation after seeing or hearing any government campaigns or guidance on cyber security?
DO NOT PROMPT
PROBE FULLY, I.E. “ANYTHING ELSE?”
Please select all that apply
MULTICODE IF CATI
Governance changes
Increased spending
Changed nature of the business/activities
New/updated business continuity plans
New/updated cyber policies
New checks for suppliers/contractors
New procurement processes, e.g. for devices/IT
New risk assessments
Increased senior management, board or director oversight/involvement
Technical changes
Changed/updated firewall/system configurations
Changed user admin/access rights
Increased monitoring
New/updated antivirus/anti-malware software
Other new software/tools (not antivirus/anti-malware)
Penetration testing
People/training changes
Outsourced cyber security/hired external provider
Recruited new staff
Staff training/communications
Vetting staff/extra vetting
Another change WRITE IN
SINGLE CODE
Nothing done
Only heard about guidance, not read it
Don’t know
Q25_TRAINA DELETED POST-PILOT IN CSBS 2016
Q26_TRAIN DELETED PRE-PILOT IN CSBS 2020
Q26A_TRAINUSE DELETED POST-PILOT IN CSBS 2017
Q26B_TRAINWHO DELETED PRE-PILOT IN CSBS 2020
Q27_DELIVER DELETED POST-PILOT IN CSBS 2018
Q28_COVER DELETED POST-PILOT IN CSBS 2017
Policies and procedures
SHOWSCREEN_PROCEDURES
SHOW TO ALL
Here are some questions about your current cyber security processes and procedures. If you don’t do or have the things we’re asking about, just say so and we’ll move on.
Q29_MANAGE
ASK ALL
Which of the following governance or risk management arrangements, if any, do you have in place?
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST
[IF BUSINESS: Board members/IF CHARITY: Trustees/IF EDUCATION: A governor or senior manager] with responsibility for cyber security
An outsourced provider that manages your cyber security
A formal policy or policies in place covering cyber security risks
A Business Continuity Plan that covers cyber security
A written list of the most critical data, systems or assets that your organisation wants to protect
SINGLE CODE
NOT PART OF ROTATION
DO NOT READ OUT: Don’t know
DO NOT READ OUT: None of these
Q29A_COMPLY
ASK HALF B IF BUSINESS/CHARITY, OR ALL IF EDUCATION
Is your organisation certified with any of the following standards or accreditations?
ADD IF NECESSARY: By certified, we mean your organisation has applied for and received an optional certificate for meeting these standards or accreditations.
READ OUT
Please select all that apply
MULTICODE
ISO 27001
IF HEARD OF CYBER ESSENTIALS (SCHEMEa CODE 1): Cyber Essentials
IF HEARD OF CYBER ESSENTIALS (SCHEMEa CODE 1): Cyber Essentials Plus
SINGLE CODE
NOT PART OF ROTATION
DO NOT READ OUT: Don’t know
DO NOT READ OUT: None of these
Q29B_NOPOL DELETED PRE-PILOT IN CSBS 2020
Q29C_SOFTWARE
ASK ALL
What role do cyber security considerations play when purchasing new software?
Please select one answer
SINGLE CODE
We consider cyber security to a large extent when purchasing new software
We consider cyber security to some extent when purchasing new software, but it is not a major concern
As we purchase new software from established and/or large companies we feel we are protected and thus cyber security is not a major concern when purchasing new software
We do not consider cyber security when purchasing new software
DO NOT READ OUT: Don’t know
Q30_IDENT
ASK ALL
And which of the following, if any, have you done over the last 12 months to identify cyber security risks to your organisation?
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST
A cyber security vulnerability audit
A risk assessment covering cyber security risks
Used or invested in threat intelligence ADD IF NECESSARY: (this involves gathering and analysing information about cyber threats)
Used specific tools designed for security monitoring, such as Intrusion Detection Systems
Penetration testing
Testing staff awareness and response (e.g. via mock phishing exercises)
SINGLE CODE
NOT PART OF ROTATION
DO NOT READ OUT: Don’t know
DO NOT READ OUT: None of these
Q30A_AUDIT
ASK IF CARRIED OUT A CYBER SECURITY VULNERABILITY AUDIT (IDENT CODE 1)
Were any cyber security audits carried out internally by staff, by an external contractor, or both?
DO NOT PROMPT
Please select one answer
SINGLE CODE
Only internally by staff
Only by an external contractor
Both internal and external
Don’t know
Q30B_AUDITCONTENT
ASK IF CARRIED OUT A CYBER SECURITY VULNERABILITY AUDIT (IDENT CODE 1)
Were any of the following included in these cyber security vulnerability audits?
READ OUT
Please select all that apply
MULTICODE
ROTATE
Whether there is a cyber security strategy in place
Whether cyber security is incorporated into the broader organisational governance structure
Whether all board members are actively involved in discussions of cyber security
SINGLE CODE
NOT PART OF ROTATION
DO NOT READ OUT: Don’t know
DO NOT READ OUT: None of these
Q31_RULES
ASK ALL
And which of the following rules or controls, if any, do you have in place?
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST BUT KEEP CODES 10/11 TOGETHER
A policy to apply software security updates within 14 days
Up-to-date malware protection
Firewalls that cover your entire IT network, as well as individual devices
Restricting IT admin and access rights to specific users
Any monitoring of user activity
Specific rules for storing and moving personal data files securely
Security controls on company-owned devices (e.g. laptops)
Only allowing access via company-owned devices
Separate WiFi networks for staff and for visitors
Backing up data securely via a cloud service
Backing up data securely via other means
A password policy that ensures users set strong passwords
A virtual private network, or VPN, for staff connecting remotely
An agreed process for staff to follow when they identify a fraudulent email or malicious website
Any requirement for two-factor authentication when people access your network, or for applications they use
SINGLE CODE
NOT PART OF ROTATION
DO NOT READ OUT: Don’t know
DO NOT READ OUT: None of these
Q31B_PERSONALDATA
ASK ALL
As far as you are aware, does your organisation hold personal data on employees or customers [IF EDUCATION TYPEXDUM = 3: or students], that is not protected by techniques such as anonymisation or encryption?
Personal data refers to information that can be used to identify a specific individual. As well as name and contact details, this also includes other identifiers such as an IP address or a cookie identifier.
SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know
Q32_POLICY
ASK IF HAVE CYBER SECURITY POLICIES (MANAGE CODE 3)
Which of the following aspects, if any, are covered within your cyber security-related policy, or policies?
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST
What can be stored on removable devices (e.g. USB sticks)
Remote or mobile working (e.g. from home)
What staff are permitted to do on your organisation’s IT devices
Use of personally-owned devices for business activities
Use of cloud computing
Use of network-connected devices, sometimes called smart devices
Any Digital Service Providers such as cloud service providers, MSPs or providers of software services
How you’re supposed to store data
SINGLE CODE
NOT PART OF ROTATION
DO NOT READ OUT: Don’t know
DO NOT READ OUT: None of these
Q63C_RANSOM
ASK HALF A IF BUSINESS/CHARITY, OR ALL IF EDUCATION
In the case of ransomware attacks, does your organisation make it a rule or policy to not pay ransomware payments?
SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know
Q32A_FOLLOW DELETED POST-PILOT IN CSBS 2017
Q33_DOC DELETED PRE-PILOT IN CSBS 2019
Q33A_REVIEW
ASK IF HAVE CYBER SECURITY POLICIES (MANAGE CODE 3)
When were any of your policies or documentation for cyber security last created, updated, or reviewed to make sure they were up-to-date?
INTERVIEWER NOTE: IF NEVER UPDATED OR REVIEWED, ANSWER IS WHEN POLICIES WERE CREATED
If these policies or documentation have not yet been updated or reviewed, please tell us when they were created.
PROMPT TO CODE
Please select one answer
SINGLE CODE
Within the last 3 months
3 to under 6 months ago
6 to under 12 months ago
12 to under 24 months ago
24 months ago or earlier
DO NOT READ OUT: Don’t know
Q33B_TRAINED
ASK ALL
In the last 12 months, have you carried out any cyber security training or awareness raising sessions specifically for any [IF BUSINESS/EDUCATION: staff/IF CHARITY: staff or volunteers] who are not directly involved in cyber security?
SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know
Q33C_COVREVIEW DELETED POST-PILOT IN CSBS 2021
Strategy
Q33D_STRATEGY
ASK IF MEDIUM OR LARGE BUSINESSES (TYPEXDUM CODE 1 AND SIZEDUM CODES 3-4), HIGH-INCOME CHARITIES (TYPEXDUM CODE 2 AND SAMPLE S_INCOME = _04 OR _05) OR FURTHER/HIGHER EDUCATION (SAMPLE S_EDUTYPE = _05 OR _06)
Does your organisation have a formal cyber security strategy, i.e. a document that underpins all your policies and processes?
SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know
Q33E_STRATINT
ASK IF HAVE A CYBER SECURITY STRATEGY (STRATEGY CODE 1)
In the last 12 months, has this strategy been reviewed by your organisation’s [IF BUSINESS: directors/IF CHARITY: trustees/IF EDUCATION: governors] or senior management?
SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know
Q33F_STRATEXT DELETED POST-PILOT IN CSBS 2023
Q33G_STRATREV DELETED POST-PILOT IN CSBS 2023
AI usage and security
Q33X_AIUSE
ASK ALL
Which of the following best describes the use of AI (Artificial Intelligence) tools within your organisation? This could be at any level and for any task.
ADD IF NECESSARY: This includes recent generative tools such as ChatGPT, Microsoft Co-pilot, and more complex solutions including machine learning. We are interested in AI tools you might be developing yourselves as well as existing off-the-shelf AI tools.
READ OUT
Please select one answer
SINGLE CODE
REVERSE SCALE EXCEPT FOR LAST CODE
We have adopted some AI tools in our organisation
We are in the process of adopting AI into our organisation (including piloting)
We are actively considering adopting AI at some point
We may adopt AI at some point, but have no active plans to do so
I am aware of AI, but it is not relevant to my organisation
I am not aware of AI
DO NOT READ OUT: Don’t know
Q33Y_AISTRATEGY
ASK THOSE WHO USE OR ARE CONSIDERING USING AI (Q33X_AIUSE CODES 1-3)
Does your organisation have specific cyber security practices or processes in place to manage the risks from the use of AI technology?
PROBE FULLY
Please select one answer
SINGLE CODE
Yes
No – but we may implement these in the next 12 months
No – and no plans to do so now or in the next 12 months
DO NOT READ OUT: Don’t know
Corporate reporting of cyber risks
Q33H_CORPORATE
ASK IF MEDIUM OR LARGE BUSINESSES (TYPEXDUM CODE 1 AND SIZEDUM CODES 3-4), HIGH-INCOME CHARITIES (TYPEXDUM CODE 2 AND SAMPLE S_INCOME = _04 OR _05)
These next questions are about how cyber security is discussed in any publicly available annual reports of your organisation’s activities.
Firstly, did your organisation publish an annual report in the last 12 months?
SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know
Q33I_CORPRISK
ASK IF HAVE AN ANNUAL REPORT (CORPORATE CODE 1)
Did your latest annual report cover any cyber security risks faced by your organisation?
SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know
Q34_ISO DELETED DURING FIELDWORK IN CSBS 2018
Q35_IMPLEMA DELETED DURING FIELDWORK IN CSBS 2018
Q36_TENSTEPS DELETED PRE-PILOT IN CSBS 2020
Q37_ESSENT DELETED PRE-PILOT IN CSBS 2020
Q38_IMPLEMB DELETED PRE-PILOT IN CSBS 2020
Q39 DELETED PRE-PILOT IN CSBS 2017
Q40 DELETED PRE-PILOT IN CSBS 2017
Q41 DELETED PRE-PILOT IN CSBS 2017
Q42 DELETED PRE-PILOT IN CSBS 2016
Q43 DELETED PRE-PILOT IN CSBS 2016
Supplier standards
Q44_SUPPLY DELETED PRE-PILOT FOR CSBS 2020
w_ADHERE DELETED PRE-PILOT FOR CSBS 2020
SHOWSCREEN_SUPPLYBUSINESS
SHOW IF BUSINESS (TYPEXDUM CODE 1)
The next questions are about suppliers. This is not just security or IT suppliers. It includes any suppliers that provide goods or services to your organisation.
SHOWSCREEN_SUPPLYOTHER
SHOW IF CHARITY OR EDUCATION (TYPEXDUM CODES 2-3)
The next questions are about third-party organisations you work with. This includes any suppliers that provide goods or services to your organisation, or partners such as local authorities.
Q45A_SUPPLYKNOW DELETED POST-PILOT IN CSBS 2020
Q45B_SUPPLYRISK
ASK ALL
Has your organisation carried out any work to formally review the following?
READ OUT STATEMENTS
Please select one answer for each statement
ASK AS A GRID (NOT COLLAPSIBLE)
The potential cyber security risks presented by your immediate suppliers [IF CHARITY/EDUCATION: or partners]
The potential cyber security risks presented by your wider supply chain, i.e. your suppliers’ suppliers
SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Not applicable / do not use suppliers
Q45X_SUPPLYCERT
ASK HALF B IF BUSINESS/CHARITY, OR ALL IF EDUCATION AND IF HAVE SUPPLIERS (HAVE NOT SELECTED CODE 4 FOR BOTH ROWS AT Q45B_SUPPLYRISK)
Do you require your suppliers to be certified with any of the following standards or accreditations?
ADD IF NECESSARY: By certified, we mean your organisation has applied for and received an optional certificate for meeting these standards or accreditations.
PROMPT TO CODE
Please select one answer for each statement
ASK AS A GRID (NOT COLLAPSIBLE)
ISO 27001
IF HEARD OF CYBER ESSENTIALS (SCHEMEa CODE 1): Cyber Essentials
IF HEARD OF CYBER ESSENTIALS (SCHEMEa CODE 1): Cyber Essentials Plus
SINGLE CODE
Yes – all of them
Yes – some, but not all of them
DO NOT READ OUT: Don’t know
DO NOT READ OUT: None of these
Q45C_SUPPLYCHK DELETED POST-PILOT IN CSBS 2020
Q45D_BARRIER DELETED PRE-PILOT IN CSBS 2024
Q46_CLOUD DELETED PRE-PILOT IN CSBS 2020
Q47 DELETED POST-PILOT IN CSBS 2016
Q48_CRITICAL DELETED POST-PILOT IN CSBS 2017
Q49_COMMER DELETED PRE-PILOT IN CSBS 2018
Q50_PERSON DELETED PRE-PILOT IN CSBS 2018
Q51_VALIDA DELETED POST-PILOT IN CSBS 2017
Q52_VALIDB DELETED POST-PILOT IN CSBS 2017
Breaches or attacks
Q53 DELETED PRE-PILOT IN CSBS 2017
Q53A_TYPE
ASK ALL
Have any of the following happened to your organisation in the last 12 months, even if they ended up having no impact on you?
Please note, many of these things could happen at once or close together, i.e. as part of a related series of breaches or attacks. We want to hear about all aspects.
READ OUT
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please select all that apply
MULTICODE
Your organisation’s devices being targeted with ransomware, i.e. a type of malware that tells you to pay a ransom to restore your files or stop them being made public
Your organisation’s devices being targeted with other malware (e.g. viruses or spyware)
Denial of service attacks, i.e. attacks that try to slow or take down your website, applications or online services
Hacking or attempted hacking of online bank accounts
People impersonating, in emails or online, your organisation or your staff [IF CHARITY: or volunteers]
Phishing attacks, i.e. staff [IF CHARITY: or volunteers] receiving fraudulent emails, or arriving at fraudulent websites – even if they did not engage with these emails or websites
Unauthorised accessing of files or networks by staff [IF CHARITY: or volunteers], even if accidental
IF EDUCATION: Unauthorised accessing of files or networks by students
Unauthorised accessing of files or networks by people [IF BUSINESS/CHARITY: outside your organisation/IF EDUCATION: other than staff or students]
Unauthorised listening into video conferences or instant messaging
Takeovers or attempts to take over your website, social media accounts or email accounts
MULTICODE
NOT PART OF ROTATION
Any other types of cyber security breaches or attacks
SINGLE CODE
NOT PART OF ROTATION
DO NOT READ OUT: Don’t know
DO NOT READ OUT: None of these
DO NOT READ OUT: Prefer not to say
Q53B_IMPERSONATIONHACK
ASK IF EXPERIENCED IMPERSONATION (TYPE CODE 5)
Just to check, did any of the instances where people impersonated your organisation or your staff involve someone gaining unauthorised access to your files or networks?
PROMPT TO CODE
SINGLE CODE
Yes – all of them
Yes – some of them
No
DO NOT READ OUT: Don’t know
Q53C_IMPERSONATIONTKVR
ASK IF EXPERIENCED IMPERSONATION (TYPE CODE 5)
And again just to check, did any of the instances where people impersonated your organisation or your staff involve someone taking over your own website, social media accounts or email accounts?
SINGLE CODE
Yes – all of them
Yes – some of them
No
DO NOT READ OUT: Don’t know
TYPEDUM
DUMMY VARIABLE NOT ASKED
Have any of the following happened to your organisation in the last 12 months, even if they ended up having no impact on you?
MULTICODE
MERGE RESPONSES FROM TYPE, IMPERSONATIONHACK AND IMPERSONATIONTKVR – SEE INSTRUCTIONS BELOW
ransomware
malware other than ransomware (e.g. viruses or spyware)
denial of service attacks
hacking or attempted hacking of online bank accounts
people impersonating, in emails or online, your organisation or your staff or volunteers
phishing attacks
unauthorised accessing of files or networks by staff or volunteers
unauthorised accessing of files or networks by students
IF TYPE CODE 9 OR IMPERSONATIONHACK CODES 1-2: unauthorised accessing of files or networks by people outside your organisation
unauthorised listening into video conferences or instant messaging
IF TYPE CODE 11 OR IMPERSONATIONTKVR CODES 1-2: takeovers or attempts to take over your website, social media accounts or email accounts
any other types of cyber security breaches or attacks
Don’t know
None of these
Prefer not to say
Q54_FREQ
ASK IF ANY BREACHES OR ATTACKS (TYPEDUM CODES 1-12)
Approximately, how often in the last 12 months did you experience any of the cyber security breaches or attacks you mentioned? Was it …
READ OUT
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please select one answer
SINGLE CODE
Once only
More than once but less than once a month
Roughly once a month
Roughly once a week
Roughly once a day
Several times a day
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q55_NUMBA DELETED PRE-PILOT IN CSBS 2020
Q56_NUMBB DELETED PRE-PILOT IN CSBS 2020
Q56A_OUTCOME
ASK IF ANY BREACHES OR ATTACKS (TYPEDUM CODES 1-12)
Thinking of all the cyber security breaches or attacks experienced in the last 12 months, which, if any, of the following happened as a result?
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST BUT KEEP CODES 3/4 AND 6/7 TOGETHER
Software or systems were corrupted or damaged
Personal data (e.g. on [IF BUSINESS: customers or staff/IF CHARITY: beneficiaries, donors, volunteers or staff/IF EDUCATION: students or staff]) was altered, destroyed or taken
Permanent loss of files (other than personal data)
Temporary loss of access to files or networks
Lost or stolen assets, trade secrets or intellectual property
Money was stolen or taken by the attackers
Money was paid to the attackers
Your website, applications or online services were taken down or made slower
Lost access to any third-party services you rely on
Physical devices or equipment were damaged or corrupted
Compromised accounts or systems used for illicit purposes (e.g. launching attacks)
Organisational data was altered, destroyed or taken
SINGLE CODE
NOT PART OF ROTATION
DO NOT READ OUT: None of these
DO NOT READ OUT: Don’t know
Q56B_DATATYPE
ASK IF PERSONAL OR ORGANISATIONAL DATA WAS ALTERED, DESTROYED OR TAKEN (OUTCOME CODES 2 OR 12)
You said [IF OUTCOME CODE 2: personal] [IF OUTCOME CODES 2 AND 12: and] [IF OUTCOME CODE 12: organisational] data was altered, destroyed or taken as a result of a cyber security breach or attack you experienced. Which of the following types of data were altered, destroyed or taken?
If you would rather not answer the question, then please select ‘Prefer not to say’.
READ OUT
Please select all that apply
MULTICODE
ROTATE CODES 1-7, BUT KEEP CODES 1/2 AND 3/4 TOGETHER
IF OUTCOME CODE 2: Personal data about employees (e.g. name, address, email, date of birth, bank details)
IF OUTCOME CODE 2: Personal data about customers, students, or clients (e.g. name, address, email, purchase history, bank details)
IF OUTCOME CODE 2: Special category data about employees (e.g. race, religion, political views, biometric or health data)
IF OUTCOME CODE 2: Special category data about customers, students, or clients (e.g. race, religion, political views, biometric or health data)
IF OUTCOME CODE 12: Financial data about your organisation (e.g. income, expenses, assets, liabilities)
IF OUTCOME CODE 12: Transaction data related to your organisation (e.g. purchases, sales, financial transactions)
IF OUTCOME CODE 12: Intellectual property or commercially sensitive information
SINGLE CODE
NOT PART OF ROTATION
Prefer not to say
DO NOT READ OUT: Don’t know
Q57_IMPACT
ASK IF ANY BREACHES OR ATTACKS (TYPEDUM CODES 1-12)
And have any of these breaches or attacks impacted your organisation in any of the following ways, or not?
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST BUT KEEP CODES 3/4 TOGETHER
Stopped staff from carrying out their day-to-day work
Loss of [IF BUSINESS: revenue or share value/ELSE: income]
Additional staff time to deal with the breach or attack, or to inform [IF BUSINESS: customers/IF CHARITY: beneficiaries/IF EDUCATION: students, parents] or stakeholders
Any other repair or recovery costs
New measures needed to prevent or protect against future breaches or attacks
Fines from regulators or authorities, or associated legal costs
Reputational damage
IF BUSINESS/CHARITY: Prevented provision of goods or services to [IF BUSINESS: customers/IF CHARITY: beneficiaries or service users]
Discouraged you from carrying out a future business activity you were intending to do
Complaints from [IF BUSINESS: customers/IF CHARITY: beneficiaries or stakeholders/IF EDUCATION: students or parents]
IF BUSINESS/CHARITY: Goodwill compensation or discounts given to customers
SINGLE CODE
NOT PART OF ROTATION
DO NOT READ OUT: None of these
DO NOT READ OUT: Don’t know
Q57A_OUTIMPTYPE DELETED POST-PILOT IN CSBS 2021
Q58_MONITOR DELETED PRE-PILOT IN CSBS 2018
Q61 DELETED POST-PILOT IN CSBS 2016
Q62 DELETED PRE-PILOT IN CSBS 2017
Q63_INCID DELETED PRE-PILOT IN CSBS 2020
Cyber crime: cyber-facilitated fraud
SHOWSCREEN_FRAUD
SHOW IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ANY SPECIFIC BREACHES OR ATTACKS OTHER THAN IMPERSONATION (TYPEDUM CODES 1-4 OR 6-11)
The next questions focus on the following types of cyber security breaches or attacks that your organisation has experienced in the last 12 months:
SCRIPT TO SHOW ALL RESPONSES FROM TYPEDUM EXCEPT CODES 5, 12, DK, NULL AND REF – ONE RESPONSE PER LINE AND USING SHORTENED WORDING FROM TYPEDUM
IF SOME INSTANCES OF IMPERSONATION RELATED TO ANOTHER BREACH OR ATTACK, BUT NOT ALL (IMPERSONATIONHACK CODE 2 OR IMPERSONATIONTKVR CODE 2): We know you also had instances of people impersonating your organisation or staff. Here, we only want you to include these instances if they were related to another type of breach or attack.
IF NO INSTANCES OF IMPERSONATION RELATED TO ANOTHER BREACH OR ATTACK (IMPERSONATIONHACK CODE 3 OR DK AND IMPERSONATIONTKVR CODE 3 OR DK): We know you also had instances of people impersonating your organisation or staff. You can ignore these for now.
IF EXPERIENCED RANSOMWARE (TYPEDUM CODE 1): If any of the ransomware attacks you experienced involved you paying money to the attackers, please do not include this in the next question.
Q88A_FRAUD
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ANY SPECIFIC BREACHES OR ATTACKS OTHER THAN IMPERSONATION (TYPEDUM CODES 1-4 OR 6-11)
How many times, if at all, did any of these cyber security breaches or attacks, including phishing attacks, result in the following?
READ OUT STATEMENTS
Please write in one answer for each statement
IF CATI: ASK ON SEPARATE SCREENS
IF WEB: ASK AS A COLLAPSIBLE GRID
Your organisation’s credit or debit card information being used without permission
IF ALL OR SOME INSTANCES OF IMPERSONATION RELATED TO ANOTHER BREACH OR ATTACK (IMPERSONATIONHACK CODES 1-2 OR IMPERSONATIONTKVR CODES 1-2): People impersonating your organisation or your staff using information obtained through the initial breach or attack
Attackers moving money out of your organisation’s bank account [IF EXPERIENCED RANSOMWARE (TYPEDUM=1): – if any ransomware attacks you experienced involved you paying money to the attackers, please do not include these here, unless the attackers accessed your bank account themselves]
Your organisation paying or transferring money to the attackers based on fraudulent information (e.g. a fake invoice) [IF EXPERIENCED RANSOMWARE (TYPEDUM=1): – if any ransomware attacks you experienced involved you paying or transferring money to the attackers, please do not include these here, unless you paid them based on fraudulent information such as a fake invoice]
WRITE IN RANGE 0-9,999
SOFT CHECK IF>9
SINGLE CODE
DO NOT READ OUT: Don’t know
FRAUDDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced cyber-facilitated fraud:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF ANY FRAUDa-d>0: Yes
ELSE (INCLUDING IF FRAUDa-d ALL MISSING): No
FRAUDCOUNTDUM
DUMMY VARIABLE NOT ASKED
Number of cyber-facilitated fraud experienced (among those experiencing any):
IF EXPERIENCED CYBER-FACILITATED FRAUD (FRAUDDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
FRAUDa + FRAUDb + FRAUDc + FRAUDd
Q88B_FRAUDCOUNT DELETED PRE-PILOT IN CSBS 2024
Q88C_FRAUDCOUNTDK DELETED PRE-PILOT IN CSBS 2024
Q88D_FRAUDCONT
ASK IF EXPERIENCED CYBER-FACILITATED FRAUD (FRAUDDUM CODE 1) AND MORE THAN ONE BREACH OR ATTACK OTHER THAN IMPERSONATION (2 OR MORE TYPEDUM CODES 1-4 OR 6-11)
The instances you just mentioned are instances of fraud.
IF FRAUDCOUNTDUM>1: Of the [FRAUDCOUNTDUM] instances of fraud your organisation experienced in the last 12 months, how many were the direct result of each of the following?
PROBE FULLY, I.E. NO NEED TO READ OUT ALL STATEMENTS IF ALL INSTANCES OF FRAUD HAVE ALREADY BEEN ACCOUNTED FOR
IF FRAUDCOUNTDUM=1: Which of the following directly resulted in this fraud?
INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
Please put 1 for “yes” and 0 for “no”
ASK AS A GRID (NOT COLLAPSIBLE)
SCRIPT TO SHOW ONLY STATEMENTS IF EQUIVALENT STATEMENT MENTIONED AT TYPEDUM
Ransomware
Malware other than ransomware (e.g. viruses or spyware)
Denial of service attacks
Hacking or attempted hacking of online bank accounts
Phishing attacks
Unauthorised accessing of files or networks by staff [IF CHARITY: or volunteers]
Unauthorised accessing of files or networks by people outside your organisation
Unauthorised listening into video conferences or instant messaging
Takeovers or attempts to take over your website, social media accounts or email accounts
WRITE IN RANGE 0-[FRAUDCOUNTDUM NUMBER]
HARD CHECK IF TOTAL ACROSS ALL STATEMENTS =0
SINGLE CODE
DO NOT READ OUT: Don’t know
FRAUDCONTDUM
DUMMY VARIABLE NOT ASKED (SEPARATE VARIABLE FOR EACH STATEMENT AT FRAUDCONT)
Cyber security breaches or attacks resulting in fraud.
IF FRAUDCONTa-i≥0: TAKE ANSWER FROM FRAUDCONT
IF EXPERIENCED CYBER-FACILITATED FRAUD (FRAUDDUM CODE 1) AND ONLY ONE BREACH OR ATTACK OTHER THAN IMPERSONATION (ONLY 1 OF TYPEDUM CODES 1-4 OR 6-11): TAKE ANSWER FROM FRAUDCOUNTDUM AND APPLY AS FOLLOWS:
IF TYPEDUM CODE 1: FRAUDCONTDUMa = FRAUDCOUNTDUM NUMBER
IF TYPEDUM CODE 2: FRAUDCONTDUMb = FRAUDCOUNTDUM NUMBER
IF TYPEDUM CODE 3: FRAUDCONTDUMc = FRAUDCOUNTDUM NUMBER
IF TYPEDUM CODE 4: FRAUDCONTDUMd = FRAUDCOUNTDUM NUMBER
IF TYPEDUM CODE 6: FRAUDCONTDUMe = FRAUDCOUNTDUM NUMBER
IF TYPEDUM CODE 7: FRAUDCONTDUMf = FRAUDCOUNTDUM NUMBER
IF TYPEDUM CODE 8: FRAUDCONTDUMg = FRAUDCOUNTDUM NUMBER
IF TYPEDUM CODE 9: FRAUDCONTDUMh = FRAUDCOUNTDUM NUMBER
IF TYPEDUM CODE 10: FRAUDCONTDUMi = FRAUDCOUNTDUM NUMBER
IF TYPEDUM CODE 11: FRAUDCONTDUMj = FRAUDCOUNTDUM NUMBER
ELSE: MISSING
Q88E_FRAUDCOSTA
ASK IF EXPERIENCED CYBER-FACILITATED FRAUD (FRAUDDUM CODE 1)
IF FRAUDCOUNTDUM>1: Across these [FRAUDCOUNTDUM NUMBER] instances of fraud, what was the total cost to your organisation?
IF FRAUDCOUNTDUM=1: What was the total cost to your organisation of this fraud?
This includes:
the direct cost of any money taken from bank accounts, credit or debit cards, or paid to the fraudsters, including as a result of phishing emails
other direct costs such as legal fees, insurance excess payments, or buying new software
the cost of staff time or external contractors to help resolve or investigate issues
the cost of any damage or disruption, such as lost revenue
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1–£999,999
SOFT CHECK IF>£999
SINGLE CODE
No cost incurred
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q88F_FRAUDCOSTB
ASK IF DON’T KNOW TOTAL COST OF CYBER-FACILITATED FRAUD (FRAUDCOSTA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
Less than £100
£100 to less than £250
£250 to less than £500
£500 to less than £1,000
£1,000 to less than £2,000
£2,000 to less than £5,000
£5,000 to less than £10,000
£10,000 to less than £20,000
£20,000 to less than £50,000
£50,000 to less than £100,000
£100,000 or more
DO NOT READ OUT: Don’t know
Cyber crime: ransomware
Q11A_MICROSITE DELETED PRE-PILOT IN CSBS 2024
Q83X_RANSCHK
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND HAD RANSOMWARE THAT LED TO FRAUD (FRAUDCONTDUMa>0)
IF FRAUDCONTDUMa>1: Just to check, other than the [FRAUDCONTDUMa NUMBER] instances that led to fraud, did you experience any other instances in the last 12 months where devices were targeted with ransomware, even if the attacks were unsuccessful or did not impact your organisation?
IF FRAUDCONTDUMa=1: Just to check, other than the instance that led to fraud, did you experience any other instances in the last 12 months where devices were targeted with ransomware, even if the attacks were unsuccessful or did not impact your organisation?
SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know
Q83A_RANSCOUNT DELETED PRE-PILOT IN CSBS 2024
Q83B_RANSCOUNTDK DELETED PRE-PILOT IN CSBS 2024
Q83B2_RANSNONE DELETED PRE-PILOT IN CSBS 2024
Q83E_RANSSOFT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2)
AND
EXPERIENCED RANSOMWARE WITHOUT FRAUD (TYPEDUM CODE 1 AND FRAUDDUM NOT CODE 1) OR EXPERIENCED FRAUD THAT DIDN’T INVOLVE THEIR RANSOMWARE (TYPEDUM CODE 1 AND FRAUDDUM CODE 1 AND (RANSCHK CODE 1 OR MISSING))
IF RANSOMWARE THAT DID NOT LEAD TO FRAUD (RANSCHK NOT CODE 1): You said you experienced at least one instance in the last 12 months where devices were targeted with ransomware.
IF RANSOMWARE THAT LED TO FRAUD (RANSCHK CODE 1): Aside from the [FRAUDCONTDUMa NUMBER] [instance/instances] that led to fraud, in how many of the ransomware attacks you faced in the last 12 months was a financial ransom demanded?
IF RANSOMWARE THAT DID NOT LEAD TO FRAUD (RANSCHK NOT CODE 1): In how many of the ransomware attacks you faced in the last 12 months was a financial ransom demanded?
The financial ransom demanded may be in the form of bitcoin or other cryptocurrency.
WRITE IN RANGE 0-9,999
SOFT CHECK IF 0: Just to check, is it the case that no ransom has been demanded in any ransomware attack your business has faced?
SOFT CHECK IF>9
SINGLE CODE
DO NOT READ OUT: Don’t know
Q83F_RANSSOFTDK DELETED PRE-PILOT IN CSBS 2024
RANSSOFTDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced ransomware cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF RANSSOFT>0: Yes
ELSE (INCLUDING IF RANSSOFT MISSING): No
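The dummy-variable instructions above (the TYPEDUM merge, FRAUDDUM, FRAUDCOUNTDUM, FRAUDCONTDUM and RANSSOFTDUM) describe a small derivation pipeline. The following Python is an added illustration of that pipeline on one constructed respondent record; it is not the survey contractor's own processing code. It assumes the numeric code lists as printed above and treats a DK (None) at FRAUDa-d as contributing 0 to the sum.

```python
"""Derive the CSBS dummy variables (TYPEDUM, FRAUDDUM, FRAUDCOUNTDUM,
FRAUDCONTDUM, RANSSOFTDUM) from one respondent's raw answers.
Constructed example; not the survey's own processing code."""
from __future__ import annotations
from dataclasses import dataclass, field

# TYPEXDUM organisation type codes used in the routing instructions
BUSINESS, CHARITY, EDUCATION = 1, 2, 3

# TYPEDUM codes that count as "specific breaches or attacks other than
# impersonation" in the fraud routing (codes 1-4 or 6-11)
SPECIFIC_NON_IMPERSONATION = {1, 2, 3, 4, 6, 7, 8, 9, 10, 11}

# Single-breach fallback at FRAUDCONTDUM: TYPEDUM code -> statement letter
FRAUDCONT_LETTER = {1: "a", 2: "b", 3: "c", 4: "d", 6: "e", 7: "f",
                    8: "g", 9: "h", 10: "i", 11: "j"}

MISSING = None


@dataclass
class Respondent:
    typex: int                      # TYPEXDUM: 1 business, 2 charity, 3 education
    type_codes: set[int]            # Q53A_TYPE numeric codes 1-12 mentioned
    impersonation_hack: int | None  # Q53B: 1 all, 2 some, 3 no, None = DK/not asked
    impersonation_tkvr: int | None  # Q53C: same coding
    fraud: dict[str, int | None] = field(default_factory=dict)      # Q88A a-d
    fraudcont: dict[str, int | None] = field(default_factory=dict)  # Q88D a-i
    ranssoft: int | None = None     # Q83E: attacks where a ransom was demanded


def derive_typedum(r: Respondent) -> set[int]:
    """Merge TYPE with the two impersonation follow-ups (TYPEDUM instructions)."""
    codes = set(r.type_codes)
    # code 9 is also set if impersonation involved unauthorised access (all/some)
    if r.impersonation_hack in (1, 2):
        codes.add(9)
    # code 11 is also set if impersonation involved an account/website takeover
    if r.impersonation_tkvr in (1, 2):
        codes.add(11)
    return codes


def fraud_asked(r: Respondent) -> bool:
    """Routing for SHOWSCREEN_FRAUD / Q88A_FRAUD."""
    specific = derive_typedum(r) & SPECIFIC_NON_IMPERSONATION
    return r.typex in (BUSINESS, CHARITY) and bool(specific)


def derive_frauddum(r: Respondent) -> bool | None:
    """FRAUDDUM: Yes if any FRAUDa-d > 0, else No; missing for education."""
    if r.typex not in (BUSINESS, CHARITY):
        return MISSING
    return any((v or 0) > 0 for v in r.fraud.values())


def derive_fraudcountdum(r: Respondent) -> int | None:
    """FRAUDCOUNTDUM: FRAUDa + FRAUDb + FRAUDc + FRAUDd among those with fraud.
    Assumption: a DK (None) statement contributes 0 to the sum."""
    if derive_frauddum(r) is not True:
        return MISSING
    return sum((r.fraud.get(k) or 0) for k in "abcd")


def derive_fraudcontdum(r: Respondent) -> dict[str, int] | None:
    """FRAUDCONTDUM: per-statement counts of breaches that led to fraud."""
    count = derive_fraudcountdum(r)
    if count is MISSING:
        return MISSING
    specific = derive_typedum(r) & SPECIFIC_NON_IMPERSONATION
    if len(specific) > 1:
        # Q88D was asked: take its answers, enforcing the scripted checks
        answered = {k: v for k, v in r.fraudcont.items() if v is not None}
        if sum(answered.values()) == 0:      # HARD CHECK: total must not be 0
            raise ValueError("FRAUDCONT total across statements is 0")
        if any(v > count for v in answered.values()):  # WRITE IN RANGE 0-count
            raise ValueError("FRAUDCONT answer exceeds FRAUDCOUNTDUM")
        return answered
    if len(specific) == 1:
        # Only one breach type could have caused the fraud: attribute all of it
        (code,) = specific
        return {FRAUDCONT_LETTER[code]: count}
    return MISSING


def derive_ranssoftdum(r: Respondent) -> bool | None:
    """RANSSOFTDUM: Yes if RANSSOFT > 0, else No (missing RANSSOFT counts as No)."""
    if r.typex not in (BUSINESS, CHARITY):
        return MISSING
    return (r.ranssoft or 0) > 0


# Constructed respondent: a charity hit by ransomware and phishing, where some
# impersonation instances involved unauthorised access but no account takeover.
SAMPLE = Respondent(
    typex=CHARITY,
    type_codes={1, 5, 6},
    impersonation_hack=2, impersonation_tkvr=3,
    fraud={"a": 0, "b": 1, "c": 0, "d": 2},
    fraudcont={"a": 1, "e": 2, "h": 0},
    ranssoft=1,
)

if __name__ == "__main__":
    print("TYPEDUM", sorted(derive_typedum(SAMPLE)))       # [1, 5, 6, 9]
    print("FRAUDDUM", derive_frauddum(SAMPLE))              # True
    print("FRAUDCOUNTDUM", derive_fraudcountdum(SAMPLE))    # 3
    print("FRAUDCONTDUM", derive_fraudcontdum(SAMPLE))      # {'a': 1, 'e': 2, 'h': 0}
    print("RANSSOFTDUM", derive_ranssoftdum(SAMPLE))        # True
```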
SHOWSCREEN_RANS
SHOW IF EXPERIENCED RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1)
IF RANSSOFT>1: This next question is specifically about these [RANSSOFT NUMBER] ransomware attacks you experienced where a financial ransom was demanded [IF FRAUD (RANSCHK CODE 1):, which did not lead to fraud].
IF RANSSOFT=1: This next question is about the one ransomware attack you experienced where a financial ransom was demanded [IF FRAUD (RANSCHK CODE 1):, which did not lead to fraud].
Q83C_RANSFIN DELETED PRE-PILOT IN CSBS 2024
Q83D_RANSFINDK DELETED PRE-PILOT IN CSBS 2024
Q83G_RANSCONT DELETED PRE-PILOT IN CSBS 2024
Q83H_RANSDEMA
ASK IF EXPERIENCED RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1)
IF RANSSOFT>1: Across these [RANSSOFT NUMBER] ransomware attacks where a financial ransom was demanded, what was the sum total demanded in ransoms?
IF RANSSOFT=1: What was the total ransom amount demanded in this ransomware attack?
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1–£999,999
SOFT CHECK IF>£999
SOFT CHECK IF<£10
SINGLE CODE
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q83HX_RANSDEMA_CHK
ASK BESPOKE SOFT CHECK IF VERY LOW RANSOMWARE PAYMENT (RANSDEMA<£10)
You said that the amount demanded was £[RANSDEMA NUMBER].
Can you confirm whether the incident or incidents you are referring to specifically involved ransomware? As a reminder, ransomware is a type of malware that tells you to pay a ransom to restore your files or stop them being made public.
SINGLE CODE
Yes – specifically involved ransomware
No – involved a different type of cyber security breach or attack
Q83I_RANSDEMB
ASK IF DON’T KNOW SUM TOTAL OF RANSOMS DEMANDED (RANSDEMA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
Less than £100
£100 to less than £250
£250 to less than £500
£500 to less than £1,000
£1,000 to less than £2,000
£2,000 to less than £5,000
£5,000 to less than £10,000
£10,000 to less than £20,000
£20,000 to less than £50,000
£50,000 to less than £100,000
£100,000 to less than £250,000
£250,000 or more
DO NOT READ OUT: Don’t know
Q83J_RANSPAYYN
ASK IF CAN RECALL SUM TOTAL OF RANSOMS DEMANDED (RANSDEMA >1 OR RANSDEMB CODES 1-12) AND DID NOT CORRECT THEIR ANSWER (RANSDEMA_CHK NOT CODE 2)
And did you pay any of this amount to the attackers?
PROMPT TO CODE
Please select one answer
SINGLE CODE
Yes, totally
Yes, partially
No
DO NOT READ OUT: Don’t know
Q83K_RANSPAYA
ASK IF PARTIALLY PAID RANSOM (RANSPAYYN CODE 2)
IF RANSSOFT >1: Across the [RANSSOFT NUMBER] ransomware attacks where a financial ransom was demanded, what was the sum total you ended up paying in ransoms to the attackers?
IF RANSSOFT=1: What was the total ransom amount you ended up paying to the attackers?
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1–[RANSDEMA NUMBER OR TOP OF RANSDEMB BAND]
SOFT CHECK IF <£10
SINGLE CODE
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q83L_RANSPAYB
ASK IF DON’T KNOW SUM TOTAL OF RANSOMS PAID (RANSPAYA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
ONLY SHOW CODES UNDER OR EQUAL TO ANSWER AT RANSDEMA OR RANSDEMB
Less than £100
£100 to less than £250
£250 to less than £500
£500 to less than £1,000
£1,000 to less than £2,000
£2,000 to less than £5,000
£5,000 to less than £10,000
£10,000 to less than £20,000
£20,000 to less than £50,000
£50,000 to less than £100,000
£100,000 to less than £250,000
£250,000 or more
DO NOT READ OUT: Don’t know
Q83M_RANSCOSTA
ASK IF EXPERIENCED RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1) AND DID NOT CORRECT THEIR ANSWER (RANSDEMA_CHK NOT CODE 2)
IF RANSSOFT>1: Across these [RANSSOFT NUMBER] ransomware attacks where a financial ransom was demanded, what was the total cost to your organisation?
IF RANSSOFT=1: What was the total cost to your organisation of this ransomware attack where a financial ransom was demanded?
This includes:
- the direct cost of any ransoms paid
- other direct costs such as legal fees, insurance excess payments, or buying new software
- the cost of staff time or external contractors to help resolve or investigate issues
- the cost of any damage or disruption, such as lost revenue, or deleted files.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1–£999,999
SOFT CHECK IF>£999
SOFT CHECK IF<£10
SINGLE CODE
No cost incurred
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q83MX_RANSCOSTA_CHK
ASK BESPOKE SOFT CHECK IF VERY LOW RANSOMWARE COST (RANSCOSTA<£10)
You said that the total cost was £[RANSDEMA NUMBER].
Can you confirm whether the incident or incidents you are referring to specifically involved ransomware? As a reminder, ransomware is a type of malware that tells you to pay a ransom to restore your files or stop them being made public.
SINGLE CODE
Yes – specifically involved ransomware
No – involved a different type of cyber security breach or attack
Q83N_RANSCOSTB
ASK IF DON’T KNOW TOTAL COST OF RANSOMWARE CYBER CRIME (RANSCOSTA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
Less than £100
£100 to less than £250
£250 to less than £500
£500 to less than £1,000
£1,000 to less than £2,000
£2,000 to less than £5,000
£5,000 to less than £10,000
£10,000 to less than £20,000
£20,000 to less than £50,000
£50,000 to less than £100,000
£100,000 to less than £250,000
£250,000 or more
DO NOT READ OUT: Don’t know
Cyber crime: unauthorised access
HACKDUM
DUMMY VARIABLE NOT ASKED
Number of unauthorised access events that led to fraud (used for later text substitution):
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
FRAUDCONTDUMf + FRAUDCONTDUMg + FRAUDCONTDUMh
Q85A_HACKCOUNT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED UNAUTHORISED ACCESS (TYPEDUM CODES 7-10)
You said you experienced at least one instance in the last 12 months where someone tried to access your files, networks, instant messages or conference calls without authorisation, even if they were unsuccessful or did not impact your organisation.
SCRIPT TO CHANGE INSTANCE/INSTANCES AND ATTACK/ATTACKS IN TEXT SUBS BELOW IF NUMBER>1.
IF HAD UNAUTHORISED ACCESS THAT LED TO FRAUD (HACKDUM>0) AND RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1):
Just to check, how many of these, if any, were separate from the [HACKDUM NUMBER] [instance/instances] that led to fraud, as well as the [RANSSOFT NUMBER] ransomware [attack/attacks] you mentioned where a financial ransom was demanded?
IF HAD UNAUTHORISED ACCESS THAT LED TO FRAUD (HACKDUM>0) AND NO RANSOMWARE CYBER CRIME (RANSSOFTDUM NOT CODE 1):
Just to check, how many of these, if any, were separate from the [HACKDUM NUMBER] [instance/instances] that led to fraud?
IF HAD NO UNAUTHORISED ACCESS THAT LED TO FRAUD (HACKDUM NOT>0) AND RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1):
Just to check, how many of these, if any, were separate from the [RANSSOFT NUMBER] ransomware [attack/attacks] you mentioned where a financial ransom was demanded?
IF HAD NO UNAUTHORISED ACCESS THAT LED TO FRAUD (HACKDUM NOT>0) AND NO RANSOMWARE CYBER CRIME (RANSSOFTDUM NOT CODE 1):
How many times did this happen?
IF HAD NO UNAUTHORISED ACCESS THAT LED TO FRAUD (HACKDUM NOT>0) AND NO ATTACKS WHERE A RANSOM WAS DEMANDED (RANSSOFTDUM NOT CODE 1): WRITE IN RANGE 1-9,999
ELSE: WRITE IN RANGE 0-9,999
SOFT CHECK IF>9
SINGLE CODE
DO NOT READ OUT: Don’t know
Q85B_HACKCOUNTDK
ASK IF DON’T KNOW HOW MANY UNAUTHORISED ACCESS EVENTS EXPERIENCED (HACKCOUNT CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
1
2 to 3
4 to 5
6 to 10
11 to 20
21 to 50
51 to 100
More than 100
DO NOT READ OUT: Don’t know
Q85B2_HACKNONE DELETED PRE-PILOT IN CSBS 2024
Q85C_HACKFIN DELETED PRE-PILOT IN CSBS 2024
Q85D_HACKFINDK DELETED PRE-PILOT IN CSBS 2024
HACKCOUNTDUM
DUMMY VARIABLE NOT ASKED
Number of instances of unauthorised access (used for later text substitution):
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF HACKCOUNT>1 OR HACKCOUNTDK CODES 2-8: More than one
IF HACKCOUNT=1 OR HACKCOUNTDK CODE 1: One
ELSE: None
Q85E_HACKSIV
ASK IF ONE OR MORE UNAUTHORISED ACCESS EVENTS (HACKCOUNTDUM CODES 1-2)
Deliberate breaches or attacks are where someone knowingly gains unauthorised access. This is different to accidental breaches where, for example, an employee has accidentally accessed a file they did not have permission to use.
Successful breaches or attacks are ones that penetrated your system and overcame any defensive cyber security measures you had in place.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
IF HACKCOUNTDUM CODE 1: How many, if any, of the [HACKCOUNT NUMBER/HACKCOUNTDK CODE] instances of unauthorised access you faced were both deliberate and successful at penetrating your system?
IF HACKCOUNTDUM CODE 2: Was the instance of unauthorised access you faced both deliberate and successful at penetrating your system?
IF HAD UNAUTHORISED ACCESS THAT LED TO FRAUD (HACKDUM>0) OR ATTACKS WHERE A RANSOM WAS DEMANDED (RANSSOFTDUM CODE 1): Just as a reminder, this is separate from any instances that led to fraud, or involved ransomware.
IF HACKCOUNTDUM CODE 2: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF HACKCOUNTDUM CODE 2: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[HACKCOUNT NUMBER OR TOP OF HACKCOUNTDK BAND]
SOFT CHECK IF 0: Just to check, were none of the instances of unauthorised access you faced deliberate and successful? I.e. were they all either accidental, or unsuccessful at penetrating your system?
SINGLE CODE
DO NOT READ OUT: Don’t know
Q85F_HACKSIVDK DELETED PRE-PILOT IN CSBS 2024
Q85G_HACKCONT DELETED PRE-PILOT IN CSBS 2024
HACKSIVDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced unauthorised access cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF HACKSIV>0: Yes
ELSE (INCLUDING IF HACKSIV MISSING): No
Q85H_HACKEXTCOUNT
SHOW IF EXPERIENCED UNAUTHORISED ACCESS CYBER CRIME (HACKSIVDUM CODE 1)
IF HACKSIV>1: How many of these [HACKSIV NUMBER] deliberate instances, if any, involved the attackers demanding a payment to end the unauthorised access?
IF HACKSIV=1: Did this one deliberate instance involve the attackers demanding a payment to end the unauthorised access?
IF HACKSIV=1: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF HACKSIV=1: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[HACKSIV NUMBER]
SINGLE CODE
DO NOT READ OUT: Don’t know
HACKEXTDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced extortion from unauthorised access (among those experiencing any):
SINGLE CODE
IF EXPERIENCED UNAUTHORISED ACCESS CYBER CRIME (HACKSIVDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
IF HACKEXTCOUNT>0: Yes
ELSE: No
Q85I_HACKEXTCOUNTDK DELETED PRE-PILOT IN CSBS 2024
Q85J_HACKCOSTA
ASK IF EXPERIENCED UNAUTHORISED ACCESS CYBER CRIME (HACKSIVDUM CODE 1)
IF HACKSIV>1: Across these [HACKSIV NUMBER] deliberate instances of unauthorised access, what was the total cost to your organisation?
IF HACKSIV=1: What was the total cost of this deliberate instance of unauthorised access to your organisation?
This includes:
- IF HACKEXTDUM CODE 1: any payments made to the attackers to end the attack
- any other direct costs such as legal fees, insurance excess payments, or buying new software
- the cost of staff time or external contractors to help resolve or investigate issues
- the cost of any damage or disruption, such as lost revenue, or deleted files.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1–£999,999
SOFT CHECK IF>£999
SINGLE CODE
No cost incurred
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q85K_HACKCOSTB
ASK IF DON’T KNOW TOTAL COST OF UNAUTHORISED ACCESS CYBER CRIME (HACKCOSTA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
Less than £100
£100 to less than £250
£250 to less than £500
£500 to less than £1,000
£1,000 to less than £2,000
£2,000 to less than £5,000
£5,000 to less than £10,000
£10,000 to less than £20,000
£20,000 to less than £50,000
£50,000 to less than £100,000
£100,000 to less than £250,000
£250,000 or more
DO NOT READ OUT: Don’t know
Cyber crime: online takeovers
TKVRDUM
DUMMY VARIABLE NOT ASKED
Number of online takeovers that led to fraud (used for later text substitution):
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
FRAUDCONTDUMd + FRAUDCONTDUMi
Q86A_TKVRCOUNT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED ONLINE TAKEOVERS (TYPEDUM CODE 4 OR 11)
You said you experienced at least one instance in the last 12 months where someone tried to take over your website, social media, email accounts, or online bank account, even if they were unsuccessful or did not impact your organisation.
SCRIPT TO CHANGE INSTANCE/INSTANCES AND ATTACK/ATTACKS IN TEXT SUBS BELOW IF NUMBER>1.
IF HAD ONLINE TAKEOVERS THAT LED TO FRAUD (TKVRDUM>0) AND RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1):
Just to check, how many of these, if any, were separate from the [TKVRDUM NUMBER] [instance/instances] that led to fraud, as well as the [RANSSOFT NUMBER] ransomware [attack/attacks] you mentioned where a financial ransom was demanded?
IF HAD ONLINE TAKEOVERS THAT LED TO FRAUD (TKVRDUM>0) AND NO RANSOMWARE CYBER CRIME (RANSSOFTDUM NOT CODE 1):
Just to check, how many of these, if any, were separate from the [TKVRDUM NUMBER] [instance/instances] that led to fraud?
IF HAD NO ONLINE TAKEOVERS THAT LED TO FRAUD (TKVRDUM NOT>0) AND RANSOMWARE CYBER CRIME (RANSSOFTDUM CODE 1):
Just to check, how many of these, if any, were separate from the [RANSSOFT NUMBER] ransomware [attack/attacks] you mentioned where a financial ransom was demanded?
IF HAD NO ONLINE TAKEOVERS THAT LED TO FRAUD (TKVRDUM NOT>0) AND NO RANSOMWARE CYBER CRIME (RANSSOFTDUM NOT CODE 1):
How many times did this happen?
IF HAD NO ONLINE TAKEOVERS THAT LED TO FRAUD (HACKDUM NOT>0) AND NO ATTACKS WHERE A RANSOM WAS DEMANDED (RANSSOFTDUM NOT CODE 1): WRITE IN RANGE 1-9,999
ELSE: WRITE IN RANGE 0-9,999
SOFT CHECK IF>9
SINGLE CODE
DO NOT READ OUT: Don’t know
Q86B_TKVRCOUNTDK
ASK IF DON’T KNOW HOW MANY ONLINE TAKEOVERS EXPERIENCED (TKVRCOUNT CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
1
2 to 3
4 to 5
6 to 10
11 to 20
21 to 50
51 to 100
More than 100
DO NOT READ OUT: Don’t know
Q86B2_TKVRNONE DELETED PRE-PILOT IN CSBS 2024
TKVRCOUNTDUM
DUMMY VARIABLE NOT ASKED
Number of instances of online takeover (used for later text substitution):
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF TKVRCOUNT>1 OR TKVRCOUNTDK CODES 2-8: More than one
IF TKVRCOUNT=1 OR TKVRCOUNTDK CODE 1: One
ELSE: None
Q86C_TKVRSUC
ASK IF ONE OR MORE ONLINE TAKEOVERS (TKVRCOUNTDUM CODES 1-2)
IF TKVRCOUNTDUM CODE 1: How many, if any, of the [TKVRCOUNT NUMBER/TKVRCOUNTDK CODE] instances of attempted online takeover you faced were successful?
IF TKVRCOUNTDUM CODE 2: Was the instance of attempted online takeover you faced successful?
IF HAD ONLINE TAKEOVERS THAT LED TO FRAUD (TKVRDUM>0) OR ATTACKS WHERE A RANSOM WAS DEMANDED (RANSSOFTDUM CODE 1): Just as a reminder, this is separate from any instances that led to fraud, or involved ransomware.
IF TKVRCOUNTDUM CODE 2: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF TKVRCOUNTDUM CODE 2: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[TKVRCOUNT NUMBER OR TOP OF TKVRCOUNTDK BAND]
SOFT CHECK IF 0: Just to check, were none of the instances of attempted online takeover you faced successful? I.e. were they all cases where someone tried and failed to gain access?
SINGLE CODE
DO NOT READ OUT: Don’t know
Q86D_TKVRSUCDK DELETED PRE-PILOT IN CSBS 2024
Q86E_TKVRFIN DELETED PRE-PILOT IN CSBS 2024
Q86F_TKVRFINDK DELETED PRE-PILOT IN CSBS 2024
Q86G_TKVRCONT DELETED PRE-PILOT IN CSBS 2024
TKVRSUCDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced online takeover cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF TKVRSUC>0: Yes
ELSE (INCLUDING IF TKVRSUC MISSING): No
Q86H_TKVREXTCOUNT
SHOW IF EXPERIENCED ONLINE TAKEOVER CYBER CRIME (TKVRSUCDUM CODE 1)
IF TKVRSUC>1: How many of these [TKVRSUC NUMBER] successful online takeovers, if any, involved the attackers demanding a payment to end the takeover?
IF TKVRSUC=1: Did this one successful online takeover involve the attackers demanding a payment to end the takeover?
IF TKVRSUC=1: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF TKVRSUC=1: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[TKVRSUC NUMBER]
SINGLE CODE
DO NOT READ OUT: Don’t know
TKVREXTDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced extortion from online takeovers (among those experiencing any):
SINGLE CODE
IF EXPERIENCED ONLINE TAKEOVER CYBER CRIME (TKVRSUCDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
IF TKVREXTCOUNT>1: Yes
ELSE: No
Q86I_TKVREXTCOUNTDK DELETED PRE-PILOT IN CSBS 2024
Q86J_TKVRCOSTA
ASK IF EXPERIENCED ONLINE TAKEOVER CYBER CRIME (TKVRSUCDUM CODE 1)
IF TKVRSUC>1: Across these [TKVRSUC NUMBER] successful online takeovers, what was the total cost to your organisation?
IF TKVRSUC=1: What was the total cost of this successful online takeover to your organisation?
This includes:
- IF TKVREXTDUM CODE 1: any payments made to the attackers to end the attack
- any other direct costs such as legal fees, insurance excess payments, or buying new software
- the cost of staff time or external contractors to help resolve or investigate issues
- the cost of any damage or disruption, such as lost revenue, or deleted files.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1–£999,999
SOFT CHECK IF>£999
SINGLE CODE
No cost incurred
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q86K_TKVRCOSTB
ASK IF DON’T KNOW TOTAL COST OF ONLINE TAKEOVER CYBER CRIME (TKVRCOSTA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
Less than £100
£100 to less than £250
£250 to less than £500
£500 to less than £1,000
£1,000 to less than £2,000
£2,000 to less than £5,000
£5,000 to less than £10,000
£10,000 to less than £20,000
£20,000 to less than £50,000
£50,000 to less than £100,000
£100,000 to less than £250,000
£250,000 or more
DO NOT READ OUT: Don’t know
Cyber crime: hacking (dummy variables)
HACKMERGEDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced hacking cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF HACKSIVDUM CODE 1 OR TKVRSUCDUM CODE 1: Yes
ELSE (INCLUDING IF HACKSIVDUM OR TKVRDUM MISSING): No
HACKNUMDUM
DUMMY VARIABLE NOT ASKED
Number of hacking cyber crimes experienced (among those experiencing any):
IF EXPERIENCED HACKING CYBER CRIME (HACKMERGEDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
HACKSIV + TKVRSUC (TREATING ANY DK VALUES AS MISSING, SO AS 0 IN THE CALCULATION)
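As an added worked example (not the survey's own scripting), the following Python models how the dummy variables in this section chain together: RANSSOFTDUM, HACKSIVDUM, TKVRSUCDUM and the extortion dummies feed HACKMERGEDUM and HACKNUMDUM, which in turn feed DOSDUM and the SHOWSCREEN_DOSCHK bullets. It assumes a respondent record keyed by questionnaire variable names (a key that is absent means the question was not asked), represents Yes/No as True/False and a missing dummy as None, and treats the ">1" printed for TKVREXTDUM as ">0" to match HACKEXTDUM and DOSEXTDUM.

```python
"""Model of the CSBS 2025/2026 cyber crime dummy-variable derivation.

Added illustration, not the survey's own CATI/online scripting. Write-in
counts are ints (0-9,999), the string DK is "Don't know", and a key absent
from the record means the question was not asked (missing).
"""

DK = "DK"  # respondent answered "Don't know" at a write-in question

HACKING_DUMMIES = ("HACKSIVDUM", "TKVRSUCDUM", "HACKEXTDUM",
                   "TKVREXTDUM", "HACKMERGEDUM", "HACKNUMDUM")


def is_count(value):
    """True for a recorded numeric write-in; False for DK or missing (None)."""
    return isinstance(value, int)


def yes_if_positive(count):
    """Rule shared by RANSSOFTDUM, HACKSIVDUM, TKVRSUCDUM and the extortion
    dummies: Yes if the write-in is above 0; missing and DK both fall to No."""
    return is_count(count) and count > 0


def dk_as_zero(count):
    """HACKNUMDUM rule: DK values are treated as missing, i.e. 0 in the sum."""
    return count if is_count(count) else 0


def derive_hacking(record):
    """Derive the six hacking dummies for one respondent record."""
    if record.get("TYPEXDUM") not in (1, 2):      # not business/charity: all missing
        return {name: None for name in HACKING_DUMMIES}
    hacksiv, tkvrsuc = record.get("HACKSIV"), record.get("TKVRSUC")
    out = {"HACKSIVDUM": yes_if_positive(hacksiv),
           "TKVRSUCDUM": yes_if_positive(tkvrsuc)}
    # Extortion dummies are only defined among those experiencing that crime.
    # Assumption: TKVREXTDUM uses ">0" (the page prints ">1"), as HACKEXTDUM does.
    out["HACKEXTDUM"] = (yes_if_positive(record.get("HACKEXTCOUNT"))
                         if out["HACKSIVDUM"] else None)
    out["TKVREXTDUM"] = (yes_if_positive(record.get("TKVREXTCOUNT"))
                         if out["TKVRSUCDUM"] else None)
    out["HACKMERGEDUM"] = out["HACKSIVDUM"] or out["TKVRSUCDUM"]
    # HACKNUMDUM is only defined among those experiencing any hacking cyber crime
    out["HACKNUMDUM"] = (dk_as_zero(hacksiv) + dk_as_zero(tkvrsuc)
                         if out["HACKMERGEDUM"] else None)
    return out


def derive_dosdum(record):
    """DOSDUM: any cyber-facilitated fraud (FRAUDDUM, derived earlier in the
    questionnaire and taken here as a bool), ransomware cyber crime
    (RANSSOFT > 0) or hacking cyber crime so far."""
    if record.get("TYPEXDUM") not in (1, 2):
        return None
    return (bool(record.get("FRAUDDUM"))
            or yes_if_positive(record.get("RANSSOFT"))
            or bool(derive_hacking(record)["HACKMERGEDUM"]))


def doschk_bullets(record):
    """Text substitutions for SHOWSCREEN_DOSCHK: one bullet per category whose
    dummy is Yes, with instance/instances and attack/attacks pluralised."""
    def pl(n, one, many):
        return f"{n} {one if n == 1 else many}"

    hacking = derive_hacking(record)
    bullets = []
    if record.get("FRAUDDUM"):
        bullets.append(pl(record["FRAUDCOUNTDUM"], "instance", "instances")
                       + " in total that led to fraud")
    if yes_if_positive(record.get("RANSSOFT")):
        bullets.append(pl(record["RANSSOFT"], "ransomware attack", "ransomware attacks")
                       + " where a financial ransom was demanded")
    if hacking["HACKSIVDUM"]:
        bullets.append(pl(record["HACKSIV"], "instance", "instances")
                       + " of unauthorised access")
    if hacking["TKVRSUCDUM"]:
        bullets.append(pl(record["TKVRSUC"], "online takeover attack",
                          "online takeover attacks"))
    return bullets


# Constructed sample records (not survey data).
SAMPLE_BUSINESS = {"TYPEXDUM": 1, "FRAUDDUM": False, "RANSSOFT": 2,
                   "HACKSIV": 3, "HACKEXTCOUNT": 1, "TKVRSUC": DK}
SAMPLE_CHARITY = {"TYPEXDUM": 2, "FRAUDDUM": False,
                  "HACKSIV": 0, "TKVRSUC": 1, "TKVREXTCOUNT": 0}
SAMPLE_EDUCATION = {"TYPEXDUM": 3, "HACKSIV": 5, "TKVRSUC": 2}

if __name__ == "__main__":
    for rec in (SAMPLE_BUSINESS, SAMPLE_CHARITY, SAMPLE_EDUCATION):
        print(derive_hacking(rec), derive_dosdum(rec), doschk_bullets(rec))
```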
Cyber crime: denial of service
DOSDUM
DUMMY VARIABLE NOT ASKED
Any successful and deliberate cyber security breach or attack, or cyber-facilitated fraud so far (used for later text substitution):
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF FRAUDDUM CODE 1 OR RANSSOFTDUM CODE 1 OR HACKMERGEDUM CODE 1: Yes
ELSE: No
SHOWSCREEN_DOSCHK
SHOW IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED DENIAL OF SERVICE ATTACKS (TYPEDUM CODE 3) AND ANY CYBER CRIME OR CYBER-FACILITATED FRAUD SO FAR (DOSDUM CODE 1)
So far, you’ve told us about the following distinct cyber security breaches or attacks from the last 12 months that were both successful and deliberate:
SCRIPT TO CHANGE INSTANCE/INSTANCES AND ATTACK/ATTACKS IN TEXT SUBS BELOW IF NUMBER>1.
SCRIPT TO ONLY SHOW EACH BULLET BASED ON THE FOLLOWING ROUTING:
- IF FRAUDDUM CODE 1: [FRAUDCOUNTDUM NUMBER] [instance/instances] in total that led to fraud
- IF RANSSOFTDUM CODE 1: [RANSSOFT NUMBER] ransomware [attack/attacks] where a financial ransom was demanded
- IF HACKSIVDUM CODE 1: [HACKSIV NUMBER] [instance/instances] of unauthorised access
- IF TKVRSUCDUM CODE 1: [TKVRSUC NUMBER] online takeover [attack/attacks]
This next question is specifically about any unrelated instances in the last 12 months where someone tried to slow or take down your website, applications or online services, known as a denial of service attack.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
Q87A_DOSCOUNT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED DENIAL OF SERVICE ATTACKS (TYPEDUM CODE 3)
You said you experienced at least one denial of service attack in the last 12 months, even if the attacks were unsuccessful or did not impact your organisation. How many times did this happen?
IF ANY CYBER CRIME OR CYBER-FACILITATED FRAUD SO FAR (DOSDUM CODE 1): Please exclude any instances related to the successful and deliberate breaches or attacks you have already told us about. If that means you have already mentioned all your denial of service attacks, you can say this.
WRITE IN RANGE 1-9,999
SOFT CHECK IF>9
SINGLE CODE
IF DOSDUM CODE 1: DO NOT READ OUT: Already mentioned all denial of service attacks
DO NOT READ OUT: Don’t know
Q87B_DOSCOUNTDK
ASK IF DON’T KNOW HOW MANY DENIAL OF SERVICE ATTACKS EXPERIENCED (DOSCOUNT CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
1
2 to 3
4 to 5
6 to 10
11 to 20
21 to 50
51 to 100
More than 100
DO NOT READ OUT: Don’t know
Q87B2_DOSNONE DELETED PRE-PILOT IN CSBS 2024
Q87C_DOSFIN DELETED PRE-PILOT IN CSBS 2024
Q87D_DOSFINDK DELETED PRE-PILOT IN CSBS 2024
DOSCOUNTDUM
DUMMY VARIABLE NOT ASKED
Number of denial of service attacks (used for later text substitution):
SINGLE CODE
IF DOSCOUNT>1 OR DOSCOUNTDK CODES 2-8: More than one
IF DOSCOUNT=1 OR DOSCOUNTDK CODE 1: One
ELSE: None
Q87E_DOSSOFT
ASK IF ONE OR MORE DENIAL OF SERVICE ATTACKS (DOSCOUNTDUM CODES 1-2)
INTERVIEWER READ OUT IF NOT PREVIOUSLY MENTIONED: Some breaches or attacks are unsuccessful, because they are stopped by an organisation’s internal or third-party software before they make an impact. Others are successful, and overcome internal or third-party software.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
IF DOSCOUNTDUM CODE 1: How many, if any, of the [DOSCOUNT NUMBER/DOSCOUNTDK CODE] denial of service attacks you faced were successful? I.e. they overcame internal or third-party software.
IF DOSCOUNTDUM CODE 2: Was the denial of service attack you faced successful? I.e. it overcame internal or third-party software.
IF ANY CYBER CRIME SO FAR (DOSDUM CODE 1): Just as a reminder, this is aside from the instances that led to fraud, or other successful and deliberate breaches or attacks you have already told us about.
IF DOSCOUNTDUM CODE 2: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF DOSCOUNTDUM CODE 2: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[DOSCOUNT NUMBER OR TOP OF DOSCOUNTDK BAND]
SOFT CHECK IF 0: Just to check, were none of the denial of service attacks you faced successful? I.e. were they all stopped by internal or third-party software before they made an impact?
SINGLE CODE
DO NOT READ OUT: Don’t know
Q87F_DOSSOFTDK DELETED PRE-PILOT IN CSBS 2024
DOSSOFTDUM
DUMMY VARIABLE NOT ASKED
Number of successful denial of service attacks (used for later text substitution):
SINGLE CODE
IF DOSSOFT>1: More than one
IF DOSSOFT=1: One
ELSE: None
Q87G_DOSSIV
ASK IF ONE OR MORE SUCCESSFUL DENIAL OF SERVICE ATTACKS (DOSSOFTDUM CODES 1-2)
Deliberate denial of service attacks are where someone knowingly overloads your systems to cause them to crash. This is different to non-deliberate instances where, for example, service is denied because a website is experiencing high traffic.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
IF DOSSOFTDUM CODE 1: As far as you know, how many of your [DOSSOFT NUMBER] successful denial of service attacks in the last 12 months were deliberate?
IF DOSSOFTDUM CODE 2: As far as you know, was your successful denial of service attack deliberate?
IF DOSSOFTDUM CODE 2: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF DOSSOFTDUM CODE 2: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[DOSSOFT NUMBER]
SOFT CHECK IF 0: Just to check, were none of your successful denial of service attacks deliberate? I.e. were they all instances of non-deliberate high traffic?
SINGLE CODE
DO NOT READ OUT: Don’t know
Q87H_DOSSIVDK DELETED PRE-PILOT IN CSBS 2024
Q87I_DOSCONT DELETED PRE-PILOT IN CSBS 2024
DOSSIVDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced denial of service cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF DOSSIV>0: Yes
ELSE (INCLUDING IF DOSSIV MISSING): No
Q87J_DOSEXTCOUNT
SHOW IF EXPERIENCED DENIAL OF SERVICE CYBER CRIME (DOSSIVDUM CODE 1)
IF DOSSIV>1: How many of these [DOSSIV NUMBER] successful and deliberate denial of service attacks, if any, involved the attackers demanding a payment to end the attack?
IF DOSSIV=1: Did this one successful and deliberate denial of service attack involve the attackers demanding a payment to end the attack?
IF DOSSIV=1: INTERVIEWER NOTE: PUT 1 FOR “YES” AND 0 FOR “NO”
IF DOSSIV=1: Please put 1 for “yes” and 0 for “no”
WRITE IN RANGE 0-[DOSSIV NUMBER]
SINGLE CODE
DO NOT READ OUT: Don’t know
DOSEXTDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced extortion from denial of service attacks (among those experiencing any):
SINGLE CODE
IF EXPERIENCED DENIAL OF SERVICE CYBER CRIME (DOSSIVDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
IF DOSEXTCOUNT>0: Yes
ELSE: No
Q87K_DOSEXTCOUNTDK DELETED PRE-PILOT IN CSBS 2024
Q87L_DOSCOSTA
ASK IF EXPERIENCED DENIAL OF SERVICE CYBER CRIME (DOSSIVDUM CODE 1)
IF DOSSIV>1: Across these [DOSSIV NUMBER] successful and deliberate denial of service attacks, what was the total cost to your organisation?
IF DOSSIV=1: What was the total cost of this successful and deliberate denial of service attack to your organisation?
This includes:
- IF DOSEXTDUM CODE 1: any payments made to the attackers to end the attack
- any other direct costs such as legal fees, insurance excess payments, or buying new software
- the cost of staff time or external contractors to help resolve or investigate issues
- the cost of any damage or disruption, such as lost revenue, or deleted files.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1–£999,999
SOFT CHECK IF>£999
SINGLE CODE
No cost incurred
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q87M_DOSCOSTB
ASK IF DON’T KNOW TOTAL COST OF DENIAL OF SERVICE CYBER CRIME (DOSCOSTA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
Less than £100
£100 to less than £250
£250 to less than £500
£500 to less than £1,000
£1,000 to less than £2,000
£2,000 to less than £5,000
£5,000 to less than £10,000
£10,000 to less than £20,000
£20,000 to less than £50,000
£50,000 to less than £100,000
£100,000 to less than £250,000
£250,000 or more
DO NOT READ OUT: Don’t know
Cyber crime: other malware
VIRUSDUM
DUMMY VARIABLE NOT ASKED
Any successful and deliberate cyber security breach or attack, or cyber-facilitated fraud so far (used for later text substitution):
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF FRAUDDUM CODE 1 OR RANSSOFTDUM CODE 1 OR HACKMERGEDUM CODE 1 OR DOSSIVDUM CODE 1: Yes
ELSE: No
SHOWSCREEN_VIRUSCHK
SHOW IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED OTHER MALWARE (TYPEDUM CODE 2) AND ANY CYBER CRIME OR CYBER-FACILITATED FRAUD SO FAR (VIRUSDUM CODE 1)
So far, you’ve told us about the following distinct cyber security breaches or attacks from the last 12 months that were both successful and deliberate:
SCRIPT TO CHANGE INSTANCE/INSTANCES AND ATTACK/ATTACKS IN TEXT SUBS BELOW IF NUMBER>1.
SCRIPT TO ONLY SHOW EACH BULLET BASED ON THE FOLLOWING ROUTING:
- IF FRAUDDUM CODE 1: [FRAUDCOUNTDUM NUMBER] [instance/instances] in total that led to fraud
- IF RANSSOFTDUM CODE 1: [RANSSOFT NUMBER] ransomware [attack/attacks] where a financial ransom was demanded
- IF HACKSIVDUM CODE 1: [HACKSIV NUMBER] [instance/instances] of unauthorised access
- IF TKVRSUCDUM CODE 1: [TKVRSUC NUMBER] online takeover [attack/attacks]
- IF DOSSOFTDUM CODE 1: [DOSSOFT NUMBER] denial of service [attack/attacks]
This next question is specifically about any unrelated instances in the last 12 months where your organisation’s devices were targeted with malware such as viruses or spyware.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
Q84A_VIRUSCOUNT DELETED PRE-PILOT IN CSBS 2024
Q84B_VIRUSCOUNTDK DELETED PRE-PILOT IN CSBS 2024
Q84B2_VIRUSNONE DELETED PRE-PILOT IN CSBS 2024
Q84C_VIRUSFIN DELETED PRE-PILOT IN CSBS 2024
Q84D_VIRUSFINDK DELETED PRE-PILOT IN CSBS 2024
Q84E_VIRUSSOFT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED OTHER MALWARE (TYPEDUM CODE 2)
You said you experienced at least one instance in the last 12 months where devices were targeted with malware such as viruses or spyware.
INTERVIEWER READ OUT IF NOT PREVIOUSLY MENTIONED: Some breaches or attacks are unsuccessful, because they are stopped by an organisation’s internal or third-party software before they make an impact. Others are successful, and overcome internal or third-party software.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
How many, if any, of the malware attacks you faced were successful? I.e. they overcame internal or third-party software.
IF ANY CYBER CRIME SO FAR (VIRUSDUM CODE 1): Just as a reminder, this is aside from the instances that led to fraud, or other successful and deliberate breaches or attacks you have already told us about.
WRITE IN RANGE 0-9,999
SOFT CHECK IF 0: Just to check, were none of the malware attacks you faced successful? I.e. were they all stopped by internal or third-party software before they made an impact?
SINGLE CODE
DO NOT READ OUT: Don’t know
Q84F_VIRUSSOFTDK DELETED PRE-PILOT IN CSBS 2024
Q84G_VIRUSCONT DELETED PRE-PILOT IN CSBS 2024
VIRUSSOFTDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced other malware cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF VIRUSSOFT>0: Yes
ELSE (INCLUDING IF VIRUSSOFT MISSING): No
SHOWSCREEN_VIRUS
SHOW IF EXPERIENCED OTHER MALWARE CYBER CRIME (VIRUSSOFTDUM CODE 1)
IF VIRUSSOFT>1: This next question is specifically about the [VIRUSSOFT NUMBER] successful malware attacks you experienced. [IF ANY CYBER CRIME SO FAR (VIRUSDUM CODE 1): These are the ones that did not lead to fraud, or involve the other successful and deliberate cyber security breaches or attacks you have already told us about].
IF VIRUSSOFT=1: This next question is about the one successful malware attack you experienced. [IF ANY CYBER CRIME SO FAR (VIRUSDUM CODE 1): This is the one that did not lead to fraud, or involve the other successful and deliberate cyber security breaches or attacks you have already told us about].
Q84I_VIRUSCOSTA
ASK IF EXPERIENCED OTHER MALWARE CYBER CRIME (VIRUSSOFTDUM CODE 1)
IF VIRUSSOFT>1: Across these [VIRUSSOFT NUMBER] successful malware attacks, what was the total cost to your organisation?
IF VIRUSSOFT=1: What was the total cost of this successful malware attack to your organisation?
This includes:
- any direct costs such as legal fees, insurance excess payments, or buying new software
- the cost of staff time or external contractors to help resolve or investigate issues
- the cost of any damage or disruption, such as lost revenue, or deleted files.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1–£999,999
SOFT CHECK IF>£999
SINGLE CODE
No cost incurred
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q84J_VIRUSCOSTB
ASK IF DON’T KNOW TOTAL COST OF MALWARE CYBER CRIME (VIRUSCOSTA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
Less than £100
£100 to less than £250
£250 to less than £500
£500 to less than £1,000
£1,000 to less than £2,000
£2,000 to less than £5,000
£5,000 to less than £10,000
£10,000 to less than £20,000
£20,000 to less than £50,000
£50,000 to less than £100,000
£100,000 to less than £250,000
£250,000 or more
DO NOT READ OUT: Don’t know
Cyber crime: phishing
PHISHDUM
DUMMY VARIABLE NOT ASKED
Any successful and deliberate cyber security breach or attack, or cyber-facilitated fraud so far (used for later text substitution):
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF FRAUDDUM CODE 1 OR RANSSOFTDUM CODE 1 OR HACKMERGEDUM CODE 1 OR DOSSIVDUM CODE 1 OR VIRUSSOFTDUM CODE 1: Yes
ELSE: No
SHOWSCREEN_PHISHCHK
SHOW IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED OTHER MALWARE (TYPEDUM CODE 2) AND ANY CYBER CRIME OR CYBER-FACILITATED FRAUD SO FAR (PHISHDUM CODE 1)
So far, you’ve told us about the following distinct cyber security breaches or attacks from the last 12 months that were both successful and deliberate:
SCRIPT TO CHANGE INSTANCE/INSTANCES AND ATTACK/ATTACKS IN TEXT SUBS BELOW IF NUMBER>1.
SCRIPT TO ONLY SHOW EACH BULLET BASED ON THE FOLLOWING ROUTING:
IF FRAUDDUM CODE 1: [FRAUDCOUNTDUM NUMBER] [instance/instances] in total that led to fraud
IF RANSSOFTDUM CODE 1: [RANSSOFT NUMBER] ransomware [attack/attacks] where a financial ransom was demanded
IF HACKSIVDUM CODE 1: [HACKSIV NUMBER] [instance/instances] of unauthorised access
IF TKVRSUCDUM CODE 1: [TKVRSUC NUMBER] online takeover [attack/attacks]
IF DOSSOFTDUM CODE 1: [DOSSOFT NUMBER] denial of service [attack/attacks]
IF VIRUSSOFTDUM CODE 1: [VIRUSSOFT NUMBER] malware [attack/attacks]
This next question is specifically about any unrelated instances in the last 12 months of phishing attacks, where staff received a fraudulent email, or arrived at a fraudulent website. I.e. any phishing attacks that did not lead to the instances you have already told us about.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
Q89A_PHISHCOUNT DELETED PRE-PILOT IN CSBS 2024
Q89B_PHISHCOUNTDK DELETED PRE-PILOT IN CSBS 2024
Q89B2_PHISHNONE DELETED PRE-PILOT IN CSBS 2024
Q89C_PHISHENG
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED PHISHING ATTACKS (TYPEDUM CODE 6)
You said you experienced at least one phishing attack in the last 12 months, where staff received a fraudulent email, or arrived at a fraudulent website.
Some phishing attacks are unsuccessful, because no one in the organisation engages with them. Others are successful, because someone engages, for example by clicking a link, opening an attachment, downloading a file, or replying to the attack email.
If more than one person engages with the same phishing attack, we want to count this as just one attack.
INTERVIEWER NOTE: PROBE IF THEY FEEL THEY UNDERSTAND BEFORE CONTINUING. REPEAT PART OR ALL OF EXPLANATION IF NECESSARY.
How many, if any, of the phishing attacks you faced did someone, such as an employee, engage with?
IF ANY CYBER CRIME SO FAR (PHISHDUM CODE 1): Just as a reminder, this is aside from the instances that led to fraud, or to other successful and deliberate breaches or attacks you have already told us about.
WRITE IN RANGE 0-9,999
SOFT CHECK IF 0: Just to check, did no one engage with any of the phishing attacks you faced? I.e. did no one click a link, open an attachment, download a file, or reply to the attack email?
SINGLE CODE
DO NOT READ OUT: Don’t know
Q89D_PHISHENGDK DELETED PRE-PILOT IN CSBS 2024
PHISHENGDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced phishing engagement cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF PHISHENG>0: Yes
ELSE (INCLUDING IF PHISHENG MISSING): No
Q89X_PHISHCONYES
ASK IF EXPERIENCED PHISHING ENGAGEMENT CYBER CRIME (PHISHENGDUM CODE 1)
Other than the [PHISHENG NUMBER] phishing [attack/attacks] that someone in your organisation engaged with, did you experience any further phishing attacks in the last 12 months?
SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know
Q89E_PHISHCON
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND EXPERIENCED PHISHING ATTACKS (TYPEDUM CODE 6) WHERE NO ENGAGEMENT (PHISHCONYES CODE 1 OR PHISHENGDUM CODE 2)
IF PHISHCONYES CODE 1:
This question is about the remaining phishing attacks from the last 12 months that no one engaged with.
As far as you know, how many, if any, of these remaining phishing attacks were specifically targeted at your organisation or its staff? By this, we mean the attackers referred to your organisation or its staff by name, or included any personal or contact details in any messages.
ELSE:
And as far as you know, how many, if any, of the phishing attacks you faced in the last 12 months were specifically targeted at your organisation or its staff? By this, we mean the attackers referred to your organisation or its staff by name, or included any personal or contact details in any messages.
WRITE IN RANGE 0-999
SOFT CHECK IF 0: Just to check, were none of the remaining phishing attacks you faced specifically targeted at your organisation or its staff? I.e. was there no mention of your organisation, of staff by name, or other personal or contact details?
SINGLE CODE
DO NOT READ OUT: Don’t know
Q89F_PHISHCONDK
ASK IF DON’T KNOW HOW MANY PHISHING ATTACKS WERE TARGETED (PHISHCON CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
1
2 to 3
4 to 5
6 to 10
11 to 20
21 to 50
51 to 100
More than 100
DO NOT READ OUT: Don’t know
PHISHCONDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced phishing personal details cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF PHISHCON>0 OR PHISHCONDK CODE DK: Yes
ELSE (INCLUDING IF PHISHCON MISSING): No
PHISHCONNUMDUM
DUMMY VARIABLE NOT ASKED
Number of phishing personal details cyber crimes experienced (among those experiencing any):
IF EXPERIENCED PHISHING PERSONAL DETAILS CYBER CRIME (PHISHCONDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
IF PHISHCON>0: TAKE VALUE FROM PHISHCON
IF PHISHCONDK CODES 1-8: CODE AS FOLLOWS FROM PHISHCONDK:
CODE 1 = 1
CODE 2 = 3
CODE 3 = 5
CODE 4 = 8
CODE 5 = 16
CODE 6 = 36
CODE 7 = 76
CODE 8 = 100
ELSE: MISSING
PHISHMERGEDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced phishing cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF PHISHENGDUM CODE 1 OR PHISHCONDUM CODE 1: Yes
ELSE (INCLUDING IF PHISHENG OR PHISHCON MISSING): No
PHISHNUMDUM
DUMMY VARIABLE NOT ASKED
Number of phishing cyber crimes experienced (among those experiencing any):
IF EXPERIENCED PHISHING CYBER CRIME (PHISHMERGEDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
PHISHENG + PHISHCONNUMDUM (TREATING ANY DK VALUES AS MISSING, SO AS 0 IN THE CALCULATION)
SHOWSCREEN_PHISH
SHOW IF EXPERIENCED PHISHING CYBER CRIME (PHISHMERGEDUM CODE 1)
IF PHISHNUMDUM>1: This next question is specifically about the [PHISHNUMDUM NUMBER] phishing attacks you just mentioned, where someone engaged with the attacks, or your organisation was specifically targeted. IF ANY CYBER CRIME SO FAR OTHER THAN PHISHING (PHISHDUM CODE 1): These are the ones that did not lead to fraud, and did not involve the other deliberate and successful cyber security breaches or attacks you told us about earlier.
IF PHISHNUMDUM=1: This next question is about the one phishing attack you just mentioned, where someone engaged with the attack, or your organisation was specifically targeted. IF ANY CYBER CRIME SO FAR OTHER THAN PHISHING (PHISHDUM CODE 1): This is the one that did not lead to fraud, and did not involve the other deliberate and successful cyber security breaches or attacks you told us about earlier.
Q89I_PHISHCOSTA
ASK IF EXPERIENCED PHISHING CYBER CRIME (PHISHMERGEDUM CODE 1)
IF PHISHNUMDUM>1: Across these [PHISHNUMDUM NUMBER] phishing attacks, what was the perceived total cost to your organisation?
IF PHISHNUMDUM=1: What was the perceived total cost of this phishing attack to your organisation?
This includes:
- any direct costs such as legal fees, insurance excess payments, or buying new software
- the cost of staff time or external contractors to help resolve or investigate issues
- the cost of any damage or disruption, such as lost revenue, or deleted files.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1–£999,999
SINGLE CODE
No cost incurred
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q89J_PHISHCOSTB
ASK IF DON’T KNOW TOTAL COST OF PHISHING CYBER CRIME (PHISHCOSTA CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
Less than £100
£100 to less than £250
£250 to less than £500
£500 to less than £1,000
£1,000 to less than £2,000
£2,000 to less than £5,000
£5,000 to less than £10,000
£10,000 to less than £20,000
£20,000 to less than £50,000
£50,000 to less than £100,000
£100,000 to less than £250,000
£250,000 or more
DO NOT READ OUT: Don’t know
Cyber crime (further dummy variables)
CRIMEDUM
DUMMY VARIABLE NOT ASKED
Whether organisation experienced any cyber crime:
SINGLE CODE
IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) CODE AS FOLLOWS, ELSE MISSING:
IF RANSSOFTDUM CODE 1 OR HACKMERGEDUM CODE 1 OR DOSSIVDUM CODE 1 OR VIRUSSOFTDUM CODE 1 OR PHISHMERGEDUM CODE 1: Yes
ELSE (INCLUDING IF ABOVE VARIABLES HAVE MISSING RESPONSES): No
CRIMENUMDUM
DUMMY VARIABLE NOT ASKED
Number of cyber crimes experienced (among those experiencing any):
IF EXPERIENCED CYBER CRIME (CRIMEDUM CODE 1) CODE AS FOLLOWS, ELSE MISSING:
RANSSOFT + HACKNUMDUM + DOSSIV + VIRUSSOFT + PHISHNUMDUM (TREATING ANY DK OR -97 VALUES AS MISSING, SO 0 IN THE CALCULATION)
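The phishing and overall cyber crime dummy-variable derivations above (PHISHENGDUM through CRIMENUMDUM), carried through on constructed respondent records as an added Python example; this is not the survey's own scripting. It assumes write-ins are integers, "Don't know" is the string "DK", "Prefer not to say" is -97 (the code the CRIMENUMDUM rule names), and it reads the PHISHCONDUM condition "PHISHCONDK CODE DK" as "answered DK at PHISHCON and was routed to the PHISHCONDK bands".

```python
"""Derive the phishing and overall cyber crime dummies from one respondent
record. Added example, not the survey's own scripting. Assumed codes:
integers for write-ins, "DK" for Don't know, -97 for Prefer not to say;
dummies use 1 = Yes, 2 = No, None = missing."""

DK = "DK"
REF = -97
YES, NO, MISSING = 1, 2, None
BUSINESS_CHARITY = (1, 2)  # TYPEXDUM codes routed into the cyber crime module

# PHISHCONDK band code -> value substituted into PHISHCONNUMDUM (from the instrument)
PHISHCONDK_VALUES = {1: 1, 2: 3, 3: 5, 4: 8, 5: 16, 6: 36, 7: 76, 8: 100}

DUMMIES = ("PHISHENGDUM", "PHISHCONDUM", "PHISHCONNUMDUM", "PHISHMERGEDUM",
           "PHISHNUMDUM", "CRIMEDUM", "CRIMENUMDUM")


def positive(value) -> bool:
    """True only for a real count above zero; DK, -97, missing and 0 are not."""
    return isinstance(value, int) and value > 0


def zero_if_missing(value) -> int:
    """DK, -97 and missing count as 0 when the number dummies are summed."""
    return value if isinstance(value, int) and value >= 0 else 0


def derive_phish_and_crime(rec: dict) -> dict:
    """Apply the PHISHENGDUM ... CRIMENUMDUM rules to one record."""
    out = dict.fromkeys(DUMMIES, MISSING)
    if rec.get("TYPEXDUM") not in BUSINESS_CHARITY:
        return out  # education institutions: every cyber crime dummy is missing

    phisheng, phishcon = rec.get("PHISHENG"), rec.get("PHISHCON")

    # PHISHENGDUM: someone engaged with at least one phishing attack
    out["PHISHENGDUM"] = YES if positive(phisheng) else NO

    # PHISHCONDUM: a targeted count was given, or the respondent said DK at
    # PHISHCON and was routed to the PHISHCONDK bands (assumed reading)
    out["PHISHCONDUM"] = YES if positive(phishcon) or phishcon == DK else NO

    # PHISHCONNUMDUM: write-in value, else band substitute, else missing
    if out["PHISHCONDUM"] == YES:
        if positive(phishcon):
            out["PHISHCONNUMDUM"] = phishcon
        elif rec.get("PHISHCONDK") in PHISHCONDK_VALUES:
            out["PHISHCONNUMDUM"] = PHISHCONDK_VALUES[rec["PHISHCONDK"]]

    # PHISHMERGEDUM / PHISHNUMDUM: engagement plus targeted counts, DK as 0
    out["PHISHMERGEDUM"] = YES if YES in (out["PHISHENGDUM"], out["PHISHCONDUM"]) else NO
    if out["PHISHMERGEDUM"] == YES:
        out["PHISHNUMDUM"] = zero_if_missing(phisheng) + zero_if_missing(out["PHISHCONNUMDUM"])

    # CRIMEDUM / CRIMENUMDUM: any crime type, and the total count with DK/-97 as 0
    flags = [rec.get(k) for k in ("RANSSOFTDUM", "HACKMERGEDUM", "DOSSIVDUM", "VIRUSSOFTDUM")]
    out["CRIMEDUM"] = YES if YES in flags or out["PHISHMERGEDUM"] == YES else NO
    if out["CRIMEDUM"] == YES:
        counts = [rec.get(k) for k in ("RANSSOFT", "HACKNUMDUM", "DOSSIV", "VIRUSSOFT")]
        out["CRIMENUMDUM"] = sum(zero_if_missing(c) for c in counts) + zero_if_missing(out["PHISHNUMDUM"])
    return out


# Constructed records: a business with engaged and banded targeted phishing plus
# one unauthorised-access crime, a charity with no crime, and an education institution.
SAMPLE_RECORDS = [
    {"TYPEXDUM": 1, "PHISHENG": 2, "PHISHCON": DK, "PHISHCONDK": 4,
     "RANSSOFTDUM": 2, "HACKMERGEDUM": 1, "HACKNUMDUM": 1, "DOSSIVDUM": 2,
     "VIRUSSOFTDUM": 1, "VIRUSSOFT": DK},
    {"TYPEXDUM": 2, "PHISHENG": 0, "PHISHCON": 0, "RANSSOFTDUM": 2,
     "HACKMERGEDUM": 2, "DOSSIVDUM": 2, "VIRUSSOFTDUM": 2},
    {"TYPEXDUM": 3, "PHISHENG": 5},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["TYPEXDUM"], derive_phish_and_crime(rec))
```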
Most disruptive breach or attack
SHOWSCREEN_DISRUPT
SHOW IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND MORE THAN ONE TYPE OF BREACH OR ATTACK EXPERIENCED (2 OR MORE TYPEDUM CODES 1-12)
Just to remind you, you mentioned that your organisation had experienced the following types of cyber security breaches or attacks in the last 12 months:
SCRIPT TO SHOW ALL MENTIONS AT TYPEDUM – ONE RESPONSE PER LINE AND USING SHORTENED WORDING FROM TYPEDUM
For these final questions, we want to return to thinking about all of these.
Q64_DISRUPT DELETED PRE-PILOT IN CSBS 2017
Q64A_DISRUPTA
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND MORE THAN ONE TYPE OF BREACH OR ATTACK EXPERIENCED (2 OR MORE TYPEDUM CODES 1-12)
Now we would like you to think about the one cyber security breach or attack, or the main event in a related series of breaches or attacks, that caused the most disruption to your organisation in the last 12 months.
What kind of breach or attack was this?
INTERVIEWER NOTE: IF MORE THAN ONE CODE APPLIES, ASK RESPONDENT WHICH ONE OF THESE THEY THINK STARTED OFF THE BREACH OR ATTACK
PROMPT TO CODE IF NECESSARY
Please select one answer
SINGLE CODE
SCRIPT TO SHOW ONLY CODES MENTIONED AT TYPEDUM
Your organisation’s devices being targeted with ransomware, i.e. a type of malware that tells you to pay a ransom to restore your files or stop them being made public.
Your organisation’s devices being targeted with other malware (e.g. viruses or spyware)
Denial of service attacks, i.e. attacks that try to slow or take down your website, applications or online services
Hacking or attempted hacking of online bank accounts
People impersonating, in emails or online, your organisation or your staff [IF CHARITY: or volunteers]
Phishing attacks, i.e. staff [IF CHARITY: or volunteers] receiving fraudulent emails or arriving at fraudulent websites
Unauthorised accessing of files or networks by staff [IF CHARITY: or volunteers], even if accidental
Unauthorised accessing of files or networks by students
Unauthorised accessing of files or networks by people outside your organisation
Unauthorised listening into video conferences or instant messaging
Takeovers or attempts to take over your website, social media accounts or email accounts
Any other types of cyber security breaches or attacks
DO NOT READ OUT: Don’t know
Q64B_DISRUPTPHISH
ASK IF PHISHING WAS MOST DISRUPTIVE BREACH (DISRUPTA CODE 6) OR BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND THE ONLY BREACH (ONLY CODE 6 AT TYPE)
IF PHISHING WAS MOST DISRUPTIVE BREACH (DISRUPTA CODE 6): You said that the cyber security breach or attack that caused the most disruption to your organisation was a phishing attack. What made this phishing attack the most disruptive?
IF PHISHING WAS THE ONLY BREACH (ONLY CODE 6 AT TYPE): You said that you had experienced a phishing attack in the last 12 months. Did it result in any of the following disruptions?
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST
It resulted in another type of cyber breach or attack
Our staff had to spend time investigating potential attacks
Our staff had to spend time being trained to investigate potential attacks
Downtime – staff could not work while IT systems (including personal devices like laptops) were investigated, or the organisation could not function as usual
We had to invest in new systems to protect against future attacks
MULTICODE
NOT PART OF ROTATION
Another reason WRITE IN
SINGLE CODE
NOT PART OF ROTATION
DO NOT READ OUT: Don’t know
DO NOT READ OUT: None of these
DO NOT READ OUT: Prefer not to say
Q65_IDENTB DELETED PRE-PILOT IN CSBS 2021
Q66_LENGTH DELETED PRE-PILOT IN CSBS 2020
Q67_FACTOR DELETED PRE-PILOT IN CSBS 2020
Q68_SOURCE DELETED PRE-PILOT IN CSBS 2020
Q69_INTENT DELETED PRE-PILOT IN CSBS 2020
Q70_CONTING DELETED PRE-PILOT IN CSBS 2019
SHOWSCREEN_ONEATTACK
SHOW IF EXPERIENCED ONE TYPE OF BREACH OR ATTACK MORE THAN ONCE (ONLY 1 TYPEDUM CODES 1-12 AND [FREQ CODES 2-6 OR DK]): You mentioned you had experienced [INSERT SHORTENED WORDING FROM TYPEDUM] on more than one occasion. Now I would like you to think about the one instance of this that caused the most disruption to your organisation in the last 12 months.
Q71_RESTORE
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
How long, if any time at all, did it take to restore business operations back to normal after the breach or attack was identified? Was it …
PROMPT TO CODE
Please select one answer
SINGLE CODE
No time at all
Less than a day
Between a day and under a week
Between a week and under a month
One month or more
DO NOT READ OUT: Still not back to normal
DO NOT READ OUT: Don’t know
Q72_DEALA DELETED PRE-PILOT IN CSBS 2020
Q73_DEALB DELETED PRE-PILOT IN CSBS 2020
Q74 DELETED PRE-PILOT IN CSBS 2017
Q75 DELETED PRE-PILOT IN CSBS 2017
Q75A_DAMAGEDIR DELETED PRE-PILOT IN CSBS 2021
Q75B_DAMAGEDIRB DELETED PRE-PILOT IN CSBS 2021
Q75C_DAMAGEREC DELETED PRE-PILOT IN CSBS 2021
Q75D_DAMAGERECB DELETED PRE-PILOT IN CSBS 2021
Q75E_DAMAGELON DELETED PRE-PILOT IN CSBS 2021
Q75F_DAMAGELONB DELETED PRE-PILOT IN CSBS 2021
Q75G_BOARDREP DELETED PRE-PILOT IN CSBS 2022
Q76_REPORTA
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
Was this breach or attack reported to anyone outside your organisation, or not?
SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know
Q77A_NOREPORT
ASK IF MOST DISRUPTIVE BREACH OR ATTACK NOT REPORTED (REPORTA CODE 2)
What were the reasons for not reporting this breach or attack?
DO NOT PROMPT
PROBE FULLY (“ANYTHING ELSE?”)
Please select all that apply
MULTICODE
Breach/impact not significant enough
Breach was not criminal
Don’t know who to report to
No benefit to our business
Not obliged/required to report breaches
Reporting won’t make a difference
Too soon/haven’t had enough time
Worried about reputational damage
Another reason WRITE IN
SINGLE CODE
Don’t know
Q77_REPORTB
ASK IF REPORTED (REPORTA CODE 1)
Who was this breach or attack reported to?
DO NOT PROMPT
PROBE FULLY (“ANYONE ELSE?”)
Please select all that apply
MULTICODE
IT/cyber security provider
External IT/cyber security provider
Government or public sector organisations
Action Fraud
Cifas (the UK fraud prevention service)
Charity Commission/regulator
Information Commissioner’s Office (ICO)
Another regulator (e.g. Financial Conduct Authority)
National Cyber Security Centre (NCSC)
National Crime Agency (NCA)
National Protective Security Authority (NPSA)
Police
Another government or public sector organisation WRITE IN
Other non-government organisations
Antivirus company
Bank, building society or credit card company
CERT UK (the national computer emergency response team)
Clients/customers
Cyber Security Information Sharing Partnership (CISP)
Internet/Network Service Provider
Professional/trade/industry association
Suppliers
Was publicly declared
Website administrator
Another non-government organisation WRITE IN
SINGLE CODE
Don’t know
Q78_PREVENT
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
What, if anything, have you done since this breach or attack to prevent or protect your organisation from further breaches or attacks like this?
DO NOT PROMPT
PROBE FULLY (“ANYTHING ELSE?”)
Please select all that apply
MULTICODE
Governance changes
Increased spending
Changed nature of the business/activities
New/updated business continuity plans
New/updated cyber policies
New checks for suppliers/contractors
New procurement processes, e.g. for devices/IT
New risk assessments
Increased senior management oversight/involvement
Purchased cyber insurance
Technical changes
Changed/updated firewall/system configurations
Changed user admin/access rights
Increased monitoring
New/updated antivirus/anti-malware software
Other new software/tools (not antivirus/anti-malware)
Penetration testing
People/training changes
Outsourced cyber security/hired external provider
Recruited new staff
Staff training/communications
Vetting staff/extra vetting
Another action WRITE IN
SINGLE CODE
Nothing done
Don’t know
Q78K_DAMAGEDIRS
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
These next questions are about the approximate costs of this most disruptive breach or attack, or related series of breaches or attacks.
Firstly, what was the approximate value of any external payments made when the incident was being dealt with? This includes:
- any payments to external IT consultants or contractors to investigate or fix the problem
- any payments to the attackers, or money they stole.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1–£9,999,999
SOFT CHECK IF>£9,999
SINGLE CODE
No cost of this kind incurred
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q78L_DAMAGEDIRSB
ASK IF DON’T KNOW SHORT-TERM DIRECT COST OF THIS CYBER SECURITY BREACH OR ATTACK (DAMAGEDIRS CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
Less than £100
£100 to less than £500
£500 to less than £1,000
£1,000 to less than £5,000
£5,000 to less than £10,000
£10,000 to less than £20,000
£20,000 to less than £50,000
£50,000 to less than £100,000
£100,000 to less than £500,000
£500,000 to less than £1 million
£1 million to less than £5 million
£5 million or more
DO NOT READ OUT: Don’t know
Q78M_DAMAGEDIRL
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
What was the approximate value of any external payments made in the aftermath of the incident? This includes:
- any payments to external IT consultants or contractors to run audits, risk assessments or training
- the cost of new or upgraded software or systems
- recruitment costs if you had to hire someone new
- any legal fees, insurance excess, fines, compensation or PR costs related to the incident.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1–£9,999,999
SOFT CHECK IF>£9,999
SINGLE CODE
No cost of this kind incurred
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q78N_DAMAGEDIRLB
ASK IF DON’T KNOW LONG-TERM DIRECT COST OF THIS CYBER SECURITY BREACH OR ATTACK (DAMAGEDIRL CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
Less than £100
£100 to less than £500
£500 to less than £1,000
£1,000 to less than £5,000
£5,000 to less than £10,000
£10,000 to less than £20,000
£20,000 to less than £50,000
£50,000 to less than £100,000
£100,000 to less than £500,000
£500,000 to less than £1 million
£1 million to less than £5 million
£5 million or more
DO NOT READ OUT: Don’t know
Q78O_DAMAGESTAFF
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
What was the approximate cost of the staff time dealing with the incident? This is how much staff would have got paid for the time they spent investigating or fixing the problem. Please include this cost even if this was part of this staff member’s job.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1–£9,999,999
SOFT CHECK IF>£9,999
SINGLE CODE
No cost of this kind incurred
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q78P_DAMAGESTAFFB
ASK IF DON’T KNOW STAFF TIME COST OF THIS CYBER SECURITY BREACH OR ATTACK (DAMAGESTAFF CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
Less than £100
£100 to less than £500
£500 to less than £1,000
£1,000 to less than £5,000
£5,000 to less than £10,000
£10,000 to less than £20,000
£20,000 to less than £50,000
£50,000 to less than £100,000
£100,000 to less than £500,000
£500,000 to less than £1 million
£1 million to less than £5 million
£5 million or more
DO NOT READ OUT: Don’t know
Q78Q_DAMAGEIND
ASK IF BUSINESS/CHARITY (TYPEXDUM CODES 1-2) AND ONLY ONE TYPE OF BREACH OR ATTACK EXPERIENCED OR IF CAN CONSIDER A PARTICULAR BREACH OR ATTACK (ONLY 1 TYPEDUM CODES 1-12 OR DISRUPTA NOT DK)
What was the approximate value of any damage or disruption during the incident? This includes:
- the cost of any time when staff could not do their jobs
- the value of lost files or intellectual property
- the cost of any devices or equipment that needed replacing.
PROBE FOR BEST ESTIMATE BEFORE CODING DK
REASSURE ABOUT CONFIDENTIALITY AND ANONYMISATION BEFORE CODING REF
Please write your answer as a whole number in £ below. You don’t need to write the £ sign.
WRITE IN RANGE £1–£9,999,999
SOFT CHECK IF>£9,999
SINGLE CODE
No cost of this kind incurred
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say
Q78R_DAMAGEINDB
ASK IF DON’T KNOW OTHER INDIRECT COST OF THIS CYBER SECURITY BREACH OR ATTACK (DAMAGEIND CODE DK)
Was it approximately … ?
PROMPT TO CODE
Please select one answer
SINGLE CODE
Less than £100
£100 to less than £500
£500 to less than £1,000
£1,000 to less than £5,000
£5,000 to less than £10,000
£10,000 to less than £20,000
£20,000 to less than £50,000
£50,000 to less than £100,000
£100,000 to less than £500,000
£500,000 to less than £1 million
£1 million to less than £5 million
£5 million or more
DO NOT READ OUT: Don’t know
Q59_COSTA DELETED POST-PILOT IN CSBS 2023
Q60_COSTB DELETED POST-PILOT IN CSBS 2023
Q78B_NOACT DELETED POST-PILOT IN CSBS 2017
Q78S_INSUREPAY DELETED POST-PILOT IN CSBS 2023
Q78T_INSUREPAYB DELETED POST-PILOT IN CSBS 2023
Incident response
Q63A_INCIDCONTENT
ASK ALL
Which of the following, if any, do you have in place, for when you experience a cyber security incident? By incident, we mean any breach or attack that requires a response from your organisation.
READ OUT
Please select all that apply
MULTICODE
ROTATE LIST BUT KEEP CODE 1 FIRST
A formal incident response plan
Written guidance on who to notify
Roles or responsibilities assigned to specific individuals during or after an incident
External communications and public engagement plans
Guidance around when to report incidents externally, e.g. to regulators or insurers
SINGLE CODE
DO NOT READ OUT: Don’t know
DO NOT READ OUT: None of these
Q63B_INCIDACTION
ASK ALL
IF ANY BREACHES OR ATTACKS (TYPEDUM CODES 1-12): Which of the following, if any, have you done in response to any cyber security incidents you experienced in the last 12 months?
IF NO BREACHES OR ATTACKS (ELSE): Which of the following, if any, do you plan to do if you experience a cyber security incident?
READ OUT STATEMENTS
Please select one answer for each statement
IF CATI: ASK ON SEPARATE SCREENS
IF WEB: ASK AS A COLLAPSIBLE GRID
RANDOMISE LIST
Keep an internal record of incidents
Attempt to identify the source of the incident
Make an assessment of the scale and impact of the incident
Formal debriefs or discussions to log any lessons learnt
Inform your [IF BUSINESS: directors/IF CHARITY: trustees/IF EDUCATION: governors] or senior management of the incident
Inform a regulator of the incident when required
ASK IF HAVE CYBER INSURANCE (CODES 1-2 AT INSUREX): Inform your cyber insurance provider of the incident
Use an NCSC-approved incident response company
Inform your immediate suppliers and/or wider supply chain
SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Depends on/did not reflect the severity or nature of the incident
Q78X_GDPRFINE DELETED PRE-PILOT IN CSBS 2020
Q78Y_GDPRREP DELETED PRE-PILOT IN CSBS 2020
Q78C_GDPRAWARE DELETED PRE-PILOT IN CSBS 2020
Q78D_GDPRCHANGE DELETED PRE-PILOT IN CSBS 2020
Q78E_GDPRCYBER DELETED PRE-PILOT IN CSBS 2020
Q78F_GDPRWHAT DELETED PRE-PILOT IN CSBS 2020
Q78G_GDPRSINCE DELETED POST-PILOT IN CSBS 2020
Q78H_GDPRCYBERA DELETED POST-PILOT IN CSBS 2020
Q78I_GDPRMORE DELETED POST-PILOT IN CSBS 2020
Q78J_GDPRCYBERB DELETED POST-PILOT IN CSBS 2020
Recontact and follow-up
Q79_RECON
ASK ALL
Ipsos expects to undertake further research on the topic of cyber security within the next 12 months. In these research studies, we would again randomly sample businesses in your industry sector and your business may be selected. In this case, having your individual contact details and survey responses would save us from having to contact your switchboard, or email another part of your business.
With this in mind, would you be happy for us to securely hold your individual contact details, alongside your survey responses, for this purpose for the next 12 months?
SINGLE CODE
Yes
No
Q80_REPORT
ASK IF WEB (MODETYPE = WEB/ONLINE)
OR
ASK IF TELEPHONE (MODETYPE = CATI) AND ANSWER “PREFER NOT TO SAY” TO ALL COST QUESTIONS (DAMAGEDIRS, DAMAGEDIRL, DAMAGESTAFF, DAMAGEIND ALL REF)
Would you like us to email you a copy of last year’s report and a Government help card, with links to the latest official cyber security guidance for organisations like yours?
SINGLE CODE
Yes
No
Q81_EMAIL
ASK IF WANT VALIDATION SURVEY (VALIDATE CODE 1) RECONTACT (RECON CODE 1) OR REPORT/HELPCARD (REPORT CODE 1)
Can we please take your contact details, so we can contact you only for the agreed reasons?
PROMPT TO CODE
SCRIPT TO COLLECT CONTACT NAME, CONTACT JOB TITLE, VALID EMAIL AND VALID TELEPHONE IN 4 SEPARATE BOXES
Prefer not to say
SEND WEB INVITE IF VALIDATE CODE 1
SEND FOLLOW-UP EMAIL IF REPORT CODE 1
SHOWSCREEN_END
SHOW TO ALL
Thank you for taking the time to participate in this study. You can access the privacy notice online at www.gov.uk/government/publications/cyber-security-breaches-survey. This explains the purposes for processing your personal data, as well as your rights under data protection regulations to:
- access your personal data
- withdraw consent
- object to processing of your personal data
and other required information.
CLOSE SURVEY
- Please see Section 2.3 Sampling under the heading ‘Education institutions population and sample frame’ for the full list of databases from which the population is sourced.
- The population of Further Education institutions is compiled by combining the Get Information About Schools database, the Welsh Government Further Education Institutions contact details page, the Colleges Scotland directory, and the NI Direct FE College directory.
- The population of Higher Education institutions is compiled by using Universities UK to obtain a list of all UK universities, and this is cross-referenced against the comprehensive list of Recognised Bodies on GOV.UK.
- Whether a cyber-facilitated fraud has taken place is derived from the questions in the survey asking about the breaches and attacks that have been experienced. Whether or not the breaches or attacks that led to fraud constituted a cyber crime is not verified. We therefore cannot explicitly say that cyber-facilitated fraud captured in the survey was a result of a cyber crime. However, we hypothesise that the cyber breaches or attacks that led to fraud would have been successful, and therefore where a cyber-facilitated fraud has occurred, it will most likely be a result of cyber crime.
- Department for Business and Trade Business Population Estimates 2025 Table 5
- See https://www.gov.uk/government/publications/information-security-breaches-survey-2015 for the final survey in this series. This was preceded by earlier surveys in 2014, 2013 and 2012. We reiterate that these surveys are not representative of all UK businesses and are not comparable to the Cyber Security Breaches Survey series.
- The number 30 is often used as a rule of thumb for a minimum sample size in statistics because it is the point at which the central limit theorem begins to apply. The central limit theorem states that the distribution of sample means will be approximately normal, regardless of the distribution of the population from which the samples are drawn, as long as the sample size is large enough. This is important because many statistical tests, such as t-tests and ANOVA, rely on the assumption that the sample means are normally distributed. If the sample size is too small, the distribution of sample means may not be normal, and the results of these tests may be unreliable.
- These MoEs are based at the 95% confidence level, meaning there is a 5% chance the true value is outside the range shown.
- Department for Business and Trade Business Population Estimates 2025 Table 1
- https://register-of-charities.charitycommission.gov.uk/register/full-register-download downloaded on 28.07.2025
- OSCR - Download the Scottish Charity Register downloaded on 04.07.2025
- https://www.charitycommissionni.org.uk/charity-search/ downloaded on 09.06.2025
- Get Information About Schools database downloaded on 29.07.2025
- Welsh Government Address list of schools downloaded on 11.06.2025
- Scottish Government School Contact details downloaded on 10.06.2025
- Northern Ireland Department of Education database downloaded 10.06.2025
- Get Information About Schools database updated on 30.07.2025
- Welsh Government Further Education Institutions contact details page updated on 30.07.2025
- Colleges Scotland directory updated on 30.07.2025
- NI Direct FE College directory updated on 30.07.2025
- Universities UK website updated on 29.07.2025
- Recognised Bodies updated on 29.07.2025
- The open-source programming language R was used to calculate the median this year, compared with SPSS in previous years. This reflects a methodological change resulting from differences in how the two tools apply survey and frequency weights.
- International geographies - Office for National Statistics
- This was administered either as a high street voucher or as a charity donation, as the participant preferred.
- These are organisations that work for a social purpose, but are not registered as charities, so are not regulated by the UK’s charity regulators.
- SIC sectors here and in subsequent tables in this report have been combined into the sector groupings used in the main report.
- At the time of writing the 2025 survey was the latest publication available.
- See, for example, Groves and Peytcheva (2008) “The Impact of Nonresponse Rates on Nonresponse Bias: A Meta-Analysis”, Public Opinion Quarterly (available at: https://academic.oup.com/poq/article-abstract/72/2/167/1920564) and Sturgis, Williams, Brunton-Smith and Moore (2016) “Fieldwork Effort, Response Rate, and the Distribution of Survey Outcomes: A Multilevel Meta-analysis”, Public Opinion Quarterly (available at: https://academic.oup.com/poq/issue/81/2).
- The default SPSS setting is to round cell counts and then calculate percentages based on integers.