Underinvestment in cyber security: Quantifying cyber security behaviour in UK businesses
Metadata
Article Date: 2025
Article URL: https://www.tandfonline.com/doi/full/10.1080/00472778.2025.2549068?af=R
Article Image: Figure 1 (framework)
Summary
This paper introduces a practical behavioural framework to explain why many UK micro- and small businesses underinvest in cyber security. Using the UK Cyber Security Breaches Survey (2018–2024, n=9,412) the authors classify businesses into five types: optimal, risk-accepting, overconfident, procrastinator, and defers responsibility. Key findings are that fewer than one third of micro- and small businesses behave optimally, and that procrastination and overconfidence are the dominant causes of underinvestment. The study also finds that cyber insurance and outsourcing correlate with higher odds of optimal behaviour and quantifies how far each type is from recommended controls (NCSC 10 Steps / Cyber Essentials).
Key Points
- Five behavioural types defined: optimal, risk-accepting, overconfident, procrastinator, and defers responsibility.
- Data from the UK Cyber Security Breaches Survey (2018–2024; 9,412 firms) used to algorithmically classify businesses and estimate uncertainty in classification.
- Fewer than a third of micro- and small businesses are classified as optimal; the proportion increases with firm size.
- Procrastination and overconfidence are the main drivers of underinvestment in micro- and small firms; these types implement roughly half the recommended controls.
- Risk-accepting and deferring-responsibility are less common overall but vary by size and sector.
- Cyber insurance and outsourcing are associated with a significantly higher probability of being classified as optimal (robust to sector controls).
- Large sectoral variation: finance/insurance performs best; food/hospitality performs worst (high procrastination).
- Observed decline in the share of optimal firms over 2018–2024, with rises in procrastination and risk-accepting behaviour in some groups.
Content summary
The authors develop an algorithmic decision framework built on six yes/no questions to assign a primary behavioural type to each business. They map multiple survey measures to each question (96 permutation checks) to test robustness and to provide uncertainty estimates for each classification. Analysis shows that micro-businesses are most likely to be overconfident or procrastinating, while large firms are more likely to be optimal or risk-accepting. The paper examines temporal trends, sectoral differences, and the associations of cyber insurance and outsourcing with behaviour. It measures how far each type is from NCSC's 10 Steps and Cyber Essentials, showing that the overconfident and procrastinator types implement substantially fewer controls. The authors discuss policy implications: awareness campaigns alone may not be enough where procrastination dominates; incentives, regulation, or nudges that force action may be required. The framework is also positioned as a tool to track changes as technologies (e.g. AI, cloud) transform the threat landscape.
Context and relevance
This research is relevant to policymakers, regulators, trade bodies and MSPs trying to raise business cyber resilience. It provides empirical quantification of behavioural barriers — not just awareness gaps — showing that many small firms know about cyber threats but delay action or overestimate their protections. The sectoral breakdown is useful for targeting interventions (e.g. food/hospitality vs finance). The finding that insurance and outsourcing are associated with better practice informs debates about incentives and the role of the market in improving baseline controls.
Why should I read this?
Quick and useful: if you care about making small firms safer (policy, insurer, MSP or trade body), this paper tells you where the real bottlenecks are — it’s not always ignorance, it’s often people putting it off or thinking they’re already covered. Short version: awareness campaigns alone won’t fix it; you need nudges, incentives or funded fixes.
Author-style
Punchy — the authors make a clear case that tailored, evidence-based policy is needed and back it with robust survey-based classification and regression analysis. If you work on small-business cyber resilience, the results are directly actionable.
Source
Source: https://www.tandfonline.com/doi/full/10.1080/00472778.2025.2549068?af=R