“…Models of managing cyber risk at the level of an individual firm suggest that expenditure should not exceed 37 per cent of the expected costs of a security incident (Gordon and Loeb 2002;Gordon and Loeb 2006;Baryshnikov 2012;Geer 2015;Gordon et al 2015). Yet, accurately measuring cybersecurity events is hugely challenging, as measures often suffer from problems of the denominator (Jardine 2015(Jardine , 2018(Jardine , 2020, incompatible metrics (Brecht and Nowey 2013), insufficient attention to over time trends (Geer and Jardine 2017;Jardine 2020), measures distorted by political or economic incentives (Anderson et al 2008;Anderson et al 2013;Lawson and Middleton 2019), a lack of data transparency necessitating clever measurement techniques (Woods, Moore, and Simpson 2019), reporting biases (Florêncio and Herley 2011) and data aggregation problems (Jardine 2017b; Jardine 2020). Issues of technological flux likewise present a challenge where past data might supremely fail to predict future events.…”