In September 2025, a group of researchers at the University of Bristol and Imperial College London (including RISCS Advisory Board members Simon Shiu and Ola Michalec) published a flagship report: ‘The UK Cyber Growth Action Plan’. The work contains 9 high-level recommendations and 24 targeted actions to support the development of the sector. Conclusions from the report are particularly timely given that cyber has been named one of the ‘frontier industries’ in the recent Industrial Strategy. As we’re keenly awaiting the official government response in the form of the updated National Cyber Strategy, let’s pause to reflect: what do we mean by ‘cyber growth’ and how can we research it?
Growth can refer to abstract metrics like GDP (Gross Domestic Product) and GVA (Gross Value Added) as well as empirical data on firm revenues, jobs, exports, skills pipelines, or even public trust. Each of these tells a different story, and none on their own captures the full picture. In calling for ‘cyber growth’, our aim is not to propose a single definitive metric, but to show why cyber growth needs to be understood across multiple dimensions if it is to inform policy, investment, and public debate.
What we already measure
The UK already tracks a substantial number of cyber-related indicators through official statistics and reports commissioned by the UK Government. One of the most well-known measures is GVA, which estimates the direct economic contribution of a given sector. Recent modelling puts the cyber sector’s GVA at £7.8 billion in 2025, representing a 21% increase on the previous year. This figure is often used as shorthand for sectoral success, and it is especially relevant to policy discussions about supporting firm growth and scale-up.
Another set of indicators focuses on the negative outcomes of cyber breaches and attacks. Government surveys suggest that around 43% of businesses and 30% of charities experienced a cyber attack in 2025, with phishing by far the most common. Among those affected, a smaller proportion report tangible negative outcomes, such as financial loss or operational disruption. While these figures are useful, they are self-reported, highly variable, and difficult to compare over time. They also only capture the immediate part of the impact, missing the long-term consequences, such as effects on trust or reputation.
Skills and workforce data form a third pillar of cyber growth measurement. Student enrolments in cyber security courses have increased, with just under 21,000 students enrolled in graduate-level cyber security courses in 2024. Employment within the cyber security sector has also grown, reaching over 67,000 full-time equivalents in 2025. These figures provide insight into labour supply and demand, but they exclude in-house cyber professionals working outside the sector itself. They also do not include generalist computer science students with cyber security expertise.
Recruitment and retention indicators complicate the picture further. Despite persistent claims of a global cyber skills shortage, job postings in the UK cyber sector fell sharply between 2023 and 2024. This apparent contradiction highlights the need to look beyond headline narratives and examine hiring practices, training investment, and wider economic conditions in more detail. In particular, we ought to pay close attention to the impact of AI on graduate hiring in IT and monitor this against the quality of AI-generated code and longitudinal performance of companies.
Exports offer another lens on cyber growth. UK cyber and physical security exports were valued at £11 billion in 2023, with Europe and North America as the main destinations. This figure is something to be proud of – we’re the third-biggest exporter of security products and services, behind only the US and China.
Finally, DSIT tracks the number of cyber security firms operating in the UK, currently estimated at just over 2,100. Because cyber security lacks its own Standard Industrial Classification code, this figure relies on combining public and proprietary datasets, which introduces uncertainty but still provides valuable insight into firm size, location, and specialisation.
Why accounting for cyber growth is hard
Despite this breadth of data, tracking cyber growth remains challenging. A fundamental problem is the lack of a clear sectoral boundary. Without a dedicated classification code, cyber security is difficult to separate from the wider IT and digital economy. Estimates of size and growth will remain imperfect, as they depend heavily on modelling choices and definitions.
Those definitions are themselves contested. What counts as cyber security is not fixed. Some definitions focus narrowly on technical protections against breaches, while others include privacy, data governance, misinformation, or even physical safety. These debates are not just academic; they directly affect which activities are counted as ‘growth’ and which are not.
Another challenge lies in valuing avoided losses. Much of cyber security’s benefit comes from recognising incidents that did not affect an organisation, or harms mitigated before they escalate. Modelling these avoided losses at national scale is inherently uncertain, especially when incidents are unevenly distributed and often under-reported.
Finally, conventional growth metrics such as GDP or GVA say little about whether cyber growth improves resilience, trust, or wellbeing at the societal scale. A sector can expand economically while producing low-quality products, exacerbating inequalities in access to technology, or eroding public confidence. If these effects are ignored, policy risks rewarding the wrong kinds of growth.
Towards a pluralistic approach
Taken together, these challenges point to the need for a pluralistic approach to measuring cyber growth. Rather than relying on a single headline figure, cyber growth should be understood as a portfolio of economic, social, and institutional outcomes. Likewise, cyber policy spans multiple departments, each responsible for its own distinctive agenda. From DSIT and the Home Office to HMRC, the NCSC, and the Department for Business and Trade, policymakers balance various competing interests. But cyber growth doesn’t have to be a matter of choosing between innovating and protecting. A richer evidence base can help de-risk policy choices, identify where growth is genuinely sustainable, and improve public trust in technology-led interventions.
Where research should go next
There are several areas that stand out as priorities for future research.
One is the trajectory of start-ups over time. We should strive to understand how, when, and why UK cyber start-ups fail, scale, or exit. This would offer a more nuanced picture of growth than firm counts alone. In particular, qualitative analyses of promotional narratives of hyped-up start-ups and successful paradigm changes can reveal patterns that are invisible in quantitative data.
Public engagement is equally important. Existing surveys tend to measure acceptance or awareness, but future work should treat trust as relational and historically shaped, rather than as a simple deficit of knowledge. This is particularly relevant for large-scale digital infrastructure projects that depend on public consent.
Place-based dynamics offer another lens. Cyber growth is unevenly distributed across the UK, and administrative boundaries do not always reflect how cyber communities organise themselves. Case studies can help capture these local dynamics more effectively than national aggregates. A follow-up study to the Cyber Growth Action Plan will help to establish structures for successful place-based incubation of innovation.
Finally, cyber growth should be assessed in terms of its so-called spillover effects. Improvements in cyber security can enable productivity gains, innovation, and trust in other sectors. Measuring these effects is difficult, but essential if cyber is to be understood as an enabling infrastructure rather than a standalone industry.
You can read the Cyber Growth Action Plan here.
Questions? Comments? Feel free to reach out to Ola Michalec via email (ola.michalec@bristol.ac.uk) or on LinkedIn!
Bio: Dr Ola Michalec is a Lecturer at the University of Bristol, and RISCS alumna. A qualitative social scientist by background, she is interested in policies and politics of digital innovations and critical infrastructures. Ola’s research informs key policy developments across the NCSC, Cabinet Office, and Ofgem. Her collaborations with designers and artists were exhibited at the V&A Museum as a part of Digital Design Weekend 2023.
