
A Novel Cyber Risk Assessment Tool for SMEs: A Lightweight Practitioner-informed Web Prototype


Jana Jhaveri

05/09/2025

Supervised by Yulia Cherdantseva; Moderated by Amir Javed

This project will design, build, and evaluate a lightweight, explainable cyber risk assessment method tailored to small and medium-sized enterprises (SMEs). While both quantitative approaches (e.g. numeric estimation of asset value, loss probability, threat frequency) and qualitative approaches (e.g. expert judgement and control checklists) exist, most established methods are too time-consuming, data-hungry, or specialist-led for SMEs with limited time, skills, and budget. The aim here is to create an approach that preserves rigour but can be completed quickly by non-specialists and produces clear, actionable next steps.

The work will proceed in four stages.

1. Requirements and design: Review academic and practitioner literature to extract SME-specific needs, then set design principles: plain language, minimal data entry, transparent scoring, prioritised actions, and zero-infrastructure deployment.

2. Method and prototype: Implement a browser-only tool (React + Vite, plain CSS) that assembles a short, context-aware questionnaire (sector and size aware) mapped to practical domains such as MFA, access control, patching, backups, awareness, governance, supplier risk, and fraud. Responses are recorded on a five-point maturity scale (Yes/No normalised to that scale), combined into a weighted 0–100 risk score with Low/Medium/High banding, and accompanied by “why you got this score” explanations and a ranked action list. A professional PDF report is generated on-device for privacy.
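As an added illustration of the scoring step described above (example code, not the project's prototype), the following shows how maturity answers can be normalised, weighted into a 0–100 risk score, banded, and turned into a ranked action list. The domain weights, the Yes→5 / No→1 normalisation and the band thresholds are assumptions chosen for the example.

```javascript
// Added example (not the project's code): weighted maturity-to-risk scoring
// of the kind the abstract describes. Domain weights, the Yes->5 / No->1
// normalisation and the band thresholds are assumptions for illustration.

// Constructed domain catalogue: weights sum to 1 so the score lands on 0-100.
const DOMAINS = [
  { id: "mfa",       weight: 0.20, action: "Enable MFA on email and admin accounts" },
  { id: "patching",  weight: 0.20, action: "Apply security updates within 14 days" },
  { id: "backups",   weight: 0.20, action: "Keep an offline, tested backup" },
  { id: "access",    weight: 0.15, action: "Remove shared and unused accounts" },
  { id: "awareness", weight: 0.15, action: "Run short phishing awareness training" },
  { id: "supplier",  weight: 0.10, action: "Record which suppliers hold your data" },
];

// Normalise a response to the 1-5 maturity scale: booleans map to the ends,
// numbers are rounded and range-checked, anything else is rejected.
function toMaturity(answer) {
  if (answer === true) return 5;
  if (answer === false) return 1;
  const n = Math.round(Number(answer));
  if (!Number.isFinite(n) || n < 1 || n > 5) {
    throw new RangeError(`maturity must be 1-5 or Yes/No, got ${answer}`);
  }
  return n;
}

// Assumed bands: risk < 34 Low, < 67 Medium, otherwise High.
function band(score) {
  return score < 34 ? "Low" : score < 67 ? "Medium" : "High";
}

// Score a response set { domainId: answer }. Each domain contributes its
// weight times the maturity gap (5 - m)/4, so full maturity everywhere is 0
// risk and minimum maturity everywhere is 100. Missing answers count as the
// lowest maturity so unanswered areas are never silently treated as safe.
function assess(responses) {
  const perDomain = DOMAINS.map((d) => {
    const m = d.id in responses ? toMaturity(responses[d.id]) : 1;
    const contribution = d.weight * ((5 - m) / 4) * 100;
    return { id: d.id, maturity: m, contribution, action: d.action };
  });
  const score = Math.round(perDomain.reduce((s, p) => s + p.contribution, 0));
  // "Why you got this score": per-domain contributions, largest first,
  // which doubles as the ranked action list (domains already at 5 are skipped).
  const explanation = perDomain.slice().sort((a, b) => b.contribution - a.contribution);
  const actions = explanation.filter((p) => p.maturity < 5).map((p) => p.action);
  return { score, band: band(score), explanation, actions };
}
```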

3. Evaluation: Recruit SME practitioners and two to three experts to test the prototype. Collect 1–5 ratings for usability, clarity, perceived accuracy, action usefulness, and PDF quality, plus short comments. Where feasible, note completion time. Success criteria target median ≥4 for usability and clarity and qualitative evidence that actions are implementable. All participation will follow supervisor-approved ethics and be fully anonymised.

4. Refinement and reporting: Iterate on question wording, weighting transparency, and report layout based on feedback. Deliver the final dissertation with clear architecture and scoring diagrams, an anonymised summary of findings, and a short video walkthrough.

Deliverables: a working client-side prototype with build instructions; a documented assessment method and scoring template; evaluation results and analysis; diagrams of architecture, data flow, and scoring; and a video demonstration. The expected outcome is a practical, privacy-preserving assessment that an SME can complete in minutes, producing an explainable score and concrete, prioritised actions suitable for pre-assurance triage and future extension.


Final Report (05/09/2025) [Zip Archive]
