Government struggling to measure benefits of cyber security strategy, says National Audit Office

But Whitehall has made good progress in implementing the programme, particularly among larger businesses

The government is struggling to demonstrate a clear link between the large number of individual projects being delivered as part of its National Cyber Security Programme (NCSP), and an overall picture of the benefits it has achieved, according to the National Audit Office (NAO).

The NAO has released a report detailing progress the government has made with the programme. Its evidence was based on semi-structured interviews with programme staff and delivery partners, financial analysis and document reviews, interviews with industry representatives, a round-table discussion with academics and a short survey of 34 stakeholders.

It found that the government has made good progress in improving its understanding of the most sophisticated threats to national security. However, the level of understanding of threats to wider public services is varied.

"While exports in UK cyber products and services have increased by 22 per cent between 2012 and 2013, progress in encouraging trade and exports has been slow, and according to NAO's survey of stakeholders, this is the objective against which the government currently had the poorest performance," the NAO states.

There has been progress, however, in encouraging business and citizens to mitigate risks, particularly among larger firms. However, the impact of the government's cyber security strategy on SMEs has been "limited", according to the NAO, due to poor communication.

One of the core aims of the cyber security strategy is to improve security skills and awareness within the UK workforce. The report states that the government has encouraged many education and training initiatives to stimulate the development of relevant skills, but it says that the demand for those skills "remains considerable".

One of the initiatives is the Cyber Security Challenge, which is 45 per cent funded by the NCSP. The NAO said the challenge has proved popular with participants and was effective at raising awareness but said that its ability to scale up its operations is not yet proven.

There had been "mixed progress" in delivering training programmes within the public sector, the NAO said, with successes in training senior information risk officers and other information assurance roles. It said the apprenticeship scheme for the intelligence community had been successfully delivering a new cadre of people into posts. The main negative point was the training of police, which has suffered from delays in establishing courses and a much slower take-up of officers attending than expected.

NAO found that the programme's financial management and governance mechanisms were "strong", and that the government is on track to spend the programme's budget of £860m by March 2016.

Overall, it said that the government continues to make good progress in implementing the programme, which is helping "to build capability, mitigate risk and change attitudes".

It warns that cyber threats are continuing to evolve and the government must increase the pace of change in some areas to meet its objectives.