New research program systematically records material, immaterial and cascading damage caused by cybercrime.
With ARCH, the Cyberagentur aims to rethink the measurement of harm caused by cybercrime. The plan is to develop a model to systematically record not only financial but also intangible and cascading harms caused by cybercrime in Germany.
The Agentur für Innovation in der Cybersicherheit GmbH (Cyberagentur) is launching, with ARCH, a research project designed to comprehensively assess the multidimensional impacts of cybercrime in Germany. In addition to financial losses, psychological, organizational, and societal impacts will be in the analytical focus.
With the ceremonial signing of the contract on April 30, 2026, between the Agentur für Innovation in der Cybersicherheit GmbH (Cyberagentur) and the Université de Montréal as part of the research program “Harm caused by Cybercrime (SCK),” the project “Assessing Risks and Cybercrime Harms” (ARCH) enters its implementation phase. The contract was awarded to a high-caliber research consortium consisting of the Université de Montréal (consortium leader), Flare Systems, the Max Planck Institute in Freiburg, the Cyberintelligence Institute, and the Freie Universität Berlin. The group’s aim is to develop a model that systematically, reproducibly, and verifiably captures the material and immaterial harms of cybercrime in Germany—across short, medium, and longtime horizons. Previously overlooked cascade effects will also be looked at. For the Cyberagentur, ARCH represents another building block in the thematic focus “Cybervigilant Society.”
The scientific and security policy starting point is clear: Germany currently lacks metrics and methodologies that comprehensively map the harm caused by cybercrime. Direct monetary losses capture only a portion of the harm and only a portion of the scope of the phenomenon. Losses of trust, psychological stress, reputational damage, business interruptions, resource strain in the restoration of IT infrastructures, and long-term follow-up costs are often underrepresented in previous analyses. ARCH aims to address precisely this methodological gap. “Without reliable data, there is a risk that cyber threats will be overestimated or underestimated, which can lead to misplaced priorities and inefficient use of resources,” says Dr. Nicole Hartlapp, head of the research focus area “Cybervigilant Society.”
ARCH aims to provide, for the first time, a multidimensional assessment framework that brings together direct, indirect, and cascading harm across various domains of impact and maps them in a harm matrix. In doing so, ARCH seeks to address not only the question of the magnitude of harm but also its severity, duration, and societal impact. Using a dual scale, cyber incidents will be assigned both a monetary value and a qualitative index for intangible harms, such as stress or loss of trust.
“The holistic view of the harm caused by cybercrime not only enables us to assess cyber incidents more accurately, but also allows us to focus on types of harm that have received too little attention to date or are difficult to quantify,” says Dr. Nicole Hartlapp, who, with the start of the implementation phase, is handing over the baton of program leadership to Joline Wochnik, research officer in the focus area Cybervigilant Society.
The project is of particular relevance to law enforcement agencies and other institutions that not only document cybercrime but also want to strategically anticipate and effectively address it. These tools also allow policymakers to better analyze harm distributions, identify new priorities, and prioritize resources for prevention based on simulations.
From a scientific perspective as well, ARCH marks a shift in perspective in the analysis of cybercrime. “Cybercrime is no longer just about stolen data—it’s about stolen confidence. Each attack erodes trust in our institutions, weakens social resilience, and leaves psychological and economic scars that go far beyond the immediate loss,” says Prof. David Décary-Hétu, project leader. “With the ARCH project, we are finally measuring what truly matters: the full spectrum of harm that cyberattacks inflict on individuals, organizations, and society.”
ARCH thus combines scientific precision, interdisciplinary methodology, and operational applicability. The project also aims to build expertise and involve early-career researchers. From the Cyberagentur’s perspective, the project is a strategic step toward assessing cybercrime in the future not just through individual cases or isolated estimates, but through robust evidence. In this way, the Cyberagentur contributes to the targeted use of public resources in the fight against cybercrime.