New research program systematically records material, immaterial and cascading damage caused by cybercrime.
Cyberagentur’s aim with ARCH is to rethink the measurement of damage caused by cybercrime. A new systematic recording of not only financial, but also immaterial and cascading damage caused by cybercrime in Germany is being developed. With ARCH, the Agentur für Innovation in der Cybersicherheit GmbH (Cyberagentur) is launching a research project that aims to capture the holistic damage caused by cybercrime in Germany in a multidimensional way. In addition to financial losses, psychological, organizational and societal effects are also moving into the analytical focus.
With the ceremonial signing of the contract on April 30, 2026 between the Agentur für Innovation in der Cybersicherheit GmbH (Cyberagentur) and the Université de Montréal as part of the research program “Damage caused by cybercrime (SCK)”, the project “Assessing Risks and Cybercrime Harms” (ARCH) is entering the implementation phase. The contract was awarded to a top-class research consortium consisting of the Université de Montréal (consortium leader), Flare Systems, the Max Planck Institute Freiburg, the Cyberintelligence Institute and the Freie Universität Berlin. The aim of the team is to develop a model that systematically, reproducibly and verifiably records the material and immaterial damage caused by cybercrime in Germany – over short, medium and long time horizons. Cascading effects that have not yet been taken into account are also included. For the Cyberagentur, ARCH is thus a further building block in the thematic focus “Cybervigilant Society”.
The scientific and security policy starting point is clear: Germany currently lacks metrics and methodologies that comprehensively map the damage caused by cybercrime. Direct monetary losses only cover part of the damage and only part of the phenomenon. Loss of trust, psychological stress, reputational damage, business interruptions, resource pressure in the restoration of IT infrastructures and long-term follow-up costs often remain underexposed in previous considerations. ARCH aims to address precisely this methodological gap. “Without reliable data, there is a risk that cyber threats will be overestimated or underestimated, which can lead to incorrect priorities and inefficient use of resources,” says Dr. Nicole Hartlapp, head of the “Cybervigilant Society” focus area.
For the first time, ARCH aims to provide a multidimensional assessment framework that brings together direct, indirect and cascading damage across different impact domains and maps it in a damage matrix. ARCH aims to answer not only the question of the amount of damage, but also its severity, duration and social reach. With the help of a dual scale, damage events are to be given both a monetary assessment and a qualitative index for immaterial damage, such as stress or loss of trust.
“The holistic view of the damage caused by cybercrime not only enables us to assess cyber incidents more accurately, but also allows us to focus on damage that has so far received too little attention and is difficult to map,” says Dr. Nicole Hartlapp, who is handing over the baton of program management to Joline Wochnik, research officer in the Cybervigilante Gesellschaft unit, at the start of the implementation phase.
The project is particularly relevant for law enforcement agencies and other institutions that not only document cybercrime, but also have to strategically anticipate and effectively address it. With this toolkit, political decision-makers can also better analyse damage distributions, identify new areas of focus and prioritize resources for prevention based on simulations.
From a scientific point of view, ARCH also marks a change of perspective in the analysis of cybercrime. “Cybercrime is no longer just about stolen data – it’s about stolen trust. Every attack undermines trust in our institutions, weakens social resilience and leaves psychological and economic scars that go far beyond the immediate loss,” says Prof. David Décary-Hétu, project leader. “With the ARCH project, we are finally measuring what really matters: the full spectrum of damage that cyberattacks cause to individuals, organizations and society.” [English version: “Cybercrime is no longer just about stolen data-it’s about stolen confidence. Each attack erodes trust in our institutions, weakens social resilience, and leaves psychological and economic scars that go far beyond the immediate loss,” says Prof. David Décary-Hétu, project leader. “With the ARCH project, we are finally measuring what truly matters: the full spectrum of harm that cyberattacks inflict on individuals, organizations, and society.”]
ARCH thus combines scientific precision, interdisciplinary methodology and operational applicability. The project will be accompanied by the development of expertise and the involvement of young scientists. From the Cyberagentur’s point of view, the project is a strategic step towards assessing cybercrime in the future not just on the basis of individual cases or isolated estimates, but on the basis of reliable evidence. In this way, the Cyberagentur is making a contribution to the targeted use of public resources in the fight against cybercrime.