Lancaster University Cyber Essentials Study: What the Evidence Actually Says

The most cited evidence for CE's effectiveness is the Lancaster University study. You'll see it referenced in government procurement guidance, insurance documentation, and marketing materials from certification bodies. It's usually quoted as something like "CE stops 99% of attacks." That's not what the study found. What it found is more nuanced and more useful.
What the study tested
Lancaster University (2015) tested 200 known internet-borne vulnerabilities (identified by CVE number) against the five Cyber Essentials controls. For each vulnerability, the researchers assessed whether the CE controls would have fully mitigated it, partially mitigated it, or left it unmitigated.
The study was commissioned by the UK government to evaluate whether CE was effective at what it claimed to do: protect against commodity, internet-borne attacks.
The actual numbers
| Outcome | Count | Percentage |
|---|---|---|
| Fully mitigated | 131 | 65.5% |
| Partially mitigated | 60 | 30.0% |
| Unmitigated | 9 | 4.5% |
| Total | 200 | 100% |
131 out of 200 vulnerabilities were fully mitigated by the five CE controls. That means if a business had implemented CE properly, those 131 attack vectors would have been stopped completely.
Another 60 were partially mitigated by the controls. The CE controls reduced the impact or made exploitation harder, but didn't eliminate the risk entirely. Partial mitigation might mean the vulnerability could still be exploited under specific conditions, or that the control reduced the attack surface without closing it completely.
The remaining 9 were completely unmitigated by any control. The five CE controls did not address these attack vectors at all. These represent the boundary of what CE can do.
Where the "99%" comes from
If you add fully mitigated (131) and partially mitigated (60), you get 191 out of 200, which is 95.5%. Some references round this to "over 99%" by interpreting "partially mitigated" as "substantially addressed." The figure depends on how generously you define mitigation.
The honest number is 65.5% fully mitigated and 95.5% at least partially addressed. The distinction between "fully stopped" and "made harder" matters when you're assessing your residual risk.
When I reference this study to clients, I use the full breakdown: 131 fully mitigated, 60 partially mitigated. It's more honest and it's more useful, because it shows exactly what CE does well and where the gaps exist.
What CE fully mitigated
The 131 fully mitigated vulnerabilities clustered around the types of attack CE is designed to prevent:
- Unpatched software exploits: Vulnerabilities in operating systems and applications that patches would have fixed. This is the largest category and demonstrates why the 14-day patching requirement matters.
- Default configuration exploits: Attacks that relied on unchanged default passwords, unnecessary services running, or insecure defaults. Secure configuration stops these.
- Network-based attacks from the internet: Attacks that required inbound access through a firewall. Default-deny firewall rules prevent them.
- Known malware: Threats that signature-based antivirus would detect. Malware protection stops these.
These are all commodity attacks, automated and indiscriminate, targeting known weaknesses in common software. This is exactly what CE was built for, and the evidence shows it works.
What CE partially mitigated
The 60 partially mitigated vulnerabilities fell into categories where CE reduces risk but doesn't eliminate it:
- Attacks with multiple stages: CE might stop one stage of an attack chain but not all of them. A patched system blocks the initial exploit, but if the attacker finds another way in, the downstream steps aren't addressed.
- Privilege escalation: Access control (CE control 4) limits who has admin privileges, which makes privilege escalation harder but doesn't prevent it entirely.
- Client-side attacks: Malicious documents or web content that exploit application vulnerabilities. Patching helps, but if the vulnerability isn't yet patched (zero-day window), the control is partial.
Partial mitigation is still valuable. Making an attack harder, slower, or less likely to succeed is a real security benefit. But it's not the same as stopping it.
What CE didn't mitigate
The 9 unmitigated vulnerabilities represent attack types outside CE's design scope:
- Social engineering: Attacks that trick users into taking actions (clicking links, opening files, providing credentials) that bypass technical controls. CE doesn't cover security awareness training.
- Targeted attacks: Attacks designed for a specific organisation, using custom tools and techniques that don't match known signatures or exploit known vulnerabilities.
- Supply chain compromise: Attacks that come through trusted software updates or third-party services. CE covers your configuration of those services, not whether the service itself has been compromised.
- Physical access attacks: If someone has physical access to a device, CE's technical controls can be bypassed.
These 9 vulnerabilities aren't a failure of CE. They're a boundary condition that defines the edges of CE's design scope. CE explicitly targets commodity internet-borne attacks and does not claim to cover social engineering, targeted attacks, or supply chain compromise. Those sit in other NIST CSF functions (Govern, Detect, Respond) that CE doesn't address.
What the study means for your business
The evidence supports a clear conclusion: if you implement CE's five controls properly, you are significantly better protected against the most common types of cyber attack than if you don't. The controls work for what they're designed to do.
The evidence also shows that CE has limits. 9 out of 200 vulnerabilities were unmitigated. 60 were only partially addressed by the controls. The attacks that cause the biggest damage (targeted ransomware, supply chain compromise, social engineering) tend to fall into those categories (referenced in the comprehensive governance benchmarking report).
CE is the baseline, and a strong one with real evidence behind it. But it's one function out of six in the NIST CSF, and the evidence shows exactly where the boundary is.
If you want to understand what sits outside that boundary, read the 6 things Cyber Essentials doesn't cover. If you want to know whether your current controls meet the baseline, the readiness quiz takes five minutes with no commitment required.