IT security and risk management often ignore or underestimate the human factor (psychological, behavioural, societal, organisational and economic aspects) in the identification of cyber-risks, their quantitative economic impact and the costs of countermeasures. Cyber-attacks can harm intangible assets like reputation, IPR, expertise, and know-how. And there is severe imbalance between the efficiency of attacks and inadequate defences, due in part to the lack of quantitative information for decision makers to prioritise security investments. To foster a culture of risk management by an individual organisation or a complete sector, HERMENEUT answers: What is the real fallout of a data compromise and the long-run consequences on associated assets? What are the losses for intangible assets? Do other type of attacks (beyond data breach) severely impact intangible and tangible assets? HERMENEUT assesses vulnerabilities of organisations and corresponding tangible and intangible assets at risk, taking into account the business plans of the attacker, the commoditisation level of the target organisations, the exposure of the target and including human factors as well as estimating the likelihood that a potential cyber-attack exploits identified vulnerabilities. HERMENEUT’s cyber-security cost-benefit approach combines integrated assessment of vulnerabilities and their likelihoods with an innovative macro- and micro-economic model for intangible costs, delivering a quantitative estimation of the risks for an organisation or a business sector and investment guidelines for mitigation measures. 11 partners from 6 countries deliver an innovative methodology and advanced macro- and micro-economic models and make it available to the European research community. HERMENEUT implements its innovations in a decision support tool, tested with 2 users in healthcare and an IPR-intensive industry.