This document reports on the development of a Benefit Harm Index (BHI) modelling approach, which is designed to support risk-aware decision making on information cybersecurity investments for the adoption of the possible hard (traditional) and soft mitigation measure.