IDEAS home Printed from https://ideas.repec.org/a/inm/ormnsc/v68y2022i12p8979-9002.html

Economics of Ransomware: Risk Interdependence and Large-Scale Attacks

Authors
  • Terrence August

    (Rady School of Management, University of California at San Diego, La Jolla, California 92093)

  • Duy Dao

    (Haskayne School of Business, University of Calgary, Calgary, Alberta T2N 1N4, Canada)

  • Marius Florin Niculescu

    (Scheller College of Business, Georgia Institute of Technology, Atlanta, Georgia 30308)

Abstract

Recently, the development of ransomware strains and changes in the marketplace for malware have greatly reduced the entry barrier for attackers to conduct large-scale ransomware attacks. In this paper, we examine how this mode of cyberattack impacts software vendors and consumer behavior. When victims face an added option to mitigate losses via a ransom payment, both the equilibrium market size and the vendor’s profit under optimal pricing can actually increase in the ransom demand. Profit can also increase in the scale of residual losses following a ransom payment (which reflect the trustworthiness of the ransomware operator). We show that for intermediate levels of risk, the vendor restricts software adoption by substantially hiking up price. This lies in stark contrast to outcomes in a benchmark case involving traditional malware (non-ransomware) where the vendor decreases price as security risk increases. Social welfare is higher under ransomware compared with the benchmark in both sufficiently low- and high-risk settings. However, for intermediate risk, it is better from a social standpoint if consumers do not have an option to pay ransom. We also show that the expected ransom paid is nonmonotone in risk, increasing when risk is moderate despite a decreasing ransom-paying population. For ransomware attacks on other vectors (beyond patchable vulnerabilities), there can still be an incentive to hike price. However, market size and profits instead weakly decrease in the ransom amount. When studying a generalized model that includes both traditional and ransomware attacks, our results remain robust to a wide range of scenarios, including threat landscapes where ransomware has only a small presence.

Suggested Citation

  • Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
  • Handle: RePEc:inm:ormnsc:v:68:y:2022:i:12:p:8979-9002
    DOI: 10.1287/mnsc.2022.4300

    Download full text from publisher

    File URL: http://dx.doi.org/10.1287/mnsc.2022.4300
    Download Restriction: no


    References listed on IDEAS

    1. Hasan Cavusoglu & Huseyin Cavusoglu & Jun Zhang, 2008. "Security Patch Management: Share the Burden or Share the Damage?," Management Science, INFORMS, vol. 54(4), pages 657-670, April.
    2. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    3. Ashish Arora & Rahul Telang & Hao Xu, 2008. "Optimal Policy for Software Vulnerability Disclosure," Management Science, INFORMS, vol. 54(4), pages 642-656, April.
    4. Jay Pil Choi & Chaim Fershtman & Neil Gandal, 2010. "Network Security: Vulnerabilities And Disclosure Policy," Journal of Industrial Economics, Wiley Blackwell, vol. 58(4), pages 868-894, December.
    5. Terrence August & Duy Dao & Kihoon Kim, 2019. "Market Segmentation and Software Security: Pricing Patching Rights," Management Science, INFORMS, vol. 65(10), pages 4575-4597, October.
    6. Anna Cartwright & Edward Cartwright, 2019. "Ransomware and Reputation," Games, MDPI, vol. 10(2), pages 1-14, June.
    7. Lapan, Harvey E & Sandler, Todd, 1988. "To Bargain or Not to Bargain: That Is the Question," American Economic Review, American Economic Association, vol. 78(2), pages 16-21, May.
    8. Esther Gal-Or & Anindya Ghose, 2005. "The Economic Incentives for Sharing Security Information," Information Systems Research, INFORMS, vol. 16(2), pages 186-208, June.
    9. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    10. Terrence August & Tunay I. Tunca, 2008. "Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions," Information Systems Research, INFORMS, vol. 19(1), pages 48-70, March.
    11. Ioannidis, Christos & Pym, David & Williams, Julian, 2012. "Information security trade-offs and optimal patching policies," European Journal of Operational Research, Elsevier, vol. 216(2), pages 434-444.
    12. Khusrav Gaibulloev & Todd Sandler, 2009. "Hostage Taking: Determinants of Terrorist Logistical and Negotiation Success," Journal of Peace Research, Peace Research Institute Oslo, vol. 46(6), pages 739-756, November.
    13. Kunreuther, Howard & Heal, Geoffrey, 2003. "Interdependent Security," Journal of Risk and Uncertainty, Springer, vol. 26(2-3), pages 231-249, March-May.
    14. Brandt, Patrick T. & Sandler, Todd, 2009. "Hostage taking: Understanding terrorism event dynamics," Journal of Policy Modeling, Elsevier, vol. 31(5), pages 758-778, September.
    15. Asunur Cezar & Huseyin Cavusoglu & Srinivasan Raghunathan, 2017. "Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions," Production and Operations Management, Production and Operations Management Society, vol. 26(5), pages 860-879, May.
    16. Karthik Kannan & Rahul Telang, 2005. "Market for Software Vulnerabilities? Think Again," Management Science, INFORMS, vol. 51(5), pages 726-740, May.
    17. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    18. Brandt, Patrick T. & George, Justin & Sandler, Todd, 2016. "Why concessions should not be made to terrorist kidnappers," European Journal of Political Economy, Elsevier, vol. 44(C), pages 41-52.
    19. Karthik Kannan & Mohammad S. Rahman & Mohit Tawarmalani, 2016. "Economic and Policy Implications of Restricted Patch Distribution," Management Science, INFORMS, vol. 62(11), pages 3161-3182, November.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    2. Terrence August & Duy Dao & Kihoon Kim, 2019. "Market Segmentation and Software Security: Pricing Patching Rights," Management Science, INFORMS, vol. 65(10), pages 4575-4597, October.
    3. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi-Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.
    4. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    5. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    6. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    7. Kerim Peren Arin & Eberhard Feess & Torben Kuhlenkasper & Otto F. M. Reich, 2019. "Negotiating with Terrorists: The Costs of Compliance," Southern Economic Journal, John Wiley & Sons, vol. 86(1), pages 305-317, July.
    8. Zan Zhang & Guofang Nan & Yong Tan, 2020. "Cloud Services vs. On-Premises Software: Competition Under Security Risk and Product Customization," Information Systems Research, INFORMS, vol. 31(3), pages 848-864, September.
    9. Terrence August & Marius Florin Niculescu, 2013. "The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing," Management Science, INFORMS, vol. 59(12), pages 2702-2726, December.
    10. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    11. Kim, Wukki & Sandler, Todd, 2021. "Duration and competing-risks determinants of terrorist hostage-taking incidents," European Journal of Political Economy, Elsevier, vol. 70(C).
    12. Brandt, Patrick T. & George, Justin & Sandler, Todd, 2016. "Why concessions should not be made to terrorist kidnappers," European Journal of Political Economy, Elsevier, vol. 44(C), pages 41-52.
    13. Meierrieks, Daniel & Renner, Laura, 2021. "Islamist terrorism and the role of women," Discussion Paper Series 2021-02, University of Freiburg, Wilfried Guth Endowed Chair for Constitutional Political Economy and Competition Policy.
    14. Charlinda Santifort & Todd Sandler, 2013. "Terrorist success in hostage-taking missions: 1978–2010," Public Choice, Springer, vol. 156(1), pages 125-137, July.
    15. Huseyin Cavusoglu & Srinivasan Raghunathan & Hasan Cavusoglu, 2009. "Configuration of and Interaction Between Information Security Technologies: The Case of Firewalls and Intrusion Detection Systems," Information Systems Research, INFORMS, vol. 20(2), pages 198-217, June.
    16. Amitava Dutta & Rahul Roy, 2008. "Dynamics of organizational information security," System Dynamics Review, System Dynamics Society, vol. 24(3), pages 349-375, September.
    17. Lam, Wing Man Wynne, 2016. "Attack-prevention and damage-control investments in cybersecurity," Information Economics and Policy, Elsevier, vol. 37(C), pages 42-51.
    18. Kay-Yut Chen & Jingguo Wang & Yan Lang, 2022. "Coping with Digital Extortion: An Experimental Study of Benefit Appeals and Normative Appeals," Management Science, INFORMS, vol. 68(7), pages 5269-5286, July.
    19. Meierrieks, Daniel & Renner, Laura, 2023. "Islamist terrorism and the status of women," European Journal of Political Economy, Elsevier, vol. 78(C).
    20. Bienz, Carsten & Juranek, Steffen, 2020. "Software vulnerabilities and bug bounty programs," Discussion Papers 2020/4, Norwegian School of Economics, Department of Business and Management Science.
