With ransomware attacks on the rise, many organizations are trying to decide if they can hold firm against attackers or will be forced to pay to decrypt their files. New research out of the University of Texas at Austin investigates how these decisions are made.
Defenders have two basic options: invest in systems that will reduce the chance of being exploited or refuse to pay the ransom, discouraging attackers from further disruption. Both options have incentive issues, the researchers wrote in their paper, “Coping with Digital Extortion: An Experimental Study on Benefit Appeals and Normative Appeals.”
Enhancing enterprise security can be expensive, and refusing to pay can take business processes offline for an indefinite time – both disincentives for defenders. While organizations understand that paying ransoms encourages attackers to continue their exploits, negotiating with the attackers can whittle down the ransom demand, an incentive for the victim.
“When you’re trying to run a business, there is almost always a ransom that becomes similar to a break-even point,” Jingguo Wang, a professor of information systems and operations management at the university, told UTA News.
The researchers used behavioral game theory to study how human subjects analyzed strategic decisions around investing in cybersecurity or refusing to pay ransoms. They also explored how organizations can be nudged toward adopting strategies that decrease their exposure to digital extortion.
One potential solution to the ransomware problem at large is to strengthen social norms through community support of good behavior (investing in security solutions and refusing to pay ransoms). These normative appeals to what an organization ought to do, together with descriptions of what others are doing, are effective at nudging defenders into investing in security solutions and refusing to pay, the researchers said.
Further, when defenders refuse to pay the ransom, extortionists lower their demands considerably and reduce the attack rate slightly. Investing in security defenses only slightly lowers the ransom demand and the rate of attack, they found.
The decision process is complicated by an organization’s competing priorities and the multiple mitigation strategies available. Interventions or appeals can drive defenders in the right direction, but they “may not have enough impacts to change investment rate and payment rate of a community significantly, particularly when attackers can influence the will of the defenders by lowering ransoms,” the researchers said in their paper.
“We must convince companies that just because the bad actors come down on the ransom, it doesn’t make it right to pay them — and you’ll probably continue to have problems,” Wang said. “We need to encourage firms to do the right thing in security investing. Recognizing the long-term benefits of this approach could help other companies come to the right decision.”