Professors study ideal responses to ransomware attacks

Credit: CC0 Public Domain

A pair of College of Business professors and their doctoral student at The University of Texas at Arlington are exploring how ransomware attacks sometimes pit organizations against the law enforcement agencies trying to protect them.

Kay-Yut Chen, Jingguo Wang and Yan Lang are authors of a new study in the journal Management Science titled "Coping with Digital Extortion: An Experimental Study on Benefit Appeals and Normative Appeals." Chen and Wang are professors of information systems and operations management at UTA. Lang is a doctoral student in the department.

A attack is like a cyber hijacking, with criminals infiltrating and seizing an organization's data or computer systems and demanding a payment or ransom to restore access.

In its study, the UTA trio explains that companies are finding that it makes sense to negotiate with their attackers to drive down the cost of the ransom. But such behavior in turn incentivizes attackers to continue their and runs counter to FBI guidance.

"From a policy perspective, the FBI is telling businesses not to give in," Wang said. "But we've found that when you're trying to run a business, there is almost always a ransom that becomes similar to a break-even point."

This study investigates in part how to nudge companies toward adopting strategies that decrease the risk of digital extortion. The researchers used behavioral game theory to study tactics such as investing in cybersecurity or refusing to pay ransoms and used human subject experiments to analyze strategic decisions made by interacting players.

"We reason that when companies are hit with ransomware attacks, even if they pay the ransom, they still must pay for added security," Chen said.

National data shows these ransomware attacks are spiking, with experts saying an organization is attacked by ransomware every 40 seconds. Earlier this year, one of the nation's largest pipelines, carrying gasoline and jet fuel from Texas to the East Coast, shut down after a .

"We must convince companies that just because the bad actors come down on the ransom, it doesn't make it right to pay them—and you'll probably continue to have problems," Wang said. "We need to encourage firms to do the right thing in security investing. Recognizing the long-term benefits of this approach could help other companies come to the right decision."

Journal information: Management Science
Citation: Professors study ideal responses to ransomware attacks (2021, June 30) retrieved 16 July 2024 from
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Explore further

NCCoE preliminary draft report on ransomware risk management


Feedback to editors