Professors study ideal responses to ransomware attacks

A pair of College of Business professors and their doctoral student at The University of Texas at Arlington are exploring how ransomware attacks sometimes pit organizations against the law enforcement agencies trying to protect them.

Kay-Yut Chen, Jingguo Wang and Yan Lang are authors of a new study in the journal Management Science titled "Coping with Digital Extortion: An Experimental Study on Benefit Appeals and Normative Appeals." Chen and Wang are professors of information systems and operations management at UTA. Lang is a doctoral student in the department.

A ransomware attack is like a cyber hijacking, with criminals infiltrating and seizing an organization's data or computer systems and demanding a payment or ransom to restore access.

In its study, the UTA trio explains that companies are finding that it makes sense to negotiate with their attackers to drive down the cost of the ransom. But such behavior in turn incentivizes attackers to continue their illegal activities and runs counter to FBI guidance.

"From a policy perspective, the FBI is telling businesses not to give in," Wang said. "But we've found that when you're trying to run a business, there is almost always a ransom that becomes similar to a break-even point."

This study investigates in part how to nudge companies toward adopting strategies that decrease the risk of digital extortion. The researchers used behavioral game theory to study tactics such as investing in cybersecurity or refusing to pay ransoms and used human subject experiments to analyze strategic decisions made by interacting players.

"We reason that when companies are hit with ransomware attacks, even if they pay the ransom, they still must pay for added security," Chen said.

National data shows these ransomware attacks are spiking, with experts saying an organization is attacked by ransomware every 40 seconds. Earlier this year, one of the nation's largest pipelines, carrying gasoline and jet fuel from Texas to the East Coast, shut down after a ransomware attack.

"We must convince companies that just because the bad actors come down on the ransom, it doesn't make it right to pay them—and you'll probably continue to have problems," Wang said. "We need to encourage firms to do the right thing in security investing. Recognizing the long-term benefits of this approach could help other companies come to the right decision."