Dr Anna Cartwright

Micro and small businesses are increasingly reliant on digital and online technology. They have, though, very limited resources and expertise to devote to cyber security. There is, thus, a pressing economic and social challenge of how to improve cyber security in small businesses. We look at the potential role of IT companies as a conduit through which to cascade information on best practice, focusing on the United Kingdom. We first present an analysis of the UK’s Cyber Security Breaches Survey (2018–2021) distinguishing different channels through which micro and small businesses access information on cyber security. We find that the main channel, by far, is through IT companies. Very few businesses directly access information from the government or law enforcement. To further explore the role of IT companies we conducted a series of focus groups and interviews with experts in IT and cyber security for small businesses in the UK. One theme to emerge is that IT companies, while they can be part of the solution, can also be part of the problem and so a number of interventions are needed if IT companies are to effectively disseminate best practice. These include advice and guidance for micro and small businesses on how to distinguish ‘good’ IT companies, as well as appropriate support for IT companies, who themselves are typically micro and small businesses that lack expertise on cyber security.

In this paper, we analyse how cyber insurance influences the cost–benefit decision-making process of a ransomware victim. Specifically, we ask whether organisations with cyber insurance are more likely to pay a ransom than non-insureds. We propose a game-theoretic framework with which to categorise and distinguish different channels through which insurance may influence victim decision making. This allows us to identify ways in which insurance may incentivise or disincentivise payment of the ransom. Our framework is informed by data from semi-structured interviews with 65 professionals with expertise in cyber insurance, cybersecurity and/or ransomware, as well as data from the U.K. Cyber Security Breaches Survey. We find that perceptions are divided on whether victims with insurance are more (or less) likely to pay a ransom. Our model can reconcile these views once we take into account context specifics, such as the severity of the attack as measured by business interruption and restoration and/or the exfiltration of sensitive data.

Cyber insurance and ransomware are two of the most studied areas within security research and practice to date, and their interplay continues to raise concerns in industry and government. This article offers substantial new insights and analysis into the complex question of whether cyber insurance can help organisations in mitigating the threat of ransomware, particularly its impacts. Having conducted an interview or workshop with 96 industry professionals spanning the cyber insurance, cyber security, ransomware negotiations, policy, and law enforcement sectors, we identify that ransomware has been a key cause of the ‘hardening’ of the cyber insurance market, which is exhibited at almost all levels of the market. Such hardening has been beneficial in raising the security standards required prior to purchase, but has also created a situation where some organisations may not be able to acquire viable cyber insurance at all. In presenting the outcomes of our thematic analysis of the interview and workshop outputs, the paper provides significant new empirical evidence to support the theory that cyber insurance can act as a form of governance for improving cyber security amongst organisations. Nonetheless, the hardening market does nothing to increase the penetration of cyber insurance. Questions were also raised as to the likelihood of unintended unethical – and potentially illegal – outcomes given the professionalisation of a remediation process that has to determine the most cost-effective solution to an organisation being held ransom. We conclude that insurance, at best, can help to mitigate the ransomware threat for those that can access it, as part of a wider basket of actions that must also come from different stakeholders.

We explore the economics of ransomware on production supply chains. Integrated supply chains result in a mutual-dependence between firms that can be exploited by cyber-criminals. For instance, we show that by targeting one firm in the network the criminals can potentially hold multiple firms to ransom. Overlapping security systems may also allow the criminals to strike at weak points in the network. For instance, it may be optimal for the attacker to target a supplier in order to ransom a large producer at the heart of the production network. We introduce a game theoretic model of an attack on a supply chain and solve for two types of Nash equilibria. We then study a hub and spoke example before providing simulation results for a general case. We find that the total ransom the criminals can demand is increasing in the average path length of the network. Thus, the ransom is lowest for a hub and spoke network and highest for a line network. Mitigation strategies are discussed.

Purpose
​​​​​​​Ransomware is a relatively new form of financial extortion that is proving a major cyber-security threat to individuals and organisations. This study aims to investigate factors that may influence an individual's willingness to engage in a ransom payment.

Design/methodology/approach
This study ran a large survey (n = 1,798) on a representative sample of the UK population. This study elicited willingness to pay (WTP) ransomware and also reasons for not wanting to pay a ransom to criminals. This study then used non-parametric tests and regression analysis to identify factors that influence WTP.

Findings
This study finds that women and younger age groups are significantly more willing to pay a ransom, as are those who store photos. There is a strong positive relationship between concern for data breach and WTP a ransom.

Originality/value
To the best of the authors’ knowledge, this is the first large scale study to look at WTP ransomware. This study identifies a range of factors that can help inform law enforcement to target advice about ransomware attacks.