Cartwright, Anna; Cartwright, Edward; MacColl, Jamie; Mott, Gareth; Turner, Sarah; Sullivan, James; Nurse, Jason RC; (2023) How cyber insurance influences the ransomware payment decision: theory and evidence. The Geneva Papers on Risk and Insurance - Issues and Practice, 48 (2) pp. 300-331. 10.1057/s41288-023-00288-8.
Abstract
In this paper, we analyse how cyber insurance influences the cost–benefit decision-making process of a ransomware victim. Specifically, we ask whether organisations with cyber insurance are more likely to pay a ransom than non-insureds. We propose a game-theoretic framework with which to categorise and distinguish different channels through which insurance may influence victim decision making. This allows us to identify ways in which insurance may incentivise or disincentivise payment of the ransom. Our framework is informed by data from semi-structured interviews with 65 professionals with expertise in cyber insurance, cybersecurity and/or ransomware, as well as data from the U.K. Cyber Security Breaches Survey. We find that perceptions are divided on whether victims with insurance are more (or less) likely to pay a ransom. Our model can reconcile these views once we take into account context specifics, such as the severity of the attack as measured by business interruption and restoration and/or the exfiltration of sensitive data.
Type: | Article |
---|---|
Title: | How cyber insurance influences the ransomware payment decision: theory and evidence |
Open access status: | An open access version is available from UCL Discovery |
DOI: | 10.1057/s41288-023-00288-8 |
Publisher version: | http://dx.doi.org/10.1057/s41288-023-00288-8 |
Language: | English |
Additional information: | This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions. |
Keywords: | Social Sciences, Business, Finance, Business & Economics, Ransomware, Insurance, Cybersecurity, Double extortion, Moral hazard, Negotiation |
UCL classification: | UCL; UCL > Provost and Vice Provost Offices > School of Education; UCL > Provost and Vice Provost Offices > School of Education > UCL Institute of Education; UCL > Provost and Vice Provost Offices > School of Education > UCL Institute of Education > IOE - Culture, Communication and Media |
URI: | https://discovery.ucl.ac.uk/id/eprint/10194401 |