
Cyber Risk: Ransomware Experiments & Behavioral Insights
Delve into the world of cyber risk with a focus on ransomware, individual behavior, and decision-making. Explore research questions on risk attitudes, framing effects, and the psychology of cyber-security choices in this insightful study by Edward Cartwright, Anna Stepanova, and Lian Xue.
Presentation Transcript
Ransomware in the lab: An experiment on cyber risk taking
Edward Cartwright, Anna Stepanova, Lian Xue
Ransomware and individual behaviour
- An embarrassingly large number of individuals and SMEs do not use basic cyber-security measures such as regular, off-line back-ups. Risk taking? Perception gap? Procrastination?
- A large number of individuals, and an even larger number of firms, are willing to pay ransoms to criminals to recover files after an attack. Risk taking? Loss aversion?
Research Questions
- Individual risk attitudes in cyber-security:
  - Willingness to pay to back up?
  - Willingness to pay to recover the files (ransom)?
  - Passive risk taking (not backing up)
- Influence of framing on preferences:
  - Gain framing: regain files that are lost
  - Loss framing: lose files you have
Background literature: Individual decision making under risk
- Prospect theory and loss aversion (Kahneman and Tversky, 1979; Cicchetti and Dubin, 1994)
  - People tend to be risk averse in the domain of sure gains and risk seeking in the domain of sure losses.
  - Losses are weighted more heavily than gains.
  - People are willing to pay a premium to avoid risks of loss.
- Omission/action bias (Spranca et al. 1991; Haidt and Baron 1996; Carlin and Robinson 2009)
  - Back up the files -> risk avoidance / not back up -> passive risk-taking
  - Pay ransom to criminals (recovery) -> active risk seeking
Background literature: Framing and risky decisions
- Preference reversal under logically equivalent choices with different framings (Tversky and Kahneman 1981; Kuhberger 1998)
  - For example (Tversky and Kahneman): Imagine that there will be an outbreak of an unusual disease expected to kill 600.
    - Program A: 200 will be saved.
    - Program B: 1/3 probability that 600 will be saved & 2/3 no people will be saved.
    - Program C: 400 will die.
    - Program D: 1/3 probability that nobody will die & 1/3 600 will die.
- Framing effects & omission bias (Wang 1996; Tanner and Medin 2004)
  - Omission/action bias could be sensitive to negative/positive framings.
Methodology: The game
- The back up and recovery game: a two-stage individual game with perfect information.
- The back-up stage
  - Initial endowment: file worth 100 Tokens;
  - Initial probability of attack is p = 0.5 (exogenous parameter);
  - The individual chooses I to allocate to insurance;
  - Insurance decreases the probability of attack from p to (100p - I)/(100 - I).
- The recovery stage
  - If the file is not attacked, the game ends;
  - Otherwise, the individual chooses R to allocate to the recovery account;
  - Ransom (R) increases the probability that the individual will get the file back to R/100.
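The two-stage game on the methodology slide, modelled as an added Python example (not the authors' code). It reads the slide's attack-probability expression as (100p - I)/(100 - I), which gives zero at I = 50 as the predictions slide requires; the 0 to 100 range for R, the function names and the "expected tokens allocated" measure are assumptions of this example.

```python
import random

P_ATTACK = 0.5  # initial attack probability p given on the slide

def attack_probability(insurance, p=P_ATTACK):
    """Back-up stage: I tokens of insurance cut p to (100p - I)/(100 - I)."""
    if not 0 <= insurance <= 100 * p:
        raise ValueError("I must lie between 0 and 100p")
    return (100 * p - insurance) / (100 - insurance)

def keep_probability(insurance, ransom, p=P_ATTACK):
    """Chance of ending the game with the file: not attacked, or recovered."""
    if not 0 <= ransom <= 100:  # assumed range, so that R/100 is a probability
        raise ValueError("R must lie between 0 and 100")
    a = attack_probability(insurance, p)
    return (1 - a) + a * ransom / 100

def expected_allocation(insurance, ransom, p=P_ATTACK):
    """Mean tokens allocated: I always, R only when an attack happens."""
    return insurance + attack_probability(insurance, p) * ransom

def simulate(insurance, ransom, rounds=20000, seed=1, p=P_ATTACK):
    """Monte Carlo play of the two stages; returns (keep rate, mean tokens)."""
    rng = random.Random(seed)
    a = attack_probability(insurance, p)
    kept = spent = 0
    for _ in range(rounds):
        spent += insurance
        if rng.random() >= a:          # no attack: game ends, file intact
            kept += 1
            continue
        spent += ransom                # recovery stage is reached
        if rng.random() < ransom / 100:
            kept += 1
    return kept / rounds, spent / rounds

if __name__ == "__main__":
    # Constructed strategies: full back-up, full ransom, a mix, and inaction.
    for i, r in [(50, 0), (0, 100), (25, 50), (0, 0)]:
        print(i, r, round(keep_probability(i, r), 3),
              round(expected_allocation(i, r), 2), simulate(i, r))
```

Under this reading, full back-up (I = 50, R = 0) and full ransom (I = 0, R = 100) both keep the file with certainty and both allocate 50 tokens on average. The first pays 50 for sure, while the second pays 100 with probability 0.5.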
Theoretical predictions
- Gain framing:
  - Potential gain of the file worth 100 Tokens,
  - Prediction: back up all (I = 50) and recover none (R = 0).
- Loss framing:
  - Potential loss of the file worth 100 Tokens,
  - Prediction: back up none (I = 0) and recover positive amount (R > 0).
Results 1. Back-up (just) preferred to ransom
Results 2.
- Framing effects are in the predicted direction but weak:
  1. Decreasing trend in R in Gain framing.
  2. Higher R investment in loss framing than gain framing.
Results 2. Framing effects by individual
- DOSPERT scales: Weber, E. U., Blais, A.-R., & Betz, N. (2002).
  1. Extreme risk seeking individuals are immune to framing effects.
  2. Extreme risk averse individuals invest more in back up compared with risk seeking individuals.
Results 3. Individual by types: aggregate
- Payment lovers: Participants who pay an equally high amount to both I and R.
- Ransom lover: Participants who have a strong preference to pay ransom rather than back up.
- Back up lover: Participants who have a strong preference to back up rather than pay ransom.
- Payment averse: Participants who do not spend much in either I or R (inaction).
Results 3. Individual by types: over-time
- In general, participants take active actions (low rate of payment averse).
- In both LL & GG, back up lover is more popular than ransom lover across periods.
- Tendency to switch to back-up lovers as participants gain more experience.
Results 4. Effects of past experience
1. Higher investment in back up if not attacked in the last round. Mann-Whitney effect size r = 0.38 (p < 0.001)
2. Higher investment in recovery if attacked but recovered in the last round. Mann-Whitney effect size r = 0.42 (p = 0.028)
- Robust after controlling for individual effects
- Related literature: present bias & myopic loss aversion
Conclusion
- We simulate a ransomware attack scenario using the back up-recovery game in laboratory settings.
- Participants do not fully back up (77% do not fully back up; 23% fully pay ransom); however, on average they do invest more in back up than recovery.
- Framing effects are small; extreme risk seeking individuals are immune to framing effects.
- Choices are sensitive to the most recent results of back up/recovery.
- Further research:
  1. Ethical/moral framings of investment in back-up and recovery.
  2. Varying costs of back-up & recovery.