Ransomware: new game theory experiment explains why paying is counterproductive

A recently published paper from the University of Texas at Arlington explores how firms go about deciding whether to pay up or not.

In the last year or so, data suggests that cybercrime has risen by around 125%, with ransomware attacks a major factor in this explosive growth. This tremendous growth is by no means a new phenomenon, with data from the European Union revealing a 365% surge in ransomware during 2019.

With attacks not only targeting vital infrastructure, such as utility companies and healthcare providers, but companies large and small, it can easily feel like a problem that is mushrooming out of control, especially as research shows that securing criminal convictions for ransomware attacks is incredibly rare.

It’s perhaps no surprise that a growing number of organizations are simply choosing to pay the ransom as quickly as possible, with a burgeoning market in cyber insurance helping organizations internalize the risks associated with ransomware attacks as a simple cost of doing business in the modern world.

Coping with digital extortion

Firms typically have two choices in such situations: they can either invest in their cybersecurity in the hope that this will minimize any security breaches, or they can implement a policy of always refusing to pay the ransom, which managers hope will deter attackers. Both approaches have clear drawbacks. Investment can be expensive and is by no means a guarantee of success.

Meanwhile, by refusing to negotiate with criminals, the business can experience lengthy system outages that can have significant implications for the operational health of the business.

Despite this, organizations are also well aware that paying the ransom demand merely encourages further ransomware attacks, especially since news of both the vulnerabilities and the firm's compliance with the demand is likely to spread quickly through the cybercriminal underworld.

Most commercial decisions will have a break-even point at which continuing to invest makes no financial sense in terms of the returns you get from that investment, and cybersecurity is no different.

Normative behavior

The researchers used behavioral game theory to explore the options available to managers. For instance, they suggest that the establishment of norms is important, especially as these norms tend to revolve around the virtue of investing in cybersecurity and not caving in to the demands of cybercriminals who manage to breach one's defenses.

If these social norms could be strengthened through greater community support for proactive behaviors, such as investing in cybersecurity and refusing to deal with the demands of cybercriminals, then it can help to create norms across the economy that shift the narrative.

Such norms help to describe not only what organizations should do but also what others are doing, and can be effective in nudging companies in a particular direction.

"Specifically, we find that the defender enjoys a significantly positive utility if she conforms to normative appeals," the researchers write. "Different interventions result in different levels of utility impacts on investing and not-paying. Some may have a stronger impact on investing, while others on not-paying."

Lowering expectations

When these norms become established and there is a growing willingness to refuse any negotiations with cybercriminals, the researchers believe that criminals will not only reduce their demands considerably but also the rate at which they attack.

"Numerical analyses show that when the defenders’ utility of not-paying increases, the attacker lowers ransoms considerably and attack rate slightly," the researchers explain.

"When the defenders’ utility of investing increases, the attacker lowers both ransoms and attack rate very slightly. Ransoms are more likely to be decreased for the utility of not-paying, while attack rate is more likely to be decreased for the utility of investing."
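As an added illustration (a constructed toy model, not the paper's own analysis), the Python sketch below shows the direction of the effect the researchers describe: an attacker who sets the ransom to maximize expected payment chooses a lower ransom, and fewer attacks remain profitable, as the defender's utility from not paying rises. The uniform loss and cost distributions, the `norm_bonus` term and all numeric values are assumptions.

```python
"""Constructed toy model (an added illustration, not the paper's model) of the
comparative statics quoted above: as the defender's utility from not-paying
rises, the attacker's revenue-maximizing ransom and the attack rate fall.
Assumptions (all constructed): outage loss from refusing ~ U(0, loss_max);
not-paying also yields a normative utility norm_bonus; the defender pays iff
paying beats not paying; the attacker knows only the loss distribution and
picks the ransom maximizing expected revenue; attack cost ~ U(0, cost_max),
so the attack rate is the share of attackers for whom attacking is profitable.
"""


def pay_probability(ransom: float, loss_max: float, norm_bonus: float) -> float:
    """P(defender pays) = P(loss - norm_bonus > ransom) with loss ~ U(0, loss_max)."""
    threshold = ransom + norm_bonus  # loss must exceed this for paying to be cheaper
    if threshold >= loss_max:
        return 0.0
    return (loss_max - threshold) / loss_max


def optimal_ransom(loss_max: float, norm_bonus: float, steps: int = 1000) -> tuple:
    """Grid-search the ransom maximizing expected revenue = ransom * P(pay).
    Returns (best_ransom, expected_revenue)."""
    best_r, best_rev = 0.0, 0.0
    for i in range(steps + 1):
        r = loss_max * i / steps
        rev = r * pay_probability(r, loss_max, norm_bonus)
        if rev > best_rev:
            best_r, best_rev = r, rev
    return best_r, best_rev


def attack_rate(expected_revenue: float, cost_max: float) -> float:
    """Share of attackers (cost ~ U(0, cost_max)) for whom attacking is profitable."""
    return min(1.0, max(0.0, expected_revenue / cost_max))


def compare(loss_max: float, cost_max: float, bonuses: list) -> list:
    """Tabulate ransom, revenue and attack rate for each not-paying utility level."""
    rows = []
    for b in bonuses:
        r, rev = optimal_ransom(loss_max, b)
        rows.append({"norm_bonus": b, "ransom": r, "revenue": rev,
                     "attack_rate": attack_rate(rev, cost_max)})
    return rows


if __name__ == "__main__":
    for row in compare(loss_max=100.0, cost_max=50.0, bonuses=[0.0, 20.0, 40.0]):
        print(row)
```

With the assumed values, raising `norm_bonus` from 0 to 40 halves the optimal ransom (50 to 30) and cuts the share of profitable attacks from 0.5 to 0.18; the magnitudes are artefacts of the toy distributions, only the direction is the point.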

Ultimately, normative behaviors are likely to be key to reducing the deluge of ransomware attacks currently experienced across the economy. Whether through industry forums, special interest groups, or other relevant organizations, if awareness can be raised as to the threat posed by digital extortion and a degree of conformity reached as to the best way of tackling that threat, it stands the best chance of success at scale.

Obviously, the ransomware task force established by the Justice Department could help to provide such a forum, but for this to work, it will require social norms to be established and rolled out across the economy so that organizations can easily identify what is expected of them.

"A practical example is to create forums that showcase successes in how mitigation strategies thwart attacks," the researchers conclude. "Other organizations may follow suit, and the practice can snowball into a standard that the community is willing to follow."