“Extortionality” in Ransomware Attacks: A Microeconomic Study of Extortion and Externality
This paper studies the negative externality created when firms pay ransoms in ransomware attacks. Using a multiperiod game model, it analyzes how effective policy tools such as taxes, subsidies, or bans are under different attacker strategies, and provides an intervention framework for policymakers.
Practice- and Policy-Oriented Abstract

Ransomware attacks have emerged as one of the biggest threats to cybersecurity. Faced with business disruptions, many organizations accede to ransom demands, and in doing so, they embolden the attackers to launch more attacks, elevating the chance of a future breach for others. We study this externality using a multiperiod game among multiple firms, each of which has a choice to pay or not pay if breached in a particular period, its action having implications for future periods. How should a policymaker intervene to mitigate this externality, and is prohibition necessary? What might work, or how it might work, as a policy tool depends critically on the behavior of the attacker (extortionist). If the attacker is not strategic, fiscal interventions could work, and a complete prohibition on ransom payment is unnecessary. If the attackers are strategic, though, they may respond to the policymaker's tax/subsidy in a manner that could increase victims' propensity to pay, rendering fiscal intervention ineffective as a policy lever. In such a case, prohibition may be the only way to mitigate the externality. Overall, our analysis provides a framework for comparing different types of policy interventions and raises concerns for policymakers and social planners to pause and ponder.