How Cyber-Insurance Influences the Ransomware Payment Decision: Theory and Evidence

Cartwright, Anna, Cartwright, Edward, MacColl, Jamie, Mott, Gareth, Turner, Sarah, Sullivan, James, Nurse, Jason R. C. (2023) How Cyber-Insurance Influences the Ransomware Payment Decision: Theory and Evidence. The Geneva Papers on Risk and Insurance - Issues and Practice, 48. pp. 300-331. E-ISSN 1468-0440. (doi:10.1057/s41288-023-00288-8) (Access to this publication is currently restricted. You may be able to access a copy if URLs are provided) (KAR id:100212)

PDF Author's Accepted Manuscript
Language: English

Restricted to Repository staff only until 8 March 2024.
Official URL:
https://doi.org/10.1057/s41288-023-00288-8

Abstract

In this paper we analyse how cyber-insurance influences the cost-benefit decision making process of a ransomware victim. Specifically, we ask whether organizations with cyber-insurance are more likely to pay a ransom than non-insureds. We propose a game-theoretic framework with which to categorize and distinguish different channels through which insurance may influence victim decision making. This allows us to identify ways in which insurance may incentivize or disincentivize payment of the ransom. Our framework is informed by data from semi-structured interviews with 65 professionals with expertise in cyber-insurance, cybersecurity and/or ransomware, as well as data from the UK Cyber Security Breaches Survey. We find that perceptions are very divided on whether victims with insurance are more (or less) likely to pay a ransom. Our model can reconcile these views once we take into account context specifics, such as the severity of the attack as measured by business interruption and restoration and/or the exfiltration of sensitive data.

Item Type: Article
DOI/Identification number: 10.1057/s41288-023-00288-8
Additional information: For the purpose of open access, the author has applied a CC BY public copyright licence to any Author Accepted Manuscript version arising from this submission.
Uncontrolled keywords: Ransomware, Insurance, Cyber security, Double extortion, Moral hazard, Negotiation
Subjects: H Social Sciences
H Social Sciences > HB Economic Theory
Q Science
Q Science > QA Mathematics (inc Computing science)
T Technology
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
University-wide institutes > Institute of Cyber Security for Society
Funders: Government Communications Headquarters (https://ror.org/052mq0r90)
Engineering and Physical Sciences Research Council (https://ror.org/0439y7842)
Depositing User: Jason Nurse
Date Deposited: 24 Feb 2023 13:30 UTC
Last Modified: 27 Feb 2024 10:59 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/100212 (The current URI for this page, for reference purposes)
