Mott, Gareth, Turner, Sarah, Nurse, Jason R. C., MacColl, Jamie, Sullivan, James, Cartwright, Anna, Cartwright, Edward (2023) Between a rock and a hard(ening) place: Cyber insurance in the ransomware era. Computers & Security, 128. Article Number 103162. ISSN 0167-4048. (doi:10.1016/j.cose.2023.103162) (KAR id:100308)
PDF
Publisher pdf
Language: English
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
PDF
Author's Accepted Manuscript
Language: English Restricted to Repository staff only
Official URL: https://doi.org/10.1016/j.cose.2023.103162
Abstract
Cyber insurance and ransomware are two of the most studied areas within security research and practice to date, and their interplay continues to raise concerns in industry and government. This article offers substantial new insights and analysis into the complex question of whether cyber insurance can help organisations in mitigating the threat of ransomware, particularly its impacts. Having conducted an interview or workshop with 96 industry professionals spanning the cyber insurance, cyber security, ransomware negotiations, policy, and law enforcement sectors, we identify that ransomware has been a key cause of the ‘hardening’ of the cyber insurance market, which is exhibited at almost all levels of the market. Such hardening has been beneficial in raising the security standards required prior to purchase, but has also created a situation where some organisations may not be able to acquire viable cyber insurance at all. In presenting the outcomes of our thematic analysis of the interview and workshop outputs, the paper provides significant new empirical evidence to support the theory that cyber insurance can act as a form of governance for improving cyber security among organisations. Nonetheless, the hardening market does nothing to increase the penetration of cyber insurance. Questions were also raised as to the likelihood of unintended unethical – and potentially illegal – outcomes given the professionalisation of a remediation process that has to determine the most cost-effective solution to an organisation being held ransom. We conclude that insurance, at best, can help to mitigate the ransomware threat for those that can access it, as part of a wider basket of actions that must also come from different stakeholders.
Item Type: | Article |
---|---|
DOI/Identification number: | 10.1016/j.cose.2023.103162 |
Additional information: | For the purpose of open access, the author has applied a CC BY public copyright licence to any Author Accepted Manuscript version arising from this submission. |
Uncontrolled keywords: | cyber security, ransomware, cyber insurance, security incidents, harms, cyber policy, resilience, critical national infrastructure, malware |
Subjects: | H Social Sciences > H Social Sciences (General); Q Science > QA Mathematics (inc Computing science); T Technology |
Divisions: | Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing; University-wide institutes > Institute of Cyber Security for Society |
Funders: | Government Communications Headquarters (https://ror.org/052mq0r90); Engineering and Physical Sciences Research Council (https://ror.org/0439y7842) |
Depositing User: | Jason Nurse |
Date Deposited: | 03 Mar 2023 12:01 UTC |
Last Modified: | 27 Feb 2024 10:58 UTC |
Resource URI: | https://kar.kent.ac.uk/id/eprint/100308 (The current URI for this page, for reference purposes) |