Kent Academic Repository

Between a rock and a hard(ening) place: Cyber insurance in the ransomware era

Mott, Gareth, Turner, Sarah, Nurse, Jason R. C., MacColl, Jamie, Sullivan, James, Cartwright, Anna, Cartwright, Edward (2023) Between a rock and a hard(ening) place: Cyber insurance in the ransomware era. Computers & Security, 128 . Article Number 103162. ISSN 0167-4048. (doi:10.1016/j.cose.2023.103162) (KAR id:100308)

Abstract

Cyber insurance and ransomware are two of the most studied areas within security research and practice to date, and their interplay continues to raise concerns in industry and government. This article offers substantial new insights and analysis into the complex question of whether cyber insurance can help organisations in mitigating the threat of ransomware, particularly its impacts. Having conducted an interview or workshop with 96 industry professionals spanning the cyber insurance, cyber security, ransomware negotiations, policy, and law enforcement sectors, we identify that ransomware has been a key cause of the ‘hardening’ of the cyber insurance market, which is exhibited at almost all levels of the market. Such hardening has been beneficial in raising the security standards required prior to purchase, but has also created a situation where some organisations may not be able to acquire viable cyber insurance at all. In presenting the outcomes of our thematic analysis of the interview and workshop outputs, the paper provides significant new empirical evidence to support the theory that cyber insurance can act as a form of governance for improving cyber security among organisations. Nonetheless, the hardening market does nothing to increase the penetration of cyber insurance. Questions were also raised as to the likelihood of unintended unethical – and potentially illegal – outcomes given the professionalisation of a remediation process that has to determine the most cost-effective solution to an organisation being held ransom. We conclude that insurance, at best, can help to mitigate the ransomware threat for those that can access it, as part of a wider basket of actions that must also come from different stakeholders.

Item Type: Article
DOI/Identification number: 10.1016/j.cose.2023.103162
Additional information: For the purpose of open access, the author has applied a CC BY public copyright licence to any Author Accepted Manuscript version arising from this submission.
Uncontrolled keywords: cyber security, ransomware, cyber insurance, security incidents, harms, cyber policy, resilience, critical national infrastructure, malware
Subjects: H Social Sciences > H Social Sciences (General)
Q Science > QA Mathematics (inc Computing science)
T Technology
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
University-wide institutes > Institute of Cyber Security for Society
Funders: Government Communications Headquarters (https://ror.org/052mq0r90)
Engineering and Physical Sciences Research Council (https://ror.org/0439y7842)
Depositing User: Jason Nurse
Date Deposited: 03 Mar 2023 12:01 UTC
Last Modified: 27 Feb 2024 10:58 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/100308 (The current URI for this page, for reference purposes)
