“Extortionality” in Ransomware Attacks: A Microeconomic Study of Extortion and Externality

Published Online: https://doi.org/10.1287/isre.2024.1160

Ransomware, a digital form of extortion, has emerged as one of the biggest threats to cybersecurity. Faced with business disruptions, many organizations accede to ransom demands, and in doing so, they incentivize attackers to launch more attacks, elevating the chance of a future breach, not just for themselves but for others as well. We study this externality using a multiperiod game among multiple firms, each of which has a choice to pay or not pay if breached in a particular period, its choice having implications for all of them in the future. How should a policymaker intervene to mitigate this externality, and is prohibition really necessary? Our study raises several important questions and provides practical insights. Specifically, what might work or how it might work as a policy tool depends critically on the behavior of a third party—the ransomware attacker—an economic agent absent from a typical externality setup. If the attacker is not strategic, fiscal interventions could work, and a complete prohibition on ransom payment is unnecessary. If the attackers are strategic, though, they could respond to the policymaker’s tax/subsidy in a manner that may actually increase victims’ propensity to pay, rendering fiscal intervention ineffective as a policy lever. In such a case, prohibition may be the only way to mitigate the externality. Overall, our model of “extortionality”—externality due to extortion—provides a framework for comparing different types of policy interventions and raises concerns for policymakers and social planners to pause and ponder.

History: Olivia Sheng, Senior Editor; Zhengrui Jiang, Associate Editor.

Supplemental Material: The online appendix is available at https://doi.org/10.1287/isre.2024.1160.
