“Extortionality” in Ransomware Attacks: A Microeconomic Study of Extortion and Externality

Published Online: https://doi.org/10.1287/isre.2024.1160

References

  • Amir R, Jakubczyk M, Knauff M (2008) Symmetric versus asymmetric equilibria in symmetric supermodular games. Internat. J. Game Theory 37(3):307–320.
  • Arora A, Caulkins JP, Telang R (2006) Sell first, fix later: Impact of patching on software quality. Management Sci. 52(3):465–471.
  • Arora A, Telang R, Xu H (2008) Optimal policy for software vulnerability disclosure. Management Sci. 54(4):642–656.
  • August T, Dao D, Niculescu MF (2022) Economics of ransomware: Risk interdependence and large-scale attacks. Management Sci. 68(12):8979–9002.
  • August T, Tunca TI (2006) Network software security and user incentives. Management Sci. 52(11):1703–1720.
  • August T, Tunca TI (2008) Let the pirates patch? An economic analysis of software security patch restrictions. Inform. Systems Res. 19(1):48–70.
  • Block W, Anderson GM (2000) Blackmail, extortion, and exchange. New York Law Rev. 44(3):541–561.
  • Block W, Tinsley P (2008) Should the law prohibit paying ransom to kidnappers? Amer. Rev. Political Econom. 6(2):40–45.
  • Cabral LMB (1988) Asymmetric equilibria in symmetric games with many players. Econom. Lett. 27(3):205–208.
  • Cartwright A, Cartwright E (2019) Ransomware and reputation. Games 10(2):26.
  • Cartwright E, Castro JH, Cartwright A (2019) To pay or not: Game theoretic models of ransomware. J. Cybersecurity 5(1):1–12.
  • Cavusoglu H, Raghunathan S, Yue WT (2008) Decision-theoretic and game-theoretic approaches to IT security investment. J. Management Inform. Systems 25(2):281–304.
  • Chen KY, Wang J, Lang Y (2022) Coping with digital extortion: An experimental study of benefit appeals and normative appeals. Management Sci. 68(7):5269–5286.
  • Choudhary V, Zhang Z (2015) Patching the cloud: The impact of SaaS on patching strategy and the timing of software release. Inform. Systems Res. 26(4):845–858.
  • Coker J (2024) 78% of organizations suffer repeat ransomware attacks after paying. Infosecurity Magazine (February 23), https://infosecurity-magazine.com/news/orgs-repeat-ransomware-paying.
  • Cooter RD (1989) The Coase theorem. Eatwell J, Millgate M, Newman P, eds. Allocation, Information and Markets (Palgrave Macmillan, London), 64–70.
  • Daniel M, Turner M (2021) Should ransomware payments be made illegal? Wall Street J. (September 7), https://www.wsj.com/articles/ransomware-payment-illegal-ban-11631047209.
  • Dey D, Ghoshal A, Lahiri A (2022) Circumventing circumvention: An economic analysis of the role of education and enforcement. Management Sci. 68(4):2914–2931.
  • Dey D, Lahiri A, Zhang G (2012) Hacker behavior, network effects, and the security software market. J. Management Inform. Systems 29(2):77–108.
  • Dey D, Lahiri A, Zhang G (2014) Quality competition and market segmentation in the security software market. MIS Quart. 38(2):589–606.
  • Dey D, Lahiri A, Zhang G (2015) Optimal policies for security patch management. INFORMS J. Comput. 27(3):462–477.
  • Dhillon G, Talib YYA, Picoto WN (2020) The mediating role of psychological empowerment in information security compliance intentions. J. Assoc. Inform. Systems 21(1):152–174.
  • DiMolfetta D (2024) Ransomware payment debate resurfaces amid Change Healthcare incident. Nextgov (March 18), https://www.nextgov.com/cybersecurity/2024/03/ransomware-payment-debate-resurfaces-amid-change-healthcare-incident/395026/.
  • Fey M (2012) Symmetric games with only asymmetric equilibria. Games Econom. Behav. 75(1):424–427.
  • Fudenberg D, Levine DK (1988) Open-loop and closed-loop equilibria in dynamic games with many players. J. Econom. Theory 44(1):1–18.
  • Galbreth MR, Shor M (2010) The impact of malicious agents on the enterprise software industry. MIS Quart. 34(3):595–612.
  • Gehring T, Dorsch C, Dörfler T (2019) Precedent and doctrine in organisational decision-making: The power of informal institutional rules in the United Nations Security Council’s activities on terrorism. J. Internat. Relations Development 22(1):107–135.
  • Ghoshal A, Lahiri A, Dey D (2017) Drawing a line in the sand: Commitment problem in ending software support. MIS Quart. 41(4):1227–1447.
  • Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans. Inform. System Security 5(4):438–457.
  • Hausken K (2017) Security investment, hacking, and information sharing between firms and between hackers. Games 8(2):23.
  • Hausken K (2020) Cyber resilience in firms, organizations and societies. Internet Things 11:100204.
  • Hausken K, Levitin G (2012) Review of systems defense and attack models. Internat. J. Performability Engrg. 8(4):355–366.
  • Hefti A (2017) Equilibria in symmetric games: Theory and applications. Theory Econom. 12(3):979–1002.
  • Hernandez-Castro J, Cartwright A, Cartwright E (2020) An economic analysis of ransomware and its welfare consequences. Roy. Soc. Open Sci. 7(3):1–14.
  • Hui K-L, Ke PF, Yao Y, Yue WT (2019) Bilateral liability-based contracts in information security outsourcing. Inform. Systems Res. 30(2):411–429.
  • Kannan K, Telang R (2005) Market for software vulnerabilities? Think again. Management Sci. 51(5):726–740.
  • Kannan K, Rahman M, Tawarmalani M (2016) Economic and policy implications of restricted patch distribution. Management Sci. 62(11):3161–3182.
  • Kumar RL, Park S, Subramaniam C (2008) Understanding the value of countermeasure portfolios in information systems security. J. Management Inform. Systems 25(2):241–279.
  • Laffont J-J (1989) Externalities. Eatwell J, Millgate M, Newman P, eds. Allocation, Information and Markets (Palgrave Macmillan, London), 112–116.
  • Laszka A, Farhang S, Grossklags J (2017) On the economics of ransomware. Rass S, An B, Kiekintveld C, Fang F, Schauer S, eds. Decision Game Theory Security. GameSec 2017, Lecture Notes in Computer Science, vol. 10575 (Springer, Cham, Switzerland).
  • Lee CH, Geng X, Raghunathan S (2013) Contracting information security in the presence of double moral hazard. Inform. Systems Res. 24(2):295–311.
  • Li X, Whinston AB (2020) The economics of cybercrime. Preprint, submitted June 11, http://dx.doi.org/10.2139/ssrn.3603694.
  • Maskin ES (1994) The invisible hand and externalities. Amer. Econom. Rev. 84(2):333–337.
  • Mcintosh T, Susnjak T, Liu T, Xu D, Watters Amd Liu PD, Hao Y, Ng A, Halgamuge M (2024) Ransomware reloaded: Re-examining its trend, research and mitigation in the era of data exfiltration. ACM Comput. Surveys 57(1):1–40.
  • Meurs T, Cartwright E, Cartwright A, Junger M, Abhishta A (2024) Deception in double extortion ransomware attacks: An analysis of profitability and credibility. Comput. Security 138:103670.
  • Mitra S, Ransbotham S (2015) Information disclosure and the diffusion of information security attacks. Inform. Systems Res. 26(3):565–584.
  • Moorthy KS (1988) Product and price competition in a duopoly. Marketing Sci. 7(2):141–168.
  • Morgan S (2023) Global ransomware damage costs predicted to exceed $265 billion by 2031. Cybercrime Magazine (July 7), https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/.
  • Mott G, Turner S, Nurse JRC, MacColl J, Sullivan J, Cartwright A, Cartwright E (2023) Between a rock and a hard(ening) place: Cyber insurance in the ransomware era. Comput. Security 128:103162.
  • Mukhopadhyay A, Jain S (2024) A framework for cyber-risk insurance against ransomware: A mixed-method approach. Internat. J. Inform. Management 74:102724.
  • Oz H, Aris A, Levi A, Uluagac AS (2022) A survey on ransomware: Evolution, taxonomy, and defense solutions. ACM Comput. Surveys 54(11s):1–37.
  • Png IPL, Wang Q-H (2009) Information security: Facilitating user precautions vis-à-vis enforcement against attackers. J. Management Inform. Systems 26(2):97–121.
  • Ransbotham S, Mitra S (2009) Choice and chance: A conceptual model of paths to information security compromise. Inform. Systems Res. 20(1):121–139.
  • Rasmusen E (2007) Games and Information: An Introduction to Game Theory, 4th ed. (Blackwell, Malden, MA).
  • Ray S (2023) Ransomware attacks upgraded to ‘national security threat’ in new White House cybersecurity strategy. Forbes (May 2), https://forbes.com/sites/siladityaray/2023/03/02/ransomware-attacks-upgraded-to-national-security-threat-in-new-white-house-cybersecurity-strategy/.
  • Razaulla S, Fachkha C, Markarian C, Gawanmeh A, Mansoor W, Fung BCM, Assi C (2023) The age of ransomware: A survey on the evolution, taxonomy, and research directions. IEEE Access 11:40698–40723.
  • Seals T (2021) Multi-gov task force plans to take down the ransomware economy. Threatpost (April 29), https://threatpost.com/gov-task-force-ransomware-economy/165715/.
  • Shavell S (1993) An economic analysis of threats and illegality: Blackmail, extortion, and robbery. Univ. Pennsylvania Law Rev. 141(5):1877–1903.
  • Shi F (2020) Ransomware attacks: Why it should be illegal to pay the ransom. Dark Reading (February 4), https://www.darkreading.com/risk/ransomware-attacks-why-it-should-be-illegal-to-pay-the-ransom/a/d-id/1336905?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple.
  • Shi F (2021) Threat spotlight: Ransomware trends. Barracuda Blogs (August 12), https://blog.barracuda.com/2021/08/12/threat-spotlight-ransomware-trends/.
  • Sun L, Srivastava RP, Mock TJ (2006) An information systems security risk assessment model under the Dempster-Shafer theory of belief functions. J. Management Inform. Systems 22(4):109–142.
  • Sussman B (2020) As ransomware payments double, some want them banned. Secureworld (January 27), https://www.secureworldexpo.com/industry-news/ransomware-payments-double-some-want-ransoms-payment-ban.
  • Tirole J (1994) The Theory of Industrial Organization (MIT Press, Cambridge, MA).
  • Travers T (2023) Repeat ransomware attacks: What’s putting victims at risk? Barracuda Blogs (March 28), https://blog.barracuda.com/2023/03/28/repeat-ransomware-attacks.
  • Yeltekin S, Cai Y, Judd KL (2017) Computing equilibria of dynamic games. Oper. Res. 65(2):337–356.