Help
Cart
Skip main navigation

Available Issues

April 10, 2013 - June 5, 2026

Available Issues

April 10, 2013 - June 5, 2026

Coping with Digital Extortion: An Experimental Study of Benefit Appeals and Normative Appeals

Published Online:22 Nov 2021https://doi.org/10.1287/mnsc.2021.4154

References

  • Anderson R, Moore T (2006) The economics of information security. Science 314:610–613.CrossrefGoogle Scholar
  • Bornstein G, Yaniv I (1998) Individual and group behavior in the ultimatum game: Are groups more “rational” players? Experiment. Econom. 1(1):101–108.CrossrefGoogle Scholar
  • Brewer R (2016) Ransomware attacks detection, prevention and cure. Network Security 2016(9):5–9.CrossrefGoogle Scholar
  • Bulgurcu B, Cavusoglu H, Benbasat I (2010) Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. Management Inform. Systems Quart. 34(3):523–548.CrossrefGoogle Scholar
  • Cavusoglu H, Raghunathan S, Yue WT (2008) Decision-theoretic and game-theoretic approaches to it security investment. J. Management Inform. Systems 25(2):281–304.CrossrefGoogle Scholar
  • Chen Y, Su X, Zhao X (2012) Modeling bounded rationality in capacity allocation games with the quantal response equilibrium. Management Sci. 58(10):1952–1962.LinkGoogle Scholar
  • Cialdini RB (2001) Influence: Science and Practice (Allyn & Bacon, Boston).Google Scholar
  • Cialdini RB (2007) Descriptive social norms as underappreciated sources of social control. Psychometrika 72(2):263–268.CrossrefGoogle Scholar
  • Cialdini RB, Trost MR (1998) Social Influence: Social Norms, Conformity and Compliance (McGraw-Hill, New York).Google Scholar
  • Cialdini RB, Kallgren CA, Reno RR (1991) A focus theory of normative conduct: A theoretical refinement and reevaluation of the role of norms in human behavior. Berkowitz L, ed. Advances in Experimental Social Psychology, vol. 24 (Academic Press, San Diego, CA), 201–234.Google Scholar
  • Cialdini RB, Reno RR, Kallgren CA (1990) A focus theory of normative conduct: Recycling the concept of norms to reduce littering in public places. J. Personality Soc. Psych. 58(6):1015–1026.CrossrefGoogle Scholar
  • Cremonini M, Dmitri N (2009) Risks and benefits of signaling information system characteristics to strategic attackers. J. Management Inform. Systems 26(3):241–274.CrossrefGoogle Scholar
  • Crowdstrike (2020) 2020 global threat report. CrowdStrike. Accessed September 12, 2021, https://www.crowdstrike.com/resources/reports/2020-crowdstrike-global-threat-report/.Google Scholar
  • Cui H, Raju JS, Zhang ZJ (2007) Fairness and channel coordination. Management Sci. 53(8):1303–1314.LinkGoogle Scholar
  • Das S, Kramer A, Dabbish L, Hong JI (2014) Increasing security sensitivity with social proof: A large scale experimental confirmation. Proc. SIGSAC Conf. Comput. Comm. Security (ACM, New York), 739–749.Google Scholar
  • Das S, Kramer A, Dabbish L, Hong J (2015) The role of social influence in security feature adoption. Proc. 18th ACM Conf. Comput. Supported Cooperative Work Soc. Comput. (ACM, New York), 1416–1426.Google Scholar
  • Dewally M, Flaherty SMV, Tomasi S (2017) The impact of social norms on female corporate board membership inclusion. Management Finance 43(10):1093–1116.Google Scholar
  • Dietz T, Fitzgerald A, Shwom R (2005) Environmental values. Annual Rev. Environ. Resources 30:335–372.CrossrefGoogle Scholar
  • Donohue K, Katok E, Leider S (2018) The Handbook of Behavioral Operations, Wiley Series in Operations Research and Management Science (John Wiley & Sons, Hoboken, NJ).Google Scholar
  • Ehrenfeld JM (2017) Wannacry, cybersecurity and health information technology: A time to act. J. Medical Systems 41(7):104.CrossrefGoogle Scholar
  • Everett C (2016) Ransomware: To pay or not to pay. Comput. Fraud Security 2016(4):8–12.CrossrefGoogle Scholar
  • FBI (2016) Incidents of ransomware on the rise. Accessed September 12, 2021, https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise.Google Scholar
  • Gal-Or E, Ghose A (2005) The economic incentives for sharing security information. Inform. Systems Res. 16(2):186–208.LinkGoogle Scholar
  • Garicano L, Rossi-Hansberg E (2006) Organization and inequality in a knowledge economy. Quart. J. Econom. 121(4):1383–1435.CrossrefGoogle Scholar
  • Gazet A (2010) Comparative analysis of various ransomware virii. J. Comput. Virology 6(1):77–90.CrossrefGoogle Scholar
  • Gordon LA, Loeb MP (2002) The economics of information security investment. ACM Trans. Inform. System Security 5(4):438–457.CrossrefGoogle Scholar
  • Gupta A, Kannan K, Sanyal P (2018) Economic experiments in information systems. Management Inform. Systems Quart. 42(2):595–606.CrossrefGoogle Scholar
  • Hauser DJ, Schwarz N (2016) Attentive Turkers: Mturk participants perform better on online attention checks than do subject pool participants. Behav. Res. Methods 48(1):400–407.CrossrefGoogle Scholar
  • Heal G, Kunreuther H (2007) Modeling interdependent risks. Risk Anal. 27(3):621–634.CrossrefGoogle Scholar
  • Herath T, Rao HR (2009) Protection motivation and deterrence: A framework for security policy compliance in organisations. Eur. J. Inform. Systems 18(2):106–125.CrossrefGoogle Scholar
  • Herath T, Chen R, Wang J, Banjara K, Wilbur J, Rao HR (2014) Security services as coping mechanisms: An investigation into user intention to adopt an email authentication service. Inform. Systems J. 24(1):61–84.CrossrefGoogle Scholar
  • Ho TH, Zhang J (2008) Designing pricing contracts for boundedly rational customers: Does the framing of the fixed fee matter? Management Sci. 54(4):686–700.LinkGoogle Scholar
  • Kalkanci B, Chen KY, Erhun F (2011) Contract complexity and performance under asymmetric demand information: An experimental evaluation. Management Sci. 57(4):689–704.LinkGoogle Scholar
  • Kannan K, Rahman MS, Tawarmalani M (2016) Economic and policy implications of restricted patch distribution. Management Sci. 62(11):3161–3182.LinkGoogle Scholar
  • Kaspersky (2016) Story of the year: The ransomware revolution. Kaspersky Laboratory. Accessed September 12, 2021, https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07182404/KSB2016_Story_of_the_Year_ENG.pdf.Google Scholar
  • Kharraz A, Arshad S, Mulliner C, Robertson W, Kirda E (2016) Unveil: A large-scale, automated approach to detecting ransomware. Proc. 25th USENIX Security Sympos. (USENIX, Austin, TX), 757–772.Google Scholar
  • Kharraz A, Robertson W, Balzarotti D, Bilge L, Kirda E (2015) Cutting the Gordian Knot: A look under the hood of Ransomware attacks. Proc. 12th Conf. Detection Intrusions Malware Vulnerability Assessment (IEEE, New York), 3–24.Google Scholar
  • Kunreuther H, Heal G (2003) Interdependent security. J. Risk Uncertainity 26(2003):231–249.CrossrefGoogle Scholar
  • Laszka A, Farhang S, Grossklags J (2017) On the economics of ransomware. Proc. GameSec 2017 (Springer, Berlin).Google Scholar
  • Lee YS, Seo YW, Siemsen E (2018) Running behavioral operations experiments using Amazon’s Mechanical Turk. Production Oper. Management 27(5):973–989.CrossrefGoogle Scholar
  • Li S, Chen K-Y, Rong Y (2020) The behavioral promise and pitfalls in compensating store managers. Management Sci. 66(10):4899–4919.LinkGoogle Scholar
  • Lim N, Ho TH (2007) Designing price contracts for boundedly rational customers: Does the number of blocks matter? Marketing Sci. 26(3):312–326.LinkGoogle Scholar
  • Liska A, Gallo T (2017) Ransomware: Defending Against Digital Extortion (O’Reilly Media, Inc., Sebastopol, CA).Google Scholar
  • Luo X, Liao Q (2007) Awareness education as the key to ransomware prevention. Inform. Systems Security 16(4):195–202.CrossrefGoogle Scholar
  • Mathews L (2018) Why you should never pay a ransomware ransom. Forbes (March 9), https://www.forbes.com/sites/leemathews/2018/03/09/why-you-should-never-pay-a-ransomware-ransom/?sh=77c1df017531.Google Scholar
  • McKelvey RD, Palfrey TR (1995) Quantal response equilibria for normal form games. Games Econom. Behav. 10(1):6–38.CrossrefGoogle Scholar
  • McKelvey RD, Palfrey TR (1998) Quantal response equilibria for extensive form games. Experiment. Econom. 1(1):9–41.CrossrefGoogle Scholar
  • Molinillo S, Japutra A (2017) Organizational adoption of digital information and technology: A theoretical review. Bottom Line 30(1):33–46.CrossrefGoogle Scholar
  • Peer E, Vosgerau J, Acquisti A (2014) Reputation as a sufficient condition for data quality on Amazon Mechanical Turk. Behav. Res. Methods 46(4):1023–1031.CrossrefGoogle Scholar
  • Radware (2018) Global application & network security report 2017-2018. Radware Ltd. Accessed September 12, 2021, https://www.radware.com/ert-report-2018/.Google Scholar
  • Sancho D (2017) Digital extortion: A forward-looking view. Trend Micro (January 30), https://www.trendmicro.com/en_us/research/18/a/digital-extortion-forward-looking-view.html.Google Scholar
  • Scaife N, Carter H, Traynor P, Butler KRB (2016) Cryptolock (and drop it): Stopping ransomware attacks on user data. Proc. 2016 IEEE 36th Internat. Conf. Distributed Comput. Systems (IEEE, New York), 303–312.Google Scholar
  • Simon HA (1947) Administrative Behavior: A Study of Decision-Making Processes in Administrative Organization (Macmillan Publishers, New York).Google Scholar
  • Sittig DF, Singh H (2016) A socio-technical approach to preventing, mitigating, and recovering from ransomware attacks. Appl. Clinical Informatics 7(2):624–632.CrossrefGoogle Scholar
  • Slonim R, Roth AE (1998) Learning in high stakes ultimatum games: An experiment in the Slovak Republic. Econometrica 66(3):569–596.CrossrefGoogle Scholar
  • Su X (2008) Bounded rationality in newsvendor models. Manufacturing Service Oper. Management 10(4):566–589.LinkGoogle Scholar
  • Terzani S, Turzo T (2020) Religious social norms and corporate sustainability: The effect of religiosity on environmental, social, and governance disclosure. Corporate Soc. Responsibility Environ. Management 28(1):485–496.CrossrefGoogle Scholar
  • Thakkar D (2017) Preventing Digital Extortion: Mitigate Ransomware, DDoS, and Other Cyberextortion Attacks (Packt Publishing, Birmingham, United Kingdom).Google Scholar
  • Tversky A, Kahneman D (1974) Judgment under uncertainty: Heuristics and biases. Science 185(4157):1124–1131.CrossrefGoogle Scholar
  • Varian H (2004) System reliability and free riding. Jean Camp L, Lewis S, eds. Economics of Information Security (Springer, Boston), 1–15.Google Scholar
  • Verizon (2020) Verizon mobile security index 2020 report. Verizon. Accessed September 12, 2021, https://enterprise.verizon.com/business/content/dam/resources/reports/2020/2020-msi-public-sector.pdf.Google Scholar
  • Wang J, Chaudhury A, Rao HR (2008) A value-at-risk approach to information security investment. Inform. Systems Res. 19(1):106–120.LinkGoogle Scholar
  • Wang J, Chen R, Herath T, Rao HR (2009) Visual email authentication and identification services: An investigation of the effect on email use. Decision Support Systems 48(1):92–102.CrossrefGoogle Scholar
  • White K, Peloza J (2009) Self-benefit vs. other-benefit marketing appeals: Their effectiveness in generating charitable support. J. Marketing 73(July):109–124.CrossrefGoogle Scholar
  • White K, Simpson B (2013) When do (and don’t) normative appeals influence sustainable consumer behaviors? J. Marketing 77(2):78–95.CrossrefGoogle Scholar
  • Wu DY, Chen KY (2014) Supply chain contract design: Impact of bounded rationality and individual heterogeneity. Production Oper. Management 23(2):253–268.CrossrefGoogle Scholar
  • Yazdanmehr A, Wang J (2016) Employees’ information security policy compliance: A norm activation perspective. Decision Support Systems 92(December):36–46.CrossrefGoogle Scholar
  • Zhao X, Xue L, Whinston AB (2013) Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. J. Management Inform. Systems 30(1):123–152.CrossrefGoogle Scholar
Previous
Back to Top
Next
INFORMS site uses cookies to store information on your computer. Some are essential to make our site work; Others help us improve the user experience. By using this site, you consent to the placement of these cookies. Please read our Privacy Statement to learn more.
Agree