CeDEx Seminar - Edward Cartwright (De Montfort University, Leicester)

Ransomware in the Lab: An experiment on cyber risk-taking

Abstract: Ransomware is relatively new form of cyber-attack in which a victim’s files are encrypted and a ransom is demanded for release of the key to decrypt the files. We develop a simple game-theoretical framework with which to study ransomware. In the first stage an individual can spend money to insure against cyber-attack. In the second stage the individual, if attacked, can spend resource to try and recover her files. We report the results of two experiments in which we evaluate attitudes to risk and compare a loss and gain frame. We observe considerable heterogeneity in behaviour with a large proportion of ‘back-up lovers’ who are risk averse and ‘ransom lovers’ who are risk taking. If the large amount of risk taking we observe was translated into real behaviour then individuals would be exposed to ‘dangerous’ levels of cyber risk. This is consistent with the general perception that cyber risks are under appreciated. While the gain-loss framing effect is in the direction predicted by prospect theory it is not large.