Deterrence, Backup, or Insurance: Game-Theoretic Modeling of Ransomware-Reference-Cited by-同舟云学术

Deterrence, Backup, or Insurance: Game-Theoretic Modeling of Ransomware

Published:2023-02-23 Issue:2 Volume:14 Page:20
ISSN:2073-4336
Container-title:Games
language:en
Short-container-title:Games

Author:

Yin Tongxin¹^ORCID,Sarabi Armin¹^ORCID,Liu Mingyan¹^ORCID

Affiliation:

1. Department of Electrical Engineering and Computer Science, University of Michigan-Ann Arbor, Ann Arbor, MI 48105, USA

Abstract

In this paper, we present a game-theoretic analysis of ransomware. To this end, we provide theoretical and empirical analysis of a two-player Attacker-Defender (A-D) game, as well as a Defender-Insurer (D-I) game; in the latter, the attacker is assumed to be a non-strategic third party. Our model assumes that the defender can invest in two types of protection against ransomware attacks: (1) general protection through a deterrence effort, making attacks less likely to succeed, and (2) a backup effort serving the purpose of recourse, allowing the defender to recover from successful attacks. The attacker then decides on a ransom amount in the event of a successful attack, with the defender choosing to pay ransom immediately, or to try to recover their data first while bearing a recovery cost for this recovery attempt. Note that recovery is not guaranteed to be successful, which may eventually lead to the defender paying the demanded ransom. Our analysis of the A-D game shows that the equilibrium falls into one of three scenarios: (1) the defender will pay the ransom immediately without having invested any effort in backup, (2) the defender will pay the ransom while leveraging backups as a credible threat to force a lower ransom demand, and (3) the defender will try to recover data, only paying the ransom when recovery fails. We observe that the backup effort will be entirely abandoned when recovery is too expensive, leading to the (worst-case) first scenario which rules out recovery. Furthermore, our analysis of the D-I game suggests that the introduction of insurance leads to moral hazard as expected, with the defender reducing their efforts; less obvious is the interesting observation that this reduction is mostly in their backup effort.

Funder

ARO

National Science Foundation

Publisher

MDPI AG

Subject

Applied Mathematics,Statistics, Probability and Uncertainty,Statistics and Probability

Link

https://www.mdpi.com/2073-4336/14/2/20/pdf

Reference32 articles.

1. AAG (2023, January 23). The Latest 2023 Ransomware Statistics. Available online: https://aag-it.com/the-latest-ransomware-statistics.

2. astra (2023, January 23). Ransomware Attack Statistics 2023: Trends, Cost, 100+ Stats. Available online: https://www.getastra.com/blog/security-audit/ransomware-attack-statistics.

3. Court, T.I.S. (2023, January 23). G&G Oil Co. of Indiana v. Continental Western Insurance Co, Available online: https://public.courts.in.gov/Appellate/Document?id=80c1670f-405d-47c2-9e2d-a7216b272666.

4. Conversation, T. (2023, January 23). Colonial Pipeline Forked over $4.4M to end Cyberattack—But is Paying a Ransom ever the Ethical Thing to do?. Available online: https://theconversation.com/colonial-pipeline-forked-over-4-4m-to-end-cyberattack-but-is-paying-a-ransom-ever-the-ethical-thing-to-do-161383.

5. Subgame perfect implementation;Moore;Econom. J. Econom. Soc.,1988

Cited by 2 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Ransomware Reloaded: Re-examining Its Trend, Research and Mitigation in the Era of Data Exfiltration;ACM Computing Surveys;2024-08-30

2. Double-Sided Information Asymmetry in Double Extortion Ransomware;Lecture Notes in Computer Science;2023