Improving defender decision making when responding to ransomware infections and other forms of cyber extortion has been a research topic of mine for several years now. It was sparked by the fairly common advice I heard, and continue to hear, from experts, law enforcement and security vendors: don't ever pay the ransom.
This advice seems to be unanimous. If this is the "best" advice, why do so many people and companies pay the ransom? Take a moment and think about the problem: let's assume that some victims will ignore the advice of "don't ever pay." Where can we influence the entire ransomware decision making cycle, from pre-infection to ransom negotiations?
The first talk I gave on this was at BSides Seattle in 2016, describing cyber extortion in detail and ending in a demonstration on how to perform a quantitative risk analysis on extortion.
I gave two subsequent talks at NBTcon 3 in late 2016 and BSides San Francisco in early 2017. These two talks were focused on analyzing the ransomware decision making process through the lens of game theory. Game theory is a favorite topic among strategists and economists because it breaks down complex interactions into steps in a decision tree that are relatively easy to understand and analyze. After additional study of game theory and decision making under uncertainty, I've reconsidered its use to analyze ransomware infections. One underlying assumption of game theory is that the actors are rational decision makers. Humans, in the face of uncertainty and risk, are anything but rational decision makers (see Kahneman, Thaler, Taleb and many others). Humans are filled with all kinds of cognitive biases when making risk decisions and – even when aware of the biases – have to work very hard to control for them (see Hubbard and many others) and are still often unsuccessful.
My current thought on the topic is that we, as defenders, can still influence the ransomware problem, but it's best analyzed with basic decision science, and not through game theory.
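To make "basic decision science" concrete, here is an added illustration (not code from the original post or from the ISACA article) of the kind of expected-cost decision tree that analysis starts from: a "pay" branch and a "restore from backup" branch, each with a chance node, where a failed decryptor falls back to the restore branch. Every probability and dollar figure below is a constructed assumption chosen to show the mechanics, not data from any incident; the point of the second scenario is that a pre-infection investment (more reliable backups) can flip which branch is cheaper before any negotiation begins.

```python
"""Expected-cost decision tree for a ransomware "pay vs. restore" decision.

Added illustration; all probabilities, day counts and dollar amounts are
constructed assumptions, not figures from the original post.
"""
from dataclasses import dataclass

DOWNTIME_COST_PER_DAY = 50_000.0  # constructed assumption: cost of one day offline


@dataclass(frozen=True)
class Branch:
    """One outcome at a chance node: its probability and its total cost."""
    probability: float
    cost: float


def expected_cost(branches):
    """Expected cost of a chance node; rejects probabilities that do not sum to 1."""
    total = sum(b.probability for b in branches)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"branch probabilities sum to {total}, not 1")
    return sum(b.probability * b.cost for b in branches)


def restore_cost(p_backups_good, restore_days=5, restore_spend=40_000.0,
                 rebuild_days=20, rebuild_spend=300_000.0,
                 downtime_per_day=DOWNTIME_COST_PER_DAY):
    """Expected cost of the 'do not pay' branch.

    Good backups: restore spend plus a short outage.
    Bad backups: rebuild from scratch plus a long outage.
    """
    good = restore_spend + restore_days * downtime_per_day
    bad = rebuild_spend + rebuild_days * downtime_per_day
    return expected_cost([Branch(p_backups_good, good),
                          Branch(1.0 - p_backups_good, bad)])


def pay_cost(ransom, p_decryptor_works, fallback_cost, works_days=3,
             downtime_per_day=DOWNTIME_COST_PER_DAY):
    """Expected cost of the 'pay' branch.

    If the decryptor works: ransom plus a short outage.
    If it fails: the ransom is sunk and the victim still incurs the full
    restore branch (fallback_cost), which is where the tree composes.
    """
    works = ransom + works_days * downtime_per_day
    fails = ransom + fallback_cost
    return expected_cost([Branch(p_decryptor_works, works),
                          Branch(1.0 - p_decryptor_works, fails)])


def decide(ransom, p_decryptor_works, p_backups_good):
    """Evaluate both branches and report which has the lower expected cost."""
    e_restore = restore_cost(p_backups_good)
    e_pay = pay_cost(ransom, p_decryptor_works, e_restore)
    return {"pay": e_pay,
            "restore": e_restore,
            "cheaper": "pay" if e_pay < e_restore else "restore"}


def breakeven_decryptor_probability(ransom, p_backups_good, works_days=3,
                                    downtime_per_day=DOWNTIME_COST_PER_DAY):
    """Decryptor success probability at which paying and restoring cost the same.

    Solves p*works + (1-p)*(ransom + E_restore) = E_restore for p, giving
    p = ransom / (ransom + E_restore - works). Returns None when no
    probability in (0, 1] makes paying competitive, i.e. restoring wins
    even if the decryptor were guaranteed to work.
    """
    e_restore = restore_cost(p_backups_good)
    works = ransom + works_days * downtime_per_day
    denominator = ransom + e_restore - works
    if denominator <= 0:
        return None
    p = ransom / denominator
    return p if p <= 1.0 else None


if __name__ == "__main__":
    # Scenario 1: mediocre backups (80% chance they restore cleanly).
    print(decide(200_000, 0.7, 0.8))
    print(breakeven_decryptor_probability(200_000, 0.8))
    # Scenario 2: same ransom, but backups now restore cleanly 95% of the time.
    print(decide(200_000, 0.7, 0.95))
    print(breakeven_decryptor_probability(200_000, 0.95))
```

With the constructed numbers, the first scenario favors paying in expectation (about $452,600 versus $492,000), which is the uncomfortable result that explains why "never pay" is so often ignored; raising backup reliability to 95% drops the restore branch to about $340,500 and makes paying the worse choice at any decryptor success rate. The model deliberately ignores the biases the post discusses (loss aversion, time pressure), so treat its output as the baseline a defender corrects for rather than a prescription.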
I summarized the problems and possible solutions in a rather lengthy ISACA Journal article I wrote on the topic, called "The Downstream Effects of Cyber Extortion." It's behind a paywall – the article is summarized in a free blog post called "Decision Analysis of Ransomware Incidents".
I'm always happy to discuss further in email or comments below.