How cyber insurance influences the ransomware payment decision: theory and evidence

In this paper, we analyse how cyber insurance influences the cost-benefit decision-making process of a ransomware victim. Specifically, we ask whether organisations with cyber insurance are more likely to pay a ransom than non-insureds. We propose a game-theoretic framework with which to categorise and distinguish different channels through which insurance may influence victim decision making. This allows us to identify ways in which insurance may incentivise or disincentivise payment of the ransom. Our framework is informed by data from semi-structured interviews with 65 professionals with expertise in cyber insurance, cybersecurity and/or ransomware, as well as data from the U.K. Cyber Security Breaches Survey. We find that perceptions are divided on whether victims with insurance are more (or less) likely to pay a ransom. Our model can reconcile these views once we take into account context specifics, such as the severity of the attack as measured by business interruption and restoration and/or the exfiltration of sensitive data.