A framework for cyber-risk insurance against ransomware: A mixed-method approach

IF 20.1 1区管理学 Q1 INFORMATION SCIENCE & LIBRARY SCIENCE

International Journal of Information Management Pub Date : 2023-11-03 DOI:10.1016/j.ijinfomgt.2023.102724

Arunabha Mukhopadhyay, Swati Jain

{"title":"A framework for cyber-risk insurance against ransomware: A mixed-method approach","authors":"Arunabha Mukhopadhyay, Swati Jain","doi":"10.1016/j.ijinfomgt.2023.102724","DOIUrl":null,"url":null,"abstract":"<div><p>Hackers follow a standard cyber kill chain process and install ransomware payloads using phishing emails on firms belonging to critical industry, resulting in huge losses in revenue, reputation, and customer churn. This study uses a mixed-method explanatory approach to mitigate ransomware attacks. We present the quantitative Ransomware Risk Management Model (R2M2) based on protection motivation theory (PMT). The Ransomware Risk Assessment module based on the threat appraisal component of PMT and the National Institute of Standards and Technology (NIST) guidelines can help the chief information security officer (CISO) to assess the risk using predictive analytics techniques. The Ransomware Risk Quantification module uses collective risk modeling to compute the severity of a ransomware attack on an organization. The Ransomware Risk Mitigation module helps the CISO to minimize the probability and impact of a ransomware attack on their organization by (i) investing in perimeter security technologies and training to ensure prepare, deter, detect, restrain, recover, and review mitigation strategies, (ii) adopting the National Institue of Standards and Technology (NIST) Cybersecurity Framework to ensure business resilience, and (iii) mitigating the residual risk by investing in cyber-risk insurance. We validated the proposed method using a qualitative study by interviewing participants form firms affected by ransomware, managed security service providers, security consultants, and cyber-risk insurers.</p></div>","PeriodicalId":48422,"journal":{"name":"International Journal of Information Management","volume":"74 ","pages":"Article 102724"},"PeriodicalIF":20.1000,"publicationDate":"2023-11-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0268401223001056/pdfft?md5=3d251a9afa04505d27c683328e832cbf&pid=1-s2.0-S0268401223001056-main.pdf","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Management","FirstCategoryId":"91","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0268401223001056","RegionNum":1,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"INFORMATION SCIENCE & LIBRARY SCIENCE","Score":null,"Total":0}

引用次数: 0

Abstract

Hackers follow a standard cyber kill chain process and install ransomware payloads using phishing emails on firms belonging to critical industry, resulting in huge losses in revenue, reputation, and customer churn. This study uses a mixed-method explanatory approach to mitigate ransomware attacks. We present the quantitative Ransomware Risk Management Model (R2M2) based on protection motivation theory (PMT). The Ransomware Risk Assessment module based on the threat appraisal component of PMT and the National Institute of Standards and Technology (NIST) guidelines can help the chief information security officer (CISO) to assess the risk using predictive analytics techniques. The Ransomware Risk Quantification module uses collective risk modeling to compute the severity of a ransomware attack on an organization. The Ransomware Risk Mitigation module helps the CISO to minimize the probability and impact of a ransomware attack on their organization by (i) investing in perimeter security technologies and training to ensure prepare, deter, detect, restrain, recover, and review mitigation strategies, (ii) adopting the National Institue of Standards and Technology (NIST) Cybersecurity Framework to ensure business resilience, and (iii) mitigating the residual risk by investing in cyber-risk insurance. We validated the proposed method using a qualitative study by interviewing participants form firms affected by ransomware, managed security service providers, security consultants, and cyber-risk insurers.

查看原文本刊更多论文

针对勒索软件的网络风险保险框架:一种混合方法

黑客遵循标准的网络杀伤链流程，使用网络钓鱼电子邮件对关键行业的公司安装勒索软件，导致收入、声誉和客户流失方面的巨大损失。本研究使用混合方法解释方法来减轻勒索软件攻击。提出了基于保护动机理论(PMT)的定量勒索软件风险管理模型(R2M2)。基于PMT威胁评估组件和美国国家标准与技术研究院(NIST)指南的勒索软件风险评估模块可以帮助首席信息安全官(CISO)使用预测分析技术评估风险。勒索软件风险量化模块使用集体风险建模来计算组织遭受勒索软件攻击的严重程度。勒索软件风险缓解模块帮助首席信息安全官通过以下方式将勒索软件攻击对其组织的可能性和影响降至最低:(i)投资于外围安全技术和培训，以确保准备、阻止、检测、抑制、恢复和审查缓解策略;(ii)采用美国国家标准与技术研究院(NIST)网络安全框架，以确保业务弹性;(iii)通过投资网络风险保险，降低剩余风险。我们通过访谈受勒索软件影响的公司、托管安全服务提供商、安全顾问和网络风险保险公司的参与者，对所提出的方法进行了定性研究。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

International Journal of Information Management INFORMATION SCIENCE & LIBRARY SCIENCE-

CiteScore

53.10

自引率

6.20%

发文量

111

审稿时长

24 days

期刊介绍： The International Journal of Information Management (IJIM) is a distinguished, international, and peer-reviewed journal dedicated to providing its readers with top-notch analysis and discussions within the evolving field of information management. Key features of the journal include: Comprehensive Coverage: IJIM keeps readers informed with major papers, reports, and reviews. Topical Relevance: The journal remains current and relevant through Viewpoint articles and regular features like Research Notes, Case Studies, and a Reviews section, ensuring readers are updated on contemporary issues. Focus on Quality: IJIM prioritizes high-quality papers that address contemporary issues in information management.