Ransomware Harms and the Factors that Influence the Victim Organization’s Experience
Introduction
Ransomware is a growing concern in the cybersecurity industry. It causes harm to an organization or company, and even produces physiological harm to the individuals who have been affected. Ransomware attacks seek to do three things within an organization: instill fear in the victims, interrupt and leverage data, and monetize the attack. However, these attacks do just as much harm to the individuals who work for a company as they do to the organization itself. The article relates to the social sciences because it examines the intersection of psychology and cybersecurity while describing the physical, economic, reputational, social, and psychological effects of victimization. Specifically, this article asks, “what harms do individual victims of ransomware experience in an organization and what factors alleviate or aggravate those harms?”
Research Methods
To address the harms of ransomware attacks, eighty-three interviews were conducted with professionals, including ransomware victims, incident responders, ransom negotiators, law enforcement, and government officials. These interviews were semi-structured to allow each participant the flexibility needed to emphasize the problems arising from attacks that were most relevant to them.
Data and Analysis
Analysis of the data shows that participants experienced individual and personal effects from these attacks. The data also shows that ransomware attacks touch multiple disciplines of the social sciences because these cyber-attacks cross into many areas of study. Physically, participants noted lack of adequate sleep, lack of proper nutrition, weight changes, and minor and major illnesses such as heart palpitations and even stroke. Economically, individuals were subjected to cancellation of vacations and annual leave, increased future risk due to fraud, loss of salary, and economic risk to personal assets. Psychologically, participants described feelings of anger, confusion, embarrassment, guilt, isolation, post-traumatic stress disorder, self-doubt, shame, and even suicidal thoughts. Reputationally, victims were met with less trust from the organization, less trust from clients represented by the organization, and exposure to individuals’ social media accounts. Socially, individuals were subjected to disruption of family routines, inability to exercise bereavement rights, and an inability to undertake childcare duties and services. The data shows that in addition to individual victims being affected, IT staff tasked with fixing issues become overworked and overwhelmed. Often, the personal effects go overlooked and underreported, which exacerbates the problems.
Concepts Related to Social Sciences
In relation to the social sciences, this article addresses how ransomware cyber-attacks affect the individual people involved in the attacks, not just the organization that was targeted. There is psychological harm done that can damage someone physically and physiologically, which involves Maslow’s Hierarchy of Needs. Analysis of the data shows that all five levels in the hierarchy are impacted, leading to overall malaise among employees who were targeted directly and indirectly. These attacks lead to economic problems for the organization as well as for individual employees, because employees work overtime to mitigate attacks or lose pay because of the toll the attack has taken on them.
Challenges, Concerns, and Contributions
The authors of this study show there are significant challenges and concerns that may affect marginalized groups and society. Marginalized groups may find themselves targeted in increasing numbers due to the stigma placed upon them. Marginalized groups may also find themselves scapegoated for attacks and thus become ostracized in the process, leading to stereotyping and discriminatory practices in the future. For society, this study contributes an understanding of how actions taken by an organization can affect the livelihood of employees, shows that employees’ wellbeing is just as important as the health of the organization, and can improve practices to reduce risks through awareness and training on potential threats. Another major contribution is showing that if companies learn how these attacks affect employees directly and indirectly, they are able to provide the resources necessary to avoid the social, psychological, and economic ramifications of attacks.
Conclusion
To summarize the findings, ransomware attacks cause more than just damage to a company or organization; they affect individual employees as well. Individual victims are scrutinized for perceived errors and lapses of judgement, while employees from IT departments become overburdened with additional responsibilities. Companies and organizations should be aware of the harms their employees face during cyber-attacks, and that proper investment in their employees will enhance prosperity overall. When employees feel taken care of by their employer, they tend to reciprocate the sentiment and strive to perform better. Addressing employee needs is a way companies can protect their biggest asset, the staff.
References
Gareth Mott, Sarah Turner, Jason R C Nurse, Nandita Pattnaik, Jamie MacColl, Pia Huesch, James Sullivan, ‘There was a bit of PTSD every time I walked through the office door’: Ransomware harms and the factors that influence the victim organization’s experience, Journal of Cybersecurity, Volume 10, Issue 1, 2024, tyae013, https://doi.org/10.1093/cybsec/tyae013