Article Review of “An empirical study of ransomware attacks on organizations”

           “An empirical study of ransomware attacks on organizations: an assessment of severity and salient factors affecting vulnerability,” written by Lena Y. Connolly et al. and published in the Journal of Cybersecurity in December of 2020, collected quantitative and qualitative data on fifty-five instances of ransomware attacks across fifty organizations in the United Kingdom and the United States to assess what effect characteristics of both the attack and the organization had on the severity of the attack. Data was collected primarily through interviews with IT professionals of the affected organizations and police officers of the UK’s cybercrime unit.

           Quantitative and qualitative data was collected through an initial set of interviews, and this data was used to develop an Impact Assessment Instrument, measuring three levels of severity across several factors to determine overall severity of a ransomware attack. The Instrument was then used as a framework for conducting an additional round of interviews with other organizations. These factors include how long business continuity was disrupted, how long it took to recover data, how many devices were affected, how much encrypted data was critical to business operations, and how much information was lost. Results were weighted in such a way that any single factor receiving a high severity rating would lead to an overall high severity rating, to better reflect how the victims themselves view the attack (Connolly et al 2020).

           The study sought to answer six separate hypotheses. It was determined that an organization’s size has no bearing on the severity of a ransomware attack, with both small and mid-size enterprises (SMEs) and large organizations facing similar levels of severity. Additionally, the type of crypto-ransomware used and whether machine or human vulnerabilities were targeted were found to have no effect on the severity of an attack. It was found, however, that an organization’s sector affected ransomware severity, with private organizations facing harsher consequences from an attack via disrupted business and loss of reputation and customers. Security posture, as well, played a key role in the severity of a ransomware attack, with a possible connection to the previous hypothesis being that among the organizations studied, public organizations, due to regulatory mandates, had higher security postures than private organizations. Whether a ransomware attack was targeted or opportunistic was also found to influence severity, with targeted attacks being more severe and demanding far higher ransoms than opportunistic strikes (Connolly et al 2020).

            Notably, this study highlights the relativism of cybersecurity issues through the wide array of organizations which had been targeted by ransomware attacks. Organizations examined in the study include not only IT businesses, but “government, law enforcement, education, healthcare, financial services, construction, retail, logistics, utility providers, and several other categories” across both the private and public sectors. The study makes a strong argument for determinism playing a role in ransomware attacks, with weak security postures generating more severe attacks, and known vulnerabilities within an organization being exploited multiple times. As this study found three separate factors which influence severity of a ransomware attack, it could be argued that the study’s findings lack parsimony (Connolly et al 2020).

Reference

Connolly, L. Y., Wall, D. S., Lang, M., & Oddson, B. (2020). An empirical study of ransomware attacks on organizations: An assessment of severity and salient factors affecting vulnerability. Journal of Cybersecurity, 6(1). https://doi.org/10.1093/cybsec/tyaa023
