Featured article

‘There was a bit of PTSD every time I walked through the office door’: Ransomware harms and the factors that influence the victim organization’s experience

Gareth Mott, Sarah Turner, Jason R C Nurse, Nandita Pattnaik, Jamie MacColl, Pia Huesch, and James Sullivan

Published in the Journal of Cybersecurity, Volume 10, Issue 1, 2024. OUP.

Ransomware is a pernicious contemporary cyber threat for organizations, with ransomware operators intentionally leveraging a range of harms against their victims in order to solicit increasingly significant ransom payments. This article advances current research by engaging in a topical analysis into the depth and breadth of harms experienced by victim organizations and their members of staff. We, therefore, enhance the understanding of the negative experiences from ransomware attacks, particularly looking beyond the financial impact which dominates current narratives. Having conducted an interview or workshop with 83 professionals including ransomware victims, incident responders, ransom negotiators, law enforcement, and government, we identify a wide array of severe harms. For organizations, the risk of business interruption and/or data exposure presents potentially highly impactful financial and reputational harm(s). The victim organization’s staff can also experience a range of under-reported harms, which include physiological and physical harms that may be acute. We also identify factors that can either alleviate or aggravate the experiencing of harms at the organizational and employee level; including ransomware preparedness, leadership culture, and crisis communication. Given the scale and scope of the identified harms, the paper provides significant new empirical evidence to emphasize ransomware’s positioning as a whole-of-organization crisis phenomenon, as opposed to an ‘IT problem’. We argue that the wider discourse surrounding ransomware harms and impacts should be reflective of the nature of the real-term experience(s) of victims. This, in turn, could help guide efforts to alleviate ransomware harms, through improved organizational ransomware preparedness and tailored post-ransomware mitigation.

[pdf] [doi]