{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,25]],"date-time":"2026-04-25T22:57:27Z","timestamp":1777157847798,"version":"3.51.4"},"reference-count":52,"publisher":"Association for Computing Machinery (ACM)","issue":"4","license":[{"start":{"date-parts":[[2023,10,20]],"date-time":"2023-10-20T00:00:00Z","timestamp":1697760000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"A RISCS Fellowship in Quantification and Cyber Risk for A. Cartwright"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2023,12,31]]},"abstract":"<jats:p>We explore the economics of ransomware on production supply chains. Integrated supply chains result in a mutual-dependence between firms that can be exploited by cyber-criminals. For instance, we show that by targeting one firm in the network the criminals can potentially hold multiple firms to ransom. Overlapping security systems may also allow the criminals to strike at weak points in the network. For instance, it may be optimal for the attacker to target a supplier in order to ransom a large producer at the heart of the production network. We introduce a game theoretic model of an attack on a supply chain and solve for two types of Nash equilibria. We then study a hub and spoke example before providing simulation results for a general case. We find that the total ransom the criminals can demand is increasing in the average path length of the network. Thus, the ransom is lowest for a hub and spoke network and highest for a line network. Mitigation strategies are discussed.<\/jats:p>","DOI":"10.1145\/3579647","type":"journal-article","created":{"date-parts":[[2023,2,10]],"date-time":"2023-02-10T12:00:20Z","timestamp":1676030420000},"page":"1-14","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":14,"title":["The Economics of Ransomware Attacks on Integrated Supply Chain Networks"],"prefix":"10.1145","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-1965-842X","authenticated-orcid":false,"given":"Anna","family":"Cartwright","sequence":"first","affiliation":[{"name":"Oxford Brookes University, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0194-9368","authenticated-orcid":false,"given":"Edward","family":"Cartwright","sequence":"additional","affiliation":[{"name":"De Montfort University, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2023,10,20]]},"reference":[{"key":"e_1_3_2_2_2","first-page":"47","article-title":"Ransomware, cyber sanctions, and the problem of timing","volume":"63","author":"Abely Christine","year":"2022","unstructured":"Christine Abely. 2022. Ransomware, cyber sanctions, and the problem of timing. BCL Rev. E. Supp. I- 63 (2022), 47.","journal-title":"BCL Rev. E. Supp. I-"},{"key":"e_1_3_2_3_2","unstructured":"Helen Sydney Adams. 2022. Why manufacturing supply chains are at risk of cyberattacks . Manufacturing. (2022). Retrieved February 8 2023 from https:\/\/manufacturingdigital.com\/procurement-and-supply-chain\/why-manufacturing-supply-chains-are-at-risk-of-cyberattacks."},{"issue":"2","key":"e_1_3_2_4_2","first-page":"48","article-title":"Ransomware: A survey and trends","volume":"6","author":"Aurangzeb Sana","year":"2017","unstructured":"Sana Aurangzeb, Muhammad Aleem, Muhammad Azhar Iqbal, Muhammad Arshad Islam, et\u00a0al. 2017. Ransomware: A survey and trends. Journal of Information Assurance & Security 6, 2 (2017), 48\u201358.","journal-title":"Journal of Information Assurance & Security"},{"key":"e_1_3_2_5_2","unstructured":"Joshua Becker. 2021. Cyber attacks on rise as criminals target Australian agricultural supply chains . ABC News. (2021). Retrieved February 8 2023 from https:\/\/www.abc.net.au\/news\/rural\/2021-06-04\/cyber-attacks-on-rise-in-agriculture-industry\/100188712."},{"issue":"4","key":"e_1_3_2_6_2","doi-asserted-by":"crossref","first-page":"28","DOI":"10.22215\/timreview\/888","article-title":"Cybersecurity and cyber-resilient supply chains","volume":"5","author":"Boyes Hugh","year":"2015","unstructured":"Hugh Boyes. 2015. Cybersecurity and cyber-resilient supply chains. Technology Innovation Management Review 5, 4 (2015), 28\u201334.","journal-title":"Technology Innovation Management Review"},{"key":"e_1_3_2_7_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.technovation.2014.02.001"},{"key":"e_1_3_2_8_2","first-page":"69","volume-title":"Advances in Human Factors in Cybersecurity: Proceedings of the AHFE 2018 International Conference on Human Factors in Cybersecurity, July 21\u201325, 2018, Loews Sapphire Falls Resort at Universal Studios, Orlando, Florida, USA 9","author":"Caporusso Nicholas","year":"2019","unstructured":"Nicholas Caporusso, Singhtararaksme Chea, and Raied Abukhaled. 2019. A game-theoretical model of ransomware. In Advances in Human Factors in Cybersecurity: Proceedings of the AHFE 2018 International Conference on Human Factors in Cybersecurity, July 21\u201325, 2018, Loews Sapphire Falls Resort at Universal Studios, Orlando, Florida, USA 9. Springer, 69\u201378."},{"issue":"2","key":"e_1_3_2_9_2","doi-asserted-by":"crossref","first-page":"26","DOI":"10.3390\/g10020026","article-title":"Ransomware and reputation","volume":"10","author":"Cartwright Anna","year":"2019","unstructured":"Anna Cartwright and Edward Cartwright. 2019. Ransomware and reputation. Games 10, 2 (2019), 26.","journal-title":"Games"},{"issue":"1","key":"e_1_3_2_10_2","doi-asserted-by":"crossref","first-page":"tyz009","DOI":"10.1093\/cybsec\/tyz009","article-title":"To pay or not: Game theoretic models of ransomware","volume":"5","author":"Cartwright Edward","year":"2019","unstructured":"Edward Cartwright, Julio Hernandez Castro, and Anna Cartwright. 2019. To pay or not: Game theoretic models of ransomware. Journal of Cybersecurity 5, 1 (2019), tyz009.","journal-title":"Journal of Cybersecurity"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1108\/SCM-09-2017-0289"},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.101568"},{"issue":"1","key":"e_1_3_2_13_2","first-page":"405","article-title":"A supply chain network game theory model of cybersecurity investments with nonlinear budget constraints Anna Nagurney Isenberg School of Management","volume":"248","author":"Daniele Patrizia","year":"2017","unstructured":"Patrizia Daniele and Shivani Shukla. 2017. A supply chain network game theory model of cybersecurity investments with nonlinear budget constraints Anna Nagurney Isenberg School of Management. Annals of Operations Research 248, 1 (2017), 405\u2013427.","journal-title":"Annals of Operations Research"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10683-007-9178-9"},{"key":"e_1_3_2_15_2","article-title":"Should we outlaw ransomware payments?","author":"Dey Debabrata","year":"2021","unstructured":"Debabrata Dey and Atanu Lahiri. 2021. Should we outlaw ransomware payments? Proceedings of the 54th Hawaii International Conference on System Sciences (2021). Retrieved February 8, 2023 from http:\/\/hdl.handle.net\/10125\/71414.","journal-title":"Proceedings of the 54th Hawaii International Conference on System Sciences"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1016\/S1361-3723(16)30036-7"},{"key":"e_1_3_2_17_2","article-title":"Should the ransomware be paid?","author":"Fang Rui","year":"2020","unstructured":"Rui Fang, Maochao Xu, and Peng Zhao. 2020. Should the ransomware be paid? arXiv preprint arXiv:2010.06700 (2020).","journal-title":"arXiv preprint arXiv:2010.06700"},{"key":"e_1_3_2_18_2","unstructured":"Anthony M. Freed. 2021. REvil\/Sodinokibi ransomware gang extorts Apple through supply chain attack. Cybereason. (2021). Retrieved February 8 2023 from https:\/\/www.cybereason.com\/blog\/sodinokibi-ransomware-gang-extorts-apple-through-supply-chain-attack."},{"key":"e_1_3_2_19_2","volume-title":"Game Theory","author":"Fudenberg Drew","year":"1991","unstructured":"Drew Fudenberg and Jean Tirole. 1991. Game Theory. MIT Press."},{"issue":"2","key":"e_1_3_2_20_2","doi-asserted-by":"crossref","first-page":"223","DOI":"10.1108\/SCM-10-2018-0357","article-title":"Managing cyber risk in supply chains: A review and research agenda","volume":"25","author":"Ghadge Abhijeet","year":"2020","unstructured":"Abhijeet Ghadge, Maximilian Wei\u00df, Nigel D. Caldwell, and Richard Wilding. 2020. Managing cyber risk in supply chains: A review and research agenda. Supply Chain Management: An International Journal 25, 2 (2020), 223\u2013240.","journal-title":"Supply Chain Management: An International Journal"},{"key":"e_1_3_2_21_2","article-title":"\u201cWe wait, because we know you.\u201d Inside the ransomware negotiation economics.","volume":"12","author":"Hack Pepijn","year":"2021","unstructured":"Pepijn Hack and Zong-Yu Wu. 2021. \u201cWe wait, because we know you.\u201d Inside the ransomware negotiation economics. NCC Group, Nov. 12 (2021). https:\/\/research.nccgroup.com\/2021\/11\/12\/we-wait-because-we-know-you-inside-the-ransomware-negotiation-economics\/.","journal-title":"NCC Group, Nov."},{"issue":"1","key":"e_1_3_2_22_2","doi-asserted-by":"crossref","first-page":"5","DOI":"10.1177\/1548512918808410","article-title":"Models for restoration decision making for a supply chain network after a cyber attack","volume":"17","author":"Heath Emily A.","year":"2020","unstructured":"Emily A. Heath, John E. Mitchell, and Thomas C. Sharkey. 2020. Models for restoration decision making for a supply chain network after a cyber attack. The Journal of Defense Modeling and Simulation 17, 1 (2020), 5\u201319.","journal-title":"The Journal of Defense Modeling and Simulation"},{"issue":"3","key":"e_1_3_2_23_2","doi-asserted-by":"crossref","first-page":"190023","DOI":"10.1098\/rsos.190023","article-title":"An economic analysis of ransomware and its welfare consequences","volume":"7","author":"Hernandez-Castro Julio","year":"2020","unstructured":"Julio Hernandez-Castro, Anna Cartwright, and Edward Cartwright. 2020. An economic analysis of ransomware and its welfare consequences. Royal Society Open Science 7, 3 (2020), 190023.","journal-title":"Royal Society Open Science"},{"key":"e_1_3_2_24_2","article-title":"NHS cyberattack may prove to be a valuable wake up call","volume":"357","author":"Hoeksma Jon","year":"2017","unstructured":"Jon Hoeksma. 2017. NHS cyberattack may prove to be a valuable wake up call. BMJ 357 (2017).","journal-title":"BMJ"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1016\/S1353-4858(20)30118-5"},{"key":"e_1_3_2_26_2","volume-title":"X-Force Threat Intelligence Index 2022","year":"2022","unstructured":"IBM. 2022. X-Force Threat Intelligence Index 2022. IBM Report. IBM. https:\/\/www.ibm.com\/downloads\/cas\/ADLMYLAZ."},{"key":"e_1_3_2_27_2","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-319-69305-7","volume-title":"Structural Dynamics and Resilience in Supply Chain Risk Management","author":"Ivanov Dmitry","year":"2018","unstructured":"Dmitry Ivanov et\u00a0al. 2018. Structural Dynamics and Resilience in Supply Chain Risk Management. Vol. 265. Springer."},{"issue":"3","key":"e_1_3_2_28_2","doi-asserted-by":"crossref","first-page":"719","DOI":"10.1016\/j.jfineco.2019.05.019","article-title":"Risk management, firm reputation, and the impact of successful cyberattacks on target firms","volume":"139","author":"Kamiya Shinichi","year":"2021","unstructured":"Shinichi Kamiya, Jun-Koo Kang, Jungmin Kim, Andreas Milidonis, and Ren\u00e9 M. Stulz. 2021. Risk management, firm reputation, and the impact of successful cyberattacks on target firms. Journal of Financial Economics 139, 3 (2021), 719\u2013749.","journal-title":"Journal of Financial Economics"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1002\/smj.4250150908"},{"key":"e_1_3_2_30_2","doi-asserted-by":"crossref","first-page":"397","DOI":"10.1007\/978-3-319-68711-7_21","volume-title":"Decision and Game Theory for Security: 8th International Conference, GameSec 2017, Vienna, Austria, October 23\u201325, 2017, Proceedings","author":"Laszka Aron","year":"2017","unstructured":"Aron Laszka, Sadegh Farhang, and Jens Grossklags. 2017. On the economics of ransomware. In Decision and Game Theory for Security: 8th International Conference, GameSec 2017, Vienna, Austria, October 23\u201325, 2017, Proceedings. Springer, 397\u2013417."},{"issue":"4","key":"e_1_3_2_31_2","doi-asserted-by":"crossref","first-page":"355","DOI":"10.23940\/ijpe.12.4.p355.mag","article-title":"Review of systems defense and attack models","volume":"8","author":"Levitin Gregory","year":"2012","unstructured":"Gregory Levitin and Kjell Hausken. 2012. Review of systems defense and attack models. International Journal of Performability Engineering 8, 4 (2012), 355.","journal-title":"International Journal of Performability Engineering"},{"key":"e_1_3_2_32_2","doi-asserted-by":"crossref","first-page":"107529","DOI":"10.1016\/j.ijpe.2019.107529","article-title":"Network characteristics and supply chain resilience under conditions of risk propagation","volume":"223","author":"Li Yuhong","year":"2020","unstructured":"Yuhong Li, Christopher W. Zobel, Onur Seref, and Dean Chatfield. 2020. Network characteristics and supply chain resilience under conditions of risk propagation. International Journal of Production Economics 223 (2020), 107529.","journal-title":"International Journal of Production Economics"},{"key":"e_1_3_2_33_2","first-page":"1","volume-title":"Proceedings of the 15th International Conference on Availability, Reliability and Security","author":"Li Zhen","year":"2020","unstructured":"Zhen Li and Qi Liao. 2020. Ransomware 2.0: To sell, or not to sell a game-theoretical model of data-selling ransomware. In Proceedings of the 15th International Conference on Availability, Reliability and Security. 1\u20139."},{"issue":"10","key":"e_1_3_2_34_2","doi-asserted-by":"crossref","first-page":"8","DOI":"10.1016\/S1353-4858(16)30096-4","article-title":"Ransomware: Taking businesses hostage","volume":"2016","author":"Mansfield-Devine Steve","year":"2016","unstructured":"Steve Mansfield-Devine. 2016. Ransomware: Taking businesses hostage. Network Security 2016, 10 (2016), 8\u201317.","journal-title":"Network Security"},{"key":"e_1_3_2_35_2","volume-title":"Global Supply Chains: Trade and Economic Policies for Developing Countries","author":"Nicita Alessandro","year":"2013","unstructured":"Alessandro Nicita, Victor Ognivtsev, Miho Shirotori, et\u00a0al. 2013. Global Supply Chains: Trade and Economic Policies for Developing Countries. UN."},{"key":"e_1_3_2_36_2","doi-asserted-by":"crossref","first-page":"135","DOI":"10.1109\/MERCon.2017.7980470","volume-title":"2017 Moratuwa Engineering Research Conference (MERCon)","author":"Perera Supun","year":"2017","unstructured":"Supun Perera, H. Niles Perera, and Dharshana Kasthurirathna. 2017. Structural characteristics of complex supply chain networks. In 2017 Moratuwa Engineering Research Conference (MERCon). IEEE, 135\u2013140."},{"key":"e_1_3_2_37_2","article-title":"Topological structure of manufacturing industry supply chain networks","volume":"2018","author":"Perera Supun S.","year":"2018","unstructured":"Supun S. Perera, Michael G. H. Bell, Mahendrarajah Piraveenan, Dharshana Kasthurirathna, and Mamata Parhi. 2018. Topological structure of manufacturing industry supply chain networks. Complexity 2018 (2018).","journal-title":"Complexity"},{"issue":"1","key":"e_1_3_2_38_2","doi-asserted-by":"crossref","first-page":"56","DOI":"10.1111\/jbl.12202","article-title":"The evolution of resilience in supply chain management: A retrospective on ensuring supply chain resilience","volume":"40","author":"Pettit Timothy J.","year":"2019","unstructured":"Timothy J. Pettit, Keely L. Croxton, and Joseph Fiksel. 2019. The evolution of resilience in supply chain management: A retrospective on ensuring supply chain resilience. Journal of Business Logistics 40, 1 (2019), 56\u201365.","journal-title":"Journal of Business Logistics"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1002\/j.2158-1592.2010.tb00125.x"},{"key":"e_1_3_2_40_2","volume-title":"2022 State of the Phish","year":"2022","unstructured":"Proofpoint. 2022. 2022 State of the Phish. Proofpoint Report. https:\/\/www.proofpoint.com\/uk\/resources\/threat-reports\/state-of-phish."},{"issue":"2","key":"e_1_3_2_41_2","doi-asserted-by":"crossref","first-page":"100013","DOI":"10.1016\/j.jjimei.2021.100013","article-title":"Information security breaches due to ransomware attacks-a systematic literature review","volume":"1","author":"Reshmi T. R.","year":"2021","unstructured":"T. R. Reshmi. 2021. Information security breaches due to ransomware attacks-a systematic literature review. International Journal of Information Management Data Insights 1, 2 (2021), 100013.","journal-title":"International Journal of Information Management Data Insights"},{"key":"e_1_3_2_42_2","unstructured":"Anna Ribeiro. 2021. One year after SolarWinds attack more needs to be done to boost cybersecurity in industrial sector . Industrial Cyber. (2021). Retrieved February 9 2023 from https:\/\/industrialcyber.co\/critical-infrastructure\/one-year-after-solarwinds-attack-more-needs-to-be-done-to-boost-cybersecurity-in-industrial-sector\/."},{"issue":"1","key":"e_1_3_2_43_2","first-page":"10","article-title":"Ransomware: Evolution, mitigation and prevention","volume":"13","author":"Richardson Ronny","year":"2017","unstructured":"Ronny Richardson and Max M. North. 2017. Ransomware: Evolution, mitigation and prevention. International Management Review 13, 1 (2017), 10.","journal-title":"International Management Review"},{"issue":"1","key":"e_1_3_2_44_2","first-page":"5","article-title":"Ransomware: The landscape is shifting-a concise report","volume":"17","author":"Richardson Ronny","year":"2021","unstructured":"Ronny Richardson, Max M. North, and David Garofalo. 2021. Ransomware: The landscape is shifting-a concise report. International Management Review 17, 1 (2021), 5\u201386.","journal-title":"International Management Review"},{"key":"e_1_3_2_45_2","article-title":"New risks in ransomware: Supply chain attacks and cryptocurrency","author":"Robinson Amy","year":"2022","unstructured":"Amy Robinson, Casey Corcoran, and James Waldo. 2022. New risks in ransomware: Supply chain attacks and cryptocurrency. Science, Technology, and Public Policy Program Reports (2022).","journal-title":"Science, Technology, and Public Policy Program Reports"},{"key":"e_1_3_2_46_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ejor.2019.09.017"},{"key":"e_1_3_2_47_2","doi-asserted-by":"crossref","first-page":"691","DOI":"10.1109\/INFOCOMMST.2018.8632153","volume-title":"2018 International Scientific-Practical Conference Problems of Infocommunications. Science and Technology (PIC S&T)","author":"Snihurov Arkadii","year":"2018","unstructured":"Arkadii Snihurov, Oleksandr Shulhin, and Vitaly Balashov. 2018. Experimental studies of ransomware for developing cybersecurity measures. In 2018 International Scientific-Practical Conference Problems of Infocommunications. Science and Technology (PIC S&T). IEEE, 691\u2013695."},{"key":"e_1_3_2_48_2","doi-asserted-by":"publisher","DOI":"10.1108\/09600030010351444"},{"key":"e_1_3_2_49_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.physa.2015.09.082"},{"key":"e_1_3_2_50_2","unstructured":"Joel Witts. 2021. The Apple ransomware attack: Supply chains under siege. (2021). Retrieved February 9 2023 from https:\/\/expertinsights.com\/insights\/the-apple-ransomware-attack-supply-chains-are-under-siege\/."},{"key":"e_1_3_2_51_2","unstructured":"Emma Woollacott. 2022. Ransomware attacks on the shipping logistics organizations rising as coronavirus vaccine supply chain targeted. (2022). Retrieved February 9 2023 from Ransomwareattacksontheshipping logisticsorganizationsrisingascoronavirusvaccinesupplychaintargeted."},{"issue":"1","key":"e_1_3_2_52_2","doi-asserted-by":"crossref","first-page":"tyaa023","DOI":"10.1093\/cybsec\/tyaa023","article-title":"An empirical study of ransomware attacks on organizations: An assessment of severity and salient factors affecting vulnerability","volume":"6","author":"Connolly Lena Yuryna","year":"2020","unstructured":"Lena Yuryna Connolly, David S. Wall, Michael Lang, and Bruce Oddson. 2020. An empirical study of ransomware attacks on organizations: An assessment of severity and salient factors affecting vulnerability. Journal of Cybersecurity 6, 1 (2020), tyaa023.","journal-title":"Journal of Cybersecurity"},{"key":"e_1_3_2_53_2","article-title":"Addressing crypto-ransomware attacks: Before you decide whether to-pay or not-to.","author":"Aaron Zhaoshun Wang Zimba,","year":"2019","unstructured":"Zhaoshun Wang Zimba, Aaron and Mumbi Chishimba. 2019. Addressing crypto-ransomware attacks: Before you decide whether to-pay or not-to. Journal of Computer Information Systems (2019).","journal-title":"Journal of Computer Information Systems"}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3579647","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3579647","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T17:48:44Z","timestamp":1750182524000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3579647"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,20]]},"references-count":52,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2023,12,31]]}},"alternative-id":["10.1145\/3579647"],"URL":"https:\/\/doi.org\/10.1145\/3579647","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,10,20]]},"assertion":[{"value":"2021-11-28","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-12-15","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-10-20","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}