Abstract
Ransomware attacks present organisations with complex and consequential decisions regarding whether to pay ransom demands. This dissertation synthesises existing empirical research, theoretical models, and policy analyses to examine the conditions under which organisations choose to pay ransoms and the justifications they employ for such decisions. Through a comprehensive literature review of 50 relevant studies identified from an initial corpus of over 1,000 papers, this research identifies three primary factors influencing payment decisions: the unavailability of functional data backups, immediate threats to business continuity, and recommendations from cybersecurity experts and insurers. Organisations justify ransom payments predominantly through appeals to operational necessity, data protection obligations, and ethical imperatives in critical sectors such as healthcare. The analysis reveals that while most organisations prefer not to pay—with payment rates typically below 30%—real-world constraints frequently override these preferences. The findings highlight significant legal ambiguities surrounding ransom payments, the uncertain efficacy of payment in securing data recovery, and the complex role of cyber insurance in shaping organisational responses. This dissertation concludes by identifying research gaps and proposing directions for future investigation into long-term outcomes and policy interventions.
Introduction
Ransomware attacks have emerged as one of the most significant cybersecurity threats facing organisations globally, with incidents increasing in both frequency and sophistication over the past decade. These attacks, which involve malicious actors encrypting organisational data and demanding payment for its release, create profound operational, financial, and ethical dilemmas for victims. The decision of whether to pay a ransom demand represents a critical juncture that can determine organisational survival, yet the factors influencing this decision and the rationalisations employed to justify payment remain insufficiently understood.
The contemporary ransomware landscape presents organisations with increasingly complex threat scenarios. Traditional attacks focused solely on data encryption have evolved into sophisticated “double extortion” schemes, wherein attackers not only encrypt data but also threaten to publish sensitive information publicly if demands are not met (Meurs et al., 2023). This evolution has fundamentally altered the risk calculus for organisations, as even those with comprehensive backup systems may find themselves compelled to consider payment to prevent data exposure.
Understanding ransomware payment decisions carries significant academic and practical importance. From an academic perspective, these decisions represent a fascinating intersection of organisational behaviour, crisis management, economic decision-making, and ethical reasoning under extreme uncertainty. Practically, the collective decisions of ransomware victims shape the broader cybercrime ecosystem; payments to attackers provide resources that fund future attacks, creating a feedback loop that perpetuates the threat (Hernandez-Castro, Cartwright and Cartwright, 2020). Policymakers, law enforcement agencies, and cybersecurity professionals require evidence-based understanding of payment decisions to develop effective interventions and guidance.
The legal and regulatory environment surrounding ransomware payments adds further complexity. In many jurisdictions, paying ransoms exists in a legal grey area, potentially violating sanctions regimes or anti-money laundering regulations depending on the identity of the attackers (Westbrook, 2021; Krivokapić et al., 2023). Organisations must therefore navigate not only immediate operational pressures but also potential legal liabilities that may emerge from their response decisions.
This dissertation addresses the research question: under what circumstances do organisations pay ransomware demands, and how do they justify these decisions? By synthesising existing research across multiple disciplines—including cybersecurity, criminology, economics, and organisational behaviour—this work provides a comprehensive analysis of ransomware payment decision-making that informs both academic understanding and practical guidance.
Aim and objectives
The primary aim of this dissertation is to critically examine and synthesise existing research on organisational ransomware payment decisions to identify the conditions under which payments occur and the justification mechanisms organisations employ.
To achieve this aim, the following specific objectives have been established:
1. To identify and analyse the primary factors that influence organisational decisions regarding ransomware payment, including technical preparedness, external advice, and threat characteristics.
2. To examine the justification mechanisms and rationalisations that organisations employ when deciding to pay ransomware demands.
3. To evaluate the economic and game-theoretic models that explain ransomware payment behaviour and their implications for understanding rational decision-making under threat.
4. To assess the legal, ethical, and regulatory considerations that shape ransomware response decisions across different organisational contexts and jurisdictions.
5. To identify gaps in current research and propose directions for future investigation that would enhance understanding of ransomware payment decisions.
Methodology
This dissertation employs a systematic literature review methodology to synthesise existing research on ransomware payment decisions. This approach is appropriate given the diverse nature of the research landscape, which encompasses empirical studies, theoretical models, policy analyses, and case reports across multiple disciplines.
Search strategy
A comprehensive literature search was conducted across major academic databases, including Semantic Scholar and PubMed, encompassing over 170 million research papers. The search strategy employed 21 targeted queries organised into eight thematic areas: foundational frameworks, decision-making factors, economic and game-theoretic models, ethical and legal perspectives, negotiation strategies, insurance influences, psychological factors, and empirical case studies.
Search terms included combinations of “ransomware,” “ransom payment,” “extortion,” “cyber attack response,” “payment decision,” “business continuity,” “data backup,” and related terminology. Boolean operators were used to refine searches and ensure comprehensive coverage of the literature.
Inclusion and exclusion criteria
Papers were included if they: (a) addressed ransomware attacks on organisations specifically; (b) examined factors influencing payment decisions or justification mechanisms; (c) were published in peer-reviewed journals, conference proceedings, or reputable working paper series; and (d) were available in English. Papers were excluded if they: (a) focused exclusively on technical aspects of ransomware without addressing organisational response; (b) were opinion pieces without empirical or theoretical grounding; or (c) were published in non-peer-reviewed outlets lacking academic rigour.
Selection process
The selection process followed a four-phase approach. Initial searches identified 1,091 papers. After removing duplicates, 486 papers remained for screening. Eligibility assessment based on abstracts and titles reduced this to 253 papers. Full-text review of these papers, focusing on relevance, quality, and contribution to the research questions, resulted in a final sample of 50 papers included in this review.
Data extraction and synthesis
Data extraction focused on identifying key findings related to payment prevalence, influencing factors, justification mechanisms, and theoretical frameworks. A narrative synthesis approach was adopted to integrate findings across studies, organised thematically according to the research objectives. Where studies provided quantitative data on payment rates or influencing factors, these were compared and synthesised to identify patterns and areas of consensus or disagreement.
Quality assessment
Quality was assessed using criteria appropriate to each study type. Empirical studies were evaluated based on sample size, methodological rigour, and transparency of reporting. Theoretical and modelling studies were assessed based on the clarity of assumptions, logical consistency, and practical applicability. Studies drawing on policy analysis were evaluated based on the breadth of evidence considered and the coherence of argumentation.
Literature review
Prevalence and patterns of ransom payment
The empirical evidence consistently indicates that most organisations do not pay ransomware demands, although payment rates vary considerably depending on organisational characteristics and attack circumstances. Surveys of ransomware victims typically report payment rates below 30%, suggesting that non-payment remains the majority response (Mujeye, 2022; Muhly and Leo, 2024; Cartwright et al., 2022). However, this aggregate figure masks significant variation across sectors, organisation sizes, and attack characteristics.
Small and medium-sized enterprises (SMEs) demonstrate a higher propensity to pay ransoms than larger organisations (Matthijsse et al., 2024; Voce and Morgan, 2021). This pattern reflects the resource constraints that characterise smaller organisations: limited investment in cybersecurity infrastructure, less comprehensive backup systems, and reduced capacity to absorb operational disruption during recovery periods. For SMEs, the ransom demand may represent a smaller financial burden relative to the costs of extended downtime or data loss, making payment appear economically rational.
Sectoral differences in payment behaviour are particularly pronounced in healthcare settings, where the imperative to restore critical services can override other considerations (Ghayoomi et al., 2021). Healthcare organisations face unique pressures: patient safety concerns, regulatory requirements around data availability, and the life-or-death nature of some services create compelling arguments for rapid restoration, even at the cost of ransom payment. This sectoral vulnerability has not escaped the notice of ransomware operators, who increasingly target healthcare organisations precisely because of their perceived willingness to pay.
Temporal patterns in payment behaviour suggest evolution in both attacker tactics and victim responses. The emergence of double extortion tactics—wherein attackers threaten to publish stolen data in addition to encrypting systems—has altered the landscape significantly (Meurs et al., 2023). Traditional defences against ransomware focused on maintaining robust backup systems that would render encryption ineffective as leverage. Double extortion undermines this defence, as organisations may face reputational, regulatory, and legal consequences from data exposure regardless of their ability to restore systems independently.
Key factors influencing payment decisions
The literature identifies several primary factors that influence organisational decisions regarding ransomware payment. These factors operate at technical, organisational, and environmental levels, often interacting in complex ways to shape outcomes.
The availability and integrity of data backups represents the single most important technical factor in payment decisions (Matthijsse et al., 2024; Meurs et al., 2023). Organisations with recent, complete, and tested backups can restore operations without paying ransoms, removing the primary leverage that attackers possess. Conversely, organisations lacking such backups—whether due to resource constraints, inadequate planning, or attacker actions that delete or encrypt every backup copy reachable from the compromised network before the ransomware is deployed—face stark choices between payment and potentially catastrophic data loss. A backup therefore only counts as available if it is held out of the attacker's reach and has been restored successfully in a test. Research consistently demonstrates a strong correlation between backup availability and non-payment, highlighting the preventive value of robust backup strategies.
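The three adjectives above (recent, complete, tested) and the caveat about attacker-reachable copies can be turned into a concrete readiness check. The following is an added example, not code from any study cited on this page. It assumes a backup set is described by a manifest (path to SHA-256 recorded at backup time) together with the bytes the backup store actually holds now, and that the organisation knows its recovery point objective (RPO) and, during an incident, the earliest time the attacker is believed to have had access. All file contents and timestamps are constructed for the example.

```python
"""Backup readiness check: recency, completeness, integrity and isolation.

Added example; not taken from the cited literature. A backup that fails any
of these checks does not remove the attacker's leverage, whatever the
organisation believes about its backup posture.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupSet:
    taken_at: datetime
    manifest: dict[str, str]    # path -> sha256 hex recorded at backup time
    contents: dict[str, bytes]  # path -> bytes readable from the copy today


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict[str, bytes], taken_at: datetime) -> BackupSet:
    """Record a manifest for a set of files at the moment they are backed up."""
    return BackupSet(taken_at, {p: sha256_hex(b) for p, b in files.items()}, dict(files))


def assess_backup(backup, required_paths, rpo, now, compromise_time=None):
    """Return a list of findings; an empty list means the copy passes all four checks."""
    findings = []
    # Recency: data newer than the backup is lost on restore.
    age = now - backup.taken_at
    if age > rpo:
        findings.append(f"stale: backup is {age} old, RPO is {rpo}")
    # Isolation in time: a copy written after the attacker had access may
    # already hold encrypted or tampered files.
    if compromise_time is not None and backup.taken_at >= compromise_time:
        findings.append("taken after suspected compromise: may contain encrypted or tampered data")
    # Completeness: every asset needed for recovery must be in the set.
    for path in sorted(set(required_paths) - set(backup.manifest)):
        findings.append(f"missing from manifest: {path}")
    # Integrity: what the store holds now must match what was recorded.
    for path, expected in sorted(backup.manifest.items()):
        data = backup.contents.get(path)
        if data is None:
            findings.append(f"unreadable: {path}")
        elif sha256_hex(data) != expected:
            findings.append(f"integrity failure: {path}")
    return findings


def backup_usable(backup, required_paths, rpo, now, compromise_time=None) -> bool:
    return not assess_backup(backup, required_paths, rpo, now, compromise_time)


# Constructed scenario (not real data).
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)
COMPROMISE = datetime(2024, 6, 9, 22, 0, tzinfo=timezone.utc)
RPO = timedelta(hours=24)
REQUIRED = ["db/patients.sql", "db/billing.sql", "config/app.yaml"]
FILES = {p: f"original contents of {p}".encode() for p in REQUIRED}

# Offline copy taken the previous evening, before the attacker got in.
OFFLINE = make_backup(FILES, datetime(2024, 6, 9, 20, 0, tzinfo=timezone.utc))

# Online copy on a reachable share: one file was overwritten by the
# ransomware after the manifest was written.
ONLINE = make_backup(FILES, datetime(2024, 6, 9, 20, 0, tzinfo=timezone.utc))
ONLINE.contents["db/patients.sql"] = b"\x00ENCRYPTED\x00" + b"\xff" * 32

# Copy from a job that ran after the compromise and also skipped a file.
LATE = make_backup({k: v for k, v in FILES.items() if k != "config/app.yaml"},
                   datetime(2024, 6, 10, 2, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for label, b in [("offline", OFFLINE), ("online", ONLINE), ("late", LATE)]:
        print(label, assess_backup(b, REQUIRED, RPO, NOW, COMPROMISE) or "usable")
```

Only the offline copy passes. The online copy has a valid manifest and looks complete, which is exactly the case in which an organisation believes it has backups and discovers otherwise mid-incident; the check catches it only because it hashes the stored bytes rather than trusting the manifest.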
External advice plays a crucial role in shaping payment decisions, particularly recommendations from cybersecurity incident response firms and insurance providers (Matthijsse et al., 2024; Cartwright et al., 2023). Organisations experiencing ransomware attacks frequently lack internal expertise to assess their options effectively, making them heavily reliant on external guidance. The nature of this advice varies; some experts recommend against payment on principle, while others adopt pragmatic approaches that consider organisational circumstances. Insurance providers occupy a particularly influential position, as their policies may cover ransom payments and their preferred incident response partners may guide negotiations with attackers.
The severity and nature of the attack significantly influence payment propensity. Attacks that threaten core business operations, involve particularly sensitive data, or impose time-critical pressures on restoration create stronger arguments for payment (Connolly and Borrion, 2022; Hofmann, 2020). The potential costs of non-payment—including lost revenue, regulatory fines, reputational damage, and customer harm—enter the calculus alongside the ransom amount and probability of successful recovery following payment.
Trust in attackers’ credibility represents an important but often overlooked factor. Rational payment requires some expectation that attackers will honour their commitments by providing functional decryption tools following payment (Cartwright, Castro and Cartwright, 2019; Cartwright, Cartwright and Xue, 2025). Attackers have economic incentives to maintain reputations for reliability, as word of consistent non-delivery would undermine future victims’ willingness to pay. However, the reliability of different ransomware groups varies considerably, and organisations have limited ability to assess credibility in the midst of an attack. Even a working decryptor gives no verifiable assurance that data exfiltrated for double extortion has been deleted.
Justification mechanisms for payment
When organisations choose to pay ransomware demands, they employ various justification mechanisms that frame payment as acceptable or necessary despite countervailing considerations. These justifications operate at individual, organisational, and societal levels.
Business continuity arguments form the primary justification for payment. Organisations frame ransom payment as a necessary cost of operational survival, particularly when alternatives would involve extended downtime, permanent data loss, or existential threats to the enterprise (Hofmann, 2020). This framing treats payment as analogous to other business expenses incurred to maintain operations, removing some of the ethical stigma associated with capitulating to criminals.
Legal and regulatory obligations provide additional justification frameworks. Organisations holding sensitive personal data face regulatory requirements around data protection and breach notification that create pressures toward rapid resolution of ransomware incidents. Payment may be framed as fulfilling data protection obligations by securing the return of encrypted data or preventing its public release. However, this justification exists in tension with potential legal liabilities arising from payment itself (Krivokapić et al., 2023; Hashmi and Hashmi, 2023).
Ethical imperatives prove particularly relevant in critical sectors. Healthcare organisations, in particular, can invoke patient welfare arguments to justify payment when attacks threaten clinical systems (Ghayoomi et al., 2021). The principle of avoiding harm to vulnerable individuals provides strong ethical grounding for payment decisions, even where financial or policy considerations might argue against it. Similar arguments apply in other critical infrastructure contexts where ransomware attacks could endanger public safety.
External advice serves both as an influencing factor and a justification mechanism. Organisations can distribute responsibility for payment decisions by emphasising that they followed expert recommendations (Matthijsse et al., 2024). This diffusion of accountability may facilitate payment by reducing the perceived personal responsibility of decision-makers and providing cover against subsequent criticism.
The framing of payment as a “last resort” appears consistently across justification narratives (Westbrook, 2021). Organisations emphasise that they explored all alternatives before concluding that payment was necessary, positioning themselves as reluctant rather than willing participants in the ransomware economy. This framing acknowledges the problematic nature of payment while arguing that exceptional circumstances justify an exception to normal principles.
Economic and game-theoretic perspectives
Economic analysis and game-theoretic modelling provide theoretical frameworks for understanding ransomware payment decisions as rational responses to structured incentive environments. These approaches complement empirical studies by identifying optimal strategies under varying conditions and explaining observed patterns of behaviour.
Game-theoretic models conceptualise ransomware interactions as games between rational actors—victims and attackers—each seeking to maximise their expected utility (Cartwright, Castro and Cartwright, 2019; Fang, Xu and Zhao, 2022). Victims weigh the ransom amount against expected losses from non-payment, adjusted for the probability that payment will successfully secure data recovery. Attackers set ransom amounts to maximise expected revenue, balancing the desire for higher payments against the reduced probability of payment that higher demands entail.
The optimal ransom amount from an attacker’s perspective depends on the victim’s perceived value of the encrypted data and their available alternatives (Fang, Xu and Zhao, 2020). Sophisticated attackers conduct research on victims to calibrate demands appropriately, targeting amounts high enough to be profitable but low enough to secure payment. This explains the wide variation in ransom demands across incidents and the evolution toward more targeted attacks on organisations perceived as able and willing to pay.
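The two paragraphs above describe the payment game in words; the following added example (not a model from any of the cited papers) carries the same reasoning through numerically. The symbols are assumptions for the illustration: L is the victim's expected loss if it refuses, p is its belief that payment yields a working decryptor, and R is the demand. The victim's expected cost of refusing is L and of paying is R + (1 - p)L, so it pays if and only if R is at most pL (indifference is treated as paying). The attacker, facing a constructed population of victims, compares the best single demand it can send to everyone with what it earns by researching each victim and calibrating the demand individually. Victim D is included with tested, isolated backups, which makes its loss from refusing, and hence its reservation price, small whatever it believes about the gang.

```python
"""Expected-value model of the ransomware payment game (added illustration).

Assumed symbols: L loss if unpaid, p probability payment yields a decryptor,
R ransom. Victim pays iff R + (1 - p) * L <= L, i.e. R <= p * L.
Attacker picks R to maximise R * (number of victims with p * L >= R).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Victim:
    name: str
    loss_if_unpaid: float  # L
    trust: float           # p, in [0, 1]

    @property
    def reservation_price(self) -> float:
        """Largest demand this victim would rationally pay."""
        return self.trust * self.loss_if_unpaid


def expected_cost(victim: Victim, ransom: float, pay: bool) -> float:
    """Victim's expected cost of each choice under the model above."""
    if not pay:
        return victim.loss_if_unpaid
    # With probability 1 - p the decryptor never works and the loss is borne anyway.
    return ransom + (1.0 - victim.trust) * victim.loss_if_unpaid


def should_pay(victim: Victim, ransom: float) -> bool:
    """Pay iff paying is not more costly in expectation than refusing."""
    return expected_cost(victim, ransom, True) <= expected_cost(victim, ransom, False)


def attacker_revenue(victims, ransom: float) -> float:
    """Revenue from one uniform demand sent to every victim."""
    return ransom * sum(1 for v in victims if should_pay(v, ransom))


def optimal_uniform_ransom(victims):
    """Best single demand. Revenue is a step function of R that changes only
    at a reservation price, so those are the only candidates worth checking."""
    best = max(victims, key=lambda v: attacker_revenue(victims, v.reservation_price))
    r = best.reservation_price
    return r, attacker_revenue(victims, r)


def targeted_revenue(victims) -> float:
    """Revenue if the attacker researches each victim and demands exactly its
    reservation price: the payoff from calibrated, targeted demands."""
    return sum(v.reservation_price for v in victims)


# Constructed population (not empirical data). D has tested, isolated backups,
# so its loss from refusing is small and its reservation price is near zero.
VICTIMS = [
    Victim("A hospital", 500_000, 0.8),
    Victim("B manufacturer", 200_000, 0.9),
    Victim("C small retailer", 50_000, 0.5),
    Victim("D firm with tested backups", 10_000, 0.9),
    Victim("E logistics firm", 400_000, 0.6),
]

if __name__ == "__main__":
    r, rev = optimal_uniform_ransom(VICTIMS)
    print(f"best uniform demand {r:,.0f} -> revenue {rev:,.0f}")
    print(f"targeted demands -> revenue {targeted_revenue(VICTIMS):,.0f}")
    for v in VICTIMS:
        verdict = "pays" if should_pay(v, r) else "refuses"
        print(f"{v.name}: {verdict} (pay={expected_cost(v, r, True):,.0f}, "
              f"refuse={expected_cost(v, r, False):,.0f})")
```

On this population the best uniform demand is 180,000, paid by three of five victims for 540,000 in revenue, whereas demanding each victim's reservation price yields 854,000. That gap is the economic reason for the victim research and targeted demands the text describes, and the backup-holding victim contributes almost nothing under either strategy.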
Insurance introduces important dynamics into the game-theoretic analysis. Cyber insurance coverage may increase the amounts that organisations are willing or able to pay, potentially inflating ransom demands when attackers are aware of coverage (Meurs et al., 2023; Cartwright et al., 2023). However, the relationship between insurance and payment is nuanced; insurers may also provide access to expert negotiators who can reduce demands, and may impose conditions on coverage that discourage payment. Empirical evidence suggests that insurance affects the average amount paid rather than the likelihood of payment per se.
Externalities and spillover effects complicate individual decision-making. Each ransom payment funds future attacks, imposing costs on other potential victims and society at large (August, Dao and Niculescu, 2022; Dey and Lahiri, 2025). Individual organisations, however, have limited incentive to account for these external costs in their decisions, creating a collective action problem wherein individually rational choices produce socially suboptimal outcomes. This externality provides economic justification for policy interventions that alter the incentive environment facing potential victims.
Behavioural economics perspectives introduce considerations of bounded rationality, loss aversion, and framing effects (Sharma, 2024; Cartwright, Cartwright and Xue, 2025). Ransomware incidents create high-stress environments that may compromise rational analysis, leading decision-makers to over-weight immediate losses relative to more abstract future considerations. Attackers exploit these psychological factors through ransom screen design, artificial time pressures, and other manipulation techniques.
Legal, ethical, and regulatory considerations
The legal landscape surrounding ransomware payments is characterised by ambiguity and cross-jurisdictional variation that complicates organisational decision-making. While paying ransoms is not explicitly illegal in most jurisdictions, payments may violate sanctions laws, anti-money laundering regulations, or other provisions depending on the identity of recipients and the circumstances of payment (Westbrook, 2021; Hashmi and Hashmi, 2023).
Sanctions compliance presents significant legal risks, particularly in the United States where the Office of Foreign Assets Control (OFAC) has issued guidance indicating that ransom payments to sanctioned entities or jurisdictions may incur strict liability penalties regardless of victims’ knowledge. Similar provisions exist in other jurisdictions, creating potential criminal and civil liability for organisations that inadvertently fund sanctioned actors through ransom payments.
Proposals for explicit criminalisation of ransom payments have generated debate within policy and academic circles. Proponents argue that banning payments would reduce attackers’ expected returns and thereby decrease attack frequency (Bil, 2023). Opponents contend that criminalisation would harm victims without effectively deterring well-resourced criminal enterprises, and that victims forced to choose between legal liability and operational survival face impossible choices that warrant protection rather than punishment.
The concept of a “safe harbour” for ransomware payments under certain conditions has been proposed as a middle ground (Westbrook, 2021). Under such frameworks, organisations that meet specified requirements—such as prompt reporting to law enforcement, cooperation with investigations, and demonstrated efforts at cyber hygiene—would receive protection from liability for payments made in good faith. This approach seeks to balance deterrence of payment with recognition of victim circumstances.
Ethical analysis of ransomware payment extends beyond legal compliance to consider broader moral obligations. Arguments against payment emphasise the contribution to a criminal ecosystem that harms future victims, the potential funding of other illegal activities, and the principled position that criminal demands should not be rewarded. Arguments in favour emphasise duties to organisational stakeholders, including employees whose livelihoods depend on operational continuity, customers whose data may be exposed, and—in healthcare and critical infrastructure contexts—individuals whose safety may be endangered by operational disruption.
The role of cyber insurance
Cyber insurance has emerged as an increasingly important factor in ransomware response, although its effects on payment decisions remain contested (Cartwright et al., 2023). The growth of the cyber insurance market has paralleled the rise of ransomware, with insurers offering policies that may cover ransom payments, business interruption losses, incident response costs, and liability arising from breaches.
Insurance coverage affects the economics of ransomware response by shifting some costs from victims to insurers. This risk transfer may alter victims’ willingness to pay by reducing the direct financial burden, although insurers may also impose conditions that constrain victim choices. The involvement of insurer-appointed incident response firms introduces additional actors into the decision-making process, whose advice may reflect insurers’ interests in addition to victims’ welfare.
Empirical research suggests that insured organisations tend to pay higher average ransoms rather than necessarily being more likely to pay (Meurs et al., 2023). This pattern may reflect several mechanisms: insured organisations may have greater ability to pay higher amounts; insurer-funded negotiators may secure different outcomes than organisations negotiating independently; or attackers may specifically target insured organisations and calibrate demands accordingly.
The sustainability of cyber insurance as a ransomware response mechanism faces challenges. High claims experience has led some insurers to exit the market or dramatically increase premiums, while others have introduced exclusions for ransomware or imposed strict requirements around security controls. The potential for adverse selection—wherein organisations with poor security are most likely to purchase coverage—creates actuarial challenges that may limit the long-term viability of comprehensive ransomware coverage.
Psychological and organisational factors
Individual and organisational psychology shapes ransomware response in ways that complement economic analysis. Crisis decision-making occurs under conditions of extreme stress, time pressure, and uncertainty that may degrade rational analysis and amplify emotional responses (Connolly and Borrion, 2022; Mott et al., 2024).
Research on ransomware victims documents significant psychological impacts, including anxiety, trauma responses, and long-term effects on individual and organisational wellbeing. These effects may influence both immediate decisions and longer-term organisational behaviour, including investments in security measures and attitudes toward future incidents. Understanding the human experience of ransomware victimisation provides important context for evaluating decision-making processes.
Organisational culture and prior experience with cyber incidents shape preparedness and response capabilities. Organisations with established incident response procedures, clear chains of command for crisis decisions, and prior exposure to cyber incidents may respond more effectively than those encountering ransomware for the first time. This suggests the value of simulation exercises and planning activities that prepare organisations for ransomware scenarios before they occur.
Discussion
The synthesis of existing research reveals a complex landscape in which ransomware payment decisions emerge from the interaction of technical, economic, organisational, and environmental factors. This discussion critically examines the key findings in relation to the stated objectives and considers their implications for theory, practice, and policy.
Addressing the research objectives
The first objective sought to identify primary factors influencing payment decisions. The evidence strongly supports the central importance of backup availability, expert advice, and threat severity as determinants of payment behaviour. These factors operate hierarchically: backup availability serves as a threshold condition, with organisations possessing functional backups rarely paying regardless of other considerations, at least where the attack is limited to encryption; double extortion weakens this threshold because restoring systems does not prevent publication of stolen data. For organisations lacking backups, expert advice and threat characteristics assume greater importance in shaping decisions. This hierarchical relationship has important practical implications, suggesting that backup investments should receive priority in organisational cybersecurity strategies.
The second objective addressed justification mechanisms. The literature reveals a consistent pattern of justifications centred on operational necessity, regulatory compliance, and ethical imperatives. Importantly, these justifications are not merely post-hoc rationalisations but actively shape decision-making by providing frames through which decision-makers interpret their situations. The prevalence of “last resort” framing suggests awareness that payment is problematic, combined with belief that exceptional circumstances warrant an exception to general principles.
The third objective examined economic and game-theoretic models. These models provide valuable insights into the strategic dynamics of ransomware interactions, although their practical applicability is constrained by the information asymmetries and bounded rationality that characterise real-world incidents. The models highlight the collective action problem created by ransomware: individually rational payment decisions generate negative externalities for other potential victims, suggesting a potential role for policy interventions that alter incentive structures.
The fourth objective assessed legal and ethical considerations. The analysis reveals significant ambiguity in the legal treatment of ransom payments across jurisdictions, creating uncertainty that compounds the difficulty of decision-making during incidents. Ethical considerations cut both ways: duties to stakeholders may argue for payment in some circumstances while concern for broader societal impacts argues against. The lack of clear guidance leaves organisations navigating complex moral terrain without adequate support.
The fifth objective identified research gaps. Significant gaps exist regarding long-term outcomes following payment versus non-payment decisions, the effects of different policy interventions, and the dynamics of ransomware in specific sectors and organisational contexts. These gaps reflect both the relative novelty of ransomware as a research topic and the practical difficulties of studying criminal phenomena and organisational crisis responses.
Critical analysis of findings
Several aspects of the findings warrant critical examination. First, the reported payment rates of less than 30% may underestimate actual payment frequency due to reporting biases. Organisations that pay ransoms may be less likely to report incidents or participate in research, and payments are sometimes made through intermediaries that obscure the transaction. The true prevalence of payment remains uncertain, although the general finding that most organisations do not pay is likely robust.
Second, the emphasis on backup availability as a decisive factor may oversimplify the decision calculus. While functional backups clearly reduce payment likelihood, the calculation involves expected restoration time, potential data loss between backup points, and the costs of recovery operations. An organisation with backups may still face weeks of downtime and significant residual losses, making payment attractive in some circumstances.
Third, the role of expert advice raises questions about the interests and incentives of advisors. Incident response firms and negotiation specialists have financial interests in their services being retained, which may influence the advice they provide. Insurance providers face different incentives depending on policy terms and claims experience. Critical evaluation of advisor recommendations should consider these potential conflicts.
Fourth, the game-theoretic models assume levels of rationality and information that may not obtain in practice. Attackers vary widely in sophistication, and some ransomware operations appear to operate with limited strategic calculation. Victims frequently lack information about attacker reliability, making assessments of payment utility highly uncertain. The models provide useful frameworks but should not be mistaken for descriptions of actual decision processes.
Implications for theory
The findings contribute to several theoretical domains. For crisis decision-making theory, ransomware incidents represent a distinctive case that combines external threat, time pressure, and moral complexity. The observed patterns of justification and the influence of external advice align with broader research on decision-making under stress, while adding ransomware-specific insights.
For criminological theory, the findings illuminate the economics of cybercrime and the dynamics of victim-offender interactions in digital contexts. The importance of attacker credibility in payment decisions connects to broader theoretical work on reputation and trust in illegal markets. The emergence of double extortion tactics represents criminal innovation in response to victim countermeasures, demonstrating the adaptive nature of sophisticated cybercriminal enterprises.
For organisational theory, the findings highlight how organisational characteristics—size, sector, resource availability, and prior experience—shape vulnerability and response capability. The influence of external advisors demonstrates the importance of boundary-spanning relationships in crisis management, while the role of insurance illustrates how risk transfer mechanisms affect organisational behaviour.
Implications for practice
Practical implications emerge for organisations, cybersecurity professionals, insurers, and policymakers. For organisations, the primacy of backup availability in payment decisions underscores the value of investments in robust, tested, and resilient backup systems. Organisations should also develop incident response plans that address ransomware scenarios specifically, including clear decision-making protocols and pre-established relationships with external advisors.
For cybersecurity professionals providing incident response services, the findings highlight their influential role in shaping organisational decisions. This influence carries responsibility to provide balanced advice that considers organisational circumstances while acknowledging broader implications of payment. Developing standards and guidelines for ransomware response advice would enhance professional accountability.
For insurers, the findings suggest that coverage decisions and policy terms significantly affect ransomware outcomes. Insurers should consider how their practices shape incentive structures and whether policy innovations could better align individual and collective interests. Requirements around security controls and incident response procedures may help reduce claims while improving organisational resilience.
For policymakers, the findings highlight tensions between protecting victims and deterring the broader ransomware ecosystem. Policies that criminalise payment without addressing underlying vulnerabilities may harm victims without effectively reducing attacks. Alternative approaches, including safe harbour provisions, mandatory reporting requirements, and investments in organisational cybersecurity capabilities, may better balance competing objectives.
Limitations of the current evidence
The evidence base, while growing rapidly, contains significant limitations. Most empirical research relies on surveys and self-reports, which are subject to recall bias, social desirability effects, and sample selection issues. Organisations that experience ransomware incidents may be reluctant to participate in research, particularly if they paid ransoms or experienced significant harm.
The theoretical models make simplifying assumptions that may not hold in practice, including assumptions about attacker and victim rationality, information availability, and the structure of the strategic interaction. While these simplifications enable analytical tractability, they limit the models’ descriptive accuracy and prescriptive validity.
The legal and regulatory analysis is complicated by rapid evolution in this area and significant cross-jurisdictional variation. Findings relevant to one jurisdiction may not generalise to others, and regulatory changes may outpace academic analysis. Ongoing monitoring of legal developments is necessary to maintain currency.
Conclusions
This dissertation has examined the conditions under which organisations pay ransomware demands and the justifications they employ for these decisions. Through systematic review and synthesis of existing research, several clear findings emerge.
Organisations generally prefer not to pay ransomware demands, with payment rates typically falling below 30% across studied populations. However, payment becomes substantially more likely when organisations lack functional backups, face severe threats to business continuity, or receive expert advice recommending payment. The emergence of double extortion tactics has complicated the decision landscape by undermining the protective value of backups against data exposure threats.
Organisations justify payment decisions primarily through appeals to business continuity necessity, regulatory and legal compliance obligations, and ethical imperatives regarding stakeholder welfare. These justifications frame payment as a reluctant last resort rather than a willing capitulation, distributing moral responsibility across circumstances and advisors.
Economic and game-theoretic models illuminate the strategic dynamics of ransomware interactions while highlighting the collective action problems created by individually rational payment decisions. Legal and regulatory frameworks remain ambiguous in most jurisdictions, creating uncertainty that compounds decision-making difficulty.
The stated objectives have been substantially achieved. The analysis has identified key factors influencing payment decisions, examined justification mechanisms, evaluated theoretical models, assessed legal and ethical considerations, and identified significant gaps in current research. The findings provide an evidence base to inform organisational practice, professional guidance, and policy development.
Looking forward, several research priorities emerge. Longitudinal studies tracking organisations following ransomware incidents would illuminate long-term outcomes of different response strategies. Comparative analysis across jurisdictions would enhance understanding of how legal and regulatory environments shape behaviour. Experimental and quasi-experimental evaluation of policy interventions would provide evidence on effective approaches to reducing ransomware impacts.
The ransomware threat continues to evolve, presenting ongoing challenges for organisations and societies. This dissertation contributes to the growing body of knowledge necessary to inform effective responses, while acknowledging that much remains to be learned about this consequential domain of cybersecurity decision-making.