21/04/2022

Risk assessment of ransomware attacks

The text on this page was automatically translated and hence may differ from the original. No rights can be derived from this translation.

There appears to be a trend in which more and more large organisations are falling victim to targeted ransomware attacks. Dutch examples include the attack on Maastricht University in December 2019 and the attack on the research funder NWO in February 2021. To reduce the risk of cyber attacks and enhance cyber resilience, organisations can carry out risk assessments. Given the ongoing developments surrounding ransomware attacks and their serious consequences, the National Cyber Security Centre (NCSC) has requested research into the specific risk factors involved in such attacks.

The underlying issue is that medium-sized and small organisations, both private and semi-public, allocate insufficient resources to cybersecurity at policy level because the risks are underestimated. The IT department often recognises the need for improved cybersecurity, but may struggle to convince management. Policymakers must therefore be made aware of the risks the organisation faces and of the costs of a ransomware attack. There is a perception that organisations that are becoming increasingly dependent on ICT are not sufficiently aware of the risks. Moreover, these risks do not affect only one specific organisation; there are clear chain dependencies, in which a disruption at one party causes further effects along the chain.

This research aims to identify and quantify the factors that influence ransomware attacks. What are these factors, and can they be quantified? A second objective is to provide insight into how awareness can be raised among the target audience: board members of medium-sized and small organisations in both the public and private sectors. They should be aware of the likelihood and impact of ransomware attacks, and they should also gain insight into the underlying risk factors. The research addresses the following research questions:
  1. What risks do ransomware attacks pose?
  2. What do ransomware attacks look like nowadays and what tools are used?
  3. Which types of parties are involved in these attacks?
  4. What internal and external factors contribute to ransomware risks for an organisation?
  5. To what extent can these factors be quantified?
  6. Which tool can raise awareness among policymakers in medium-sized and small organisations about the risks of ransomware?
  7. What are the key factors for companies and organisations to start using this tool?
Various methods were employed in conducting this research: a literature review, an exploration of existing risk assessment models, an exploration of cyber insurance, interviews, case studies of affected organisations in the Netherlands, and validation sessions. This research aims to provide an up-to-date overview of the issues at hand.