Can Global, Extended, and Repeated Ransomware Attacks Overcome the User's Status Quo Bias and Cause a Switch of System?

Alex Zarifis, Xusen Cheng, Uchitha Jayawickrama, Simone Corsi
Copyright: © 2022 | Pages: 16
DOI: 10.4018/IJISSS.289219

Abstract

The effectiveness of ransomware (RW) attacks has increased, causing far-reaching consequences that are not fully understood. Their ability to disrupt core services, their global reach, extended duration and repetition have increased their ability to harm an organization. One aspect that needs to be understood better is the effect on the user. The user in the current environment is exposed to new technologies that might be adopted, but there are also habits of using existing systems. These habits have developed over time, with trust increasing in the organization the user is in direct contact with and in the institutions supporting it. This research explores whether global, extended and repeated RW attacks reduce trust and inertia sufficiently to change long-held habits in using information systems. The model tested measures the effect of the RW attack on the e-commerce status quo to evaluate whether it is significant enough to overcome the user’s resistance to change.

Introduction

In the story of David versus Goliath, an underdog manages to beat a much larger and stronger opponent. This metaphor can be used to describe ransomware (RW) attacks. The attackers may have limited resources, like David, while the organizations being targeted and the institutions supporting them are often like Goliath, with extensive resources. We would like to believe, in this case, that the large organizations and institutions will emerge victorious by limiting the harm inflicted on them and their users. Is this, however, the case? The user has come to expect a reliable service, with minimal delay or downtime, from the train operators, airports and other services and products they use. Most users also experience secure transactions, secure storage and responsible use of personal information. Examples of core service failure, such as extended periods without access to services, are rare and are usually limited to an economic crisis and failing organizations (Mansfield-Devine, 2020). Most users have also not experienced breaches of security that would reveal their personal information (Simoiu, Symantec, Bonneau, & Goel, 2019). This has built trust in the institutions, the organizations and the way personal information is handled. It has also created an e-loyalty (Carter, Wright, Thatcher, & Klein, 2014) expressed as an inertia and habit of the user in favour of the current systems used in e-commerce (Polites & Karahanna, 2012). The user, however, is now facing the new phenomenon of global, extended and repeated RW attacks. While many users are directly affected by these attacks, the reports in the media, social media and word of mouth serve to further magnify the impact. This may cause a momentary, or more extended, erosion of trust in the organizations they are directly in contact with and the institutions that support them. These attacks may also influence the user to such a degree that they overcome the inertia they have in favour of existing systems.

RW attacks use malware to encrypt files on a computer and request a monetary amount, usually in Bitcoin, for the files to be decrypted and made available for use again (Mercaldo, Nardone, & Santone, 2016). Ransomware attacks cost approximately 45 billion dollars in 2018 (Online Trust Alliance, 2019). While each attack may have some variation in how the computer is infected, what files are encrypted and how the encryption is reversed, they are similar in their approach (Kharraz, Robertson, Balzarotti, Bilge, & Kirda, 2015). This form of malware is not new, but its ability to disrupt an organization’s core services repeatedly and for a prolonged period has increased. The effectiveness has increased because a combination of technologies and circumstances is more favourable now than ten or fifteen years ago. For example, technologies such as digital currencies and circumstances such as outdated, unsupported operating systems have enabled and amplified attacks (Kshetri & Voas, 2017).

Recent RW attacks such as WannaCry, Petya, NotPetya, exPetr, Bad Rabbit and Sodinokibi-REvil (Simoiu et al., 2019; Yaqoob et al., 2017) are critical incidents that may have had an impact on the user and the willingness to engage in e-commerce as they did before. Since the start of the century, business-to-consumer e-commerce has expanded, with more people adopting it and existing users utilizing it more regularly. These repeated attacks may erode trust and loyalty. The user may stop engaging with the online vendor they had a habit of using if that vendor is attacked. A switch might be made to an online vendor that has not been attacked or to an offline vendor less dependent on information systems. The user may switch to a new solution completely or partially. For example, the user may continue to use the same vendor but limit the value exchanged or the personal information shared. Lastly, the decision may be made to abstain from the exchange of value that was intended to be made. Improving the understanding of the effect of this phenomenon on the e-commerce user will enable remedial action to be taken before, during and after an attack. Therefore:

The aim of this research is to identify the factors that influence the user’s decision to stop using an organization’s system because of a RW attack.
