Trends and challenges in research into the human aspects of ransomware: a systematic mapping study

Garret Murray (Department of Informatics, Örebro University, Örebro, Sweden)
Malin Falkeling (Department of Informatics, Örebro University, Örebro, Sweden)
Shang Gao (Department of Informatics, Örebro University, Örebro, Sweden)

Information and Computer Security

ISSN: 2056-4961

Article publication date: 5 July 2024


Abstract

Purpose

The purpose of this paper is to provide an overview of the trends and challenges relating to research into the human aspects of ransomware.

Design/methodology/approach

A systematic mapping study was carried out to investigate the trends in studies into the human aspects of ransomware, identify challenges encountered by researchers and propose directions for future research. For each of the identified papers from this study, the authors mapped the year of publication, the type of paper, research strategy and data generation method, types of participants included, theories incorporated and lastly, the authors mapped the challenges encountered by the researchers.

Findings

Fifty-nine papers published between 2006 and 2022 are included in the study. The findings indicate that literature on the human aspects of ransomware was scarce prior to 2016. The most-used participant groups in this area are students and cybersecurity professionals, and most studies rely on a survey strategy using the questionnaire to collect data. In addition, many papers did not use theories for their research, but from those that did, game theory was used most often. Furthermore, the most reported challenge is that being hit with ransomware is a sensitive topic, which results in individuals and organisations being reluctant to share their experiences.

Research limitations/implications

This mapping study reveals that the body of literature in the area of human aspects of ransomware has increased over the past couple of years. The findings highlight that being transparent about ransomware attacks, when possible, can help others. Moreover, senior management plays an important role in shaping the information security culture of an organisation, whether to have a culture of transparency or of secrecy.

Originality/value

This study is the first of its kind of systematic mapping studies contributing to the body of knowledge on the human aspects of ransomware.

Citation

Murray, G., Falkeling, M. and Gao, S. (2024), "Trends and challenges in research into the human aspects of ransomware: a systematic mapping study", Information and Computer Security, Vol. ahead-of-print No. ahead-of-print. https://doi.org/10.1108/ICS-12-2022-0195

Publisher: Emerald Publishing Limited

Copyright © 2024, Garret Murray, Malin Falkeling and Shang Gao.

License

Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial & non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode


1. Introduction

In December 2021, the Swedish municipality of Kalix suffered a ransomware attack against its systems. Ransomware is malware that holds a victim’s data hostage. To regain access, the victim must pay a ransom to the attacker (Andronio et al., 2015). The attack had several consequences for the municipality, its employees and those who rely on its services. This included 1,600 employees being unable to use their computers, home care services unable to access their schedules or patients’ care records, surveillance and ventilation systems failing and employee salaries and invoices having to be paid manually as financial systems could not be accessed (Larsson, 2022). As of March 2022, three months after the attack, the municipality was still recovering. Similar events have taken place around the world. For instance, the largest fuel pipeline in the USA was attacked with ransomware which led to shortages of fuel across the east coast, resulting from the company having to shut down its pipelines in 2021 (Turton and Mehrotra, 2021). In September 2021, a ransomware attack against the Irish Health System resulted in patients’ personal data being stolen and published online (Gallagher, 2021). The examples above highlight the severity of the ransomware threat, and the effect an attack can have on not only those who are attacked but also those who rely on the services provided by the organisations that are victims of these attacks.

Technical aspects of mitigating and recovering from ransomware have been the main focus of security literature (Connolly and Wall, 2019; Connolly et al., 2017). Technical aspects include technical controls and measures such as “email hygiene, backup and recovery procedures, centrally-controlled vulnerability management and upgrades, detection and monitoring, and web protection” (Connolly and Wall, 2019, p. 7). However, the human aspects of ransomware have been studied to a far lesser extent (Connolly and Wall, 2019; Connolly et al., 2017). The human aspects of information security relate to people’s perceptions, attitudes and behaviours as well as controls for managing these (da Veiga and Martins, 2015). Human aspects of information security can be seen as information security issues that relate to people (i.e. users). Previous studies (e.g. Furnell and Clarke, 2012) have found that user-oriented aspects of information security, such as training and education, were prone to receiving less attention than technical aspects of information security such as technical controls in terms of antivirus software and firewalls. Humans are often the cause of ransomware attacks by either creating ransomware or allowing ransomware to occur. Human aspects of ransomware refer to how users’ perceptions, attitude and behaviour affect or are affected by ransomware attacks. Users can be victims of ransomware, non-victims of ransomware or information security professionals.

Following the Kalix ransomware incident, the municipality director said that they believe the individual poses the biggest risk to security, and that improving employee knowledge is a priority (Larsson, 2022). This sentiment is backed up by the statistics: rather than being caused by technical vulnerabilities in information systems (IS), the majority of data breaches involve a human element (ENISA, 2021). Attackers can persuade individuals to click on unsafe links or download malicious files by exploiting their weaknesses and desires (Hadnagy, 2011).

In recent years, there has been a notable increase in ransomware attacks. While existing research surveys on ransomware have predominantly focused on technical aspects (e.g. Beaman et al., 2021; Kok et al., 2019), there is a noticeable gap in the literature concerning the human aspects of ransomware. Previous studies (e.g. Safa et al., 2016) have emphasised the importance of considering human aspects alongside technical aspects in mitigating the risks associated with information security attacks. Given the significant role that human aspects (e.g. perceptions, attitudes and behaviours) play in ransomware incidents, there is an increasing need for literature studies to delve into the human aspects of ransomware further.

The human aspects of ransomware and the human aspects of general information security share similarities but also differ in terms of scope and focus. For instance, ransomware differs from other security risks in terms of user behaviour in several ways. Firstly, users are directly faced with financial decisions due to ransom demands, while the financial impact of other threats (e.g. the costs associated with fraud) might be indirect. Secondly, users are often immediately aware of a ransomware attack because they are locked out of the system and receive a request to pay a ransom. By contrast, other threats (e.g. phishing) might not be immediately obvious to the user. Furthermore, users are more motivated to back up their data regularly to prevent ransomware attacks, whereas they might be less attentive with regular backups in response to other security risks.

While there are some literature studies focusing on the human aspects of information security (e.g. Khando et al., 2021), there is a lack of studies focusing on the human aspects of ransomware. To address this gap, this research aims to provide an overview of the trends and challenges relating to research into the human aspects of ransomware. By identifying the trends and challenges in this field, we can consolidate the current understanding of the human facets of ransomware. Moreover, it can pinpoint new directions for future research, thereby advancing our comprehension of the human aspects of ransomware and enhancing strategies for ransomware attack mitigation and prevention.

To achieve this goal, a systematic mapping approach has been chosen as the methodology. Compared to a systematic literature review, the scope of a systematic mapping study is broader, as the aim is to provide an overview of the research area. Previous studies (Budgen et al., 2008; Lemos et al., 2012) have also indicated that the main benefit of a systematic mapping study is that it presents an unbiased evaluation of current literature by pointing out gaps and trends within the field of study.

The structure of the rest of this paper is as follows. Section 2 discusses the background and related work. Section 3 defines the research questions, and provides details about the chosen research methodology. Section 4 presents the results. Section 5 discusses the results of this study and the threats to the validity of the research. Lastly, the paper is concluded in Section 6.

2. Background

2.1 Ransomware

Malware has been used as a general term for all sorts of malicious software. Ransomware is a type of malware that holds a victim’s data hostage and, to regain access, the victim must pay a ransom to the attacker (Andronio et al., 2015). Viruses are another type of malware designed to corrupt a user’s files and cause unexpected malfunctions. However, unlike ransomware, viruses do not lock users’ files or demand a fee for their recovery. Thus, the major difference between ransomware and other information security attacks is that ransomware is designed for the purpose of demanding money from victims. Ransomware attacks can target a diverse range of entities, such as individuals, businesses, government agencies and health-care providers. Ransomware attacks can result in serious consequences for their targets, including financial losses, data breaches and operational disruptions.

There are three main categories of ransomware: crypto, locker and scareware (Beaman et al., 2021). Crypto ransomware encrypts the victim’s files but does not interfere with the basic functions of the device. If the victim follows the instructions of the attacker and pays the ransom, their files are decrypted. The purpose of locker ransomware, on the other hand, is to block the basic functions of the device such as the screen and keyboard until the ransom is paid. Scareware does not encrypt files or lock the device but can take the form of pop-up ads that use scare tactics and manipulation to get the victim to pay a ransom (Kok et al., 2019).

2.2 Human aspects of information security

Information security cannot rely solely on technical solutions (Furnell and Clarke, 2012). Human aspects of information security must also be considered to mitigate information security risks effectively. Human aspects of information security play an important role in addressing various information security attacks (e.g. social engineering, malware, ransomware). For example, human vulnerabilities can be exploited through social engineering techniques. Social engineering has been defined in terms of malware as “a combination of psychological and technical ploys, which includes luring a computer user to execute the malware, and combating any existing technical countermeasures” (Abraham and Chengalur-Smith, 2010, p. 183). Phishing, a form of social engineering, is a notable example.

The human aspects of information security relate to people’s perceptions, attitudes and behaviours as well as controls for managing these (da Veiga and Martins, 2015). Addressing human aspects involves promoting positive security behaviour, enhancing information security awareness, fostering an information security culture and implementing effective training programmes. For instance, Crossler et al. (2013) indicated that a combination of technical solutions and users’ security behaviour plays a major role in information security management. Promoting positive security behaviour among users is essential for organisations to create a robust information security environment. Additionally, employees’ lack of compliance with information security policies has been recognised as a persistent challenge for many organisations (Karlsson et al., 2017). When employees comply with these policies, it enhances the effectiveness of information security technical controls. Moreover, Desolda et al. (2021) found that user information security awareness was one of the most critical aspects in phishing attacks. Khando et al. (2021) conducted a systematic literature review to identify various methods and factors used to enhance employees’ information security awareness (ISA) in organisations, and found that the PDCA (plan-do-check-act) cycle model has proved its efficiency in creating content for ISA programmes in previous empirical studies.

Furthermore, da Veiga and Martins (2015) stated that one way of addressing the human aspects is to improve the information security culture within an organisation so that employee behaviours comply with the information security policy. Information security controls such as training and awareness can also positively influence employees’ security behaviour and, in turn, the culture of an organisation (da Veiga and Martins, 2015). In addition, a lack of ongoing education and training has been identified as one of the top information security issues related to social engineering attacks (Campbell, 2019). The implementation of SETA (i.e. security education, training and awareness) programmes among employees can be used as a means to tackle acts of human errors related to social engineering attacks (Luo et al., 2011). In summary, addressing human aspects through improved awareness, security behaviour, training and organisational culture is essential for enhancing information security resilience alongside technical measures.

2.3 Research in ransomware focusing on human aspects

Ransomware, unlike other types of information security attacks such as viruses or adware, demands monetary payment in exchange for restoring users’ access to files or data, whereas those other attacks are often aimed at replicating themselves, deleting data or overburdening system resources (Bekkers et al., 2023).

Human aspects of ransomware relate to people’s perceptions, attitudes and behaviours in relation to ransomware, as well as controls for managing these, such as training and awareness. Compared to technical aspects (e.g. ransomware detection), human-related aspects, such as ransomware awareness training, usability of the ransomware detection technology and information security policies, need to receive more attention. For example, implementing a comprehensive ransomware education programme would enhance users’ understanding of ransomware and associated threats, empowering them with the skills and knowledge to mitigate risks. As a result, users may change their behaviour and security practice after learning about the severe consequences of the ransomware.

Some publications have delved into the human aspects of ransomware. For instance, Chandra et al. (2022) proposed a process model aimed at enhancing the awareness of disaster teams to facilitate decision-making in response to ransomware attacks. Additionally, Bello and Maurushat (2020) introduced specific cybersecurity training and awareness approaches designed to mitigate ransomware threats. However, a comprehensive understanding of the current state of the human aspects of ransomware is still lacking. This mapping study contributes to filling this gap by conducting a literature review specifically focusing on the human aspects of a specific type of information security, namely, ransomware.

2.4 Existing ransomware literature studies

There are some mapping studies and literature reviews aiming to synthesise previous work on ransomware. Table 1 presents a summary of the themes covered by previous reviews. McIntosh et al. (2022) found the lack of user involvement to be one of the major limitations of existing anti-ransomware research. Kapoor et al. (2021) contributed a theoretical framework for classifying techniques used for defending against ransomware and found that good cyber hygiene is the most effective strategy for ransomware avoidance at the individual level. Moreover, Oz et al. (2022) presented a comprehensive literature review on ransomware and ransomware defence research with respect to PCs/workstations, mobile devices and IoT/CPS platforms. In addition, Beaman et al. (2021) provided a summary of existing approaches for ransomware prevention and detection, most of which focus on the technical aspects, such as honeypots, network traffic analysis and machine learning. Furthermore, Kok et al. (2019) conducted a review of the ransomware threat and the current detection techniques, outlined the differences between locker and crypto-ransomware and discussed different attack techniques that can be used when creating ransomware. Lastly, Ferreira (2018) conducted a detailed review of the literature on ransomware from 2015 to 2018. According to the results, previous studies tended to focus on the analysis of ransomware structures and the development/testing of detection solutions, and Ferreira suggested that more human and behavioural-related solutions need to be developed.

Our analysis of the existing literature reviews (see Table 1) demonstrates that the majority of literature studies focus on technical aspects of ransomware (e.g. ransomware prevention and detection). There is evidently a lack of review studies focused on the human aspects of ransomware. The lack of such reviews could be an indication of a lack of studies in this area. Ferreira (2018) pointed out that only 6% of the papers reviewed by the author focused on human-related solutions; however, Ferreira also found that the number of papers that did so increased drastically in 2017.

Considering that Ferreira conducted the review in February 2018, there is a need for updated research to offer a current overview of trends and challenges. Additionally, the findings from Ferreira (2018) emphasised the necessity for more research on socio-technical solutions to manage the human aspects of ransomware. Our literature study extends Ferreira’s research by examining additional literature beyond 2018. Furthermore, this study also addresses Ferreira’s call for research into the human aspects of ransomware by answering the proposed research questions (RQs) in Section 3.1.

3. Method

This systematic mapping study was conducted in accordance with the method proposed by Petersen et al. (2008), which was developed for use in the field of software engineering and has since become the most commonly applied process for mapping studies across research areas (Macrinici et al., 2018; Torquato and Vieira, 2020).

Figure 1 illustrates the mapping process workflow and all the phases that we have gone through during this research. The method includes five steps, each with a corresponding outcome.

3.1 Research questions

The aim of this systematic mapping study is to provide an overview of the trends and challenges relating to research into the human aspects of ransomware. Seven RQs were chosen to structure the overview. Table 2 presents the RQs and their associated motivation.

3.2 Conducting search and screening of papers

Following the definition of the research questions, a search for articles to include was conducted in April 2022. The search and screening process is outlined in Figure 2, the first step of which was to search the Scopus and the Web of Science databases. The keywords used for the search string were derived from our background research, as detailed in the previous sections. The search string had to contain the keyword “ransomware” and also include additional terms related to the human aspects, given that this is the focus of this paper. Section 2.2 defined what the human aspects of ransomware are, and so keywords were pulled from this section to ensure consistency throughout our study. Humayun et al. (2020) suggested including synonyms for the derived search terms, and therefore, we decided that it was appropriate to apply this technique to “human aspects”. We felt that it was appropriate to include “social engineering” as this threat targets the user (Gupta et al., 2016), and social engineering has been described as the main attack vector for ransomware (ENISA, 2021). Therefore, its inclusion in the search string may help to find relevant papers for our study. The search was done using the following search string:

ransomware AND (‘human aspect*’ OR ‘human factor*’ OR ‘human element*’ OR ‘informal aspect*’ OR ‘social aspect*’ OR awareness OR training OR culture OR ‘social engineering’ OR ‘information security behavio*’ OR ‘perception*’ OR ‘attitude*’)

This search string generated 174 results in the Scopus database and 136 results in the Web of Science, a total of 310 articles. To identify articles relevant to the aim of our study, we examined the abstracts of each of the articles against our inclusion and exclusion criteria. The inclusion criteria were influenced by our definition of “human aspects of ransomware”: people’s perceptions, attitudes and behaviours in relation to ransomware. The inclusion and exclusion criteria are detailed in Table 3. In cases where the abstract did not provide enough information for us to exclude or include articles, we inspected other parts of the articles, as advised by Petersen et al. (2008).

After screening the initial 310 articles, 17 articles were included from Web of Science and 30 from Scopus. After removing 11 duplicates, the first set of articles to be included in the mapping study included 36 articles. As a second search strategy, we examined the reference lists of the first set of included articles. This is a method known as (backward) snowballing (Wohlin et al., 2013). Snowballing is helpful for identifying additional articles relevant to the aim of a mapping study. The decision to look more closely at a referenced paper was determined based on its title and how it was used in the paper referencing it. The papers found from snowballing were vetted using the inclusion and exclusion criteria before being included. The snowballing technique was only applied to our first set of included articles. The final number of articles to be included in the mapping study, after the initial search in databases, followed by the use of the snowballing strategy, was 59.

3.3 Analysis and classification

The relevant classification scheme(s) for answering each RQ is presented below:

RQ1. We should identify the publication channels for the retrieved articles.

RQ2. We aim to present the number of articles on the human aspects of ransomware published each year. This could highlight if there has been a change in publication frequency.

RQ3. We use the following established classification scheme by Wieringa et al. (2006) to sort papers according to their research type.

  • Evaluation research

The trademark of evaluation research is that the researcher evaluates an existing technique in practice. This could be through empirical means using case studies, surveys or other forms of field research or through conceptual means using mathematics or logic.

  • Validation research

Validation research is similar to evaluation research, but it evaluates a technique not yet implemented in practice. This is not typically done through field research, but rather in a laboratory experiment or through mathematical analysis.

  • Proposal of a solution

In a proposal of solution, the researcher proposes a novel technique and provides a proof-of-concept, but does not perform a full-blown validation (Wieringa et al., 2006, p. 105). Validating a proposal of a solution is validation research.

  • Philosophical paper

In a philosophical paper, the author presents a new way of looking at and structuring the world. This could be through a new conceptual framework.

  • Opinion paper

Opinion papers “do not describe new research results, designs, or conceptual frameworks, but rather are the author’s opinions of what we should do” (Wieringa et al., 2006, p. 104). The author might present their views about what they think is the desired direction of the research in their field.

  • Experience paper

The last class of papers are experience papers, which consist of the author’s personal experience (Wieringa et al., 2006). In the case of this mapping study, this could be a paper in which the author discusses their personal experience of ransomware.

RQ4. We used the predefined categories for research strategies and data generation methods by Oates (2006). The characteristics of the research strategies from Oates (2006) are described as follows:

  • Survey

According to Oates (2006), a survey strategy includes data generation methods such as interviews, observations, questionnaires and documents.

  • Design and creation

The contribution of the design and creation strategy is an IT artefact (Oates, 2006). The design and creation strategy is considered “research” if the artefact produced contributes with new knowledge (Oates, 2006) while also demonstrating “academic qualities such as analysis, explanation, argument, justification and critical evaluation” (p. 109).

  • Experiment

An experimental research strategy is characterised by the use of observations and measurements to test cause and effect. The process typically consists of a pre-measurement of some factor, manipulation of the circumstances and a re-measurement of said factor to discover changes (Oates, 2006).

  • Case study

The aim is to gain deep insight into the case, to be able to answer why and how a phenomenon occurs in that context. The focus is on depth rather than breadth.

  • Action research

The role of the researcher performing action research is to collaborate with the participants (Oates, 2006). The goal of action research is to make improvements to people’s everyday practices, with the researcher onsite with the participants in their setting.

  • Ethnography

Ethnography is concerned with learning about a culture, whether that be a national culture or the culture of an organisation. The outcome of an ethnographic study is a “holistic description of the culture, including social, cultural and economic aspects of the situation” (Oates, 2006, p. 174).

The following are classified as data generation methods: interviews, observations, questionnaires and documents.

RQ5. We aim to answer what groups are included as participants in studies on the human aspects of ransomware. Previous findings suggest that students and IS professionals are overused in empirical IS security studies, and that this can be problematic if they do not reflect the population of interest (Lebek et al., 2014). Ransomware attacks are indiscriminate, and entire public and private sectors are targeted. Therefore, this question will also answer if it is still the case that these two groups are the most used, and identify any underrepresented groups.

RQ6. We should identify theories used in studies that discuss the human aspects of ransomware.

RQ7. We should identify common challenges of conducting research into the human aspects of ransomware.

3.4 Data extraction

During the data extraction phase, we extracted the information needed from each of the included articles to help us address our RQs and sorted the information into a data extraction form, one form for each article. The form can be seen in Table 4. In the data extraction scheme “Value” column, we filled in the final category for each of the questions, from the classification schemes. This form draws mainly from Petersen et al. (2015).

3.5 Mapping

To present the results of the mapping study, we use frequency tables and different types of plots. By counting the frequency of studies in each category for each research question, it is possible to spot trends and possibilities for future research (Petersen et al., 2008).

4. Results

In this section, we present the results of the mapping study by answering RQ1 to RQ7.

4.1 What are the main publication channels for research on the human aspects of ransomware?

Based on the 59 papers that were selected for review, we found that the publication venue was limited to journals (35 papers) and conference proceedings (24 papers). This is visualised in Figure 3. There was a wide dispersion among the targeted venues, with all but five of the venues publishing one paper only. Of the five venues with more than one paper, two were journals (Computer Fraud and Security and Network Security) and three were conferences (Hawaii International Conference on System Sciences, the International Conference on Computer Science and Artificial Intelligence and the International Conference on Decision and Game Theory for Security). The full results with the names of each of the targeted venues and the number of published papers can be seen in the Appendix.

4.2 What are the trends in the publication frequency for research on the human aspects of ransomware?

Figure 4 shows the number of articles published per year. The articles identified for this systematic mapping study were published between the years 2006 and 2022. The years 2017 and 2021 saw the highest number of papers at 11 papers. After the year 2007, we see a gap until 2015, after which we see a steady increase until the year 2017. Then the number of articles decreased, before peaking again in 2021. This study only took into account the first three months of 2022, which should explain the sudden decrease in 2022. Three of the papers were published in 2022.

4.3 What are the types of papers published that discuss the human aspects of ransomware?

We were able to classify all 59 papers reviewed according to our chosen classification scheme presented in Section 3.3. Of the 59 papers, all but one received a single classification. The paper by Hull et al. (2019) was classified as both validation research and evaluation research given that there were two parts to this paper, i.e. technical and human aspects. The technical part focused on validating a new model, whereas the human aspects part focused on evaluating a problem relating to the human aspects of ransomware using formal, documented techniques.

Overall, proposal of solution papers were the most abundant within our study (i.e. 19 papers). These papers suggested some form of a new solution to addressing the human aspects of ransomware. Evaluation research was the classification with the second-highest number of papers, with 14 papers (23.7%) involving evaluating an existing technique that has been used within human aspects of ransomware research. Opinion papers made up 11 papers and validation research ten of the papers. The two classifications with the joint lowest number of papers were philosophical papers and personal experience papers. The distribution of papers per type has been visualised in Figure 5.

4.4 What are the applied research strategies and data generation methods for studies that discuss the human aspects of ransomware?

The most applied research strategy is the survey strategy, which is used by 35 papers, 27 of them using only the survey strategy. Among the survey studies, the most applied data generation method is the questionnaire, which is used in 20 studies, followed by the interview method, used in 15 studies. Documents were used in nine studies and observations in one study. One study used “quizzes” generated by software that adapted to each participant’s knowledge level. Interviews plus questionnaires were the most popular combination of data generation methods, used by three studies. Tied for second-most applied research strategy are the design and creation strategy and the experiment strategy, each used by six studies. The experiment strategy and the design and creation strategy were often used in combination with a survey strategy.

Four papers used game theory to investigate how different ransomware scenarios might play out, but did not state a research strategy and did not fit any of those defined by Oates (2006). Similarly, one study simulated a ransomware attack against the employees of a pharmaceutical company, but cannot be classified as having used any of the strategies, as there was no survey of participants or documents, no experimental design and no creation of a new IT artefact. These papers are recorded as “Other”. Papers for which no research method could be deduced were classified as “None”. Fifteen articles did not specify a research strategy, and 23 did not specify a data generation method. Table 5 and Table 6 show the distribution of research strategies and data generation methods, respectively.

4.5 What are the types of participants used in studies that discuss the human aspects of ransomware?

As mentioned in the methodology, the purpose of this question is to identify the groups that are included as participants in studies on the human aspects of ransomware. Thirty-four of the papers used participants in their study, and 25 papers did not. Some papers used more than one type of participant. For example, Kollek et al. (2021) used two types of participants, i.e. physicians and nurses. To answer this question, we had to group some of the different types of participants. Based on our results, which can be seen in Table 7, the two groups that were used most often as participants were students and cybersecurity professionals. Out of all the papers that used participants within their study, students and cybersecurity professionals were used in 20.6% of the papers. Medical staff were used in 17.6% of papers involving participants. Ransomware victims, as well as university staff, were in joint third position, with both groups being used in five out of 34 papers (14.7%) that involved participants. At the opposite end of the scale, public-sector employees were only represented as participants in two papers (5.9%). IT experts, senior management, parents of students, law enforcement, hackers and private sector employees were only mentioned as participants within one paper each.

Of the papers that used ransomware victims as participants (Button et al., 2021; Connolly and Wall, 2019; Sabharwal and Sharma, 2020; Shinde et al., 2016; Uandykova et al., 2020), one interesting observation was that all five of these papers used a survey strategy that relied on self-reporting from the victims.

4.6 What theories are used in studies that discuss the human aspects of ransomware?

Nine of the 59 papers explicitly stated that they used at least one theory. Six different theories were identified, the most featured one being game theory, which was used in four papers. This is followed by the theory of planned behaviour (TPB), which was used in two of the papers. Protection motivation theory (PMT), routine activity theory (RAT), communicative constitution of organisation (CCO) theory and Agamben’s (2005) “state of exception” were used in one paper each. The majority of the included articles (i.e. 50) did not use a theory. Table 8 shows the distribution of theories in the included articles.

4.6.1 Game theory.

Game theory was used by Caporusso et al. (2019), Dey and Lahiri (2021), Cartwright and Cartwright (2019) and Laszka et al. (2017) to examine ransomware scenarios. Using game theory to study ransomware attack scenarios allowed the researchers to analyse the potential strategies of the victim and the attacker, and demonstrate the outcomes of these different strategies. As well as game theory, Dey and Lahiri (2021) used a Markov decision process (MDP) to set up a multi-period game in which the decision of a firm to pay the ransom increases the probability of future attacks.
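To make the multi-period reasoning concrete, the following is an added illustration written for this page, not code from Dey and Lahiri (2021) or from the authors of this study: a toy Markov decision process in which paying the ransom raises the firm's future attack probability, evaluated by value iteration. Every state, transition, probability, cost and discount factor below is a constructed assumption, not a figure reported on this page.

```python
"""Toy multi-period ransomware MDP (constructed example; all numbers are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAY = "pay"
REFUSE = "refuse"


@dataclass(frozen=True)
class RansomModel:
    """State s = how much attacker attention the firm currently draws (0 = least).

    attack_prob[s]: probability of being attacked in a period while in state s.
    ransom:         immediate cost of paying; attention then rises to s + 1 (capped).
    recovery:       immediate cost of refusing and restoring; attention falls to s - 1.
    gamma:          per-period discount factor.
    The defaults are constructed assumptions chosen only to illustrate the dynamic.
    """
    attack_prob: Tuple[float, ...] = (0.1, 0.4, 0.8)
    ransom: float = 1.0
    recovery: float = 2.0
    gamma: float = 0.9

    @property
    def states(self) -> range:
        return range(len(self.attack_prob))

    def step(self, s: int, action: str) -> Tuple[float, int]:
        """Immediate cost and next state after an attack in state s under `action`."""
        last = len(self.attack_prob) - 1
        if action == PAY:
            return self.ransom, min(s + 1, last)   # paying invites repeat attacks
        return self.recovery, max(s - 1, 0)       # refusing makes the firm a poorer target


def evaluate_policy(m: RansomModel, policy: Dict[int, str], iters: int = 2000) -> List[float]:
    """Expected discounted cost per starting state under a fixed state -> action policy.

    In each period an attack occurs with probability attack_prob[s]; otherwise the
    firm pays nothing and stays in the same state.
    """
    v = [0.0] * len(m.attack_prob)
    for _ in range(iters):
        new = []
        for s in m.states:
            p = m.attack_prob[s]
            cost, nxt = m.step(s, policy[s])
            new.append(p * (cost + m.gamma * v[nxt]) + (1 - p) * m.gamma * v[s])
        v = new
    return v


def value_iteration(m: RansomModel, iters: int = 2000) -> Tuple[List[float], Dict[int, str]]:
    """Bellman iteration over the two actions; returns optimal costs and policy."""
    v = [0.0] * len(m.attack_prob)
    for _ in range(iters):
        new = []
        for s in m.states:
            p = m.attack_prob[s]
            best = min(cost + m.gamma * v[nxt]
                       for cost, nxt in (m.step(s, a) for a in (PAY, REFUSE)))
            new.append(p * best + (1 - p) * m.gamma * v[s])
        v = new
    policy = {}
    for s in m.states:
        q = {a: m.step(s, a)[0] + m.gamma * v[m.step(s, a)[1]] for a in (PAY, REFUSE)}
        policy[s] = min(q, key=q.get)
    return v, policy


def myopic_choice(m: RansomModel) -> str:
    """A single-period view compares only the immediate costs and ignores future attacks."""
    return PAY if m.ransom < m.recovery else REFUSE


if __name__ == "__main__":
    model = RansomModel()
    always_pay = evaluate_policy(model, {s: PAY for s in model.states})
    never_pay = evaluate_policy(model, {s: REFUSE for s in model.states})
    v_star, best_policy = value_iteration(model)
    print("myopic choice:     ", myopic_choice(model))
    print("always pay, cost:  ", [round(x, 3) for x in always_pay])
    print("never pay, cost:   ", [round(x, 3) for x in never_pay])
    print("optimal policy:    ", best_policy)
```

With the assumed parameters the single-period view says pay (ransom 1.0 is below recovery 2.0), while the multi-period model says refuse in every state because each payment raises the chance of the next attack.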

4.6.2 Theory of planned behaviour.

Chandarman and Van Niekerk (2017) and Singh and Singh (2022) used the TPB to investigate individuals’ cyber security awareness as well as their intentions to adopt and comply with computer security measures. The ransomware threat is one cyber security issue examined.

4.6.3 Protection motivation theory.

Ophoff and Lakay (2019) examined users’ motivation to adopt protective measures against ransomware, using PMT as their theoretical foundation. They found support for using this theory in the context of the ransomware threat. Ophoff and Lakay (2019) discovered that if a person believes that the effects of falling victim to ransomware will be severe, and that they are vulnerable to such an attack, they will feel fear. This in turn can cause them to take measures that will help them to avoid ransomware victimisation, or mitigate the effects if they do fall victim.

4.6.4 Routine activity theory.

Ghazi-Tehrani and Pontell (2021) showed the utility of the RAT in the context of cybercrime. They stated that RAT is a criminological theory used to explain victimology. Ghazi-Tehrani and Pontell (2021) also suggested that their findings from using RAT should be built upon to further explain ransomware victimisation.

4.6.5 Communicative constitution of organisation (CCO) theory and “state of exception”.

Knebel et al. (2021) combined CCO theory and “state of exception” from Agamben (2005) to explain ransomware attacks. The authors likened organisations getting hit by ransomware attacks to “the historical state of siege” (p. 95) that would occur when an army besieges a city, as the ransomware attack disrupts the organisation and causes a state of exception where communication halts.

4.7 What challenges do researchers of studies into the human aspects of ransomware encounter?

After analysing each paper and collating the results, we noticed that many papers do not report challenges that the researchers faced in trying to carry out their research. In total, 13 out of 59 papers provided us with input to answer this question. Table 9 shows the ten challenges identified. Some challenges were mentioned by several papers, and other challenges were only mentioned by a single paper. Sections 4.7.1 to 4.7.10 describe each of the identified challenges.

4.7.1 C1 – being hit by ransomware is a sensitive or embarrassing subject.

This was the most common challenge reported within the papers reviewed. Hull et al. (2019) wrote that they had to amend the scope of their research due to the fact that being hit with ransomware can be a sensitive topic. Three papers (Simoiu et al., 2019; Zhao et al., 2019; Zhao et al., 2018) mentioned social-desirability bias as a challenge, which Zhao et al. (2018) described as a situation in which participants try to answer questions in a way that they believe others will look upon favourably. Simoiu et al. (2019) provided an example of this: participants felt too embarrassed to report that they had paid a ransom.

4.7.2 C2 – relying on self-reporting.

This was the second most reported challenge and, in some aspects, could be related to the first challenge. Zhang-Kennedy et al. (2018) stated that as their study relied on self-reporting, it is possible that participants misremembered or left out details, or selectively shared with the researchers. Simoiu et al. (2019) relied on participants correctly identifying a ransomware attack and mentioned that a limitation of their research was that they could not guarantee that ransomware attacks were identified correctly. Zhao et al. (2018) and Zhao et al. (2019) mentioned that recall bias could be a factor to overcome when conducting such research.

4.7.3 C3 – simulating the impact of a real ransomware incident is not possible.

The third challenge alludes to the fact that, due to ethical or legal concerns, some aspects of ransomware research are difficult or impossible to conduct. For example, Yilmaz et al. (2021) noted that it is not possible to construct a real ransomware incident where the participant is presented with “a surprising and stressful scenario of their files being encrypted in front of their eyes” (p. 5). Arief et al. (2020) also mentioned that if participants are expecting to see a ransomware splash screen within a study, this might have a lesser impact on the participants than if they were presented with the splash screen during a real ransomware attack.

4.7.4 C4 – data availability for cybercrimes.

Ghazi-Tehrani and Pontell (2021, p. 334) stated that “while data availability for cyber-crime are increasing, there remains a noticeable lack compared to other subfields of criminology”. Likewise, Knebel et al. (2021) stated that “given the sensitivity of the subject, reliable statistics on ransomware attacks are inconclusive” (p. 103). A lack of accurate reporting of the statistics and available information about attacks could potentially make it more difficult to find suitable participants or cases to study.

4.7.5 C5 – non-transparency and secrecy about cyberattacks.

Similar in nature to the first challenge, non-transparency and secrecy about ransomware attack instances pose a challenge to conducting research into the human aspects of ransomware. Knebel et al. (2021) mentioned that fear of reputation loss or of disclosing vulnerabilities increases the tendency of businesses to underreport cybercrimes. They stated that there can be a dependence on whistleblowers or investigative journalism to conduct studies in this field.

4.7.6 C6 – hackers who design ransomware are not available for research projects.

Another challenge to studying the human aspects of ransomware that was raised by Knebel et al. (2021) is that hackers or malware writers are not available for participation in research projects. This makes it more difficult to study the attackers’ thought processes or their moral battles.

4.7.7 C7 – restricted access to sensitive environments.

Another challenge that was raised is that some environments are restricted and therefore present obvious obstacles to researching within this field. For example, Singh and Singh (2022) mentioned that the “sensitive hospital environment, restricted access and shift rotation; made conducting fieldwork at the chosen sites, extremely challenging” (p. 252).

4.7.8 C8 – different jurisdictional boundaries and resource limitations.

Moore et al. (2019) suggested that if part of the research project is to analyse collaboration, depending on the scope of the study, jurisdictional boundaries and resource limitations can present challenges to overcome. For example, they stated that any researcher who is looking to use their method “is likely to be obliged to work through significant local negotiations and scenario evaluation in order to confirm that there are no insurmountable conflicting interests or jurisdictional barriers to collaborative incident response in their own communities of interest” (p. 7).

4.7.9 C9 – ransomware is constantly evolving.

Han et al. (2017) suggested that one potential challenge to conducting research in this area is the creativity of the attackers and that ransomware is constantly evolving. They suggested that it is very difficult to prevent the spread of ransomware because of this.

4.7.10 C10 – challenging to develop games aimed at spreading awareness.

Dion et al. (2017) focused on developing a game to increase awareness, and raised a couple of challenges that they encountered in this area. Firstly, they mentioned that creating (electronic) games requires experienced programmers and therefore is resource-dependent. Secondly, they stated that it can be quite difficult to find the right balance between entertainment and education. They stated that an overly complex gameplay could be too distracting, limiting its ability to spread awareness, and on the other hand, focusing more on education and less gameplay could result in a loss of interest in the game.

5. Discussion

Previous studies (e.g. McIntosh et al., 2022) have indicated the lack of survey studies on human aspects of ransomware. This mapping study has provided an overview of the trends and challenges in the literature on the human aspects of ransomware. The findings from this study advance the understanding of research on ransomware from the human perspective. It also identifies the challenges that can drive future research regarding human aspects of ransomware. In this section, we discuss the main findings of the mapping study, make suggestions for future research and lastly, go over the threats to the validity of the study.

5.1 Discussion of the results

5.1.1 Spikes in publication frequency coincide with major ransomware attacks.

We can see some correlation between the number of papers published relating to the human aspects of ransomware and major ransomware attacks that were widely reported in the popular press. For example, the years with the most articles published were 2017 and 2021, with 11 papers each. The year 2017 was a major one for ransomware attacks: WannaCry infected more than 200,000 computers worldwide (Dossett, 2021), and Petya ransomware, which had emerged in 2016 and continued to cause havoc (Kaspersky, 2021), reappeared as a new variant in June 2017 (Aidan et al., 2017). In 2021, there were also several widely reported ransomware attacks. Firstly, there was the attack against Kaseya, which impacted approximately 1,500 businesses worldwide (Dossett, 2021) and forced the major Swedish supermarket Coop to close its doors for six days (Truesec, 2022). That year also saw both the HSE (McNamee, 2021) and the Colonial Pipeline attacks (Kshetri and Voas, 2022) mentioned in the introduction of this paper. It should be noted that ransomware has been around since 1989 (Chesti et al., 2020); however, our results show only a very limited number of papers relating to the human aspects of ransomware before 2016. This is consistent with the findings of Ferreira (2018), who noted a lack of ransomware research before 2017. This could indicate that this area has only recently been properly considered and is therefore an area where further research is required.

5.1.2 Ransomware research tends to be retrospective and rely on self-reporting.

A survey strategy using questionnaires was found to be the most used combination of research strategy and data generation method among the papers included in this mapping study. It is likely that some of the challenges raised by the papers reviewed affected the chosen research strategy [e.g. C3 (Simulating the impact of a real ransomware incident is not possible)]. Putting participants through the stress of a real ransomware incident is a questionable strategy, as it could raise ethical and legal concerns (Yilmaz et al., 2021). One way that researchers have attempted to simulate ransomware attacks is by showing different ransomware splash screens, or by sending out fake phishing emails, the impact of which might not be comparable to a real attack, especially in a lab setting. It is also difficult to predict when a ransomware attack will occur, which, together with the secrecy surrounding this issue, makes attacks difficult to investigate in real time. Perhaps due to this, studies that examine real ransomware attacks tend to be retrospective, i.e. the researchers examine the effects of the event after it has occurred. For example, it was noted that all papers that included “ransomware victims” as a category of participants used a survey strategy, relying on self-reporting. Yet, using the survey strategy has its own limitations, one being that participants might suffer from recall bias, as discussed in C2 (Relying on self-reporting). Previous studies (e.g. Crossler et al., 2013) also indicated the challenge of acquiring access to quality data for information security behavioural studies. The challenge of relying on self-reporting has been raised by multiple sources (Krumpal, 2013; Kwak et al., 2021).

5.1.3 New artefacts tend to lack thorough evaluation.

Similarly, we can also see that design and creation research has only been used six times. It is perhaps the same unpredictability of when and whose systems will be infected by ransomware that has prevented more design and creation research from being conducted in this area. For example, if we look at the guidance for conducting design and creation research as per Oates (2006), evaluation of the design or creation is a requirement. Likewise, Hevner, March, Park and Ram’s (2004) third guideline for conducting design science is “design evaluation”, which states “the utility, quality, and efficacy of a design artefact must be rigorously demonstrated via well-executed evaluation methods” (p. 83). Therefore, researchers studying a new design or creation that aims to investigate how humans are affected by a ransomware attack may find it difficult to evaluate their creation, as they are potentially impacted by challenges C1, C3, C4, C5, C7 and potentially even C8. For example, if a researcher wanted to create a new model for predicting human behaviour when dealing with the aftermath of a ransomware attack, they may be required to find participants who are in the early stages of, or have recently suffered from, a ransomware attack, which presents an obvious challenge.

This could also help to explain why we found in our results for RQ3 that proposal of solution papers were in greater numbers than other types of papers. These papers may provide a proof of concept or proof by demonstration and therefore are not as thorough as the evaluation required in validation research. As Oates (2006, p. 116) wrote, IS researchers may find that they are expected to demonstrate the efficacy of their creation in a real-life context, which may require research strategies such as survey, case study or action research. However, the researchers may discover that they run into the same challenges listed in the previous paragraph when trying to evaluate beyond a proof of concept.

5.1.4 Lack of theories being incorporated.

Looking at the results of the study, it seems that our findings would support the argument of Sarker et al. (2013), who highlighted a lack of theories being used in qualitative IS research. Only ten out of 59 papers explicitly mentioned that they had incorporated a theory in their study. Worth mentioning is that two studies used the TPB (Chandarman and Van Niekerk, 2017; Singh and Singh, 2022), one used PMT (Ophoff and Lakay, 2019) and one study used the extended parallel process model, which incorporates elements of PMT (Masuch et al., 2021). Both TPB and PMT have been used many times to study humans’ behavioural aspects of information security (Herath and Rao, 2009; Ifinedo, 2012; Sommestad et al., 2015a, 2015b, 2019). For instance, PMT has been used as a base research model to study users’ compliance with information security policies in organisational settings. Bayl-Smith et al. (2022) investigated users’ response to a phishing attack on the basis of PMT. TPB has also been applied to examine the factors influencing internet banking users’ intention to click URLs in phishing emails (Manoharan et al., 2022). Therefore, it is slightly surprising to see so few studies adopting one of these theories in this area.

5.1.5 Students and information systems professionals are widely used as participants.

The findings of this mapping study support the claim of Lebek et al. (2014) that students and IS professionals are widely used in empirical IS security studies. Students and cybersecurity professionals were found to be the most used types of participant, each being included in seven papers. This finding is also in line with the types of participants used in general studies on human aspects of information security. For instance, Zwilling et al. (2022) used students as samples to study cyber security awareness, knowledge and behaviour. One paper used IT experts. In a recent report by Trellix (2022), also referred to by Palmer (2022), the top three sectors attacked with ransomware were banking/financial with 22%, utilities with 20% and retailers with 16%. This report has education at 9%, which does suggest that students have been over-represented within the papers reviewed as part of this study. However, a report by Sophos Ltd (2021) seems to contradict this, as it indicated that the education and retail sectors were the most targeted among the sectors reviewed, with 44% of respondents from these sectors stating that they had been attacked with ransomware. This could be an indication that the representation of students is justified.

On the other hand, among the sectors surveyed, the report by Sophos Ltd (2021) has the health-care industry quite low in their comparison of sectors hit by ransomware, at 34% of respondents from a particular sector being hit with ransomware. The report stated that the global average is 37%. They mentioned that this is slightly surprising but argued that attacks against health-care facilities may be over-represented in the popular press given their obligation to make attacks public knowledge. It could be that some of the ransomware attackers are hesitant to attack health-care facilities given the potential detrimental implications to people’s lives. For example, after the HSE attack, those in charge of the Irish health service decided not to pay, and the attackers provided them with the decryption key regardless (Schiller and Molony, 2021). This could be a very interesting topic to research; however, such a study is likely to run into the challenge we identified as C6, i.e. hackers are unavailable for research studies. When we look at the results from our study, medical staff were the joint second-most-used type of participant, and so, it could be that medical staff are actually over-represented within this field. The report by Trellix (2022) did not mention health care, and so, a comparison could not be made.

Both of these reports had retail within the top three sectors hit by ransomware, and if we look at our results, none of the papers listed retail employees as their participants. Furthermore, only one paper used senior management, and the industries from which the senior management came were listed as financial, technology, construction, transportation, education and health organisations, and therefore not retail. There does appear to be an under-representation of retail employees as well as senior management. Out of our listed challenges raised through RQ7, this under-representation may be partially due to C1, C4, C5 and C7. For example, following the HSE attack, those responsible for managing the attack refused to comment publicly on the ransom amount (Ryan, 2021), and therefore, this type of secrecy may limit the information available to researchers.

5.1.6 Lack of transparency due to ransomware being a sensitive topic.

Out of all the challenges to conducting research into the human aspects of ransomware that were identified, the most reported challenge was that being hit with ransomware is a sensitive or embarrassing topic. This can have several implications for researchers. One is that participants might only selectively share their experience with ransomware if they fear that their behaviours will be looked down upon by the researcher. It can be a sensitive subject for organisations as well, which leads to challenge number four: the non-transparency and secrecy surrounding cyberattacks. Organisations could fear losing their reputation if they admit that they have been successfully attacked with ransomware. They could also fear disclosing their vulnerabilities by opening up about their experience. Despite the risks, there are benefits to being transparent in that others can learn from their experience. Following the ransomware attack in Kalix, municipality representatives expressed their desire to be as honest and open as possible, something they wished other affected cities had done. They believed that by doing so, they would help to bring the topic to the attention of others (Larsson, 2022).

5.1.7 Practical implications.

The aim and main contribution of this mapping study lies in providing researchers with an understanding of the current trends and challenges for research in the area of human aspects of ransomware. However, there are some practical implications as well. For one, the findings highlight that being transparent about ransomware attacks, when possible, can help others. Ransomware victimisation can be a sensitive or embarrassing subject to discuss, but experiences should be shared. Secondly, senior management plays an important role in shaping the information security culture of an organisation, whether to have a culture of transparency or of secrecy. The culture of the organisation in turn affects employees’ perceptions, attitudes and behaviours. If an employee falls victim to ransomware and is ashamed or afraid to admit it, that can worsen the situation. Thirdly, this study reinforces the need to include relevant solutions to address the identified challenges with studying the human aspects of ransomware. In addition to advanced technologies defending against ransomware attacks, human aspects of ransomware need to be equally accounted for to mitigate and prevent ransomware attacks. For instance, the challenges identified in this study provide some opportunities to further explore the relationship between humans and ransomware attacks in organisational settings. As a result, this would offer some additional insights for building secure information security environments in organisational settings.

The human aspects of ransomware and of general information security exhibit both similarities and differences. While they share commonalities in the importance of awareness programmes and educational training, they differ in how human behaviours are exploited and influenced. For instance, ransomware encrypts files and data, making them inaccessible to users, whereas phishing attacks aim to extract sensitive information (e.g. login credentials, personal data) from users. Consequently, these lead to different responses from users. Ransomware attacks may prompt changes in security behaviour among users and organisations (e.g. regular data backups to mitigate the impact of ransomware attacks), while phishing attacks can enhance users’ security behaviours, such as scrutinising incoming messages, verifying sender identities and refraining from clicking on unknown web links.

Despite these differences, both types of attacks highlight the critical role of information security awareness programmes and users’ security education training. Some users may unintentionally facilitate ransomware attacks by clicking on malicious links or downloading infected files, while others may inadvertently aid phishing attacks by disclosing sensitive information in response to deceptive communications (e.g. emails). Thus, well-designed information security awareness programmes and users’ security education training are essential in mitigating the risks posed by both ransomware and phishing attacks. For instance, gamified concepts can be used to create information security awareness programmes.

5.2 Suggestions for future research

We now present three suggestions for future research based on the results of this mapping study.

5.2.1 Diversify the selection of participants.

As pointed out during the discussion and as can be seen from our results, students and IS professionals were two of the most included groups as participants in studies related to the human aspects of ransomware. Only one study mentioned that it included senior management as a category of participants. This is surprising within the study of the human aspects of ransomware, given that it has been shown that information security culture comes from the top of the organisation (da Veiga and Eloff, 2007; Hu et al., 2012). Individual differences can be an important factor in explaining differences in users’ information security behaviour when it comes to ransomware attacks. Therefore, based on our findings, we believe that there is a need for more studies that include senior management as participants. The inclusion of senior management from many different companies could allow for an analysis between senior management who have had to deal with a ransomware attack during the duration of the study and those who did not.

Secondly, we identified through our research that there is a lack of studies that include retail employees, yet the retail sector has been identified as among the top targets for ransomware by the attackers (Sophos Ltd, 2021; Trellix, 2022). Therefore, this would be an interesting group to study. A comparative study using a survey strategy could potentially investigate why it is that this group is targeted more than others.

5.2.2 Study the ransomware threat first-hand.

We noticed through our results that all papers that stated that they used ransomware victims as a category of participants relied on a survey strategy and were dependent upon self-reporting. Other studies have tried to simulate ransomware attacks through the use of experimental strategies, which have limited impact in comparison to real attacks. It would therefore be interesting if research in this area could entail the researchers being directly involved, or at least observing first-hand, the immediate response to a ransomware attack. This could be through, for example, a case study or action research approach, two approaches that we could not identify in any of the papers we reviewed. These types of study designs may be challenging to implement due to the spontaneous nature of ransomware attacks and the fact that non-transparency and secrecy appear to be so widespread. If achieved, however, it would provide the information security community great insight into human attitudes and behaviours during the efforts to respond to a ransomware attack, and such a strategy could overcome the limitations presented by self-reporting and simulations. Being given access to the aftermath of a ransomware attack could also mean that researchers creating new artefacts are able to evaluate them in a real-life context.

5.2.3 Study the ransomware threat through the lens of information systems theories.

Lastly, future studies into the human aspects of ransomware should try to incorporate relevant theories such as PMT and TPB. There is good support for using these theories to study individuals’ security behaviours (Ifinedo, 2012) and, given that ransomware is increasingly attempting to exploit human vulnerabilities (ENISA, 2021), there is merit in using them. Specifically, Ophoff and Lakay (2019) found great support for using PMT in the context of the ransomware threat but suggest that future research should further examine the fear appeal element of the theory.

5.3 Threats to validity

The goal of a systematic mapping study is to provide a broad overview of the topic of investigation. To do so accurately requires that the researchers can identify all the relevant studies. Missing relevant papers can be a threat to the validity of a systematic mapping study (Petersen et al., 2015). In our case, we might have missed relevant papers because we searched only two databases (i.e. Scopus and Web of Science), or because the search string was not effective. The adoption of the snowballing technique was an attempt to increase our chances of finding articles not covered by our search string or selection of databases. The search string was adapted from our chosen definition of “human aspects of ransomware”: the perceptions, attitudes and behaviour of people in relation to ransomware. This definition also inspired our inclusion criteria. Using this definition affected which papers we decided to include in this study, but using a different definition could have produced other results.

Another threat to validity is researcher bias during the data extraction and classification phase, specifically when sorting papers for RQ3 and RQ4. We used the classification scheme proposed by Wieringa et al. (2006) to sort papers, and although these authors described what characterises the different types of papers, the sorting is still subjective and could have affected our results. When sorting papers according to their research strategy, although we tried to sort only according to what is mentioned in a paper, we sometimes had to make our own interpretations based on Oates’s (2006) descriptions. In an attempt to combat researcher bias, we reviewed each other’s data extractions and classifications, as advised by Petersen et al. (2015). We also performed extractions on five selected articles and compared forms, as advised by Kitchenham (2004).

Another validity concern regarding our data classification, and specifically RQ4, is that researchers might report that they have used a certain strategy or method in their study, but upon closer inspection, it could be the case that the strategy or method has not been carried out in accordance with its definition (Petersen et al., 2008). This could lead to us reporting skewed results as the methodology was not examined in as much detail as one would in a systematic review, for example. However, Petersen et al. (2008) believe that because a mapping study can consider more papers than a systematic review, this threat is somewhat alleviated.

The last threat to validity relates to RQ5. There is a possibility that the categories of participants are overlapping. For example, two of the groups are “ransomware victims” and “ransomware non-victims” and only studies that have clearly described their participants as belonging to one of these groups are counted here. We cannot know for sure whether the other types of participants have suffered from a ransomware attack or not, if this was not specified in the study. This means that the numbers for these two categories only take into consideration the studies where ransomware victimisation or non-victimisation of participants is explicitly mentioned. This is also the case for other categories; a participant might in reality belong to more than one group but is only categorised according to what is mentioned in the study.

6. Conclusions

This paper presented a systematic mapping study that analysed the challenges and trends of research into the human aspects of ransomware. This mapping study followed a method proposed by Petersen et al. (2008). Out of 310 papers found through the Scopus and Web of Science databases, 36 were relevant for our study. Following this, and to ensure that as many relevant papers as possible were included in our paper, we used backwards snowballing, which left us with a total of 59 papers reviewed. We mapped each of the papers by publication channel, year of publication, type of paper (using the classification scheme proposed by Wieringa et al. (2006)), research strategy and data generation methods, the types of participants included and lastly, by the theories used in each paper. Furthermore, we identified specific challenges that were encountered by the researchers in their attempts to study the human aspects of ransomware.

The results indicate that papers that have been published in this area are split between journals and conference papers with a higher proportion published in journals. We have highlighted that although ransomware has been around since 1989, research studying the human aspects of ransomware was scarce prior to 2016, but has significantly increased since then, indicating that this is a relatively recent topic of interest for researchers. We found that out of all papers reviewed, papers classified as proposal of solution were the most abundant, while philosophical and personal experience papers were the least published papers in this area. We found that the survey research strategy was the most commonly used, while students and cybersecurity professionals were the most frequently used participants. We found that many papers did not use theories for their research but, from those that did, game theory was used most often. Out of the challenges encountered by researchers in this field, the most reported was that being hit with ransomware is a sensitive or embarrassing subject, and this can make it difficult for researchers to find participants for their studies. This can in turn put limitations on the type of research that can be done in this area of study.

This study offers some insight to assist future researchers who wish to study the human aspects of ransomware, by:

  • highlighting challenges faced when conducting research in this area so that researchers can better plan their studies from the beginning; and

  • suggesting areas where further research is required and thereby calling attention to potential research gaps, which could be considered for further exploration.

Figures

Figure 1. The systematic mapping process

Figure 2. The literature search and screening process

Figure 3. Publication channel type

Figure 4. Number of articles per publication year

Figure 5. Number of articles per paper type

Themes covered by previous reviews

Paper(s) Themes covered
McIntosh et al. (2022) Technical (programmatic and data-centric) and human-focused (user-centric) approaches to combat ransomware
Kapoor et al. (2021) Technical aspects of ransomware detection and mitigation, human aspects of ransomware avoidance
Oz et al. (2022) Ransomware and ransomware defence research with respect to PCs/workstations, mobile devices and IoT/CPS platforms
Beaman et al. (2021) Technical aspects, focusing mainly on the efficacy of anti-ransomware products, and user awareness
Kok et al. (2019) Technical aspects of detection and analysis techniques
Ferreira (2018) Overview of current research into ransomware. Calls for more research into social-technical solutions to help manage human aspects

Source: Created by authors

RQs and motivation

RQs Motivation
RQ1. What are the main publication channels for research on the human aspects of ransomware? To identify where research on the human aspects of ransomware can be found as well as relevant publication outlets for future studies
RQ2. What are the trends in the publication frequency for research on the human aspects of ransomware? To identify the publication trends on research into human aspects of ransomware over time
RQ3. What are the types of papers published that discuss the human aspects of ransomware? To gain a good understanding of different types of studies published in the current literature into the human aspects of ransomware
RQ4. What are the applied research strategies and data generation methods for studies that discuss the human aspects of ransomware? To discover applied research strategies and data generation methods that have been used in the current literature into the human aspects of ransomware
RQ5. What are the types of participants used in studies that discuss the human aspects of ransomware? To explore types of participants that reported, in the current literature, on the human aspects of ransomware
RQ6. What theories are used in studies that discuss the human aspects of ransomware? To outline theories that have been used in the current literature on the human aspects of ransomware
RQ7. What challenges do researchers of studies into the human aspects of ransomware encounter? To identify challenges reported by researchers of the current literature into the human aspects of ransomware

Source: Created by authors

Inclusion and exclusion criteria

Inclusion criteria
  • Studies that discuss people’s perceptions, attitudes and/or behaviours in relation to ransomware

Exclusion criteria
  • Studies that do not address how people’s perceptions, attitudes and/or behaviours affect or are affected by ransomware attacks
  • Articles that are not in English
  • Papers where the stated main output is a systematic literature review or mapping study
  • Book chapters
  • Studies not accessible in full text
  • Duplicate studies

Source: Created by authors

Data extraction form

Data item Value RQ
Study ID N/A
Title N/A
Author(s) N/A
Publication channel RQ1
Publication year RQ2
Paper type RQ3
Research strategy and data generation method RQ4
Participants RQ5
Theory used RQ6
Challenges RQ7

Source: Created by authors

Distribution of research strategies

Research strategy No. References
Survey 35 (Abu-Amara et al., 2021; Agarwal and Singhal, 2017; Ali et al., 2016; Arief et al., 2020; Bello and Maurushat, 2020; Button et al., 2021; Byrne and Thorpe, 2017; Cartwright et al., 2019; Chandarman and Van Niekerk, 2017; Chandra et al., 2022; Connolly and Wall, 2019; Dion et al., 2017; Ghazi-Tehrani and Pontell, 2021; Hull et al., 2019; Kabil et al., 2018a, 2020; Kandasamy et al., 2022; Knebel et al., 2021; Kollek et al., 2021; Lika et al., 2018; Masuch et al., 2021; Moore et al., 2019; Ophoff and Lakay, 2019; Priestman et al., 2019; Sabharwal and Sharma, 2020; Sannd and Cook, 2018; Shammugam et al., 2021; Shinde et al., 2016; Simoiu et al., 2019; Singh and Singh, 2022; Uandykova et al., 2020; Yilmaz et al., 2021; Zhang-Kennedy et al., 2018; Zhao et al., 2018; Zhao et al., 2019)
Design and creation 6 (Agarwal and Singhal, 2017; Byrne and Thorpe, 2017; Han et al., 2017; Lika et al., 2018; Kabil et al., 2018b; Tan et al., 2020)
Experiment 6 (Abu-Amara et al., 2021; Arief et al., 2020; Cartwright et al., 2019; Kabil et al., 2020; Yeom et al., 2021; Yilmaz et al., 2021)
Other:
  • Examine scenarios using game theory 4 (Caporusso et al., 2019; Cartwright and Cartwright, 2019; Dey and Lahiri, 2021; Laszka et al., 2017)
  • Simulated ransomware attack 1 (Gallegos-Segovia et al., 2017)
None 15 (Brewer, 2016; Everett, 2016; Feeley et al., 2021; Fimin, 2017; Giri and Jyoti, 2006; Kenyon and McCafferty, 2016; Luo and Liao, 2007; Mansfield-Devine, 2016; Mansfield-Devine, 2017; Muthuppalaniappan and Stevenson, 2021; Pope, 2016; Richardson and North, 2017; Simmonds, 2017; Sittig and Singh, 2016; Wall, 2015)

Source: Created by authors

Distribution of data generation methods

Methods No. References
Questionnaire 20 (Abu-Amara et al., 2021; Agarwal and Singhal, 2017; Byrne and Thorpe, 2017; Cartwright et al., 2019; Chandarman and Van Niekerk, 2017; Chandra et al., 2022; Hull et al., 2019; Kabil et al., 2018a, 2020; Kollek et al., 2021; Masuch et al., 2021; Ophoff and Lakay, 2019; Sabharwal and Sharma, 2020; Sannd and Cook, 2018; Shinde et al., 2016; Simoiu et al., 2019; Singh and Singh, 2022; Yilmaz et al., 2021; Zhang-Kennedy et al., 2018; Zhao et al., 2018)
Interviews 15 (Arief et al., 2020; Bello and Maurushat, 2020; Button et al., 2021; Byrne and Thorpe, 2017; Connolly and Wall, 2019; Ghazi-Tehrani and Pontell, 2021; Hull et al., 2019; Moore et al., 2019; Sabharwal and Sharma, 2020; Shammugam et al., 2021; Shinde et al., 2016; Uandykova et al., 2020; Zhang-Kennedy et al., 2018; Zhao et al., 2018; Zhao et al., 2019)
Document 9 (Ali et al., 2016; Dion et al., 2017; Connolly and Wall, 2019; Kandasamy et al., 2022; Knebel et al., 2021; Lika et al., 2018; Priestman et al., 2019; Sabharwal and Sharma, 2020; Shinde et al., 2016)
Observation 1 (Moore et al., 2019)
Quiz 1 (Tan et al., 2020)
Other 23 (Brewer, 2016; Caporusso et al., 2019; Cartwright and Cartwright, 2019; Dey and Lahiri, 2021; Everett, 2016; Feeley et al., 2021; Fimin, 2017; Gallegos-Segovia et al., 2017; Giri and Jyoti, 2006; Han et al., 2017; Kabil et al., 2018b; Kenyon and McCafferty, 2016; Laszka et al., 2017; Luo and Liao, 2007; Mansfield-Devine, 2016; Mansfield-Devine, 2017; Muthuppalaniappan and Stevenson, 2021; Pope, 2016; Richardson and North, 2017; Simmonds, 2017; Sittig and Singh, 2016; Wall, 2015; Yeom et al., 2021)

Source: Created by authors

The types of participants used in the included articles

Types of participants No. References
Students 7 (Agarwal and Singhal, 2017; Cartwright et al., 2019; Chandarman and Van Niekerk, 2017; Hull et al., 2019; Kabil et al., 2020; Ophoff and Lakay, 2019; Zhang-Kennedy et al., 2018)
Cybersecurity professionals 7 (Agarwal and Singhal, 2017; Chandra et al., 2022; Ghazi-Tehrani and Pontell, 2021; Hull et al., 2019; Kabil et al., 2018a, 2018b; Moore et al., 2019; Tan et al., 2020)
Medical staff 6 (Kollek et al., 2021; Priestman et al., 2019; Singh and Singh, 2022; Zhao et al., 2019; Zhao et al., 2018)
University staff 5 (Arief et al., 2020; Ghazi-Tehrani and Pontell, 2021; Ophoff and Lakay, 2019; Zhang-Kennedy et al., 2018)
Ransomware victims 5 (Button et al., 2021; Connolly and Wall, 2019; Sabharwal and Sharma, 2020; Shinde et al., 2016; Uandykova et al., 2020)
Random sample 4 (Masuch et al., 2021; Sannd and Cook, 2018; Simoiu et al., 2019; Yilmaz et al., 2021)
Ransomware non-victims 2 (Sabharwal and Sharma, 2020; Shinde et al., 2016)
Non-tech employees 2 (Byrne and Thorpe, 2017; Tan et al., 2020)
Employees (unspecified) 2 (Abu-Amara et al., 2021; Gallegos-Segovia et al., 2017)
Public sector employees (government) 2 (Moore et al., 2019; Shammugam et al., 2021)
IT experts 1 (Kandasamy et al., 2022)
Senior management 1 (Bello and Maurushat, 2020)
Parents of students 1 (Agarwal and Singhal, 2017)
Law enforcement 1 (Connolly and Wall, 2019)
Hackers 1 (Ghazi-Tehrani and Pontell, 2021)
Private sector employees 1 (Moore et al., 2019)
No participants 25 (Ali et al., 2016; Brewer, 2016; Caporusso et al., 2019; Cartwright and Cartwright, 2019; Dey and Lahiri, 2021; Dion et al., 2017; Everett, 2016; Feeley et al., 2021; Fimin, 2017; Giri and Jyoti, 2006; Han et al., 2017; Kenyon and McCafferty, 2016; Knebel et al., 2021; Laszka et al., 2017; Lika et al., 2018; Luo and Liao, 2007; Mansfield-Devine, 2016, 2017; Muthuppalaniappan and Stevenson, 2021; Pope, 2016; Richardson and North, 2017; Simmonds, 2017; Sittig and Singh, 2016; Wall, 2015; Yeom et al., 2021)

Source: Created by authors

Distribution of theories used in the articles

Theory No. References
Game theory 4 (Cartwright and Cartwright, 2019; Caporusso et al., 2019; Dey and Lahiri, 2021; Laszka et al., 2017)
TPB 2 (Chandarman and Van Niekerk, 2017; Singh and Singh, 2022)
PMT 1 (Ophoff and Lakay, 2019)
RAT 1 (Ghazi-Tehrani and Pontell, 2021)
CCO theory 1 (Knebel et al., 2021)
Agamben’s (2005) “state of exception” 1 (Knebel et al., 2021)
None 50 (Abu-Amara et al., 2021; Agarwal and Singhal, 2017; Ali et al., 2016; Arief et al., 2020; Bello and Maurushat, 2020; Brewer, 2016; Button et al., 2021; Byrne and Thorpe, 2017; Cartwright et al., 2019; Chandra et al., 2022; Connolly and Wall, 2019; Dion et al., 2017; Everett, 2016; Feeley et al., 2021; Fimin, 2017; Gallegos-Segovia et al., 2017; Giri and Jyoti, 2006; Han et al., 2017; Hull et al., 2019; Kabil et al., 2018a, 2018b, 2020; Kandasamy et al., 2022; Kenyon and McCafferty, 2016; Kollek et al., 2021; Lika et al., 2018; Luo and Liao, 2007; Mansfield-Devine, 2016; Mansfield-Devine, 2017; Masuch et al., 2021; Moore et al., 2019; Muthuppalaniappan and Stevenson, 2021; Pope, 2016; Priestman et al., 2019; Richardson and North, 2017; Sabharwal and Sharma, 2020; Sannd and Cook, 2018; Shammugam et al., 2021; Shinde et al., 2016; Simmonds, 2017; Simoiu et al., 2019; Sittig and Singh, 2016; Tan et al., 2020; Uandykova et al., 2020; Wall, 2015; Yeom et al., 2021; Yilmaz et al., 2021; Zhang-Kennedy et al., 2018; Zhao et al., 2018; Zhao et al., 2019)

Source: Created by authors

The identified challenges

Categories of challenges No. References
C1. Being hit by ransomware is a sensitive or embarrassing subject 5 (Hull et al., 2019; Simoiu et al., 2019; Zhang-Kennedy et al., 2018; Zhao et al., 2019; Zhao et al., 2018)
C2. Relying on self-reporting 4 (Simoiu et al., 2019; Zhang-Kennedy et al., 2018; Zhao et al., 2019; Zhao et al., 2018)
C3. Simulating the impact of a real ransomware incident is not possible 2 (Arief et al., 2020; Yilmaz et al., 2021)
C4. Data availability for cybercrimes 2 (Ghazi-Tehrani and Pontell, 2021; Knebel et al., 2021)
C5. Non-transparency and secrecy about cyberattacks 1 (Knebel et al., 2021)
C6. Hackers designing ransomware are not available for research projects 1 (Knebel et al., 2021)
C7. Restricted access to sensitive environments 1 (Singh and Singh, 2022)
C8. Different jurisdictional boundaries and resource limitations 1 (Moore et al., 2019)
C9. Ransomware is constantly evolving 1 (Han et al., 2017)
C10. Challenging to develop games aimed at spreading awareness 1 (Dion et al., 2017)

Source: Created by authors

Publication channels of the included papers

Publication channels No. References
JOURNALS
Computer Fraud & Security 4 (Everett, 2016; Fimin, 2017; Mansfield-Devine, 2017; Simmonds, 2017)
Network Security 2 (Brewer, 2016; Mansfield-Devine, 2016)
ACI – Applied Clinical Informatics 1 (Sittig and Singh, 2016)
BMJ Health and Care Informatics 1 (Priestman et al., 2019)
Computers and Security 1 (Connolly and Wall, 2019)
Crime Science 1 (Hull et al., 2019)
Disaster Medicine and Public Health Preparedness 1 (Kollek et al., 2021)
Education and Information Technologies 1 (Tan et al., 2020)
Entrepreneurship and Sustainability Issues 1 (Uandykova et al., 2020)
Games 1 (Cartwright and Cartwright, 2019)
IEEE Access 1 (Kandasamy et al., 2022)
Indonesian Journal of Electrical Engineering and Computer Science 1 (Shammugam et al., 2021)
Information Systems Security 1 (Luo and Liao, 2007)
Innovations in Clinical Neuroscience 1 (Pope, 2016)
International Conference on Computing, Analytics and Security Trends (CAST) 1 (Shinde et al., 2016)
International Journal For Quality In Health Care 1 (Muthuppalaniappan and Stevenson, 2021)
International Journal of Information Technology 1 (Abu-Amara et al., 2021)
International Management Review 1 (Richardson and North, 2017)
Issues in Information Systems 1 (Ali et al., 2016)
ITNOW 1 (Kenyon and McCafferty, 2016)
Journal of Information Security and Applications 1 (Yilmaz et al., 2021)
Journal of Information, Communication and Ethics in Society 1 (Knebel et al., 2021)
Journal of Surgical Education 1 (Zhao et al., 2019)
Journal of Surgical Research 1 (Zhao et al., 2018)
Journal of Theoretical and Applied Information Technology 1 (Singh and Singh, 2022)
Multimedia Tools and Applications 1 (Yeom et al., 2021)
Sustainability 1 (Chandra et al., 2022)
The African Journal of Information and Communication (AJIC) 1 (Chandarman and Van Niekerk, 2017)
The European Review of Organised Crime 1 (Wall, 2015)
The Surgeon: Journal of The Royal Colleges of Surgeons of Edinburgh And Ireland 1 (Feeley et al., 2021)
Victims and Offenders 1 (Ghazi-Tehrani and Pontell, 2021)
CONFERENCES
Hawaii International Conference on System Sciences 2 (Dey and Lahiri, 2021; Masuch et al., 2021)
International Conference on Computer Science and Artificial Intelligence 2 (Dion et al., 2017; Han et al., 2017)
International Conference on Decision and Game Theory for Security 2 (Cartwright et al., 2019; Laszka et al., 2017)
27th USENIX Security Symposium 1 (Zhang-Kennedy et al., 2018)
AVAR International Conference 1 (Giri and Jyoti, 2006)
CHILEAN Conference on Electrical, Electronics Engineering, Information and Communication Technologies (CHILECON) 1 (Gallegos-Segovia et al., 2017)
Computer Science On-line Conference 1 (Bello and Maurushat, 2020)
European Conference on Cyber Warfare and Security 1 (Byrne and Thorpe, 2017)
International Conference on Applied Human Factors and Ergonomics 1 (Caporusso et al., 2019)
International Conference on Augmented Reality, Virtual Reality and Computer Graphics 1 (Kabil et al., 2020)
International Conference on Cooperative Design, Visualization, and Engineering 1 (Kabil et al., 2018a, 2018b)
International Conference on Cyber Situational Awareness, Data Analytics And Assessment (CyberSA) 1 (Moore et al., 2019)
International Conference on Emerging Technology in Modelling and Graphics 1 (Sabharwal and Sharma, 2020)
International Conference on Information Processing 1 (Sannd and Cook, 2018)
International Conference on Information Systems Security 1 (Kabil et al., 2018b)
International Conference on Information Systems Security and Privacy 1 (Arief et al., 2020)
International Conference on Smart Computing and Electronic Enterprise 1 (Lika et al., 2018)
International Conference on Theory and Practice of Electronic Governance 1 (Agarwal and Singhal, 2017)
International Information Security Conference 1 (Ophoff and Lakay, 2019)
SOUPS'19: Proceedings of the Fifteenth USENIX Conference on Usable Privacy and Security 1 (Simoiu et al., 2019)

Source: Created by authors

Appendix

Table A1

References

Abraham, S. and Chengalur-Smith, I. (2010), “An overview of social engineering malware: Trends, tactics, and implications”, Technology in Society, Vol. 32 No. 3, pp. 183-196.

Abu-Amara, F., Almansoori, R., Alharbi, S., Alharbi, M. and Alshehhi, A. (2021), “A novel SETA-based gamification framework to raise cybersecurity awareness”, International Journal of Information Technology, Vol. 13 No. 6, pp. 2371-2380.

Agamben, G. (2005), State of Exception, The University of Chicago Press, Chicago.

Agarwal, C. and Singhal, A. (2017), “Securing our digital natives: a study of commonly experienced internet safety issues and a One-Stop solution”, Proceedings of the 10th International Conference on Theory and Practice of Electronic Governance, 178-186. New Delhi, India: ACM.

Aidan, J.S., Verma, H.K. and Awasthi, L.K. (2017), “Comprehensive survey on petya ransomware attack”, 2017 International Conference on Next Generation Computing and Information Systems (ICNGCIS), 122-125. Jammu: IEEE.

Ali, A., Murthy, R. and Kohun, F. (2016), “Recovering from the nightmare of ransomware – how savvy users get hit with viruses and malware: a personal case study”, Issues in Information Systems, Vol. 17 No. IV, pp. 58-69.

Andronio, N., Zanero, S. and Maggi, F. (2015), “HelDroid: Dissecting and detecting mobile ransomware”, in Bos, H., Monrose, F. and Blanc, G. (Eds), Research in Attacks, Intrusions, and Defenses, Springer International Publishing, Cham, pp. 382-404.

Arief, B., Periam, A., Cetin, O. and Hernandez-Castro, J. (2020), “Using eyetracker to find ways to mitigate ransomware”, Proceedings of the 6th International Conference on Information Systems Security and Privacy, 448-456. Valletta, Malta: SCITEPRESS - Science and Technology Publications.

Bayl-Smith, P., Taib, R., Yu, K. and Wiggins, M. (2022), “Response to a phishing attack: persuasion and protection motivation in an organizational context”, Information and Computer Security, Vol. 30 No. 1, pp. 63-78.

Beaman, C., Barkworth, A., Akande, T.D., Hakak, S. and Khan, M.K. (2021), “Ransomware: Recent advances, analysis, challenges and future research directions”, Computers and Security, Vol. 111, p. 102490.

Bekkers, L., van 't Hoff-de Goede, S., Misana-ter Huurne, E., van Houten, Y., Spithoven, R. and Leukfeldt, E.R. (2023), “Protecting your business against ransomware attacks? Explaining the motivations of entrepreneurs to take future protective measures against cybercrimes using an extended protection motivation theory model”, Computers and Security, Vol. 127, p. 103099.

Bello, A. and Maurushat, A. (2020), “Technical and behavioural training and awareness solutions for mitigating ransomware attacks”, in Silhavy, R. (Ed.), Applied Informatics and Cybernetics in Intelligent Systems, Springer International Publishing, Cham, pp. 164-176.

Brewer, R. (2016), “Ransomware attacks: Detection, prevention and cure”, Network Security, Vol. 2016 No. 9, pp. 5-9.

Budgen, D., Turner, M., Brereton, P. and Kitchenham, B. (2008), “Using mapping studies in software engineering”, Proceedings of PPIG 2008, 195-204. Lancaster University.

Button, M., Blackbourn, D., Sugiura, L., Shepherd, D., Kapend, R. and Wang, V. (2021), “From feeling like rape to a minor inconvenience: Victims’ accounts of the impact of computer misuse crime in the United Kingdom”, Telematics and Informatics, Vol. 64, p. 101675.

Byrne, D. and Thorpe, C. (2017), “Jigsaw: an investigation and countermeasure for ransomware attacks”, Presented at the European Conference on Cyber Warfare and Security, Reading.

Campbell, C.C. (2019), “Solutions for counteracting human deception in social engineering attacks”, Information Technology and People, Vol. 32 No. 5, pp. 1130-1152.

Caporusso, N., Chea, S. and Abukhaled, R. (2019), “A Game-Theoretical model of ransomware”, in Ahram, T. Z. and Nicholson, D. (Eds), Advances in Human Factors in Cybersecurity, Springer International Publishing, Cham, pp. 69-78.

Cartwright, A. and Cartwright, E. (2019), “Ransomware and reputation”, Games, Vol. 10 No. 2, p. 26.

Cartwright, A., Cartwright, E. and Xue, L. (2019), “Investing in prevention or paying for recovery—attitudes to cyber risk”, in Alpcan, T., Vorobeychik, Y., Baras, J. S. and Dán, G. (Eds), Decision and Game Theory for Security, Springer International Publishing, Cham, pp. 135-151.

Chandarman, R. and Van Niekerk, B. (2017), “Students’ cybersecurity awareness at a private tertiary educational institution”, The African Journal of Information and Communication, No. 20, pp. 133-155.

Chandra, N.A., Ratna, A.A.P. and Ramli, K. (2022), “Development and simulation of cyberdisaster situation awareness models”, Sustainability, Vol. 14 No. 3, p. 1133.

Chesti, I.A., Humayun, M., Sama, N.U. and Jhanjhi, N. (2020), “Evolution, mitigation, and prevention of ransomware”, 2020 2nd International Conference on Computer and Information Sciences (ICCIS), 1-6.

Connolly, L.Y. and Wall, D.S. (2019), “The rise of crypto-ransomware in a changing cybercrime landscape: taxonomising countermeasures”, Computers and Security, Vol. 87, p. 101568.

Connolly, L.Y., Lang, M., Gathegi, J. and Tygar, D.J. (2017), “Organisational culture, procedural countermeasures, and employee security behaviour: a qualitative study”, Information and Computer Security, Vol. 25 No. 2, pp. 118-136.

Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M. and Baskerville, R. (2013), “Future directions for behavioral information security research”, Computers and Security, Vol. 32, pp. 90-101.

da Veiga, A. and Eloff, J.H.P. (2007), “An information security governance framework”, Information Systems Management, Vol. 24 No. 4, pp. 361-372.

da Veiga, A. and Martins, N. (2015), “Improving the information security culture through monitoring and implementation actions illustrated through a case study”, Computers and Security, Vol. 49, pp. 162-176.

Desolda, G., Ferro, L.S., Marrella, A., Catarci, T. and Costabile, M.F. (2021), “Human factors in phishing attacks: a systematic literature review”, ACM Computing Surveys, Vol. 54 No. 8, pp. 1-35.

Dey, D. and Lahiri, A. (2021), “Should we outlaw ransomware payments?”, Presented at the Hawaii International Conference on System Sciences.

Dion, Y.L., Joshua, A.A. and Brohi, S.N. (2017), “Negation of ransomware via gamification and enforcement of standards”, Proceedings of the 2017 International Conference on Computer Science and Artificial Intelligence - CSAI 2017, 203-208. Jakarta, Indonesia: ACM Press.

Dossett, J. (2021), “A timeline of the biggest ransomware attacks”, CNET website, available at: www.cnet.com/personal-finance/crypto/a-timeline-of-the-biggest-ransomware-attacks/ (accessed 9 May 2022).

ENISA (2021), “ENISA threat landscape 2021: April 2020 to mid-July 2021”, LU: Publications Office, available at: www.data.europa.eu/doi/10.2824/324797

Everett, C. (2016), “Ransomware: to pay or not to pay?”, Computer Fraud and Security, Vol. 2016 No. 4, pp. 8-12.

Feeley, A., Lee, M., Crowley, M., Feeley, I., Roopnarinesingh, R., Geraghty, S., Cosgrave, B., Sheehan, E. and Merghani, K. (2021), “Under viral attack: an orthopaedic response to challenges faced by regional referral centres during a national cyber-attack”, The Surgeon: journal of the Royal Colleges of Surgeons of Edinburgh and Ireland, Vol. 20 No. 5.

Ferreira, A. (2018), “Why ransomware needs a human touch”, 2018 International Carnahan Conference on Security Technology (ICCST), 1-5.

Fimin, M. (2017), “Are employees part of the ransomware problem?”, Computer Fraud and Security, Vol. 2017 No. 8, pp. 15-17.

Furnell, S. and Clarke, N. (2012), “Power to the people? The evolving recognition of human aspects of security”, Computers and Security, Vol. 31 No. 8, pp. 983-988.

Gallagher, C. (2021), “HSE confirms data of 520 patients published online”, The Irish Times website, available at: www.irishtimes.com/news/crime-and-law/hse-confirms-data-of-520-patients-published-online-1.4578136 (accessed 1 February 2022).

Gallegos-Segovia, P.L., Bravo-Torres, J.F., Larios-Rosillo, V.M., Vintimilla-Tapia, P.E., Yuquilima-Albarado, I.F. and Jara-Saltos, J.D. (2017), “Social engineering as an attack vector for ransomware”, 2017 CHILEAN Conference on Electrical, Electronics Engineering, Information and Communication Technologies (CHILECON), 1-6. Pucon: IEEE.

Ghazi-Tehrani, A.K. and Pontell, H.N. (2021), “Phishing evolves: analyzing the enduring cybercrime”, Victims and Offenders, Vol. 16 No. 3, pp. 316-342.

Giri, B.N. and Jyoti, N. (2006), “The emergence of ransomware”, Presented at the AVAR International Conference, Auckland.

Gupta, S., Singhal, A. and Kapoor, A. (2016), “A literature survey on social engineering attacks: Phishing attack”, 2016 International Conference on Computing, Communication and Automation (ICCCA), 537-540.

Hadnagy, C. (2011), Social Engineering: The Art of Human Hacking, Wiley, Indianapolis, IN.

Han, J.W., Hoe, O.J., Wing, J.S. and Brohi, S.N. (2017), “A conceptual security approach with awareness strategy and implementation policy to eliminate ransomware”, Proceedings of the 2017 International Conference on Computer Science and Artificial Intelligence - CSAI 2017, 222-226. Jakarta, Indonesia: ACM Press.

Herath, T. and Rao, H.R. (2009), “Protection motivation and deterrence: a framework for security policy compliance in organisations”, European Journal of Information Systems, Vol. 18 No. 2, pp. 106-125.

Hevner, A.R., March, S.T., Park, J. and Ram, S. (2004), “Design science in information systems research”, Management Information Systems Quarterly, Vol. 28 No. 1, pp. 75-105.

Hu, Q., Dinev, T., Hart, P. and Cooke, D. (2012), “Managing employee compliance with information security policies: the critical role of top management and organizational culture”, Decision Sciences, Vol. 43 No. 4, pp. 615-659.

Hull, G., John, H. and Arief, B. (2019), “Ransomware deployment methods and analysis: Views from a predictive model and human responses”, Crime Science, Vol. 8 No. 1, p. 2.

Humayun, M., Niazi, M., Jhanjhi, N., Alshayeb, M. and Mahmood, S. (2020), “Cyber security threats and vulnerabilities: a systematic mapping study”, Arabian Journal for Science and Engineering, Vol. 45 No. 4, pp. 3171-3189.

Ifinedo, P. (2012), “Understanding information systems security policy compliance: an integration of the theory of planned behavior and the protection motivation theory”, Computers and Security, Vol. 31 No. 1, pp. 83-95.

Kabil, A., Duval, T. and Cuppens, N. (2020), “Alert characterization by non-expert users in a cybersecurity virtual environment: a usability study”, AVR 2020: 7th International Conference on Augmented Reality, Virtual Reality and Computer Graphics. Presented at the International Conference on Augmented Reality, Virtual Reality and Computer Graphics, Lecce, Italy.

Kabil, A., Duval, T., Cuppens, N., Le Comte, G., Halgand, Y. and Ponchel, C. (2018a), “3D CyberCOP: a collaborative platform for cybersecurity data analysis and training”, in Luo, Y. (Ed.), Cooperative Design, Visualization, and Engineering, Springer International Publishing, Cham, pp. 176-183.

Kabil, A., Duval, T., Cuppens, N., Le Comte, G., Halgand, Y. and Ponchel, C. (2018b), “From cyber security activities to collaborative virtual environments practices through the 3D CyberCOP platform”, in Ganapathy, V., Jaeger, T. and Shyamasundar, R. K. (Eds), Information Systems Security, Springer International Publishing, Cham, pp. 272-287.

Kandasamy, K., Srinivas, S., Achuthan, K. and Rangan, V.P. (2022), “Digital Healthcare - Cyberattacks in Asian organizations: an analysis of vulnerabilities, risks, NIST perspectives, and recommendations”, IEEE Access, Vol. 10, pp. 12345-12364.

Kapoor, A., Gupta, A., Gupta, R., Tanwar, S., Sharma, G. and Davidson, I.E. (2021), “Ransomware detection, avoidance, and mitigation scheme: a review and future directions”, Sustainability, Vol. 14 No. 1, p. 8.

Karlsson, F., Hedström, K. and Goldkuhl, G. (2017), “Practice-based discourse analysis of information security policies”, Computers and Security, Vol. 67, pp. 267-279.

Kaspersky (2021), “The biggest ransomware threats”, available at: www.kaspersky.com website, available at: www.kaspersky.com/resource-center/threats/ransomware-threats-an-in-depth-guide (accessed 9 May 2022).

Kenyon, B. and McCafferty, J. (2016), “Ransomware recovery”, ITNOW, Vol. 58 No. 4, pp. 32-33.

Khando, K., Gao, S., Islam, S.M. and Salman, A. (2021), “Enhancing employees information security awareness in private and public organisations: a systematic literature review”, Computers and Security, Vol. 106, p. 102267.

Kitchenham, B. (2004), Procedures for Performing Systematic Reviews, Keele University.

Knebel, S., Schultz, M.D. and Seele, P. (2021), “Cyberattacks as ‘state of exception’ reconceptualizing cybersecurity from prevention to surviving and accommodating”, Journal of Information, Communication and Ethics in Society, Vol. 20 No. 1, pp. 91-109.

Kok, S.H., Abdullah, A.B., Zaman, N. and Supramaniam, M. (2019), “Ransomware, threat and detection techniques: a review”, IJCSNS International Journal of Computer Science and Network Security, Vol. 19 No. 2.

Kok, S., Abdullah, A., Jhanjhi, N. and Supramaniam, M. (2019), “Prevention of Crypto-Ransomware using a Pre-Encryption detection algorithm”, Computers, Vol. 8 No. 4, p. 79.

Kollek, D., Barrera, D., Stobert, E. and Homier, V. (2021), “The EDIT survey: Identifying emergency department information technology knowledge and training gaps”, Disaster Medicine and Public Health Preparedness, Vol. 16 No. 3.

Krumpal, I. (2013), “Determinants of social desirability bias in sensitive surveys: a literature review”, Quality and Quantity, Vol. 47 No. 4, pp. 2025-2047.

Kshetri, N. and Voas, J. (2022), “Ransomware: Pay to play?”, Computer, Vol. 55 No. 3, pp. 11-13.

Kwak, D.-H.A., Ma, X. and Kim, S. (2021), “When does social desirability become a problem? Detection and reduction of social desirability bias in information systems research”, Information and Management, Vol. 58 No. 7, p. 103500.

Larsson, P. (2022), “När kalix slocknade”, Tjugofyra7.se website, available at: www.tjugofyra7.se/artiklar/Nyhet/nar-kalix-slocknade/ (accessed 17 May 2022).

Laszka, A., Farhang, S. and Grossklags, J. (2017), “On the economics of ransomware”, in Rass, S., An, B., Kiekintveld, C., Fang, F. and Schauer, S. (Eds), Decision and Game Theory for Security, Springer International Publishing, Cham, pp. 397-417.

Lebek, B., Uffen, J., Neumann, M., Hohler, B. and H. Breitner, M. (2014), “Information security awareness and behavior: a theory-based literature review”, Management Research Review, Vol. 37 No. 12, pp. 1049-1092.

Lemos, J., Alves, C., Duboc, L. and Rodrigues, G.N. (2012), “A systematic mapping study on creativity in requirements engineering”, Proceedings of the 27th Annual ACM Symposium on Applied Computing - SAC ’12, 1083. Trento, Italy: ACM Press.

Lika, R.A., Murugiah, D., Brohi, S.N. and Ramasamy, D. (2018), “NotPetya: cyber attack prevention through awareness via gamification”, 2018 International Conference on Smart Computing and Electronic Enterprise (ICSCEE), 1-6. Shah Alam: IEEE.

Luo, X. and Liao, Q. (2007), “Awareness education as the key to ransomware prevention”, Information Systems Security, Vol. 16 No. 4, pp. 195-202.

Luo, X., Brody, R., Seazzu, A. and Burd, S. (2011), “Social engineering: the neglected human factor for information security management”, Information Resources Management Journal, Vol. 24 No. 3, pp. 1-8.

McIntosh, T., Kayes, A.S.M., Chen, Y.-P.P., Ng, A. and Watters, P. (2022), “Ransomware mitigation in the modern era: a comprehensive review, research challenges, and future directions”, ACM Computing Surveys, Vol. 54 No. 9, pp. 1-36.

McNamee, M.S. (2021), “HSE cyber-attack: Irish health service still recovering months after hack”, BBC News, available at: www.bbc.com/news/world-europe-58413448

Macrinici, D., Cartofeanu, C. and Gao, S. (2018), “Smart contract applications within blockchain technology: a systematic mapping study”, Telematics and Informatics, Vol. 35 No. 8, pp. 2337-2354.

Manoharan, S., Katuk, N., Hassan, S. and Ahmad, R. (2022), “To click or not to click the link: the factors influencing internet banking users’ intention in responding to phishing emails”, Information and Computer Security, Vol. 30 No. 1, pp. 37-62.

Mansfield-Devine, S. (2016), “Ransomware: Taking businesses hostage”, Network Security, Vol. 2016 No. 10, pp. 8-17.

Mansfield-Devine, S. (2017), “Ransomware: the most popular form of attack”, Computer Fraud and Security, Vol. 2017 No. 10, pp. 15-20.

Masuch, K., Hengstler, S., Schulze, L. and Trang, S. (2021), “The impact of threat and efficacy on information security behavior: Applying an extended parallel process model to the fear of ransomware”, Presented at the HI International Conference on System Sciences.

Moore, E.L., Fulton, S.P., Mancuso, R.A., Amador, T.K. and Likarish, D.M. (2019), “Collaborative training and response communities—an alternative to traditional cyber defense escalation”, 2019 International Conference on Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA), 1-8. Oxford, United Kingdom: IEEE.

Muthuppalaniappan, M. and Stevenson, K. (2021), “Healthcare cyber-attacks and the COVID-19 pandemic: an urgent threat to global health”, International Journal for Quality in Health Care, Vol. 33 No. 1,

Oates, B.J. (2006), Researching Information Systems and Computing, SAGE Publications, London; Thousand Oaks, Calif.

Ophoff, J. and Lakay, M. (2019), “Mitigating the ransomware threat: a protection motivation theory approach”, in Venter, H., Loock, M., Coetzee, M., Eloff, M. and Eloff, J. (Eds), Information Security, Springer International Publishing, Cham, pp. 163-175.

Oz, H., Aris, A., Levi, A. and Uluagac, A.S. (2022), “A survey on ransomware: Evolution, taxonomy, and defense solutions”, ACM Computing Surveys, Vol. 54 No. 11s.

Palmer, D. (2022), “Ransomware: over half of attacks are targeting these three industries”, ZDNet website, available at: www.zdnet.com/article/ransomware-over-half-of-attacks-are-targeting-these-three-industries/ (accessed 10 May 2022).

Petersen, K., Vakkalanka, S. and Kuzniarz, L. (2015), “Guidelines for conducting systematic mapping studies in software engineering: an update”, Information and Software Technology, Vol. 64, pp. 1-18.

Petersen, K., Feldt, R., Mujtaba, S. and Mattsson, M. (2008), “Systematic mapping studies in software engineering”, Proceedings of the 12th International Conference on Evaluation and Assessment in Software Engineering, 68-77. Swindon, GBR: BCS Learning & Development Ltd.

Pope, J. (2016), “Ransomware: Minimizing the risks”, Innovations in Clinical Neuroscience, Vol. 13 Nos 11/12, pp. 37-40.

Priestman, W., Anstis, T., Sebire, I.G., Sridharan, S. and Sebire, N.J. (2019), “Phishing in healthcare organisations: Threats, mitigation and approaches”, BMJ Health and Care Informatics, Vol. 26 No. 1, p. e100031.

Richardson, R. and North, M. (2017), “Ransomware: Evolution, mitigation and prevention”, International Management Review, Vol. 13 No. 1, pp. 10-21.

Ryan, Ó. (2021), “HSE won’t comment on ransom figure, as other departments take precautions after cyber attack”, TheJournal.ie website, available at: www.thejournal.ie/hse-cyber-attack-cancelled-appointments-5438671-May2021/ (accessed 10 May 2022).

Sabharwal, S. and Sharma, S. (2020), “Ransomware attack: India issues red alert”, Paper presented at the 1st International Conference on Emerging Technology in Modelling and Graphics, Kolkata, India, Advances in Intelligent Systems and Computing, vol 937. Springer, 471-484.

Safa, N.S., Von Solms, R. and Futcher, L. (2016), “Human aspects of information security in organisations”, Computer Fraud and Security, Vol. 2016 No. 2, pp. 15-18.

Sannd, P. and Cook, D.M. (2018), “Older adults and the authenticity of emails: Grammar, syntax, and compositional indicators of social engineering in ransomware and phishing attacks”, 2018 Fourteenth International Conference on Information Processing (ICINPRO), 1-5.

Sarker, S., Xiao, X. and Beaulieu, T. (2013), “Guest editorial: Qualitative studies in information systems: a critical review and some guiding principles”, MIS Quarterly, Vol. 37 No. 4, pp. iii-xviii.

Schiller, R. and Molony, S. (2021), “Cyber criminals hand over decryption key to unlock HSE systems”, Independent website, available at: www.independent.ie/irish-news/crime/cyber-criminals-hand-over-decryption-key-to-unlock-hse-systems-40450686.html (accessed 11 May 2022).

Shammugam, I., Narayana Samy, G., Magalingam, P., Maarop, N., Perumal, S. and Shanmugam, B. (2021), “Information security threats encountered by Malaysian public sector data centers”, Indonesian Journal of Electrical Engineering and Computer Science, Vol. 21 No. 3, p. 1820.

Shinde, R., Van der Veeken, P., Van Schooten, S. and van den Berg, J. (2016), “Ransomware: Studying transfer and mitigation”, 2016 International Conference on Computing, Analytics and Security Trends (CAST), 90-95.

Simmonds, M. (2017), “How businesses can navigate the growing tide of ransomware attacks”, Computer Fraud and Security, Vol. 2017 No. 3, pp. 9-12.

Simoiu, C., Bonneau, J., Gates, C. and Goel, S. (2019), “I was told to buy a software or lose my computer. I ignored it’: a study of ransomware”, Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), 155-174. Santa Clara, CA: USENIX Association, available at: www.usenix.org/conference/soups2019/presentation/simoiu

Singh, I. and Singh, Y. (2022), “Cyber-Security knowledge and practice of nurses in private hospitals in Northern Durban, Kwazulu-Natal”, Journal of Theoretical and Applied Information Technology, Vol. 100 No. 1

Sittig, D. and Singh, H. (2016), “A socio-technical approach to preventing, mitigating, and recovering from ransomware attacks”, Applied Clinical Informatics, Vol. 07 No. 02, pp. 624-632.

Sommestad, T., Karlzén, H. and Hallberg, J. (2015a), “A Meta-Analysis of studies on protection motivation theory and information security behaviour”, International Journal of Information Security and Privacy, Vol. 9 No. 1, pp. 26-46.

Sommestad, T., Karlzén, H. and Hallberg, J. (2015b), “The sufficiency of the theory of planned behavior for explaining information security policy compliance”, Information and Computer Security, Vol. 23 No. 2, pp. 200-217.

Sommestad, T., Karlzén, H. and Hallberg, J. (2019), “The theory of planned behavior and information security policy compliance”, Journal of Computer Information Systems, Vol. 59 No. 4, pp. 344-353.

Sophos Ltd (2021), The State of Ransomware in Healthcare 2021 [A Sophos Whitepaper], UK.

Tan, Z., Beuran, R., Hasegawa, S., Jiang, W., Zhao, M. and Tan, Y. (2020), “Adaptive security awareness training using linked open data datasets”, Education and Information Technologies, Vol. 25 No. 6, pp. 5235-5259.

Torquato, M. and Vieira, M. (2020), “Moving target defense in cloud computing: a systematic mapping study”, Computers and Security, Vol. 92, p. 101742.

Trellix (2022), “Trellix ATR threats report | January 2022”, available at: www.trellix.com/en-us/threat-center/threat-reports/jan-2022.html (accessed 10 May 2022).

Truesec (2022), “Coop back in business after hit by largest ransomware attack of all time”, Truesec website:, available at: www.truesec.com/cases/back-in-business-after-the-largestransomware-attack-of-all-time (accessed 9 May 2022).

Turton, W. and Mehrotra, K. (2021), “Hackers breached colonial pipeline using compromised password”, Bloomberg.Com, available at: www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

Uandykova, M., Lisin, A., Stepanova, D., Baitenova, L., Mutaliyeva, L., Yuksel, S. and Dincer, H. (2020), “The social and legislative principles of counteracting ransomware crime”, Entrepreneurship and Sustainability Issues, Vol. 8 No. 2, pp. 777-798.

Wall, D.S. (2015), “Dis-Organised crime: towards a distributed model of the organization of cybercrime”, SSRN Scholarly Paper No. 2677113, Rochester, New York, NY: Social Science Research Network.

Wieringa, R., Maiden, N., Mead, N. and Rolland, C. (2006), “Requirements engineering paper classification and evaluation criteria: a proposal and a discussion”, Requirements Engineering, Vol. 11 No. 1, pp. 102-107.

Wohlin, C., Runeson, P., da Mota Silveira Neto, P.A., Engström, E., do Carmo Machado, I. and de Almeida, E.S. (2013), “On the reliability of mapping studies in software engineering”, Journal of Systems and Software, Vol. 86 No. 10, pp. 2594-2610.

Yeom, S., Shin, D. and Shin, D. (2021), “Scenario-based cyber attack·defense education system on virtual machines integrated by web technologies for protection of multimedia contents in a network”, Multimedia Tools and Applications, Vol. 80 Nos 26/27, pp. 34085-34101.

Yilmaz, Y., Cetin, O., Arief, B. and Hernandez-Castro, J. (2021), “Investigating the impact of ransomware splash screens”, Journal of Information Security and Applications, Vol. 61, p. 102934.

Zhang-Kennedy, L., Assal, H., Rocheleau, J., Mohamed, R., Baig, K. and Chiasson, S. (2018), “The aftermath of a crypto-ransomware attack at a large academic institution”, 27th USENIX Security Symposium (USENIX Security 18), pp. 1061-1078. USENIX Association, Baltimore, MD.

Zhao, J.Y., Kessler, E.G. and Guo, W.A. (2019), “Interprofessional communication goes up when the electronic health record goes Down”, Journal of Surgical Education, Vol. 76 No. 2, pp. 512-518.

Zhao, J.Y., Kessler, E.G., Yu, J., Jalal, K., Cooper, C.A., Brewer, J.J., … Guo, W.A. (2018), “Impact of trauma hospital ransomware attack on surgical residency training”, Journal of Surgical Research, Vol. 232, pp. 389-397.

Zwilling, M., Klien, G., Lesjak, D., Wiechetek, Ł., Cetin, F. and Basim, H.N. (2022), “Cyber security awareness, knowledge and behavior: a comparative study”, Journal of Computer Information Systems, Vol. 62 No. 1, pp. 82-97.

Further reading

Hadlington, L. (2021), “The ‘human factor’ in cybersecurity: exploring the accidental insider”, Research Anthology on Artificial Intelligence Applications in Security, IGI Global, pp. 1960-1977.

James, K.L., Randall, N.P. and Haddaway, N.R. (2016), “A methodology for systematic mapping in environmental sciences”, Environmental Evidence, Vol. 5 No. 1, p. 7.

Kandimalla, B., Rohatgi, S., Wu, J. and Giles, C.L. (2021), “Large scale subject category classification of scholarly papers with deep attentive neural networks”, Frontiers in Research Metrics and Analytics, Vol. 5, p. 600382.

Kim, S.-W. and Gil, J.-M. (2019), “Research paper classification systems based on TF-IDF and LDA schemes”, Human-Centric Computing and Information Sciences, p. 9.

Kitchenham, B., Brereton, P. and Budgen, D. (2010), “The educational value of mapping studies of software engineering literature”, Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering - ICSE ’10, 1, 589. Cape Town, South Africa: ACM Press.

McCormac, A., Zwaans, T., Parsons, K., Calic, D., Butavicius, M. and Pattinson, M. (2017), “Individual differences and information security awareness”, Computers in Human Behavior, Vol. 69, pp. 151-156.

McIntosh, T., Watters, P., Kayes, A.S.M., Ng, A. and Chen, Y.-P.P. (2021), “Enforcing situation-aware access control to build malware-resilient file systems”, Future Generation Computer Systems, Vol. 115, pp. 568-582.

Moody, G.D., Siponen, M. and Pahnila, S. (2018), “Toward a unified model of information security policy compliance”, MIS Quarterly, Vol. 42 No. 1, pp. 285-311.

Nifakos, S., Chandramouli, K., Nikolaou, C.K., Papachristou, P., Koch, S., Panaousis, E. and Bonacina, S. (2021), “Influence of human factors on cyber security within healthcare organisations: a systematic review”, Sensors, Vol. 21 No. 15, p. 5119.

Corresponding author

Shang Gao can be contacted at: shang.gao@oru.se
