The impact the internet has on daily life is unquestionable. As cyberspace grows in prominence, the number of ransomware attacks are also reaching a record high.
Organizations and governments often focus on the financial loss and disruption to services caused by ransomware attacks; however, there are significant short- and long-term social and psychological effects that are being overlooked. These crucial but poorly understood consequences ultimately also lead to significant financial loss to organizations and governments. Without a complete picture of all damages, organizations’ cybersecurity budgets may stay stagnant and management will continue to underestimate the level of damage threats can do to organizations.
Social and Psychological Impacts
The social impacts of ransomware attacks can cause lasting damage to an enterprise, its customers and its employees. Social impacts can occur when service is disrupted. For example, because affected enterprises have to shut down operations, their employees may be temporarily laid off, which increases unemployment and can lead to financial stress.
There are strong associations between higher levels of financial stress and increased alcohol consumption, which can lead to other negative effects. Victimization can also cause individuals to be unwilling to adopt new technologies in the future, leading to people losing confidence in businesses and governments.
There is also a wide range of psychological responses to ransomware attacks. In many cases, victims respond more negatively to the effects of the attack than the attack itself, and each individual handles the threat of a cyberattack differently. Some may proactively face the problem while others may exhibit protective or avoidance behaviors to prevent attacks.
Following ransomware attacks, people may feel fear, worry, disappointment, frustration, distrust and helplessness. This can lead to long-term psychological consequences such as depression, panic attacks and post-traumatic stress disorder. Guilt and shame are also compounded when victims are blamed by their organization, family members or society for falling victim to the attack.
Although there is some acknowledgment of these impacts in the literature, few reports evaluate all damages—whether they be financial, reputational, social or psychological. In the current enterprise reporting regime, the social and psychological impacts on victims have been largely overlooked and unreported. This can be attributed to lack of awareness and lack of a reliable and standardized method to evaluate and monetarize the impacts.
What Needs to Be Done?
Like reputational damage, the psychosocial impact of ransomware attacks is difficult to measure. To ensure completeness and accurate reporting of damages, it is important for governments, enterprises and regulators to take the initiative to develop validated tools and guidelines to enable enterprises to accurately measure social and psychological impacts on victims.
This is important because trust in a government or an enterprise is key to the public’s perception of cyberrisk and cyberattacks. Open reporting can help reduce negative reactions to threats and boosts public trust and confidence in the aftermath of a ransomware attack. However, developing standard measurements and guidelines that are accepted by enterprises, government and regulators will be a complex and long process.
The first step is to raise awareness about the social and psychological consequences on people who are directly and indirectly affected by the incident. To formulate effective policies and responses, it is important for governments and enterprises to understand how people react to both risk and actual attacks.
Second, the victims need to be clearly defined and identified. Depending on the nature of the attack, the victims can include the enterprise, employees, employees’ family members, business partners and customers.
Third, the potential impacts victims can suffer following an attack need to be identified, and boundaries should be set for them. There are four main victimization impact types: physical, financial and material, psychological, and social and behavioral. These types are also often interconnected. For example, the psychological impacts of a ransomware attack are more severe where there are greater financial impacts. If victims withdraw from the cyberworld, it can significantly affect their quality of life and stability within society.
Finally, monetary figures need to be assigned for each impact. This is difficult for numerous reasons. For example, the level of anxiety one individual may feel following a ransomware attack may be much higher or lower than another individual. Should we be medically and psychologically assessing individuals? Or should we be assigning set values for each symptom?
At a minimum, a psychosocial impact statement should be included in all post-ransomware attack reports and the organization’s financial statement to provide a comprehensive review of the damage to the public and the organization’s stakeholders. Developing something like this should include input from governments, regulators, legal representatives, accountants, medical professionals and victims.
Other practical measures include raising awareness and validating and supporting victims. Workplace management, authorities and healthcare practitioners all have a duty to acknowledge when victims experience and express psychological distress, and to be proactive in helping victims access appropriate support, including counseling. Their frustration, anger, anxiety and sense of violation should be recognized and validated.
Increasing community awareness about these psychosocial impacts on victims is also essential. This can be easily achieved by greater transparency from organizations and information security professionals.
While developing a comprehensive measurement tool will continue to be a work in progress, these simple techniques can boost employee and public confidence in information security and remove some of the stigma and fear around ransomware attacks.
Taking the Initiative to Combat Ransomware Impacts
Ransomware attacks will continue growing and developing in scale, scope and impact. Therefore, it is the corporate social responsibility of organizations to recognize and report the psychosocial impacts of a ransomware attack transparently to the public and management and to support the victims.
The social and psychosocial impacts of a ransomware attack are hard to quantify. Governments and leadership must take the initiative to work with enterprises and academics to develop effective and validated tools and guidelines to measure the social and psychological impacts on victims.
There is still a lot of work to be done, but hopefully these practical tips and tools will help organizations become more aware and better at acknowledging these often-overlooked impacts of ransomware attacks.
Editor’s note: For further insights on this topic, read Joseph Cheng’s recent Journal article, “The Human Consequences of Ransomware Attacks,” ISACA Journal, volume 3, 2022.
ISACA Journal turns 50 this year! Celebrate with us—and do not forget you can still receive the print copy by visiting your preference center and opting in!