hastings@usenixsecurity25@USENIX

#1 Voluntary Investment, Mandatory Minimums, or Cyber Insurance: What Minimizes Losses?

Authors: Adam Hastings, Simha Sethumadhavan

In recent years there has been significant interest from policymakers in addressing ransomware through policy and regulations, yet this process remains far more of an art than a science. This paper introduces a novel method for quantitatively evaluating policy proposals: we create a simulated game-theoretic agent-based economic model of security and use it as a testbed for several policy interventions, including a hands-off approach, mandatory minimum investments, and mandatory cyber insurance. Notably, we find that the bottleneck for better security outcomes lies not in better defender decision-making but in improved coordination between defenders: using our model, we find that a policy requiring defenders to invest at least 2% of resources into security each round produces better overall outcomes than leaving security investment decisions to defenders even when the defenders are "perfect play" utility maximizers. This provides evidence that security is a weakest-link game and makes the case for mandatory security minimums. Using our model, we also find that cyber insurance does little to improve overall outcomes. To make our tool accessible to others, we have made the code open source and released it as an online web application.
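The abstract's central claim, that perfectly rational defenders can still do worse than a mandated floor because security is a weakest-link game, can be seen in a small simulation. The following is an added toy model written for this page; it is not the authors' simulator or its open-source code, and everything in it is an assumption: five defenders with a constructed starting profile, a passive attacker who breaches the whole group with probability equal to one minus the lowest investment, linear investment cost, a 20-round horizon, and simultaneous best-response play in which each defender picks the investment that maximizes its own payoff against last round's profile.

```python
"""Toy weakest-link model of security investment with and without a mandated floor.

Added illustration, not the paper's simulator: the attacker, the cost function,
the starting profile and all parameters are assumptions chosen to keep the
arithmetic visible.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    loss_if_breached: float = 10.0  # L: damage each defender suffers when the group is breached
    unit_cost: float = 1.0          # c: cost of putting 100% of resources into security
    rounds: int = 20                # number of investment rounds simulated


def breach_probability(investments):
    """Weakest-link assumption: the attacker goes after the least-protected defender and,
    on success, every defender is hit. Breach probability is 1 - (minimum investment)."""
    return 1.0 - min(investments)


def defender_utility(i, investments, p):
    """Defender i's payoff for one round: own investment cost plus expected breach loss."""
    return -p.unit_cost * investments[i] - p.loss_if_breached * breach_probability(investments)


def best_response(i, investments, p, floor, grid):
    """'Perfect play': choose the grid investment (not below the floor) that maximizes
    defender i's own utility with everyone else held fixed. Ties go to the cheaper option."""
    best_x, best_u = None, float("-inf")
    for x in grid:  # grid is ascending, so a strict '>' keeps the cheapest of equal options
        if x < floor:
            continue
        trial = list(investments)
        trial[i] = x
        u = defender_utility(i, trial, p)
        if u > best_u:
            best_x, best_u = x, u
    return best_x


def simulate(p, floor=0.0, initial=(0.0, 0.3, 0.5, 0.7, 0.9), grid_steps=100):
    """Run simultaneous best-response dynamics; return (final profile, total social loss).

    `initial` is a constructed starting profile: five defenders with unequal investments.
    A mandated floor is enforced by clipping the starting profile and restricting choices."""
    grid = [k / grid_steps for k in range(grid_steps + 1)]
    investments = [max(x, floor) for x in initial]
    total_loss = 0.0
    for _ in range(p.rounds):
        # Every defender re-optimizes against last round's profile at the same time.
        investments = [best_response(i, investments, p, floor, grid)
                       for i in range(len(investments))]
        pb = breach_probability(investments)
        total_loss += sum(p.unit_cost * x + p.loss_if_breached * pb for x in investments)
    return investments, total_loss


def compare_policies(p=Params(), floors=(0.0, 0.02, 0.3)):
    """Total loss under hands-off play (floor 0.0) versus mandated minimum investments."""
    return {floor: simulate(p, floor=floor)[1] for floor in floors}


if __name__ == "__main__":
    for floor, loss in compare_policies().items():
        print(f"mandated minimum {floor:.0%}: total loss over 20 rounds = {loss:.1f}")
```

Under the hands-off policy the dynamics collapse to the weakest link: in round one the defender at 0.0 raises its investment to match the next-lowest, but every better-protected defender simultaneously cuts back to the current minimum, since spending above the group minimum buys nothing, and from round two on everyone sits at zero. Any floor, even 2%, lifts the minimum that all defenders converge to, so the group is strictly better off although each defender was already playing optimally for itself. The caveat is that this toy has linear costs and a passive attacker, so its best floor is simply 100%; the 2% figure in the abstract is a result of the paper's richer model, and the toy only shows the coordination failure that such a floor corrects.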

Subject: USENIX-Sec.2025