Ransomware Part II — A Look at Theoretical Lenses
First things first, let’s take a look at theoretical lenses. Theoretical lenses are critical because they explicitly name the concepts considered for the analysis. If something is missing from the theoretical lens, it will be absent in the findings and recommendations.
If you’re reading this analysis and the suggestions don’t make sense, check the theoretical framework; anything missing from the framework will be missing from the study. — Another Strategic Management Blog, 2020
If you find yourself in disagreement with this article, you can probably identify an item that supports your viewpoint via a different theoretical framework. Feel free to comment with your option, its theoretical framework, and a few words on why it’s a better choice than Porter’s Five Forces.
This paper uses Porter’s Five Forces as a theoretical lens. Ransomware is an odd (but acceptable) topic for a doctoral program in business administration. To stay within the field of management research, we’re building the analysis on seminal work in management theory. Everyone loves Porter’s Five Forces, including the professors and peer-reviewers evaluating this work. Plus, Lahy and Found’s systematic review of theoretical frameworks suggested that Porter’s Five Forces could lend new insight into product-as-a-service industries. We stand on the shoulders of giants, especially when giants analyze numerous articles, identify which theoretical frameworks worked, and recommend areas where new researchers like me can apply specific frameworks to contribute to the field.
There are many possible theoretical lenses and all of them contribute insights to our understanding of the ransomware problem.
If you want to identify why ransomware victims choose to pay or not to pay, you might use Rational Choice Theory like Borrion and Yuryna Connolly. Suppose you’re going to look at the business-to-business practices of criminal actors. In that case, you might use Stakeholder Theory as a lens for data presented by Meland et al. If you want to understand the industry’s profitability drivers, you might pick Porter’s Five Forces.
Now that we’ve selected a theoretical lens, we need to calibrate the lens for the domain we’re analyzing. Porter discusses vendors, suppliers, and buyers. We need to apply similar terms related to ransomware. Because we’re using an evidence-based approach, we’ll use words from academic literature on cybercrime to contextualize Porter’s theory for the ransomware ecosystem.
Bayoumy et al. (2018) produced an excellent study of the Darknet ecosystem. They outline different cybercriminals’ roles and how those roles create successful (and profitable) criminal enterprise. The table below shows how their concepts relate to Porter’s. Vendors are criminals who control decryption keys and collect ransom payments. Suppliers are authors and distributors who produce inputs for ransomware development and deployment. Buyers are victims trying to purchase decryption keys to unlock compromised networks. New Entrants are crime groups trying to sell new ransomware variants. Substitutes are alternatives to the ransomware decryption keys; we’ve defined them as any other means that allow victims to resume business operations without purchasing a decryption key.
Porter (2008) → Bayoumy et al. (2020)
Vendors → Vendors/ Criminals who control decryption keys
Suppliers → Ransomware authors and distributors or affiliates
Buyers → Ransomware victims purchasing decryption keys
New Entrants → Ransomware vendors entering the marketplace
Substitutes → Products that allow victims to resume business operations
without purchasing decryption keys
It would be exciting to produce a paper on the ransomware business model and how interactions among ransomware authors, vendors, and distributors impacts profits.
Unfortunately, there’s hardly any academic literature on the relationships among criminal actors. Most of the literature deals with victim payments, so that’s where we’ll focus our analysis.
Porter’s Five Forces is an umbrella theory with several subordinate conceptual models. Within the Bargaining Power of the Buyer, there are entire works on Buyer Negotiating Leverage and Buyer Price Sensitivity. They don’t have trendy diagrams, but they have very detailed specifications on factors that allow buyers to negotiate effectively and characteristics that make buyers more price sensitive. More negotiating leverage and more price sensitivity drive down profits for vendors, aka criminals collecting ransoms.
Unfortunately, there’s hardly any academic literature on victim negotiations with criminals for ransom payments. Most of the literature deals with how ransom prices are set or whether victims should pay a ransom. There’s not much insight into back-and-forth dialogue between victims and criminals to find the right ransom price.
A process of elimination leaves us with the conceptual model used for this paper: Porter’s Model of Price-Sensitivity. Porter’s model of price-sensitivity proposes that price sensitivity increases buyer bargaining power, and four factors increase price sensitivity. Buyers are more price-sensitive when the product consumes a significant portion of their budget; when the buyer is under pressure to minimize costs; when product quality has no impact on the buyer’s operations; and when the product provides no recurring benefits.
This blog leans constructivist, so let’s explicitly state some key assumptions for our interpretation of Porters’ model of price sensitivity. We assume that what matters is how people feel. From our epistemological perspective, Buyers are more price-sensitive when they think a product consumes a significant portion of their budget; when they feel pressure to minimize costs; when they believe the product quality is unimportant; and when they think the product has no recurring benefits. An alternative approach would be quantitative analysis focused on accounting codes and budget costs. That’s not what we’re doing here.
The focus on feeling is essential because it directly influences the type of evidence we collect and analyze. In the next blog post, we’ll discuss the details of how we collected, appraised, analyzed, and synthesized the evidence.
The next blog post, Ransomware Part III, discusses methodology.
