Doctor of Philosophy (PhD)
Ransomware has rapidly emerged as a cyber threat that costs the global economy billions of dollars a year. Since 2015, ransomware criminals have increasingly targeted state and local government institutions. These institutions provide critical infrastructure – e.g., emergency services, water, and tax collection – yet they often operate using outdated technology due to limited budgets. This vulnerability makes state and local institutions prime targets for ransomware attacks. Many states have begun to realize the growing threat from ransomware and other cyber threats and have responded through legislative action. When and how is this legislation effective in preventing ransomware attacks? This dissertation investigates the effects of state cybersecurity legislation on the number of ransomware attacks on state and local institutions from 2015-2019. I review various arguments linking cybersecurity legislation to cybersecurity vulnerability and develop a set of hypotheses about the features of legislation that should deter and prevent ransomware attacks. The cybersecurity literature suggests increased training is a key mechanism to prevent ransomware attacks. However, I find no relationship between direct state legislation on cybersecurity training and ransomware. Instead, the statistical evidence suggests that there are fewer ransomware attacks in states with legislation that indirectly encourages training by shifting the responsibility for a cyber failure back onto vulnerable institutions. This legislation typically focuses on data breaches and often requires the institution to disclose failures, which increases reputational costs. The threat of increased costs for a cybersecurity failure changes these institutions’ cost-benefit analysis and encourages them to proactively improve their cybersecurity, such as through increased training.
I further examine data breach laws in California and find evidence that these types of laws can promote increased cybersecurity measures. Thus, future legislation should focus on holding institutions responsible for cybersecurity failures, which should in turn lead to increased cybersecurity.
"Cybersecurity Legislation and Ransomware Attacks in the United States, 2015-2019"
(2021). Doctor of Philosophy (PhD), Dissertation, International Studies, Old Dominion University, DOI: 10.25777/c0vq-t159