As cyber-attacks continue to increase in frequency and sophistication, organisations must be better prepared to face the reality of an incident. Any organisational plan that intends to be successful at managing security risks must clearly understand the harm (i.e., negative impact) and the various parties affected in the aftermath of an attack. To this end, this article conducts a novel exploration into the multitude of real-world harms that can arise from cyber-attacks, with a particular focus on ransomware incidents given their current prominence. This exploration also leads to the proposal of a new, robust methodology for modelling harms from such incidents. We draw on publicly-available case data on high-profile ransomware incidents to examine the types of harm that emerge at various stages after a ransomware attack and how harms (e.g., an offline enterprise server) may trigger other negative, potentially more substantial impacts for stakeholders (e.g., the inability for a customer to access their social welfare benefits or bank account). Prominent findings from our analysis include the identification of a notable set of social/human harms beyond the business itself (and beyond the financial payment of a ransom) and a complex web of harms that emerge after attacks regardless of the industry sector. We also observed that deciphering the full extent and sequence of harms can be a challenging undertaking because of the lack of complete data available. This paper consequently argues for more transparency on ransomware harms, as it would lead to a better understanding of the realities of these incidents to the benefit of organisations and society more generally.