by Edward Cartwright, Anna Cartwright and Lian Xue

Reviewer 1: Anonymous
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Reviewer 4: Alejandro Medina

Round 1

Reviewer 1 Report

This manuscript explores a novel intersection between cybersecurity and behavioral economics by examining how the framing of ransomware demands influences victims’ willingness to pay. Through an experimental design involving real-world-inspired splash screens and user perception metrics, the authors aim to identify psychological drivers of compliance with ransom requests. The topic is timely and relevant, with practical implications for both cybersecurity defense strategies and understanding criminal persuasion tactics.

While the topic is very interesting, there are several issues that undermine the overall quality of the paper.

The model lacks depth. It is essentially a static utility comparison, with no game-theoretic elements, no modeling of uncertainty beyond fixed probabilities, and no dynamic feedback loops. The analysis could be significantly strengthened by incorporating more realistic decision-making dynamics, such as game-theoretic components to capture strategic interaction or feedback mechanisms to reflect changes in victim behavior over time.

I suggest improving the introduction with more background analysis and a clearer outline of the main contributions of the paper. Moreover, it would be helpful to add a dedicated related work section to better position the study within the existing literature.

I also suggest separating the discussion and conclusion into two distinct sections.

Future research directions are missing and should be included.

Author Response

Comment: This manuscript explores a novel intersection between cybersecurity and behavioral economics by examining how the framing of ransomware demands influences victims’ willingness to pay. Through an experimental design involving real-world-inspired splash screens and user perception metrics, the authors aim to identify psychological drivers of compliance with ransom requests. The topic is timely and relevant, with practical implications for both cybersecurity defense strategies and understanding criminal persuasion tactics.

Reply: Thank you for these positive comments.

 

Comment: While the topic is very interesting, there are several issues that undermine the overall quality of the paper. The model lacks depth. It is essentially a static utility comparison, with no game-theoretic elements, no modeling of uncertainty beyond fixed probabilities, and no dynamic feedback loops. The analysis could be significantly strengthened by incorporating more realistic decision-making dynamics, such as game-theoretic components to capture strategic interaction or feedback mechanisms to reflect changes in victim behavior over time.

Reply: We add a paragraph at the end of Section 3 where we outline one strategic consideration. We also discuss this in the limitations section. Overall we would say that our model provides novel testable hypotheses and is valuable in that sense. We agree that there are possible extensions to the model to consider in more detail the strategic interaction between criminal and victim.

 

Comment: I suggest improving the introduction with more background analysis and a clearer outline of the main contributions of the paper. Moreover, it would be helpful to add a dedicated related work section to better position the study within the existing literature.

Reply: We have reformulated the introduction to provide a clearer outline of the main contribution. We have also added an expanded existing literature section. 

 

Comment: I also suggest separating the discussion and conclusion into two distinct sections. Future research directions are missing and should be included.

Reply: We considered separating the discussion and conclusion but decided to keep just the conclusion given that much of the discussion takes place in the results section. We have added a future research directions section as suggested. 

Reviewer 2 Report

This paper investigates how the framing of ransomware splash screens affects victims’ willingness to pay the ransom. Drawing on behavioural economics principles, the authors construct a theoretical model of gain vs loss framing and its interaction with factors such as trust, perceived helpfulness, and moral/ethical costs. They then conduct an experiment where participants rate and rank eight ransomware splash screens on dimensions such as willingness to pay (WTP), trust, anger, and perceived helpfulness. Their central finding is that positively framed demands, those that appear professional and emphasize service-like language, generate more trust and willingness to pay than threatening, negatively framed ones.

The sample is drawn solely from a university student population, which likely skews the results.

These participants may be more tech-savvy and less emotionally affected by splash screens than the general population.

The authors mention this briefly but should elaborate more in the limitations section.

Suggestion is that the work could test older or less tech-literate populations to improve ecological validity.

Participants were told to imagine losing important files, but real-world emotional salience is difficult to simulate.

The ransom context is realistic, but it might have been helpful to include emotional priming or narrative vignettes.

Add a discussion on how hypothetical bias might limit the findings.

The paper includes valuable discussion on law enforcement implications, but it skirts around the moral grey zone of studying and simulating cybercrime tactics.

While this is not a methodological flaw, the paper could more directly address potential dual-use concerns.

A few instances of minor spacing issues.

Most references are appropriate and current. However, a more detailed comparison to Rodríguez-Priego et al. (2020) and recent empirical studies on cyber threat communication would be useful.

Refer to previous comments.

Author Response

Comment: The sample is drawn solely from a university student population, which likely skews the results. These participants may be more tech-savvy and less emotionally affected by splash screens than the general population. The authors mention this briefly but should elaborate more in the limitations section. Suggestion is that the work could test older or less tech-literate populations to improve ecological validity.

Reply: We have added an extra comment to this in Section 4 and in the limitations section.  

 

Comment: Participants were told to imagine losing important files, but real-world emotional salience is difficult to simulate. The ransom context is realistic, but it might have been helpful to include emotional priming or narrative vignettes. Add a discussion on how hypothetical bias might limit the findings.

Reply: We agree that an experiment cannot replicate the real world emotions of an attack. There are, however, ethical concerns in trying to recreate negative emotions. One finding that supports higher levels of salience are the high levels of anger participants report and their relatively high willingness to pay. If participants were not salient with the task then we would expect lower levels of willingness to pay. We comment more on this in the paper. 

 

Comment: The paper includes valuable discussion on law enforcement implications, but it skirts around the moral grey zone of studying and simulating cybercrime tactics. While this is not a methodological flaw, the paper could more directly address potential dual-use concerns.

Reply: This is a really important comment. We have added more discussion throughout the paper on our desire to inform policy and law enforcement (rather than criminals). A full paragraph in the introduction addresses this issue.

 

Comment: A few instances of minor spacing issues.

Reply: We have tried to address this.

 

Comment: Most references are appropriate and current. However, a more detailed comparison to Rodríguez-Priego et al. (2020) and recent empirical studies on cyber threat communication would be useful.

Reply: We have added more on the paper of Rodríguez-Priego et al. (2020) and two other recent papers on cyber threat communication. This is in a new related literature section.

Reviewer 3 Report

The whole paper is well-organized and so great; after minor revision, it can be accepted.

1. The paper mentions 8 different designs for ransomware pop ups, but does not provide detailed instructions on how to ensure consistency with other potential interfering variables. Suggest adding specific technical details, such as whether standardized templates or tools were used to generate pop ups, to ensure the reliability of experimental results.
2. The paper considers "trust" as a key variable, but does not explain how to quantify trust. Suggest adding technical details, such as whether natural language processing techniques were used to analyze participants' comments, or whether statistical models were used to verify the relationship between trust and willingness to pay.
3. The paper mentions that there are some missing data in the experiment, but does not specify the specific processing techniques. Suggest adding technical details on whether multiple imputation or maximum likelihood estimation methods were used to handle missing data to ensure the robustness of the analysis results.

Author Response

Comment: The paper mentions 8 different designs for ransomware pop ups, but does not provide detailed instructions on how to ensure consistency with other potential interfering variables. Suggest adding specific technical details, such as whether standardized templates or tools were used to generate pop ups, to ensure the reliability of experimental results.

Reply: We have clarified in the experiment design section 4 that certain details of the pop ups were consistent across splash screens, most notably the ransom amount of £300. They were also based on genuine ransom splash screens. Ultimately, however, using genuine splash screens results in some loss of experimenter control because the splash screens differ across many different characteristics. In the limitations section we discuss this more fully.


Comment: The paper considers "trust" as a key variable, but does not explain how to quantify trust. Suggest adding technical details, such as whether natural language processing techniques were used to analyze participants' comments, or whether statistical models were used to verify the relationship between trust and willingness to pay.

Reply: This is an important comment. In Section 4 we have clarified what "trust" measures; in our framework it measures confidence the criminal is capable of returning access to the files and willing to return access. It, thus, captures an element of ability and intention. In Section 5 we have added an additional paragraph looking at the participants' comments around trust. There were insufficient comments to perform a statistical language model. All comments, however, point to professionalism and information (or lack of it).

 

Comment: The paper mentions that there are some missing data in the experiment, but does not specify the specific processing techniques. Suggest adding technical details on whether multiple imputation or maximum likelihood estimation methods were used to handle missing data to ensure the robustness of the analysis results.

Reply: We have now clarified in more detail at the end of Section 4 the amount of missing data. This makes it easier to understand the notes in Section 5 on missing observations. We ignore missing data and do not attempt to impute information from the missing data. This seems consistent with a low level of missing data. In particular, we primarily use the ratings data where there were only 7 missing observations from 4000+ data points.

Reviewer 4 Report

Comments:

1. The abstract is clear and adequately presents the study's objective: to analyze how the design of ransom splash screens influences victims' willingness to pay the ransom, using insights from behavioral economics. They mention the key findings (trust as the main determinant and the better performance of the positive approach compared to the negative one). The suggestion for the section would be to briefly include the experimental method (e.g., number of participants, design) for greater context.

2. The authors' introduction contextualizes the ransomware problem and its evolution well, highlighting the importance of the business model for criminals. The justification for the study is solid, linking behavioral economics to the design of ransom demands. However, the authors could better justify in the literature what this work seeks to address (e.g., lack of behavioral studies on ransomware framing).

3. In section 2, the framing model (gain vs. loss) is well grounded in prospect theory and loss aversion. Equations (1)-(5) are clear and relevant. Figure 1 helps visualize the differences between the frames. One suggestion would be to explain in more detail how RG and RL are derived (eqs. 4 and 5) for less technical readers.

4. Hypotheses and Experimental Design (Sections 3 and 4)
In sections 3 and 4, the hypotheses are well-formulated and based on the theoretical model. The experimental design is robust: 8 ransomware screens, 6 evaluation criteria, and order control through randomization. The inclusion of qualitative feedback from participants enriches the analysis. The authors could explain how the realism of the fictitious screens was validated (e.g., whether designs identical to real cases were used).

5. The results in section 5 support the hypotheses: trust is the main predictor of willingness to pay (WTP), and positive framing performs best. Tables 2-4 and Figure 5 present the data clearly. The results for anger (Anger) have limitations because it did not vary significantly across screens, which partially contradicts H3. This could be discussed further. An additional suggestion would be to include statistical power tests to ensure adequate sample sizes.

6. In the discussion and conclusions section, the authors present an adequate discussion of the results with the literature and highlight practical implications (e.g., criminals should use positive frames). They mention the contradiction with previous studies (e.g., Yilmaz et al., 2021), which adds critical value. However, I suggest the authors could elaborate on the limitations (e.g., student sample, possible social desirability bias).

7. The references are up-to-date and relevant. The appendices (qualitative comments, fictitious screens) are a valuable addition. They could include an appendix with the full questionnaire for replicability.

Final Recommendations

The article is solid and provides novel evidence, but requires minor adjustments:
  • Clarify methodological details (screen validation, statistical power).
  • Discuss limitations in greater depth (e.g., generalization to non-student populations).
  • Improve the accessibility of the mathematical model for non-specialist readers.

Author Response

Comment: The abstract is clear and adequately presents the study's objective: to analyze how the design of ransom splash screens influences victims' willingness to pay the ransom, using insights from behavioral economics. They mention the key findings (trust as the main determinant and the better performance of the positive approach compared to the negative one). The suggestion for the section would be to briefly include the experimental method (e.g., number of participants, design) for greater context.

Reply: Thank you for these positive comments. We have modified the abstract to include more aspects of experiment design, including the number of subjects and the within subject design of the experiment. 

 

Comment: The authors' introduction contextualizes the ransomware problem and its evolution well, highlighting the importance of the business model for criminals. The justification for the study is solid, linking behavioral economics to the design of ransom demands. However, the authors could better justify in the literature what this work seeks to address (e.g., lack of behavioral studies on ransomware framing).

Reply: We have rewritten the introduction and added a new section on related literature. This, hopefully, better positions our work in the literature and its contribution.

 

Comment: In section 2, the framing model (gain vs. loss) is well grounded in prospect theory and loss aversion. Equations (1)-(5) are clear and relevant. Figure 1 helps visualize the differences between the frames. One suggestion would be to explain in more detail how RG and RL are derived (eqs. 4 and 5) for less technical readers.

Reply: We now explain the steps in how RG and RL are derived.  

 

Comment: Hypotheses and Experimental Design (Sections 3 and 4). In sections 3 and 4, the hypotheses are well-formulated and based on the theoretical model. The experimental design is robust: 8 ransomware screens, 6 evaluation criteria, and order control through randomization. The inclusion of qualitative feedback from participants enriches the analysis. The authors could explain how the realism of the fictitious screens was validated (e.g., whether designs identical to real cases were used).

Reply: Thank you for these positive comments. We have reworded the explanation of the splash screens to clarify that they were based on real cases.

 

Comment: The results in section 5 support the hypotheses: trust is the main predictor of willingness to pay (WTP), and positive framing performs best. Tables 2-4 and Figure 5 present the data clearly. The results for anger (Anger) have limitations because it did not vary significantly across screens, which partially contradicts H3. This could be discussed further. An additional suggestion would be to include statistical power tests to ensure adequate sample sizes.

Reply: Another reviewer raised the issue of salience and whether participants react in a lab environment how they would in real life. To us, the consistently high levels of anger across all ransom splash screens show that participants had some emotional salience with the task. We comment on this further in the paper. We have also added a brief discussion of power and sample size. 

 

Comment: In the discussion and conclusions section, the authors present an adequate discussion of the results with the literature and highlight practical implications (e.g., criminals should use positive frames). They mention the contradiction with previous studies (e.g., Yilmaz et al., 2021), which adds critical value. However, I suggest the authors could elaborate on the limitations (e.g., student sample, possible social desirability bias).

Reply: We have added a new limitations section. 

 

Comment: The references are up-to-date and relevant. The appendices (qualitative comments, fictitious screens) are a valuable addition. They could include an appendix with the full questionnaire for replicability.

Reply: On the FigShare repository we will post the full data and full questionnaire to aid with replicability. 

Round 2

Reviewer 1 Report

All other suggestions have been adequately addressed, apart from those concerning the discussion and conclusion.

I appreciate the authors’ effort to expand the conclusion and add future research directions. However, the current section is very long and is more like an extended discussion rather than a concise conclusion. I suggest shortening the conclusion to highlight the key contributions and findings in a focused way. The limitations and future research directions could remain as separate subsections (as currently structured), while the conclusion should provide a brief synthesis of the main insights and policy implications. A more concise conclusion will improve readability.

Author Response

Comment: I appreciate the authors’ effort to expand the conclusion and add future research directions. However, the current section is very long and is more like an extended discussion rather than a concise conclusion. I suggest shortening the conclusion to highlight the key contributions and findings in a focused way. The limitations and future research directions could remain as separate subsections (as currently structured), while the conclusion should provide a brief synthesis of the main insights and policy implications. A more concise conclusion will improve readability.

Reply: Thank you very much for the positive comments. We have now split the discussion and conclusion. There were things in the discussion that we needed to discuss because of other reviewers and so have retained elements of this. The conclusion is now shorter and more focussed on policy implications. 

Reviewer 4 Report

Comments:

1. In the introductory section and related works, the authors clearly establish the problem of ransomware, but the connection to behavioral economics could be more fluid. While the relevance of the topic is presented, the motivation of the study could be improved by specifying the knowledge gap it seeks to fill. I suggest further elaborating on how theories such as expected utility or loss aversion directly apply to the context of ransom payments. Are there previous studies that apply these theories in cybersecurity? If so, their inclusion would strengthen the main argument of the paper.

2. The methodology section is well-detailed, especially regarding the survey design and the characterization of the ransom screens (Table 1). The use of linear regression is appropriate for analyzing the relationship between variables. However, there are methodological concerns that need to be addressed. The choice of a sample of 299 university students represents a significant limitation. Although the authors acknowledge this, a more critical discussion should be given to how sample homogeneity (age, familiarity with technology) could bias the results. Do the findings represent the reality of a broader, less technologically literate population? This analysis and its implications for the generalization of the conclusions should be further explored.

3. The results and discussion sections are presented clearly, and the tables are easy to understand. Table 4, which shows the regression coefficients, is critical. The discussion adequately interprets the results, linking them to trust and perceived usefulness. The discussion focuses on correlation, but the inference of causality could be a point of further investigation. The authors claim a "strong positive correlation" (Figure 5), but it is crucial to be cautious with language so as not to imply causality. The text should be revised to reflect that the study identifies significant associations, not cause-and-effect relationships. This is vital for scientific accuracy. I suggest a section in the discussion titled "Implications and Limitations," where this caution is explicitly addressed and future methodologies for establishing causality are proposed.

4. The conclusion section summarizes the main results and reiterates the study's contribution; future work is relevant, suggesting research on ransom amounts and other characteristics. While the future research directions are pertinent, they are somewhat general. This section could be enriched with more specific and detailed proposals. For example, instead of just mentioning "future research on ransom amounts," the authors could propose an experimental design that systematically varies the ransom amount and measures WTP, or suggest using a game model to analyze interactions between attackers and victims. This would demonstrate deeper insight and an action plan for further building on the results of the current study.

Author Response

Comment: In the introductory section and related works, the authors clearly establish the problem of ransomware, but the connection to behavioral economics could be more fluid. While the relevance of the topic is presented, the motivation of the study could be improved by specifying the knowledge gap it seeks to fill. I suggest further elaborating on how theories such as expected utility or loss aversion directly apply to the context of ransom payments. Are there previous studies that apply these theories in cybersecurity? If so, their inclusion would strengthen the main argument of the paper.

Reply: We have added a few sentences in the introduction and then a new paragraph in the related literature discussing this in more detail. We hope that this better conveys the gap in the literature and why framing and loss aversion are relevant and important to consider. We have linked to two previous studies that discuss loss aversion and ransomware.

 

Comment: The methodology section is well-detailed, especially regarding the survey design and the characterization of the ransom screens (Table 1). The use of linear regression is appropriate for analyzing the relationship between variables. However, there are methodological concerns that need to be addressed. The choice of a sample of 299 university students represents a significant limitation. Although the authors acknowledge this, a more critical discussion should be given to how sample homogeneity (age, familiarity with technology) could bias the results. Do the findings represent the reality of a broader, less technologically literate population? This analysis and its implications for the generalization of the conclusions should be further explored.

Reply: We acknowledge that the use of a student subject pool is a limitation of the study. It is, however, conventional to use student samples for relatively involved surveys like this. Moreover, in settings that apply to students (and ransomware is one of those) there is evidence that students are broadly representative of the general population. In the limitations section we have extended the discussion and tried to identify the potential direction of any bias, including evidence on the relationship between loss aversion and age.  

 

Comment: The results and discussion sections are presented clearly, and the tables are easy to understand. Table 4, which shows the regression coefficients, is critical. The discussion adequately interprets the results, linking them to trust and perceived usefulness. The discussion focuses on correlation, but the inference of causality could be a point of further investigation. The authors claim a "strong positive correlation" (Figure 5), but it is crucial to be cautious with language so as not to imply causality. The text should be revised to reflect that the study identifies significant associations, not cause-and-effect relationships. This is vital for scientific accuracy. I suggest a section in the discussion titled "Implications and Limitations," where this caution is explicitly addressed and future methodologies for establishing causality are proposed.

Reply: Thank you for raising this issue. As you point out, we do not claim causality and are careful in our use of language throughout the paper. We explicitly mentioned in the paper that causality is difficult to infer. We have mentioned this a further time in the discussion, and also made some minor modifications to the text to make sure we are not seen to claim causality. More generally, we have a theoretical model with testable hypotheses that we then test; this is entirely consistent with scientific accuracy. Inferring causality in such a context is very challenging but we have added some suggestions in the future directions section.  

 

Comment: The conclusion section summarizes the main results and reiterates the study's contribution; future work is relevant, suggesting research on ransom amounts and other characteristics. While the future research directions are pertinent, they are somewhat general. This section could be enriched with more specific and detailed proposals. For example, instead of just mentioning "future research on ransom amounts," the authors could propose an experimental design that systematically varies the ransom amount and measures WTP, or suggest using a game model to analyze interactions between attackers and victims. This would demonstrate deeper insight and an action plan for further building on the results of the current study.

Reply: We have extended the future research directions sections as suggested.