Wednesday 11 May 2016

Ransomware is all about creating and capturing value

This week and next in ECON100 we are essentially discussing creating and capturing value (this week market power and monopolies, and next week pricing strategy). Most of the firms that we consider are selling fairly standard products that consumers want to buy. The lack of close substitutes (usually because the product is differentiated, branded, or because there are barriers to entry into the market) means that firms can sometimes derive a substantial profit from these activities.

However, not all 'business' activity is quite as benign in its effects as selling branded skateboards or pharmaceuticals. This week's Economist has an interesting article on ransomware, which can be interpreted in similar ways to what we are discussing in class:
Cybercrooks are changing their modus operandi and widening their nets for snagging the unwary... The most pernicious malware today immobilises an infected computer, encrypts its files and then demands a ransom to release them. If not paid within 12 hours or so, the computer’s content gets obliterated. To make sure the hapless victim gets the message, a bright red clock begins the count down...
No fewer than 4m incidents of ransomware were reported in the second quarter of 2015 alone. Millions more are thought to have gone unreported.
If someone bricks your computer or phone, then someone who un-bricks computers and phones is going to generate a lot of value for you (and for other hapless victims of the malware). Capturing that value simply requires pricing the 'un-bricking service' at less than the value it creates.

Creating demand for your own services is referred to as supplier-induced demand. We usually associate it with the seller having more information about the need for services than the buyer. Think about mechanics, who inspect your vehicle, and then undertake the repairs that they have advised that you need as a result of their inspection. The mechanic has an incentive to overstate the necessity for repairs. You can solve the problem of supplier-induced demand by having one firm do the inspections, and a different firm do the repairs.

However, in this case there is no information problem - the criminals are directly generating demand for their un-bricking services. Even better for the criminals, infecting computers and then un-bricking them is a low-cost activity:
Hacking into online retailers and financial institutions to steal credit-card and bank details may offer larger financial returns eventually, but selling the stolen data on the black market can be burdensome. By contrast, ransomware allows cybercrooks to get paid directly by their victims—with little effort, no special hacking skills, and negligible chance of being caught.
And to make things even better (for the criminals), demand for un-bricking services is likely to be relatively inelastic (unresponsive to price). We know that demand is less elastic when time horizons are short, and most affected people (and especially firms) want access to their data quickly (reinforced by the pressure of the visible countdown timer mentioned above):
Ransomware is especially effective because many of its victims do not have time on their side. Hospitals are particularly vulnerable, since they cannot afford to wait to access medical histories of patients requiring urgent treatment. Likewise, without the continual availability of data from suppliers, distributors and customers, modern manufacturing grinds quickly to a halt. Airlines closing flights prior to departure need to tally the “no-shows” with their “over-sold” seats. Disrupt any such mission-critical activity and costs—in human as well as financial terms—quickly get out of hand.
This relatively inelastic demand means that the criminals can charge a relatively high price for their 'services'. All of which adds up to significant profits for the criminals - potentially hundreds of millions of dollars. You'd better keep your computer and phone security up-to-date, unless you want to contribute to these profits.

No comments:

Post a Comment