Article
Peer-Review Record

Analyzing Reporting on Ransomware Incidents: A Case Study

Soc. Sci. 2023, 12(5), 265; https://doi.org/10.3390/socsci12050265
by André Greubel *, Daniela Andres and Martin Hennecke
Submission received: 30 March 2023 / Revised: 25 April 2023 / Accepted: 26 April 2023 / Published: 28 April 2023

Round 1

Reviewer 1 Report

My overall opinion about this article is that it is well-written and has value for publication. I can only comment on this article as a cyber security researcher with a special interest in ransomware. I recommend moderate revision.

 

Pros:

(1) Novel idea with good observation

(2) Introduction well written

 

Major issues:

(1) Authors should try to examine the definitions of ransomware properly, from government, industry and academic sources. For example:

- government: CISA (USA): https://www.cisa.gov/stopransomware

- industry: ProofPoint https://www.proofpoint.com/threat-reference/ransomware

- academia: McIntosh, T., Kayes, A. S. M., Chen, Y. P. P., Ng, A., & Watters, P. (2021). Ransomware mitigation in the modern era: A comprehensive review, research challenges, and future directions. ACM Computing Surveys (CSUR), 54(9), 1-36.  https://doi.org/10.1145/3479393

McIntosh et al. defined ransomware as malware that aims to jeopardize users' exclusive access to data, by threatening with data loss (via encryption) or data breach (via exfiltration), until a ransom is paid.

(2) It is important to mention that the ransomware attack on Colonial Pipeline involved 100GB of stolen data. Previous ransomware (aka crypto-ransomware) only encrypted files. As better backups became the norm, the criminals evolved their ransomware business model towards data breach.

(3) In subsection 3.4.1, better to mention that proper software testing involves both functional and security testing. "errors" in line 154 should be "software defects", because errors can be runtime errors or environmental.

(4) In subsection 3.4.2, regular updates aren't always preferred, because they can contain unintended new defects. In industry, companies often take the stable releases of patches, not the newest patches. Software updates need to be tested in sandboxes before rolling out in production environments.

(5) Section 7. It is worth ranking all 5 misconceptions according to descending level of deviation from reality, and briefly fact-checking them against ransomware facts.

(6) Unless they are news sources, maybe update some older references with newer ones.

 

 

Other issues:

(1) In line 3 and line 40, the authors should explain what K-12 is, for readers from countries that don't have this system.

(2) Line 46. The advice to use secure passwords is outdated. Now it is recommended to use unique random passwords managed by password managers.

(3) Lines 119-121. Need a citation.

(4) Line 122. [31] is outdated and wrong. Some ransomware variants are used for espionage with no intention of decryption.

(5) Line 123. Need to specify that the NotPetya (the actual name, not simply "Petya") and WannaCry attacks were crypto-ransomware attacks without data theft, unlike Colonial Pipeline.

(6) In subsection 3.4.4. The proper cyber security terminology is "defense in depth".

(7) In subsection 3.4.5. The proper cyber security terminology is "fail secure". Fail secure refers to a mode of operation in which the system defaults to a locked or closed position in the event of a power failure or other system malfunction. This is typically used in situations where security is a higher priority than safety, such as in a high-security facility or a data center. Fail secure systems are designed to prevent unauthorized access even in the event of a system failure.

(8) Line 192. You can annotate "data loss". Line 197: you can annotate "data breach"

(9) Lines 223-224. Worth discussing whether payment is meant to get decryption or to suppress a data breach.

(10) Line 237 in subsection 5.3. Are all the proposals justified or business-practical? Line 242. I'm sure Colonial Pipeline already has comprehensive firewall and email protection.

(11) Line 444. No date for the reference source.

(12) Line 490. Not appropriate to cite from Wikipedia in academic articles.
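The reviewer's point (7) above, that a "fail secure" mechanism defaults to a closed state when it malfunctions, is easiest to see as a contrast between two versions of the same authorization check. The following is an added illustration, not code from the article under review or from its authors: a policy lookup that can fail is wrapped once so that a failure grants access (fail-open) and once so that a failure denies it (fail-secure). The user names, the policy table and the simulated backend outage are all constructed for this example.

```python
"""Fail-open versus fail-secure handling of a failed policy lookup.

Added illustration (not from the article or the reviewer): all names,
the policy table and the simulated fault are constructed here.
"""

# Constructed policy table: user -> set of resources that user may read.
POLICY = {
    "alice": {"payroll.csv", "schedule.pdf"},
    "bob": {"schedule.pdf"},
}


class PolicyStoreUnavailable(Exception):
    """Simulates the policy backend being unreachable (constructed fault)."""


def lookup_policy(user: str, *, backend_up: bool = True) -> set:
    """Return the resources `user` may read; raise if the backend is down."""
    if not backend_up:
        raise PolicyStoreUnavailable("policy store unreachable")
    return POLICY.get(user, set())


def authorize_fail_open(user: str, resource: str, *, backend_up: bool = True) -> bool:
    """Anti-pattern: a failure of the mechanism is treated as 'no restriction'."""
    try:
        allowed = lookup_policy(user, backend_up=backend_up)
    except PolicyStoreUnavailable:
        # The check itself failed, so the system "opens": anyone gets in.
        return True
    return resource in allowed


def authorize_fail_secure(user: str, resource: str, *, backend_up: bool = True) -> bool:
    """Fail-secure: any failure of the mechanism results in denial."""
    try:
        allowed = lookup_policy(user, backend_up=backend_up)
    except PolicyStoreUnavailable:
        # The check itself failed, so the system "closes": nobody gets in.
        # A real deployment would also log this so the outage is noticed.
        return False
    return resource in allowed


def compare_under_outage(user: str, resource: str) -> tuple:
    """Return (fail_open_decision, fail_secure_decision) with the backend down."""
    return (
        authorize_fail_open(user, resource, backend_up=False),
        authorize_fail_secure(user, resource, backend_up=False),
    )


if __name__ == "__main__":
    # With the backend healthy both variants agree: bob may not read payroll.
    print(authorize_fail_open("bob", "payroll.csv"), authorize_fail_secure("bob", "payroll.csv"))
    # With the backend down the two variants diverge: (True, False).
    print(compare_under_outage("bob", "payroll.csv"))
```

Both variants behave identically while the policy store is healthy; the difference only appears during the malfunction, which is exactly the case the reviewer's definition is about. The fail-secure variant also makes the trade-off visible: legitimate users are locked out during the outage, which is why the reviewer describes it as appropriate where security outranks safety or availability.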

Author Response

Dear Reviewers,

Thank you for your constructive feedback! We were able to include almost all suggestions in the current version of the draft.

We addressed the following major issues as follows:
- Background: We added a more rigorous definition of ransomware attacks (based on McIntosh 2021 and McIntosh 2018) and contrasted it with the CISA government definition that only focuses on attacks targeting file systems. Clarified that MOST (instead of ALL) ransomware attacks do not intend to damage the system permanently. We also clarified that data was stolen at Colonial, but not by Petya or WannaCry.
- Analysis 4: The descriptions of the misconceptions were improved: It is now explained much more thoroughly how the reporting in the articles could lead to this misconception, and additional references why these are misconceptions rather than true were added.
- Added an Interpretation section and moved parts of the implications of these misconceptions to that section. Also highlighted in more detail that it is necessary to have a public discussion about the consequences: Just reading the news was (at that point) likely not sufficient for politically mature participation in discussion. That is an indicator that teaching about IT security should have more prevalence in curricula.

Multiple minor issues were addressed as suggested:
- Abstract: Added the location of the Colonial Pipeline to the abstract
- Section 3.1: We used substantives instead of adjectives to account for the fact that "integrity" does not have an adjective form.
- Fixed spelling mistakes as suggested
- Added the fact that data was stolen in the attack in the overall description of the attack
- 3.4.1: Rephrased "errors". We opted to choose "unintended behavior" over "software defects" for (hopefully) better readability
- 3.4.2: Rephrased the last sentence to not imply that regularly scheduled updates NECESSARILY lead to secure software -- instead, we just want to say: no updates lead to lack of security over time.
- 3.4.4 / 3.4.5: Adopted suggested terminology
- 4: Annotated the attacks with the keywords data loss and data breach
- 5.3: Highlighted that the articles did not specify whether any of the measures would have helped Colonial or whether they were business-practical
- Fixed References as Suggested

Issues not addressed:
- We did not re-order the misconceptions as we do not think we have any objective metrics to do so - we would rather leave them in no particular order than suggest anything by claiming they are ordered in any way.
- The phrase "use of secure passwords" is from within a quote of the GI recommendations. The recommendation indeed is outdated and password managers would be preferable -- but as of now, the recommendations have not been changed. We did not edit this part as the whole message of the section is: "There are very many topics in regard to IT security that could be taught (see recommendations). But only 90 min to do so."

We want to especially thank our reviewers for the very constructive suggestions on how to address the issues mentioned!

Best regards,
the Authors

Reviewer 2 Report

Thank you for the informative article. I enjoyed reading how most people have misconceptions about the modus operandi of ransomware attacks.

However, there are a few aspects you should address to make the article rigorous:

1) A few technical errors: In line 2 you wrote "it security", which should be "it's security".

In line 10: Specify the jurisdiction of this story for your global audience like myself who are not aware of this story, e.g. in the USA or Brazil etc.

In line 111: you wrote "integer", which should be "integrity".

2) Section 7. Analysis 4: from line 312 to 354 you need to ground (support) your analysis and results with relevant references to substantiate your findings. You have done this from lines 365-369.

Before your Limitations of the study you should clearly state the implications of your study to theory and managerial practice.


Overall, this article has used good English, though there are a few sections that require editing.

