Policies for Cybersecurity: an Experimental Approach

Last registered on April 10, 2025

Pre-Trial

Trial Information

General Information

Title
Policies for Cybersecurity: an Experimental Approach
RCT ID
AEARCTR-0015738
Initial registration date
April 03, 2025

Initial registration date is when the trial was registered.

It corresponds to when the registration was submitted to the Registry to be reviewed for publication.

First published
April 10, 2025, 7:23 AM EDT

First published corresponds to when the trial was first made public on the Registry after being reviewed.

Locations

Region

Primary Investigator

Affiliation
The University of Queensland

Other Primary Investigator(s)

PI Affiliation
PI Affiliation

Additional Trial Information

Status
Ongoing
Start date
2025-03-31
End date
2025-06-30
Secondary IDs
Prior work
This trial does not extend or rely on any prior RCTs.
Abstract
This study examines how different cybersecurity policy regimes affect cybersecurity outcomes. We compare "sophisticated" ransomware insurance, a policy of blocking ransom payments, and a policy of compensating victims who lost their data. In a stylized model, we compute the game-theoretic prediction for how these institutions affect outcomes. We then implement an experiment using the parameters from the model.
External Link(s)

Registration Citation

Citation
Breig, Zachary, Claudio Mezzetti and Zarina Vakhitova. 2025. "Policies for Cybersecurity: an Experimental Approach." AEA RCT Registry. April 10. https://doi.org/10.1257/rct.15738-1.0
Experimental Details

Interventions

Intervention(s)
Intervention (Hidden)
Intervention Start Date
2025-03-31
Intervention End Date
2025-06-30

Primary Outcomes

Primary Outcomes (end points)
We focus on three outcomes: 1) entry decisions, 2) the likelihood of the victim retaining their data, and 3) victim surplus.
Primary Outcomes (explanation)

Secondary Outcomes

Secondary Outcomes (end points)
Secondary Outcomes (explanation)

Experimental Design

Experimental Design
We compare the effects of different cybersecurity policy regimes on ransomware outcomes. Specifically, we compare three treatments: 1) sophisticated ransomware insurance, 2) the banning of ransom payments, and 3) victim compensation.
Experimental Design Details
Randomization Method
Randomization will be completed using the experimental software.
Randomization Unit
Because this is a between-subject design, the main treatments (insurance vs. bans vs. victim compensation) will be assigned at the session level. These assignments will be pre-determined (and not randomized) in order to ensure balance across the week and the time of day in which each session is run. Subjects have no way of knowing which treatment they will participate in when choosing which session to sign up for. The within-session random variation, such as the composition of groups, the assignment of roles, and some parameters (initial budgets in all rounds, the level of victim compensation in the victim compensation treatment, and the probability that ransoms will be blocked in the ransom banning treatment), will be randomized by the experimental software within the experiment.
Was the treatment clustered?
No

Experiment Characteristics

Sample size: planned number of clusters
We expect to recruit 180-240 subjects.
Sample size: planned number of observations
Each subject will participate in 35 rounds, but we will only analyze data from rounds 6 to 35. Furthermore, our outcome variables are at the group level (with group sizes of 2). Thus, the total number of observations will be the total number of subjects, multiplied by 30, divided by two. In addition, some analyses will focus on specific subsets of the data, as described in the pre-analysis plan.
Sample size (or number of clusters) by treatment arms
60-80 subjects per treatment.
Minimum detectable effect size for main outcomes (accounting for sample design and clustering)
IRB

Institutional Review Boards (IRBs)

IRB Name
UQ BEL LNR Ethics Committee
IRB Approval Date
2024-06-11
IRB Approval Number
2024/HE001212
Analysis Plan

There is information in this trial unavailable to the public.

Post-Trial

Post Trial Information

Study Withdrawal

There is information in this trial unavailable to the public.

Intervention

Is the intervention completed?
No
Data Collection Complete
Data Publication

Data Publication

Is public data available?
No

Program Files

Program Files
Reports, Papers & Other Materials

Relevant Paper(s)

Reports & Other Materials