Ransomware,Emotions,and the Decision to Pay: Evidence From a Factorial Experiment

Abstract

Ransomware victims must decide quickly whether to pay, yet the emotional dynamics of this decision are not well understood. We report the results of a pre-registered between subjects vignette experiment with a nationwide U.S. adult sample testing how ransomware notes shape such emotions as fear, anger, guilt, and shame, and how these responses relate to stated willingness to pay. Participants were randomly assigned to a neutral policy frame, or a ransomware note, and we additionally compare locked files versus stolen data threats. Results show clear differences between threat messaging and the neutral policy condition in both emotional responses and payment intentions. The locked versus stolen contrast affected the emotions only.

Keywords

ransomware emotions cybercrime risk decision-making factorial vignette experiment

Introduction

Ransomware is a form of malicious software used by cybercriminals to encrypt or restrict access to digital systems, thereby denying users control over their data until a ransom is paid. In many cases, perpetrators also threaten to publish or sell exfiltrated data if their demands are not met, further increasing coercive pressure on victims. The primary objective of such attacks is not simply data theft, but extortion, that is, extracting payment, typically in cryptocurrency, in exchange for the decryption key or the assurance of data confidentiality (Kharraz et al., 2015; Paquet-Clouston et al., 2019).

Recent years have seen a sharp escalation in ransomware activity worldwide. The Office of the Director of National Intelligence (2025) estimates that there were approximately 2,593 ransomware incidents in 2022 globally, rising to 4,591 in 2023 (a 77% increase), and 5,289 in 2024 (a further 15% rise). Although major law-enforcement operations have disrupted several high-profile groups (for instance, the FBI-led take-down of the Hive ransomware network in 2023 and the coordinated Europol action against LockBit affiliates in early 2024) these interventions have had only limited impact on the overall trajectory of attacks (Sophos, 2025). Certain sectors remain particularly vulnerable: in 2024, ransomware affected at least 85 U.S. hospital systems (covering more than 1,000 hospitals), over 2,200 public schools, and 117 state or local government entities (United States Senate Committee on Finance, 2024).

Globally, victims paid approximately US$813 million in ransoms in 2024, which is only slightly down from the record-breaking US$1 billion in 2023 (Chainalysis Team, 2024, 2025). Individual payments have grown substantially, with recent estimates ranging from an average of US$1 to 2 million per incident (Coveware, 2025; Sophos, 2024, 2025). In one of the most serious incidents to date, Change Healthcare allegedly paid approximately US$22 million to attackers in 2024 (Greenberg, 2024), following the exfiltration of sensitive medical and personal data including diagnostic records, insurance identifiers, and social security numbers (Abrams, 2024).

The financial toll of ransomware extends beyond ransom payments. Even for organizations that refuse to pay, the costs associated with recovery, downtime, and reputational damage are often substantial. A recent global survey estimated the average recovery cost (excluding ransom) at approximately US$1.53 million (Sophos, 2025). Despite law enforcement agencies consistently advising against payment (Federal Bureau of Investigation, 2025), nearly half (49%) of affected organizations in 2024 reported paying ransoms, with a median payment of around US$400,000 (Sophos, 2025).

A defining feature of ransomware, and extortion-based crime more broadly, is that the crime’s outcome depends critically on what occurs during the extortion phase, when victims decide whether to pay or not to pay the ransom. Victims’ decision-making can therefore have systemic implications, influencing the profitability and persistence of ransomware operations. Understanding the factors that shape victims’ decisions is thus essential to effective ransomware prevention and response strategies. And while traditional economic and rational-choice perspectives conceptualize ransom payment as a cost–benefit calculation, they overlook the powerful emotional dynamics that accompany victimization. Research shows that victims of both online and offline crime often experience acute emotional reactions such as fear, anger, and shame (Borrion & Connolly, 2020). These emotions can alter judgment under stress and bias rational decision-making (Lerner & Keltner, 2001; Loewenstein et al., 2001). In ransomware incidents, these emotions are particularly salient: the threats are immediate, the stakes are high, and the offender’s message is deliberately crafted to provoke affective responses. Yet, despite the growing sophistication of ransomware operations, the role of emotion in shaping victim behavior remains strikingly underexplored in cybersecurity research.

The present study addresses this gap by employing an experimental, between-subjects factorial vignette design to examine how variations in ransomware-note content influence emotional reactions and ransom-payment decisions. Specifically, it investigates:

RQ1: To what extent the extortion mechanism (locked files vs. stolen files) affect ransomware victims’ decision to pay or not to pay?

RQ2: How does the extortion mechanism affect victims’ emotional responses?

RQ3: How do specific emotions such as fear, anger, shame, and guilt, influence victim decision to pay or not to pay the ransom?

Literature Review

Factors Affecting Victims’ Decision-Making in Ransomware Attacks

After a ransomware attack, victims, whether individuals or organizations, must quickly weigh complex costs, benefits, and risks to decide whether to pay the ransom. Research and industry reports reveal that this decision is driven by a range of factors, including the importance of data and availability of backups; downtime and business interruption costs; attacker tactics and trustworthiness; cybersecurity insurance coverage; knowledge and preparation; ethical stance, among others (Connolly & Borrion, 2022).

Victims of ransomware must weigh the cost of prolonged downtime against the ransom amount. For industries like healthcare, for example, every hour of downtime can be extremely costly, and in the case of hospitals, even life-threatening (Dameff et al., 2023; National Audit Office [NAO], 2017). Hospital ransomware can paralyze operations, forcing cancellations, diversions, and manual fallback that jeopardize patient care. For example, during WannaCry ransomware attack, the NHS (National Health Service, the publicly funded healthcare system in the United Kingdom) recorded 6,912 confirmed (and an estimated approximately 19,494) canceled appointments and multiple emergency department diversions (NAO, 2017).

Although many organizations espouse “do not pay” principles, such commitments can be overridden when data are irreplaceable, reputational exposure is severe, or safety risks are acute. Paying the ransom might promise the fastest path to restoration, potentially reducing losses from halted production or services. Illustratively, in 2016, Hollywood Presbyterian Medical Center paid more than 40 bitcoins in ransom (approximately $17,000 at the time) to restore access to medical records, citing patient care imperatives (Zorthian, 2016). In 2024, Change Healthcare (USA) paid $22 million to ransomware attackers in one of the most disruptive healthcare cyber-attacks in U.S. history, illustrating how, in situations like these, faster recovery via ransom payment is weighed against the slower and often costlier alternative of rebuilding systems manually.

Importantly, acute emotions (panic, stress, and anger) triggered by a ransomware attack may steer the choice whether to pay away from narrow cost–benefit logic as such a choice is a high-stakes gamble involving practical trade-offs and intense psychological pressure. Research suggests that victims “conduct thorough cost–benefit analysis” but also that “less predictable” emotional elements (panic, stress, uncertainty, and moral judgment) can heavily influence the final call (Connolly & Borrion, 2022). On one side of the dilemma is the promise of a quick fix through payment; on the other side are long-term risks and principles of not negotiating with criminals.

The Risk-as-Feelings Perspective on Decision Making Under Risk

Early work in decision science modeled choice under risk as a purely cognitive, consequentialist calculation of probabilities and outcomes. The risk-as-feelings account argues that immediate emotions experienced at the moment of choice can diverge from, and at times dominate, those calculations, so that fear, anxiety, or shame drive behavior more than analytic assessment (Loewenstein et al., 2001). This perspective explains systematic departures from “rational” choice in high-stakes contexts.

Substantial empirical research supports the risk-as-feelings hypothesis. Experiments show that emotions shift risk perception and choice, independent of informational content. For example, imagining vivid negative outcomes in risky scenarios raises fear/stress and, in turn, increases perceived risk; imagining positive outcomes has the opposite effect (Sobków et al., 2016; Traczyk et al., 2015). Interestingly, exogenous stressors unrelated to the task also heighten subsequent risk judgments (Sobków et al., 2016). These findings are in line with the risk-as-feelings prediction that affect at decision time influences risk appraisal and behavior.

Laboratory research further supports the risk-as-feelings view by illustrating how specific emotions (e.g., fear or anger) impact decision biases (Lerner & Keltner, 2001). Fear, which is typically accompanied by appraisals of uncertainty and low personal control, tends to inflate perceived risk and encourage precaution or compliance. Anger, which is linked to appraisals of certainty and control, often dampens perceived risk and promotes defiance or risk seeking. Thus a fearful decision-maker may put too much weight on worst-case outcomes and select defensive options, whereas an angry decision-maker may downplay hazards and resist even at cost. Such emotion-specific findings reinforce a central tenet of risk-as-feelings: the nature of one’s affective reaction at the moment of choice can fundamentally shape the decision process, sometimes more powerfully than objective risk metrics. Field evidence echoes these dynamics. Following the September 11, 2001 attacks, heightened fear led many Americans to substitute driving for flying despite its higher objective risk per mile, producing a measurable increase in traffic fatalities (Gigerenzer, 2006). The broader lesson is that intense, dread-laden contexts can yield choices that depart from the choices that would be made by simply considering objective statistical risks (Gaissmaier & Gigerenzer, 2012).

High-stakes situations are the settings in which emotional responses are most likely to override deliberation. When potential losses are catastrophic or personal stakes are high, people’s emotional reactions tend to intensify and can dominate deliberation. For instance, studies of terrorism threats show that people strongly influenced by fear or anger will support very different protective actions and policies than those who remain calm – fear can lead to the overestimation of the threat and an exaggerated preference for safety measures, whereas anger might engender risk-taking or punitive responses (Huddy et al., 2005; Lerner et al., 2003). The common thread is that the more intense the emotional stake, the more likely feelings will “speak louder” than facts in guiding decisions.

Despite extensive support for the risk-as-feelings perspective, the evidence is not uniform. In a longitudinal field study of trained naval personnel, perceived risk predicted later worry, but worry did not feed back into subsequent risk judgments. This suggests that in structured, high-expertise settings cognitive evaluations may be more insulated from affect (Kobbeltvedt et al., 2005). These results suggest that in some contexts (e.g., highly trained individuals or structured environments), cognitive evaluations of risk may remain somewhat insulated from emotional fluctuations. This highlights that the magnitude of risk-as-feelings effects can depend on context, and individual differences.

Applying Risk-as-Feelings to Ransomware Victim Decision-Making

Ransomware incidents present victims with an emotionally charged dilemma. Whether they are individuals or institutional representatives, victims often experience fear, anger, shame, or guilt – emotions known to influence judgment and behavior in high-stakes decisions. Building on the risk-as-feelings framework introduced earlier, this section explores how these discrete emotions may affect the decision to pay or refuse to pay a ransom, and highlights the need for systematic empirical testing in this context. We take the point of view that in our setting the risk-as-feeling approach predicts that fear induces risk-averse and anger risk-seeking behavior, consistent with the hypothesis that fear is associated with overestimating and anger with underestimating the probability of a loss. Shame is also predicted to increase risk aversion as paying the ransom can be seen as taking a remedial action. Guilt, on the other hand is predicted to have an ambiguous effect on behavior.

Fear may play a particularly strong role when the perceived consequences of inaction are catastrophic, for example, the loss of sensitive data or disruption of life-critical services. When people feel afraid, they often prioritize immediate safety and security over other considerations, such as long-term financial well-being or a desire to avoid rewarding criminal behavior (Wake et al., 2020). Research suggests that fear shapes how individuals perceive and evaluate risks (Barnum & Solomon, 2019; Kahneman & Tversky, 1979; Lerner et al., 2003; Lerner & Keltner, 2001), leading to distorted risk assessments where fear-inducing threats are perceived as more likely or severe than they actually are. Victims of a ransomware attack driven by the fear of losing irreplaceable data might thus pay the ransom more often than if fear were not a factor.

Shame is directed toward the self rather than a specific behavior; it reflects a global negative self-evaluation that may discourage victims from seeking help, prompting attempts to resolve the situation privately and quietly (Gausel & Leach, 2011; Tangney & Dearing, 2002). In organizational contexts, this self-conscious distress may heighten reluctance to involve authorities or publicize the incident, thereby increasing the likelihood of paying the ransom privately to contain reputational damage (UK National Cyber Security Centre [NCSC], 2021).

Anger, by contrast, may promote defiance. It has been linked to diminished sensitivity to deterrents and greater risk-taking, potentially leading some victims to reject payment and pursue punitive or confrontational responses (Barnum & Solomon, 2019; Meier, 2022). Finally, when victims believe they contributed to the breach (for example, by clicking a malicious link or neglecting updates) they might experience guilt, activating a desire to repair the harm (Baumeister et al., 1994; Tangney & Dearing, 2007). This may motivate payment to restore control, but may also induce defiance.

In practice, victims are unlikely to experience only one emotion. Instead, ransomware incidents may evoke multiple, sometimes conflicting emotional reactions, such as fear of data loss, anger at the attacker, shame over security failures, and guilt over human error. These mixed emotional states may exert competing influences on decision-making, a dynamic that remains poorly understood. Existing research offers some preliminary insights. Borrion and Connolly (2020) found that while most ransomware victims describe their actions in rational terms, many reported feeling panic, confusion, and emotional distress. Similarly, interviews conducted by MacColl et al. (2023) highlight fear, helplessness, and shame as common reactions among victims. These findings underscore that emotional responses matter – and that their influence likely varies across emotional types. Yet no existing study has systematically tested how different emotions, or combinations of emotions, affect ransomware decisions. The present study addresses this gap by experimentally manipulating the content of ransomware notes and measuring resulting emotional reactions and payment intentions.

The Current Study

This study examines how ransomware note content influences payment intentions and the emotions that accompany those decisions. Building on the “risk as feelings” theoretical framework, we test the following hypotheses in relation to whether specific ransomware note designs (locked files vs. stolen files) differentially shape emotions, and whether those emotions are statistically linked to payment intentions:

H1: (Condition → Payment) The ransomware note condition will affect the probability of paying.

H2: (Emotions → Payment) Specific emotions (e.g., fear, anger, shame, and guilt) will affect the probability of paying the ransom.

H2a: Fear and shame will increase the odds of paying.

H2b: Anger will decrease the odds of paying.

H2c: The direction for guilt is uncertain.

H3: (Condition → Emotions) The ransomware note condition will affect the emotions reported by the participants.

H4: (Mediation) The effect of note type on payment will be statistically mediated by elicited emotions. Because emotions are measured after exposure and not randomized, we interpret mediation paths as statistical rather than fully causal.

Experimental Design

We fielded a pre-registered, between-subjects factorial vignette experiment in which participants were randomly assigned to one of three conditions. All participants were asked to imagine serving as the head of cybersecurity at a mid-sized regional hospital. In the neutral policy condition (Condition 0), participants indicated their preferred default policy for ransomware incidents, that is, whether the hospital should generally pay or not pay a ransom, without being exposed to a threat message. In the two threat conditions, participants read a simulated ransomware note demanding US$1.2 million in cryptocurrency. The note informed them that either critical patient data had been locked (encryption leverage, Condition 1) or stolen (data-theft leverage, Condition 2). The Neutral condition was designed as a policy-framed baseline that captures respondents’ normative/pragmatic stance on whether an organization should pay a ransom in a hospital context, rather than an “absence of ransomware risk” or an emotionally neutral decision state. Accordingly, treatment effects are interpreted as the difference between an abstract policy judgment (Neutral) and responses to a direct coercive threat message (Locked Files / Stolen Files).

The experimental notes were developed by adapting language and structural elements from a large body of real-world ransomware communications collected by the authors for a separate project. After reading the note, participants were asked to decide whether they would pay or refuse to pay the ransom. This design isolates the causal effect of the attacker’s leverage (encryption vs. data theft) on payment decisions while holding all contextual features constant and using the neutral condition as a baseline for non-threat policy attitudes.

We used a between-subjects design so that each participant responded to exactly one scenario. This choice minimizes demand and contrast effects that arise when respondents see multiple manipulations in sequence, reduces fatigue and learning effects, and avoids emotional carryover or desensitization – risks that are salient for affect-laden vignettes such as ransomware notes. It also mirrors real-world decision making, where a victim typically faces a single extortion message rather than comparing several variants in a short span. Presenting multiple vignettes to the same respondent can introduce fatigue and learning effects that degrade data quality, as well as demand characteristics and contrast across scenarios, all of which threaten internal validity (e.g., Auspurg & Hinz, 2015; Iyengar, 2011; Orne, 1962). For emotion eliciting stimuli, repeated exposure can also blunt responses through desensitization or carryover, reducing the very variation in affect we aim to measure (Greenwald, 1976). A between-subjects design therefore limits these threats and preserves ecological validity, since real-world victims typically encounter a single ransomware note rather than a series of variants. The protocol received ethics approval from the HREC of Monash University, and we preregistered hypotheses, design, analyses, robustness checks, and target sample size on AsPredicted (protocol #246119).

Measures

The central independent variable in this study was the experimental condition, reflecting the type of ransomware scenario to which each participant was randomly assigned. Participants were allocated to one of three conditions: a neutral policy frame (Condition 0), a “locked files” ransomware note (Condition 1), or a “stolen data” ransomware note (Condition 2). In the neutral frame, respondents indicated whether the hospital should generally pay or not pay ransoms in principle, without exposure to a threat message. In the two ransomware conditions, participants viewed a simulated attacker note demanding US$1.2 million in Bitcoin. The content of the messages differed in the leverage used by attackers: the locked-files note stated that patient records, diagnostic files, and financial documents had been encrypted and would be permanently damaged if recovery was attempted; in contrast, the stolen-data note asserted that these files had been exfiltrated and would be sold on the dark web if the ransom was not paid. Each note emphasized the attackers’ “reputation” for keeping their word. These conditions were subsequently coded as dummy variables (Locked Files vs. Neutral; Stolen Files vs. Neutral), with the neutral frame serving as the reference category.

The primary dependent variable was the binary payment decision measured immediately after exposure to the vignette. Participants indicated whether they would “Pay the ransom” or “Not pay the ransom,” and were then prompted to briefly explain their choice. While these qualitative explanations were not analyzed quantitatively, they confirmed that participants understood the decision context.

Immediately following the decision item, participants completed the emotion measures, which served both as outcome variables in the manipulation check and as mediators in the mediation analysis. Four discrete emotional responses – Fear, Anger, Shame, and Guilt – were measured using 0 to 100 slider scales anchored at “Not at all” and “Extremely.” Participants reported the intensity of each emotion experienced “immediately after reading the note,” capturing a proximal state response rather than a post-hoc evaluation. These emotions were selected because they represent central high-arousal, self-relevant negative emotions theorized to influence judgment under threat. This approach of measuring each emotion on a single 0 to 100 intensity rating helps minimize respondent burden and demand effects. Any remaining unreliability would be expected to introduce classical measurement error that attenuates estimated associations and indirect effects; accordingly, the emotion and mediation estimates are best interpreted as conservative.

In addition to analyzing emotions individually, we constructed a latent Negative Affect factor to capture shared variance across the four indicators. Confirmatory factor analyses (CFA; reported in the Supplemental Materials) demonstrated excellent fit for the one-factor model, supporting the use of a standardized composite score in robustness analyses.

Several individual difference measures were included as covariates to improve precision and adjust for baseline tendencies relevant to emotional reactivity and risk-based decision-making. Trait anxiety was measured using the seven-item GAD-7 scale (Spitzer et al., 2006). Items ask respondents how frequently in the past two weeks they experienced symptoms such as “Feeling nervous, anxious, or on edge” or “Worrying too much about different things,” with response options ranging from 0 (“Not at all”) to 3 (“Nearly every day”). Cybersecurity efficacy was assessed using a six-item scale measuring confidence in performing routine security behaviors. Items included statements such as “I routinely adjust privacy and security settings on my devices,” “I enable multi-factor authentication on important accounts,” and “I routinely back up important files,” rated on a five-point Likert scale from “Strongly disagree” to “Strongly agree.” Both the GAD-7 and cybersecurity efficacy scales were validated via confirmatory factor analysis and demonstrated excellent reliability; full loadings and fit indices are reported in the Supplemental Materials A.2.

Participants also reported their prior experience with ransomware, selecting whether they had previously encountered an attack personally, at work, both, or not at all. Those indicating prior exposure were asked about the outcome of their most recent incident (e.g., “Ransom was paid,” “Ransom was not paid”). For analysis, this measure was recoded into a three-level categorical variable distinguishing participants with no ransomware experience, those who had experienced ransomware without paying, and those who had paid a ransom in the past.

Cybersecurity training was measured in two stages. Participants first indicated whether they had received any formal cybersecurity training. Those answering affirmatively were presented with a list of possible training contexts, such as university coursework, community college programs, intensive bootcamps, employer-provided training, U.S. government or military programs, independent certification courses (e.g., Security+), vendor-specific training (e.g., Cisco, Microsoft, and AWS), and self-paced online courses. Participants could select multiple options. The total number of distinct training types was then summed to produce a count variable capturing the breadth of formal training exposure rather than the mere presence of training.

Baseline risk tolerance was measured using an allocation task in which respondents distributed an imaginary US $100,000 across low-, medium-, and high-risk investment categories (e.g., savings accounts, index funds, and cryptocurrency). As preregistered, we converted these allocations into a single risk-tolerance score by applying weights to each category (Low = 1, Medium = 2, and High = 3) and calculating a weighted average of the respondent’s investment choices. This produces a continuous score that increases as respondents allocate more of their money to higher-risk options, providing an interpretable measure of financial risk-taking.

Finally, demographic variables included age (measured in years), gender, race/ethnicity, education, household income, and U.S. region. Gender was recorded with an open option; however, because very few participants selected non-binary or self-described genders (n = 8), these responses were retained descriptively but excluded from regression models to avoid model instability. All other demographic variables were treated as categorical factors or, in the case of age, as a continuous measure. Continuous predictors were z-standardized using Gelman’s g-scaling procedure (by dividing the values by two standard deviations) to facilitate interpretation and comparability of coefficients (Gelman, 2008). All survey items, including the full text of vignettes, emotion items, cybersecurity scales, and demographic questions, are provided in the Supplemental Materials A.6 for transparency and replication.

Sample and Participants

Participants were recruited through the Cint online panel aggregator between 10 and 21 September 2025. Eligibility was limited to U.S. residents aged 18 years or older. Quota sampling was employed to obtain a sample broadly representative of the U.S. adult population. Of the 2,157 individuals who began the survey, those who did not provide consent or failed the attention check were excluded. The final analytic sample included 2,085 participants.

Analytical Strategy

Prior to the analysis, the dataset was screened and flagged for straight lining, excessive speeding, and failed comprehension checks. Descriptive comparisons of demographic and baseline variables across the three experimental Condition cells were conducted using χ² tests (for categorical variables) and one-way ANOVA to confirm successful random assignment (i.e., no significant differences at α = .05).

We then tested four hypotheses: whether the ransomware note condition affects payment decisions (H1), whether specific emotions predict payment decisions (H2), whether ransomware note condition affects emotional responses (H3), and whether emotions mediate the effect of the condition on payment (H4), using the following variables:

Y_i = payment decision for person i, where Y_i ∈ {0,1} with 1 = pay and 0 = not pay,

D_i1 = dummy indicator for Condition 1 (Locked files),

D_i2 = dummy indicator for Condition 2 (Stolen Files), Fear_i, Anger_i, Shame_i, Guilt_i, NegativeAffect_i = emotions variables, measured from 0 to 100, were rescaled by dividing by two standard deviations (Gelman, 2008).

X _i = vector of control variables (covariates).

Results of the logit regressions are reported as un-exponentiated log-odds (β) with 95% confidence intervals. Model fit is evaluated using information criteria (AIC and BIC) and prediction error (RMSE). Lower AIC and BIC values and smaller RMSE indicate better model performance.

Hypothesis 1

Hypothesis 1 (the ransomware note condition affects payment decisions) was tested using binary logistic regression. The probability of choosing to pay was regressed on the experimental condition, using Condition 0 (neutral) as the reference category, with covariates included as controls:

l o g i t (P r (Y_{i} = 1)) = β_{0} + β_{1} D_{i 1} + β_{2} D_{i 2} + X_{i}^{T} ϕ

(1)

Hypothesis 2

To test H2 (specific emotions predict payment decisions), we fit a series of logistic regression models.

L o g i t (P r (Y_{i} = 1)) = γ_{0} + γ_{1} F e a r_{i} + γ_{2} A n g e r_{i} + γ_{3} S h a m e_{i} + γ_{4} G u i l t_{i} + X_{i}^{T} ϕ

(2)

Hypothesis 3

To test H3 (the ransomware note condition affects emotions), a series of linear regression models were estimated in which each emotion (Fear, Anger, Shame, and Guilt) and the composite variable Negative Affect was regressed separately on the condition variable and covariates:

{Fear}_{i} = α_{0}^{F} + α_{1}^{F} D_{i 1} + α_{2}^{F} D_{i 2} + X_{i}^{T} Ψ^{F}

(3)

{Anger}_{i} = α_{0}^{A} + α_{1}^{A} D_{i 1} + α_{2}^{A} D_{i 2} + X_{i}^{T} Ψ^{A}

(4)

{Shame}_{i} = α_{0}^{S} + α_{1}^{S} D_{i 1} + α_{2}^{S} D_{i 2} + X_{i}^{T} Ψ^{S}

(5)

Guilti = α_{0}^{G} + α_{1}^{G} D i 1 + α_{2}^{G} D i 2 + X_{i}^{T} Ψ^{G}

(6)

{NegativeAffect}_{i} = α_{0}^{N} + α_{1}^{N} D_{i 1} + α_{2}^{N} D_{i 2} + X_{i}^{T} Ψ^{N}

(7)

Hypothesis 4

To examine whether experimental note effects on payment decisions operate in part through emotional responses, we estimate indirect effects using a potential outcomes mediation framework (Imai et al., 2010; Pearl, 2012). This approach improves on the traditional “causal steps” procedure of Baron and Kenny (1986) by defining indirect and direct effects in terms of contrasts between counterfactual outcomes, accommodating nonlinear outcome models, and avoiding reliance on sequential significance testing (Imai et al., 2010; Imai et al., 2011). Throughout, we interpret estimated indirect effects as statistical decompositions that can be given a causal interpretation only under standard mediation identification assumptions (including no unmeasured confounding of the mediator–outcome relationship, conditional on treatment and covariates; Imai et al., 2010; VanderWeele, 2015; Figure 1).

Figure 1.

Mediation model (H4).

Because the discrete emotions in this study (Fear, Anger, Shame, and Guilt) were moderately inter-correlated and conceptually overlapping, estimating emotion specific indirect effects within a single simultaneous multiple-mediator model would require strong assumptions about the independence and causal ordering of the mediators that are difficult to justify in this setting (VanderWeele, 2015). We therefore adopted two complementary strategies:

Strategy 1 (discrete emotions). We estimated parallel mediation models that treat each emotion in turn as the focal mediator, while including the other emotions as covariates in the outcome model (i.e., mediator-specific decompositions).

Strategy 2 (shared negative affect). We estimated a mediation model with a single composite mediator, Negative Affect, to capture variance shared across the four emotions.

All mediation models were estimated in R using the mediation package with 5,000 nonparametric bootstrap replications to obtain percentile-based confidence intervals (Imai et al., 2010; VanderWeele, 2015). For Strategy 1, we fit a linear mediator model and a logistic (logit) outcome model for payment; ACME and ADE were computed by mediate() from simulated counterfactual predictions with nonparametric bootstrap confidence intervals. For Strategy 2, we estimated the same mediator model but used a probit-linked outcome model so that the package’s sensitivity analysis procedure (medsens) could be applied (it is only implemented for probit outcome models); results were substantively similar under a logit link (see Supplemental Materials A.5). Covariates were included to improve precision and to reduce the plausibility of mediator–outcome confounding, though unmeasured confounding cannot be ruled out.

Estimation of the parallel mediation specification combines Equations 3 to 6 with the following outcome model:

\begin{array}{l} l o g i t (P r (Y_{i} = 1)) = b_{0} + b_{1} D_{i 1} + b_{2} D_{i 2} + b_{F} F e a r_{i} + \\ b_{A} A n g e r_{i} + b_{S} S h a m e_{i} + b_{G} G u i l t_{i} + X_{i}^{T} ζ \end{array}

(8)

Estimation of the Negative Affect specification combines Equation 7 with:

Φ^{- 1} (P r (Y_{i} = 1)) = b_{0} + b_{1} D_{i 1} + b_{2} D_{i 2} + b_{N} N e g a t i v e A f f e c t_{i} + X_{i}^{T} ζ

(9)

Within the potential outcomes mediation framework, the total effect of condition j ∈ {1, 2} on payment can be decomposed into an estimated indirect component through mediator E ∈ {F, A, S, G, N} (reported by the package as ACME) and an estimated direct component not operating through that mediator (reported as ADE). In nonlinear models, these effects are computed from counterfactual predictions rather than as simple products of coefficients. We therefore report ACME and ADE as the package-defined average indirect and direct effects, along with bootstrap confidence intervals. Note. We report ACME and ADE using the conventional terminology of the mediation package. ACME is interpreted here as an estimate of the average indirect effect (indirect component) and ADE as the average direct effect, conditional on standard mediation identification assumptions.

We also conducted sensitivity analyses (via medsens) to quantify how strong residual mediator–outcome confounding would need to be to attenuate the estimated indirect effect to zero, reporting the implied ρ (residual correlation) and associated R² benchmarks.

To verify that the study was adequately powered to detect indirect effects, an a priori power analysis was conducted using the approach outlined by Qin (2024). Full details of assumptions, parameters, and results are provided in Supplemental Materials A.1.

Robustness Checks and Sensitivity Analyses

All robustness and sensitivity procedures were preregistered. The analytic sample excludes participants who did not provide consent or who failed the preregistered attention check. Other potential data quality indicators, such as speeding, straight-lining, and comprehension check failure, were treated as flags and retained in the primary analyses; robustness models were re-estimated by (i) adding these indicators as covariates and/or (ii) excluding flagged cases.

We assessed robustness to alternative emotion scoring by re-estimating models using (1) item-level emotion ratings (0–100; standardized) and (2) a latent single-factor Negative Affect score estimated via CFA (WLSMV), with empirical Bayes factor scores used in regressions. To evaluate potential satisficing, we flagged respondents in the fastest 5% of completion times (completion time ≤5th percentile) and re-estimated models including this indicator and excluding fast responders. We also examined sensitivity to comprehension by re-estimating models with a binary indicator for comprehension check failure and by excluding comprehension failures.

Results

Descriptive Statistics

The final analytic sample comprised 2,085 U.S.-based participants, approximately evenly distributed across the three experimental conditions. The average age was 47 years (SD = 18), with respondents ranging from 18 to over 90. Gender representation was balanced, with 49% identifying as male and 51% as female; a small proportion (0.5%) identified as non-binary or another gender. The majority of participants identified as White (69%), followed by Black or African American (15%), and smaller proportions identifying as Asian, American Indian/Alaska Native, or other racial groups. Respondents were geographically diverse. Figure 2 shows the geographic distribution of participants across the United States.

Figure 2.

Map of participants’ locations.

In terms of education, 28% had completed high school, 19% had some college education, and 15% held a 4-year degree. A further 16% held professional or doctoral-level qualifications. Annual household income was varied, with 22% earning less than $25,000, and 23% earning between $25,000 and $49,999. About 9% reported incomes above $150,000. Across all demographic categories (with the exception of age, gender and location, which were compulsory and do not have any missing data), rates of missing or unreported data were low (approximately 8%–9%). Table 11, which contains descriptive statistics for socio-demographic characteristics of the sample, including means (SD) and ranges for continuous variables, and counts and percentages for categorical variables, including overall and stratified by condition, is provided in the Supplemental Materials A.4.

In Table 1, we report pairwise Pearson correlations among continuous variables (lower triangle; stars indicate statistical significance). The four discrete emotions were moderately to strongly inter-correlated (|r| = .39–.77), with the largest association between Shame and Guilt (r = .77, p < .001). Age showed small-to-moderate negative correlations with Fear, Shame, Guilt, and GAD-7 (up to r = −.38, p < .001), indicating that younger participants tended to report higher negative affect and anxiety symptoms. Training types was positively related to emotions and GAD-7 (r = .08–.32, p < .001), and Cybersecurity efficacy displayed uniformly small correlations with other constructs (|r| ≤ .16). Risk tolerance exhibited weak associations overall (|r| ≤ .15). Overall, coefficients were modest in magnitude aside from the inter-emotion correlations, suggesting limited risk of extreme multicollinearity beyond the emotion cluster.

Table 1.

Correlation Matrix (Pearson r).

Variable	1	2	3	4	5	6	7	8	9
(1) Age	1.00
(2) Fear	−0.09***	1.00
(3) Anger	0.08***	0.59***	1.00
(4) Shame	−0.18***	0.59***	0.39***	1.00
(5) Guilt	−0.25***	0.61***	0.40***	0.77***	1.00
(6) Risk tolerance	−0.15***	0.05	−0.01	0.12***	0.12***	1.00
(7) Training types	−0.16***	0.22***	0.08***	0.29***	0.32***	0.14***	1.00
(8) Cyber efficacy	−0.01	0.12***	0.16***	0.11***	0.09***	0.02	0.26***	1.00
(9) GAD-7	−0.38***	0.25***	0.11***	0.31***	0.35***	0.09***	0.21***	0.03	1.00

Note. Significance levels: ***p < .001.

The proportion of participants who chose to pay the ransom varied by condition: 45.7% in the Neutral scenario (Condition 0), 36.4% in the Locked Files scenario (Condition 1), and 37.7% in the Stolen Files scenario (Condition 2).

Hypotheses Testing Results

Table 2 reports logistic regression models predicting the decision to pay. Entries are un-exponentiated log-odds coefficients (β) with robust (HC1) standard errors in parentheses, and odds ratios are reported in square brackets. Odds ratios are obtained by exponentiating the corresponding log-odds estimates (OR = e^β ) and can be interpreted as multiplicative differences in the odds of paying associated with a one-unit increase in the predictor (here, a two standard-deviation change for g-standardized variables). Model 1 includes covariates only. Model 2 adds the experimental condition contrasts to test H1. Model 3 adds the discrete emotions to assess H2. Model 4 includes both condition and emotion predictors (Equation 8). Model 5 replaces the discrete emotions with the Negative Affect composite (Equation 9). Model fit statistics (AIC/BIC and RMSE) are reported at the bottom of Table 2. Overall model fit improved when condition and emotion predictors were added (lowest AIC/BIC in Model 4), while RMSE was similar across specifications (0.42–0.43). Because emotions are not experimentally manipulated, coefficients for emotion predictors are interpreted as conditional associations rather than causal effects.

Table 2.

Logistic Regression Models Predicting the Decision to Pay While Controlling for Covariates (Robust Errors and Odds Ratios).

	Model 1	Model 2	Model 3	Model 4	Model 5
Variable	Base	[Equation 1]	[Equation 2]	[Equation 8]	[Equation 9]
Intercept	−0.883*** (0.095) [OR = 0.41]	−0.714*** (0.121) [OR = 0.49]	−0.802*** (0.107) [OR = 0.45]	−0.575*** (0.138) [OR = 0.56]	−0.651*** (0.128) [OR = 0.52]
Age	−0.504*** (0.128) [OR = 0.60]	−0.520*** (0.130) [OR = 0.59]	−0.421** (0.151) [OR = 0.66]	−0.434** (0.153) [OR = 0.65]	−0.581*** (0.138) [OR = 0.56]
Gender (Female)	0.142 (0.122) [OR = 1.15]	0.148 (0.122) [OR = 1.16]	0.185 (0.138) [OR = 1.20]	0.196 (0.139) [OR = 1.22]	0.182 (0.127) [OR = 1.20]
Risk tolerance (g)	0.303* (0.119) [OR = 1.35]	0.308** (0.119) [OR = 1.36]	0.212 (0.134) [OR = 1.24]	0.214 (0.135) [OR = 1.24]	0.273* (0.124) [OR = 1.31]
Cybersecurity efficacy (g)	−0.009 (0.119) [OR = 0.99]	0.000 (0.119) [OR=1.00]	0.036 (0.135) [OR = 1.04]	0.029 (0.136) [OR = 1.03]	−0.050 (0.126) [OR = 0.95]
GAD-7 (g)	0.264* (0.125) [OR = 1.30]	0.248* (0.125) [OR = 1.28]	0.150 (0.145) [OR = 1.16]	0.126 (0.146) [OR = 1.13]	0.199 (0.135) [OR = 1.22]
Training types (g)	0.024 (0.143) [OR = 1.02]	0.018 (0.143) [OR = 1.02]	−0.008 (0.153) [OR = 0.99]	−0.013 (0.153) [OR = 0.99]	−0.026 (0.144) [OR = 0.97]
Ransomware exp. (not paid)	−0.764*** (0.190) [OR = 0.47]	−0.758*** (0.190) [OR = 0.47]	−0.866*** (0.211) [OR = 0.42]	−0.861*** (0.211) [OR = 0.42]	−0.794*** (0.196) [OR = 0.45]
Ransomware exp. (paid)	2.630*** (0.256) [OR = 13.87]	2.658*** (0.256) [OR = 14.27]	2.270*** (0.270) [OR = 9.68]	2.288*** (0.270) [OR = 9.86]	2.541*** (0.260) [OR = 12.69]
Cond 1: Locked vs. Neutral		−0.390** (0.145) [OR = 0.68]		−0.474** (0.167) [OR = 0.62]	−0.528*** (0.153) [OR = 0.59]
Cond 2: Stolen vs. Neutral		−0.154 (0.139) [OR = 0.86]		−0.264 (0.158) [OR = 0.77]	−0.270 (0.146) [OR = 0.76]
Fear (g)			0.714*** (0.188) [OR = 2.04]	0.724*** (0.190) [OR = 2.06]
Anger (g)			−0.643*** (0.171) [OR = 0.53]	−0.593*** (0.174) [OR = 0.55]
Shame (g)			0.148 (0.211) [OR = 1.16]	0.153 (0.211) [OR = 1.17]
Guilt (g)			0.502* (0.216) [OR = 1.65]	0.494* (0.217) [OR = 1.64]
Negative Affect (g)					0.728*** (0.133) [OR = 2.07]
AIC	1,802.1	1,798.7	1,425.1	1,420.7	1,657.7
BIC	1,850.8	1,858.1	1,492.6	1,498.6	1,721.9
RMSE	0.43	0.43	0.42	0.42	0.42

Note. Entries are log-odds coefficients. Robust (HC1) standard errors in parentheses; odds ratios in square brackets.

Significance: ***p < .001. **p < .01. *p < .05. *p < .10.

H1: The Effect of the Ransomware Note Condition on the Payment Decision

As shown in Table 2 (Model 2), participants exposed to the Locked Files note had about 32% lower odds of paying than those in the neutral condition (OR = 0.68, p < .01), whereas the Stolen Files note was associated with only a small (about 14%) and statistically non-significant reduction in payment odds (OR = 0.86; p = .27). Taken together, these results support H1: ransomware note framing influences intended payment, with the Locked Files condition producing the clearest reduction.

H2: Emotions and the Payment Decision

Model 3 (Table 2) indicates that emotions are strongly associated with the decision to pay. Higher Fear and Guilt were associated with higher odds of payment (Fear: OR = 2.04, p < .001; Guilt: OR = 1.65, p < .05), whereas higher Anger was associated with substantially lower odds of payment (OR = 0.53, p < .001). Shame was not statistically distinguishable from zero (p = .48). Consistent with these patterns, model fit was better in specifications that included emotion measures than in the covariate only model (Table 2).

Model 4 includes both the condition contrasts and the discrete emotions. The Locked Files condition remained a significant negative predictor of payment (OR = 0.62, p < .01), while the Stolen Files contrast remained negative but was weaker and not statistically significant at conventional levels (OR = 0.77, p = .10). The emotion associations were stable: Fear and Guilt remained positive, Anger remained negative, and Shame remained non-significant (Table 2). Model 4 provided the best overall fit among these specifications.

Model 5 replaces the four discrete emotions with the Negative Affect composite. Negative Affect was positively associated with payment (OR = 2.07, p < .001), but this composite specification fit worse than the discrete-emotion model. This pattern suggests that retaining emotion-specific information (particularly Anger) better accounts for heterogeneity in payment decisions.

H3: The Effect of the Ransomware Note Condition on Emotions

As shown in Table 3, both ransomware notes increased negative emotional responses relative to the Neutral condition, consistent with H3. The clearest and most consistent condition effects were observed for Anger and Fear: both the Locked Files and Stolen Files notes produced significant increases in these emotions compared to Neutral (approximately 0.10–0.17 g, i.e., about 0.20–0.34 SD). For Fear, the Stolen Files note showed a slightly stronger increase than the Locked Files note, whereas for Anger the Locked Files note produced the larger increase. By contrast, effects on self-conscious emotions (Shame and Guilt) were smaller and less consistent. Shame increased modestly only in the Stolen Files condition, while there was no statistically significant condition effect on Guilt.

Table 3.

Linear Regression Models Predicting Discrete Emotions (Robust SEs).

	Model 1	Model 2	Model 3	Model 4	Model 5
Variable	Anger	Fear	Shame	Guilt	NegAffect
Intercept	−0.130*** (0.027)	−0.140*** (0.026)	−0.083** (0.026)	−0.087*** (0.025)	−0.140*** (0.025)
Age (g)	0.177*** (0.029)	0.041 (0.029)	−0.005 (0.026)	−0.070** (0.027)	0.058* (0.027)
Gender (Female)	−0.032 (0.026)	0.030 (0.026)	−0.080** (0.025)	−0.035 (0.025)	0.021 (0.025)
Risk tolerance (g)	−0.018 (0.026)	−0.006 (0.025)	0.037 (0.025)	0.024 (0.024)	0.004 (0.024)
Cyber efficacy (g)	0.143*** (0.027)	0.068* (0.028)	0.031 (0.027)	0.019 (0.027)	0.074** (0.026)
GAD-7 (g)	0.149*** (0.030)	0.193*** (0.031)	0.196*** (0.029)	0.210*** (0.029)	0.196*** (0.029)
Training types (g)	0.010 (0.027)	0.098*** (0.026)	0.064* (0.027)	0.101*** (0.026)	0.097*** (0.026)
Prior: exp., not paid	0.119** (0.036)	0.052 (0.037)	0.108** (0.037)	0.087* (0.037)	0.075* (0.036)
Prior: exp., paid	0.108** (0.040)	0.209*** (0.041)	0.382*** (0.043)	0.337*** (0.043)	0.237*** (0.041)
Cond: Locked vs Neutral	0.168*** (0.031)	0.101*** (0.030)	0.043 (0.029)	0.038 (0.029)	0.100*** (0.029)
Cond: Stolen vs. Neutral	0.146*** (0.030)	0.120*** (0.030)	0.059* (0.029)	0.037 (0.029)	0.120*** (0.029)
R²	.095	.130	.226	.244	.142
R² adjusted	.089	.124	.221	.239	.136
RMSE	0.48	0.47	0.44	0.44	0.46

Significance levels: ***p < .001. **p< .01. *p < .05. *p < 10.

When emotions were summarized as a composite Negative Affect factor score (Model 5), both ransomware notes again produced significant increases relative to Neutral, indicating a general elevation in negative affect in response to ransomware threats. Figure 3 visualizes these patterns using both unadjusted means and covariate-adjusted marginal means; adjustment for demographics, psychological covariates, training, and prior ransomware exposure did not substantively alter the condition differences.

Figure 3.

Emotions by condition (model-adjusted and unadjusted means ± 95% CIs).

H4: Mediation Results

We estimated mediation models to decompose differences in payment across note conditions into indirect components through emotions and residual direct components (reported as ACME/ADE; see Hypothesis 4). Because emotions were self-reported and not experimentally manipulated, indirect effects are interpreted as model-based decompositions and discussed cautiously.

Parallel Mediation Through Discrete Emotions

Table 4 reports mediator-specific indirect and direct components for each discrete emotion (Fear, Anger, Shame, and Guilt). Each model treats one emotion as the focal mediator while adjusting for the other three emotions in the outcome model to partial out shared variance. For interpretability, effects are presented on the probability scale as percentage-point (pp) changes in the probability of paying (see Methods for full estimation details).

Table 4.

Parallel Mediation by Discrete Emotions.

Mediator	ACME	ADE	Total	Prop. med. (%)
Locked files vs. neutral
Fear	+0.0 [−0.6, +0.7]	−8.8 [−14.8, −2.9]	−8.8 [−14.7, −2.9]	−0.6
Anger	−2.0 [−3.3, −0.9]	−8.9 [−14.6, −2.9]	−10.8 [−16.4, −4.8]	18.4
Shame	−0.0 [−0.5, +0.3]	−8.9 [−14.7, −3.0]	−8.9 [−14.7, −3.0]	0.5
Guilt	−0.3 [−1.2, +0.6]	−9.0 [−14.7, −3.2]	−9.2 [−14.9, −3.7]	3.0
Stolen files vs. neutral
Fear	+0.4 [−0.2, +1.1]	−7.9 [−13.3, −1.8]	−7.5 [−13.0, −1.5]	−5.1
Anger	−1.5 [−2.6, −0.6]	−7.9 [−13.7, −1.9]	−9.3 [−15.1, −3.3]	16.1
Shame	+0.1 [−0.2, +0.6]	−7.9 [−13.7, −1.8]	−7.8 [−13.5, −1.8]	−1.6
Guilt	−0.8 [−1.8, +0.0]	−7.9 [−14.0, −3.2]	−8.7 [−14.9, −3.2]	9.3

Note. Values are percentage points (pp) with 95% CIs in brackets. Prop. med. = /Total, reported as %; negative values indicate suppression (the indirect path offsets the direct effect). ACME = average indirect effect; ADE = average direct effect; Total = ACME + ADE.

Across the parallel models, the Locked Files note had a consistently negative and statistically significant total effect on payment, corresponding to an approximately 8.8 to 10.8 percentage-point (pp) lower probability of paying (all p ≤ .004). The only robust estimated indirect effect was through Anger: ACME_Anger = −2.0 pp with a 95% CI [−3.3, −0.9] (p < .001). In magnitude, this corresponds to about 18.4% of the total reduction in payment probability. Estimated indirect effects through Fear, Shame, and Guilt were close to zero, with confidence intervals including zero. The direct effect (ADE), conditional on the four emotions, remained sizeable and negative across specifications (approximately −8.9 to −9.0 pp; all p ≤ .005), suggesting that most of the total effect is not accounted for by the measured emotions in these models.

A similar pattern was observed for the Stolen Files note. Across the parallel models, the total effect remained negative and statistically significant, corresponding to an approximately 7.5 to 9.3 pp reduction in payment probability (p = .001–.013). Again, Anger showed the clearest estimated indirect effect: ACME_Anger = −1.5 pp with 95% CI [−2.6, −0.6] (p < .001), accounting for about 16.1% of the total reduction. The Guilt pathway was small and borderline (ACME = −0.8 pp; p = .065). Direct effects (ADEs) were consistently negative and substantially larger than the indirect effects (approximately −7.9 to −8.0 pp; all p ≤ .011).

Overall, both ransomware notes (Locked Files and Stolen Files) reduced the probability of payment by roughly 8 to 11 pp. A modest share of this difference is captured by the estimated indirect effect through Anger (about 16%–18%) in these parallel models, whereas Fear, Shame, and Guilt contribute little. In absolute terms, the emotion-specific indirect effects are small (approximately 0–2 pp), while the remaining direct effects are sizeable (approximately 8 pp), indicating that much of the total effect is not explained by the measured emotions in this specification.

Mediation Through Negative Affect

Table 5 reports a mediation model using Negative Affect (a latent composite of Fear, Anger, Shame, and Guilt) as the mediator. The model adjusts for pre-specified covariates (age, gender, risk tolerance, trait anxiety [GAD-7], cybersecurity efficacy, and training exposure). Indirect and direct components are interpreted as model-based decompositions and discussed cautiously given that emotions were self-reported and not experimentally manipulated (see Section Hypothesis 4 for full estimation details).

Table 5.

Mediation Model of Ransomware Note Conditions on Payment Decision via Negative Affect.

Effect	Estimate	95% CI [Lower, Upper]	p-value
Condition 1 (locked files) vs. condition 0 (neutral)
Indirect effect (ACME)	0.019	[0.009, 0.030]	<0.001***
Direct effect (ADE)	−0.091	[−0.145, −0.037]	0.001**
Total effect	−0.072	[−0.125, −0.017]	0.001**
Proportion mediated	−0.271	[−1.086, −0.100]	0.011*
Condition 2 (stolen files) vs. condition 0 (neutral)
Indirect effect (ACME)	0.020	[0.009, 0.030]	<0.001***
Direct effect (ADE)	−0.072	[−0.127, −0.020]	0.010**
Total effect	−0.052	[−0.108, 0.000]	0.058
Proportion mediated	−0.374	[−2.534, 0.880]	0.058

Note. Models control for age, gender, trait anxiety (GAD-7 latent), baseline risk tolerance, cybersecurity training exposure, and cybersecurity efficacy. Effects estimated using 5,000 nonparametric bootstrap replications with probit link. Proportion mediated is reported for completeness but can be unstable in nonlinear mediation models (e.g., probit), particularly when direct and indirect effects operate in opposing directions; we therefore interpret this quantity descriptively. ACME = average indirect effect; ADE = average direct effect.

Significance levels: ***p < .001. **p < .01. *p < .05. *p < .10.

For the comparison between the Locked Files condition and the Neutral condition, the indirect effect via Negative Affect was statistically significant (ACME_avg = 0.019, 95% CI [0.009, 0.030], p = .0004). In practical terms, this corresponds to an increase of roughly two percentage points in the predicted probability of payment captured by the affective pathway. The direct effect remained negative and significant (ADE_avg = −0.091, 95% CI [−0.145, −0.037], p = .001), indicating that – net of Negative Affect – the Locked Files note reduced the payment likelihood. The total effect was also negative (Total = −0.072, 95% CI [−0.125, −0.017], p = .001).

A similar pattern emerged for the Stolen Files condition relative to Neutral. The indirect effect via Negative Affect was again positive and significant (ACME_avg = 0.020, 95% CI [0.009, 0.030], p < .0001), again implying an approximately two percentage-point increase in predicted payment probability through Negative Affect. The direct effect was negative (ADE_avg = −0.072, 95% CI [−0.127, −0.020], p = .010), while the total effect was smaller and marginal (Total = −0.052, 95% CI [−0.108, 0.000], p = .058), consistent with offsetting pathways.

Robustness Checks

We re-estimated the full logistic regression models adding indicators for (i) participants in the fastest 5% of completion times and (ii) participants who failed the preregistered comprehension check, entered separately and jointly. Across specifications, effect sizes and statistical inferences for the experimental condition, Fear, Anger, Guilt, and prior ransomware experience were essentially unchanged (see Supplemental Materials). Comprehension check failure was not meaningfully associated with payment behavior, and its inclusion did not materially affect other coefficients. Fast responders were substantially more likely to recommend payment (OR = 11), but adjusting for this indicator did not alter the key predictors, suggesting that speeding/satisficing is unlikely to account for the main results. Cybersecurity training remained non-significant in all robustness models. Overall, the primary findings appear robust to these alternative specifications and exclusion-related concerns.

Discussion

This pre-registered vignette experiment examined whether ransomware note content affects willingness to pay, whether it alters emotional responses, and whether those emotions help explain payment decisions. Several clear patterns emerged. Relative to a neutral policy frame, both ransomware notes reduced the probability of payment, with the Locked Files condition producing the clearest reduction (H1). H2 was partially supported: higher Fear was associated with a greater likelihood of paying, whereas higher Anger was associated with a lower likelihood of paying; Guilt showed a smaller positive association, and Shame was not reliably associated with ransom payment. H3 was supported: both ransomware notes elevated negative emotions, with the Stolen Files note generally producing larger increases across the discrete emotions. H4 received partial support: Anger was the strongest mediator (accounting for roughly 16%–18% of the total reduction in payment in the parallel models), and the Negative Affect composite also showed a small but significant indirect effect, while indirect effects via Fear, Shame, and Guilt were not statistically significant. Consistent with a risk-as-feelings account, models incorporating emotions explained substantially more variation in payment decisions than covariate-only specifications, and the joint models indicate that note framing predicts payment decisions and emotional responses show independent associations with payment decisions.

A notable pattern observed in this study is that respondents in the Neutral condition were more likely to recommend payment than respondents exposed to the ransomware threat notes. This should not be interpreted as “no-risk baseline” behavior. Rather, the Neutral condition captures an abstract normative policy judgment about whether an organization should pay to maintain continuity, made without confronting an offender’s demands. By contrast, the Locked Files and Stolen Files notes make the coercive exchange salient and may trigger reactance, moral resistance to rewarding extortion, and/or skepticism about whether attackers will follow through or whether payment will resolve the problem. On this interpretation, ransomware messages can reduce stated willingness to pay even while increasing negative emotion, because the framing shifts respondents from policy pragmatism to a more morally and strategically contested decision context.

One motivation of this study was to compare encryption leverage with data theft leverage. The observed behavioral differences between the Locked Files and Stolen Files notes were modest. Several explanations are consistent with this pattern. First, the two leverage types may activate partially offsetting psychological pathways. In our data, the threat notes reliably elevated negative affect (and discrete emotions), but anger was associated with reduced willingness to pay while fear was associated with increased willingness to pay. If stolen-data threats heighten negative affect while simultaneously triggering anger-based resistance or moral opposition, net differences in payment can be dampened even when emotional intensity increases. Second, the hospital scenario may foreground service continuity and time-critical disruption, rendering encryption-based harm more salient than downstream privacy or reputational harms in the moment of decision. These interpretations suggest clear boundary conditions for future work: manipulating proof-of-exfiltration, time horizon (immediate disruption vs. delayed exposure), and regulatory framing (e.g., breach notification and penalties) should help identify when data-theft leverage meaningfully exceeds encryption leverage.

A key finding in this study is that emotions are related to ransomware responses in two ways: they are directly associated with payment decisions, and they capture a small, mediated component of the experimental note effect in the mediation models (under standard identification assumptions). Consistent with H2, Fear and Anger were clearly associated with payment decisions: higher Fear was linked to greater willingness to pay, whereas higher Anger was linked to lower willingness to pay, controlling for note condition and covariates (including baseline anxiety measured by GAD-7). This pattern suggests meaningful heterogeneity in how participants emotionally respond to the same ransomware scenario, and that these emotional differences align with differences in payment recommendations. Although GAD-7 adjusts for generalized anxiety symptoms, other stable dispositions, such as trait anger, reactance, threat sensitivity, or moral opposition to paying, may also contribute to variation in both emotional responses and payment preferences.

At the same time, the mediation models (H4) are consistent with a modest indirect component through emotional responses in the relationship between note condition and payment. In the discrete emotion models, Anger showed the clearest mediated component, and the Negative Affect composite similarly indicated a small but statistically detectable indirect effect (under standard identification assumptions). However, the indirect effects were small relative to the remaining direct effects, implying that much of the treatment effect is not accounted for by the measured emotions in these models. This leaves room for complementary non-affective processes, such as judgments about attacker credibility, duty of care, ethical responsibility, reputational or legal exposure, and the feasibility of alternatives (e.g., restoration from backups or law enforcement engagement). Future work should measure these cognitive and moral evaluations directly, alongside emotional responses and relevant dispositions, to clarify how these components jointly shape compliance under cyber extortion.

The results also suggest that ransomware scenarios elicit multiple emotions at once, rather than a single dominant feeling. Fear and Anger were prominent, but many participants also reported Guilt and Shame. This supports a view of ransomware decision-making as affectively complex: fear may pull toward compliance, anger toward resistance, and self-conscious emotions may activate additional moral or reputational concerns. The co-occurrence of emotions may also help explain why aggregate mediation is modest: different emotions can push behavior in competing directions within the same decision episode.

In addition to note content and emotions, several individual difference variables were associated with payment decisions. Prior experience with ransomware emerged as one of the strongest predictors. Participants who had previously paid a ransom were dramatically more likely to recommend paying again (approximately 10 to 14 times more likely than those with no prior experience; β = 2.27–2.66, OR = 9.7–14.3), whereas those who had experienced ransomware but refused to pay were substantially less likely to endorse payment (β = −.76 to −.87, OR = 0.42–0.47). Several psychological covariates also showed meaningful associations, including trait anxiety and risk tolerance. By contrast, the number of cybersecurity training types completed showed no measurable effect on payment behavior (β = −.01 to .02, OR = 0.97–1.02), suggesting that existing training, at least as captured by training exposure counts, may be insufficient to shift high-stakes decision-making under coercion.

Finally, while the mediation models indicate that only a small proportion of the treatment effect is captured by self-reported emotional responses, this likely underestimates the role of affect in real-world incidents. Survey vignettes cannot fully reproduce the intensity, uncertainty, and consequences of a live ransomware attack. The emotional reactions measured here may therefore represent a conservative lower bound. In field settings, where patient safety, livelihoods, reputations, or sensitive data are at stake, emotions such as fear, panic, guilt, and outrage may be stronger and more consequential for decision-making.

Theoretical Implications

Our findings contribute to and complicate existing theories of affective decision-making in high-stakes cybercrime contexts. Drawing on work in risk-as-feelings theory (Loewenstein et al., 2001), we expected that emotional responses to ransomware would play a central role in the decision to pay or not to pay a ransom. Our results support this general expectation, but also reveal a more complex picture.

Importantly, the results suggest that ransomware notes are not merely informational cues about “risk”; they function as designed communications that can activate different appraisal structures depending on the leverage being signaled (encryption-based disruption vs. threatened dissemination of stolen data). In this sense, the study extends risk-as-feelings to a distinctive class of decisions in which offenders strategically engineer the emotional environment of choice.

Our findings suggest that victims of ransomware attacks experience mixed emotions that push in competing directions: fear, guilt, and shame were positively associated with the likelihood of paying, while anger significantly reduced the odds of payment. This pattern underscores the value of conceptual precision about emotion function. Fear and anger plausibly reflect external threat appraisal, whereas guilt and shame reflect moral self-assessment; these pathways need not operate as interchangeable indicators of a single negative state.

Yet, even after accounting for these affective influences, a substantial proportion of the treatment effect remained unexplained. Rather than undermining the affective account, this points to bounded scope conditions: emotional reactions appear to shape ransomware payment decisions alongside normative, strategic, and institutional considerations that extend beyond affect alone. This supports dual-process theories that treat emotional and deliberative reasoning as interacting, rather than competing, systems (Kahneman, 2011; Loewenstein et al., 2001). It also echoes findings in crisis decision-making research, where emotions such as fear and guilt sharpen attention to consequences but do not deterministically drive compliance (Gross & Thompson, 2007).

Implications for Policy and Practice

Our findings have direct implications for the ransomware incident response guidance issued by national cybersecurity agencies (e.g., CISA¹, NCSC, and ENISA²) and law-enforcement bodies. Ransomware is, at its core, a form of online financial crime: it is extortion conducted through digital infrastructure, with cryptocurrency payments flowing through transnational networks that also facilitate fraud, money laundering, and other financially motivated cybercrimes. Understanding the emotional dynamics that drive victim compliance is therefore relevant not only to cybersecurity policy but also to the broader effort to reduce the profitability of online financial crime and to develop evidence-informed responses across law enforcement, regulatory, and victim-support domains.

Current advisories typically focus on technical containment, that is, isolating affected systems, preserving forensic evidence, and notifying authorities. They also offer only generic counsel against payment. Our findings suggest that these guidelines should explicitly acknowledge the emotional pressures that victims face during the extortion phase, particularly the fear that drives compliance and the anger that may support resistance. Ransomware incident response guidelines could incorporate structured “emotional preparedness” checklists: for example, reminding decision-makers that ransomware notes are deliberately crafted to provoke panic, that fear-driven decisions tend to overestimate the probability of catastrophic data loss, and that initial emotional reactions should be expected rather than treated as signs of personal failure.

Our data show that fear increases payment likelihood while anger decreases it, yet both are elevated by threat exposure, creating competing pressures within the same decision episode. Organizations can mitigate these dynamics by establishing clear decision-making frameworks in advance. This could be in the form of specifying payment-authorization authority, requiring a mandatory deliberation period before payment, as well as mandating consultation with legal counsel, cyber-insurance providers, and law enforcement. The strong association between prior payment and willingness to pay again (OR = 10–14) further underscores the need for institutional safeguards: without structural checks, an initial payment may create a behavioral precedent predisposing the organization toward future compliance.

Relatedly, our results inform communication strategies during ransomware events. Communications that reduce uncertainty and enhance perceived control, such as by outlining clear recovery timelines and decision-making processes, may help mitigate fear-driven compliance and avoid triggering counterproductive anger. The finding that anger was the only emotion with a robust mediated effect on payment, accounting for approximately 16% to 18% of the total treatment effect, underscores how incident communications can materially influence outcomes. Internal communications should provide factual, measured updates that reduce uncertainty and, therefore, fear, without employing language that amplifies anger toward the attacker, which may impede clear-headed deliberation despite its association with resistance. External communications from cybersecurity agencies should similarly avoid framing that heightens shame or guilt (e.g., implying victim fault), as these self-conscious emotions, though less influential individually, contribute to elevated negative affect positively associated with payment.

These communication principles extend directly to law-enforcement practice. Police and federal agencies are often among the first points of contact for ransomware victims, yet officers and agents may receive limited guidance on how emotional states shape victim cooperation and decision-making during active extortion. Our findings suggest that law-enforcement personnel involved in ransomware response, including cyber-crime units, victim liaison officers, and ransom negotiation teams, could benefit from training in emotionally informed communication. Specifically, understanding that fear drives compliance while anger promotes resistance can help investigators calibrate how they advise victims: messaging that reduces panic and restores a sense of agency may support more deliberate decision-making and increase willingness to engage with law enforcement rather than pay covertly. Furthermore, awareness that shame and guilt discourage help-seeking implies that law-enforcement outreach should actively reduce stigma around reporting ransomware incidents, which remains a significant barrier to accurate intelligence on the scale and financial impact of these crimes.

Further, the findings have implications for public awareness campaigns and cybersecurity education. Our observation that the number of cybersecurity training types completed showed no measurable effect on payment behavior (β = −.01 to .02, OR = 0.97–1.02) is notable and suggests that existing training programs, which are typically focused on threat recognition and technical hygiene, may be insufficient to prepare individuals for the psychological realities of a live extortion event. The observed associations between prior ransomware experience, training, and payment decisions imply that some individuals or roles may be predisposed toward payment due to situational pressures rather than learned best practices. This highlights the importance of distinguishing between the effects of exposure and the actual impact of training. Evaluating training programs in this context should consider not only technical outcomes but also their influence on decision-making legitimacy and governance under pressure. Training curricula should therefore incorporate scenario-based exercises simulating the emotional and time-pressured conditions of ransomware incidents, building not only technical response skills but also psychological resilience and structured decision-making habits. Tabletop exercises using realistic ransomware notes with explicit debriefing of participants’ emotional reactions could build affective awareness and reduce fear-driven decision-making. Public awareness campaigns could similarly move beyond purely technical messaging to address how to recognize and manage emotional manipulation during cyber extortion. Importantly, these recommendations are likely to generalize beyond ransomware to other forms of online financial crime that rely on emotional manipulation, including romance fraud, business email compromise, and sextortion, where victim compliance is similarly shaped by anger, fear, shame, and guilt. Developing emotionally informed training and awareness programs thus represents a cross-cutting investment in victim protection.

Finally, regulators considering mandatory reporting, payment bans, or safe-harbor provisions should account for the emotional dynamics of victim decision-making documented here. Blanket payment prohibitions without adequate support infrastructure, such as rapid-response teams, technical recovery assistance, and psychological support, may redirect emotional distress rather than resolve it. Conversely, structured support pathways, including incident-response coordinators trained in crisis communication and emotional de-escalation, could reduce fear-driven compliance that undermines broader anti-ransomware efforts. Notably, both ransomware notes reduced stated willingness to pay relative to the neutral policy frame, suggesting that coercive demands activate resistance alongside distress, and that well-designed support interventions during the extortion window could further reinforce victims’ capacity to refuse payment.

Limitations

The findings should be interpreted with several constraints in mind. The mediation analyses are grounded in the potential outcomes framework and avoid conditioning on post-treatment covariates, but they still rely on the assumption of sequential ignorability – that no unmeasured factors jointly influence emotional responses and the payment decision (Imai et al., 2010). While this assumption cannot be directly tested, the design incorporates baseline measures of trait anxiety (GAD-7) and general risk tolerance to account for stable predispositions toward emotional reactivity and risk-based decision-making. Even so, additional unmeasured influences may remain, and sensitivity analyses indicate that modest violations of ignorability could attenuate some weaker indirect paths, particularly those involving guilt and shame.

A further limitation is that emotions were measured immediately after exposure to the scenario and note. This timing is necessary to capture proximal affect, yet it cannot fully separate immediate emotional reactions from post hoc rationalization of the payment decision. Future research could strengthen temporal ordering by incorporating time-sensitive physiological or behavioral indicators (e.g., galvanic skin response and response latency) alongside self-reports.

The vignette-based experimental design involves a trade-off: random assignment yields strong internal validity and allows differences in stated payment intentions across conditions to be attributed to the note content, but the scenario necessarily simplifies the operational complexity and stakes of real ransomware incidents. Participants responded to a single, hypothetical scenario under constrained information, which may not reproduce the full intensity of affective and strategic pressures that arise during actual attacks. Relatedly, the outcome reflects self-reported intentions rather than observed behavior; although intentions are predictive, they may be influenced by hypothetical bias or social desirability in high-stakes moral contexts.

External validity is constrained primarily by the sampling frame and the nature of the outcome. The study draws on a general online panel of U.S. adults rather than verified ransomware victims, and the dependent measure therefore captures a hypothetical binary pay/not-pay intention under standardized exposure rather than behavior under real operational, financial, legal, and reputational pressures. Although prior ransomware exposure and the reported outcome of the most recent incident were measured, the number of respondents reporting payment is necessarily small in a general-population sample, limiting power for experience-stratified comparisons and constraining claims about confirmed victim–payers in particular. Robust external validation with verified victim–payers and refusers remains an important next step. However, scaling such work typically requires specialist recruitment pathways (e.g., incident-response or insurer partnerships and victim registries), reliable verification of incident and payment status, and heightened ethical safeguards, which were impractical within the scope of the current study.

Generalizability may also vary across institutional and regulatory contexts. The vignette was situated in a U.S. regional hospital, implying a specific organizational backdrop and decision environment. Payment decisions may differ across jurisdictions with different moral norms regarding payment, legal and regulatory expectations (e.g., reporting requirements, official guidance, and sanctions risk), and the availability of incident-response support and cyber insurance, as well as across victim types and organizational settings (e.g., individual victims and small firms) that face different resource constraints, operational dependencies, and response capacity. In addition, although the sample is demographically diverse, it may not reflect the experience, responsibility, or technical expertise typical of real-world incident responders. The results should therefore be interpreted as evidence about how note content shapes emotions and intended payment decisions in this controlled U.S.-hospital scenario, and the resulting estimates should be treated as U.S.-context parameters rather than assumed to generalize to jurisdictions with different cultural norms, institutional arrangements, or regulatory regimes. Future research should replicate the design cross-nationally and in country-comparative samples, and extend it across victim types and organizational contexts to assess the stability of these effects across environments.

Conclusion

Our study demonstrates that emotional reactions play an important, but previously under-acknowledged role in shaping victim behavior during ransomware incidents. While research and policy have traditionally emphasized technical defenses, and incident-response protocols (still central to ransomware response), our findings show that emotional reactions triggered by ransomware notes influence whether victims comply with extortion demands. Fear and anger, in particular, emerged as influential and divergent drivers of payment decisions, indicating that victims do not simply “calculate” their options but instead, their responses are shaped by negative affect.

These results have several implications for both theory and practice. Theoretically, they point to the need for cybercrime frameworks that move beyond rational-choice assumptions and explicitly incorporate affective mechanisms. Practically, our findings suggest that improving ransomware resilience will require more than technical target hardening. Organizational cybercrime response protocols must be designed with an understanding of how victims actually feel and think in the moment of attack.

Finally, our results open several avenues for future research. Experimental work could examine other emotional states (e.g., shame, disgust, and moral outrage), message features (tone, threats, length, and visual design), and organizational factors (team coordination and leadership response) that shape victims’ willingness to pay. Longitudinal studies could also trace how emotions evolve across the incident-response timeline – from initial discovery through negotiation and recovery. As ransomware attacks continue to escalate in frequency and sophistication, understanding the emotional architecture of victim decision-making will be increasingly important for developing human-centered approaches to cyber extortion.

Supplemental Material

sj-docx-1-cad-10.1177_00111287261440149 – Supplemental material for Ransomware, Emotions, and the Decision to Pay: Evidence From a Factorial Experiment

Supplemental material, sj-docx-1-cad-10.1177_00111287261440149 for Ransomware, Emotions, and the Decision to Pay: Evidence From a Factorial Experiment by Zarina Vakhitova and Claudio Mezzetti in Crime & Delinquency

Footnotes

Acknowledgements

This study was pre-registered on AsPredicted (protocol #246119). The experimental protocol received ethics approval from the Human Research Ethics Committee (HREC) of Monash University (Project ID 47500).

ORCID iDs

Zarina Vakhitova

Claudio Mezzetti

Ethical Considerations

This study received ethics approval from the Human Research Ethics Committee (HREC) of Monash University (Project ID 47500).

Consent to Participate

All participants provided informed consent prior to participation. Eligibility was limited to U.S. residents aged 18 years or older.

Funding

The authors disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: Mezzetti gratefully acknowledges financial support from the Australian Research Council Grant DP190102904.

Declaration of Conflicting Interests

The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Data Availability Statement

The data and materials that support the findings of this study are available from the corresponding author* upon reasonable request.

Supplemental Material

Supplemental material for this article is available online.

Notes

Author Biographies

Dr. Zarina Vakhitova is a criminologist with expertise in the intersection of technology and crime at Monash University, Melbourne, Australia. She has published in PLoS ONE, Computers in Human Behavior, Justice Quarterly and other international journals.

Professor Claudio Mezzetti is the Colin Clark Professor of Economics at the University of Queensland, Brisbane, Australia. His research focuses on microeconomic theory, mechanism design, game theory and their applications.

References

Abrams

(2024). Change Healthcare lists the medical data stolen in ransomware attack. https://www.bleepingcomputer.com/news/security/change-healthcare-lists-the-medical-data-stolen-in-ransomware-attack/

Auspurg

Hinz

(2015). Factorial survey experiments. Sage.

Barnum

T. C.

Solomon

S. J.

(2019). Fight or flight: Integral emotions and violent intentions. Criminology, 57(4), 659–686. https://doi.org/10.1111/1745-9125.12222

Baron

R. M.

Kenny

D. A.

(1986). The moderator–mediator variable distinction in social psychological research: Conceptual, strategic, and statistical considerations. Journal of Personality and Social Psychology, 51(6), 1173–1182. https://doi.org/10.1037/0022-3514.51.6.1173

Baumeister

R. F.

Stillwell

A. M.

Heatherton

T. F.

(1994). Guilt: An interpersonal approach. Psychological Bulletin, 115(2), 243–267. https://doi.org/10.1037/0033-2909.115.2.243

Borrion

Connolly

(2020). Your money or your business: Decision-making processes in ransomware attacks. https://discovery.ucl.ac.uk/id/eprint/10110901/3/Borrion_Your%20Money%20or%20Your%20Business_Final.pdf

Chainalysis Team. (2024). Ransomware Hit $1 Billion in 2023. https://www.chainalysis.com/blog/ransomware-2024/

Chainalysis Team. (2025). Crypto ransomware 2025: 35% year-over-year decrease in ransomware payments. https://www.chainalysis.com/blog/crypto-crime-ransomware-victim-extortion-2025/

Connolly

A. Y.

Borrion

(2022). Reducing ransomware crime: Analysis of victims’ payment decisions. Computers & Security, 119, Article 102670. https://doi.org/10.1016/j.cose.2022.102670

10.

Coveware. (2025). Targeted social engineering is en vogue as ransom payment sizes increase: Q2 2025 Ransomware Report. https://www.coveware.com/blog/2025/7/21/targeted-social-engineering-is-en-vogue-as-ransom-payment-sizes-increase

11.

Dameff

Tully

Chan

T. C.

Castillo

E. M.

Savage

Maysent

Hemmen

T. M.

Clay

B. J.

Longhurst

C. A.

(2023). Ransomware attack associated with disruptions at adjacent emergency departments in the US. JAMA Network Open, 6(5), e2312270. https://doi.org/10.1001/jamanetworkopen.2023.12270

12.

Federal Bureau of Investigation. (2025). Internet crime report 2024. https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf

13.

Gaissmaier

Gigerenzer

(2012). 9/11, Act II: A fine-grained analysis of regional variations in traffic fatalities in the aftermath of the terrorist attacks. Psychological Science, 23(12), 1449–1454. https://doi.org/10.1177/0956797612447804

14.

Gausel

Leach

C. W.

(2011). Concern for self-image and social image in the management of moral failure: Rethinking shame. European Journal of Social Psychology, 41(4), 468–478. https://doi.org/10.1002/ejsp.803

15.

Gelman

(2008). Scaling regression inputs by dividing by two standard deviations. Statistics in Medicine, 27(15), 2865–2873. https://doi.org/10.1002/sim.3107

16.

Gigerenzer

(2006). Out of the frying pan into the fire: Behavioral reactions to terrorist attacks. Risk Analysis: An International Journal, 26(2), 347–351.

17.

Greenberg

(2024). Hackers behind the Change Healthcare ransomware attack just received a $22 million payment. https://www.wired.com/story/alphv-change-healthcare-ransomware-payment/

18.

Greenwald

A. G.

(1976). Within-subjects designs: To use or not to use? Psychological Bulletin, 83(2), 314.

19.

Gross

Thompson

(2007). Emotion regulation: Conceptual foundations. In Gross

J. J.

(Ed.), Handbook of emotion regulation (pp. 3–27). The Guilford Press.

20.

Huddy

Feldman

Taber

Lahav

(2005). Threat, anxiety, and support of antiterrorism policies. American Journal of Political Science, 49(3), 593–608. https://doi.org/10.1111/j.1540-5907.2005.00144.x

21.

Imai

Keele

Tingley

(2010). A general approach to causal mediation analysis. Psychological Methods, 15(4), 309–334. https://doi.org/10.1037/a0020761

22.

Imai

Keele

Yamamoto

(2010). Identification, inference and sensitivity analysis for causal mediation effects. Statistical Science, 25(1), 51–71. https://doi.org/10.1214/10-STS321

23.

Imai

Tingley

Yamamoto

(2011). Unpacking the black box of causality: Learning about causal mechanisms from experimental and observational studies. American Political Science Review, 105(4), 765–789. https://doi.org/10.1017/S0003055411000414

24.

Iyengar

(2011). Laboratory experiments in political science. In Druckman

J. N.

Green

D. P.

Kuklinski

J. H.

Arthur

(Eds.), Cambridge handbook of experimental political science (pp. 73–88). Cambridge University Press.

25.

Kahneman

Tversky

(1979). Prospect theory: An analysis of decision under risk. Econometrica, 47(2), 263–292. https://doi.org/10.2307/1914185

26.

Kahneman

(2011). Thinking, fast and slow. Farrar, Straus and Giroux.

27.

Kharraz

Robertson

Balzarotti

Bilge

Kirda

(2015, July 9–10). Cutting the Gordian knot: A look under the hood of ransomware attacks [Conference session]. 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment - Volume 9148,Berlin, Heidelberg (pp. 3–24). Springer-Verlag.

28.

Kobbeltvedt

Brun

Johnsen

B. H.

Eid

(2005). Risk as feelings or risk and feelings? A cross-lagged panel analysis of risk perception and worry. Journal of Risk Research, 8(5), 417–437. https://doi.org/10.1080/1366987042000315519

29.

Lerner

J. S.

Gonzalez

R. M.

Small

D. A.

Fischhoff

(2003). Effects of fear and anger on perceived risks of terrorism: A national field experiment. Psychological Science, 14(2), 144–150. https://doi.org/10.1111/1467-9280.01433

30.

Lerner

J. S.

Keltner

(2001). Fear, anger, and risk. Journal of Personality and Social Psychology, 81(1), 146–159. https://doi.org/10.1037/0022-3514.81.1.146

31.

Loewenstein

Weber

Hsee

Welch

(2001). Risk as feelings. Psychological Bulletin, 127(2), 267–286. https://doi.org/10.1037/0033-2909.127.2.267

32.

MacColl

Husch

Mott

Sullivan

Nurse

J. R. C.

Turner

Pattnaik

(2023). Ransomware: Victim insights on harms to individuals, organisations and society. https://www.rusi.org/explore-our-research/publications/occasional-papers/ransomware-victim-insights-harms-individuals-organisations-and-society

33.

Meier

A. N.

(2022). Emotions and risk attitudes. American Economic Journal: Applied Economics, 14(3), 527–558. https://doi.org/10.1257/app.20200164

34.

National Audit Office, U. (2017). Investigation: WannaCry cyber attack and the NHS. https://www.nao.org.uk/reports/investigation-wannacry-cyber-attack-and-the-nhs/

35.

Office of the Director of National Intelligence. (2025). Worldwide ransomware, 2024: Increasing rate of attacks tempered by law enforcement disruptions. https://www.odni.gov/files/CTIIC/documents/products/Worldwide_Ransomware_2024.pdf

36.

Orne

M. T.

(1962). On the social psychology of the psychological experiment: With particular reference to demand characteristics and their implications. American Psychologist, 17, 776–783. https://doi.org/10.1037/1522-3736.5.1.535a

37.

Paquet-Clouston

Haslhofer

Dupont

(2019). Ransomware payments in the Bitcoin ecosystem. Journal of Cybersecurity, 5(1), tyz003. https://doi.org/10.1093/cybsec/tyz003

38.

Pearl

(2012). The causal mediation formula: A guide to the assessment of pathways and mechanisms. Prevention Science, 13(4), 426–436. https://doi.org/10.1007/s11121-011-0270-1

39.

Qin

(2024). Sample size and power calculations for causal mediation analysis: A tutorial and Shiny App. Behavior Research Methods, 56(3), 1738–1769. https://doi.org/10.3758/s13428-023-02118-0

40.

Sobków

Traczyk

Zaleskiewicz

(2016). The affective bases of risk perception: Negative feelings and stress mediate the relationship between mental imagery and risk perception. Frontiers in Psychology, 7, Article 932. https://doi.org/10.3389/fpsyg.2016.00932

41.

Sophos. (2024). Ransomware payments increase 500% in the last year, finds sophos state of ransomware 2024. https://www.sophos.com/en-us/press/press-releases/2024/04/ransomware-payments-increase-500-last-year-finds-sophos-state

42.

Sophos. (2025). The state of ransomware 2025. https://news.sophos.com/en-us/2025/06/24/the-state-of-ransomware-2025/

43.

Spitzer

R. L.

Kroenke

Williams

J. B. W.

Löwe

(2006). A brief measure for assessing generalized anxiety disorder: The GAD-7. Archives of Internal Medicine, 166(10), 1092–1097. https://doi.org/10.1001/archinte.166.10.1092

44.

Tangney

J. P.

Dearing

R. L.

(2002). Shame and guilt. Guilford Press.

45.

Tangney

J. P.

Dearing

R. L.

(2007). What’s moral about the self-conscious emotions? In Tracy

J. L.

Robins

R. W.

Tangney

J. P.

(Eds.), The self-conscious emotions: Theory and research (pp. 21–37). Guilford Press.

46.

Traczyk

Sobków

Zaléskiewicz

(2015). Affect-Laden imagery and risk taking: The mediating role of stress and risk perception. PLoS ONE, 10(3), e0122226. https://doi.org/10.1371/journal.pone.0122226

47.

UK National Cyber Security Centre. (2021). Mitigating malware and ransomware attacks How to defend organisations against malware or ransomware attacks. https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance

48.

United States Senate Committee on Finance. (2024). Hacking America’s health care: Assessing the Change Healthcare cyber attack and what’s next. https://www.finance.senate.gov/hearings/hacking-americas-health-care-assessing-the-change-healthcare-cyber-attack-and-whats-next

49.

VanderWeele

T. J.

(2015). Explanation in causal inference: Methods for mediation and interaction. Oxford University Press.

50.

Wake

Wormwood

Satpute

A. B.

(2020). The influence of fear on risk taking: A meta-analysis. Cognition and Emotion, 34(6), 1143–1159. https://doi.org/10.1080/02699931.2020.1731428

51.

Zorthian

(2016). L.A. Hospital pays bitcoin ransom to hackers over medical records. https://time.com/4228837/hospital-bitcoin-ransom-hackers/

Supplementary Material

Please find the following supplemental material available below.

For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.

For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.

0.00 MB

0.03 MB