Reports

Escalation of Ransomware-as-a-Service (RaaS) Attacks on Financial Institutions and Optimizing Cybersecurity Investment: A Quantitative Decision and Risk Perspective

Dutt, Ashish

The financial sector is facing an escalation of Ransomware-as-a-Service (RaaS) attacks, resulting in growing operational, regulatory, and reputational risks. As financial institutions expand their digital infrastructures, the key challenge has shifted from whether to invest in cybersecurity to determining how much to invest and how best to allocate limited resources. This paper examines cybersecurity investment decision-making in financial institutions through a quantitative decision and risk framework. Using publicly available data from industry reports, including IBM, PwC, and ENISA, the study develops an exponential cybersecurity investment and risk-cost optimization model to analyse the relationship between spending, expected loss, and total cost. The results reveal a point of diminishing returns, where total cost initially decreases with increased investment but begins to rise beyond an optimal threshold. The findings highlight the importance of aligning cybersecurity budgets with institutional risk appetite and regulatory expectations. By integrating principles of decision science, operational risk management, and cybersecurity economics, this study contributes to the ongoing academic and practical discussions on data-driven cybersecurity investment strategies in the financial sector.

Keywords: Ransomware-as-a-Service (RaaS), Cybersecurity Investment, Quantitative Decision Framework, Risk-Cost Optimization, Financial Institutions, Cybersecurity Economics

Files

  • Escalation of Ransomware-as-a-Service (RaaS) Attacks on Financial Institutions and Optimizing Cybersecurity Investment_Research paper.pdf (application/pdf, 774 KB)

More About This Work

Academic Units
Technology Management
School of Professional Studies
Published Here
January 14, 2026

Notes

Paper written as part of "Cybersecurity" coursework for the M.S. in Technology Management. Instructor: Cristina Dolan. Academic advisor: Nora Hill.