Atanu Lahiri

PhD - Business Administration
University of Rochester - 2010

Click on the link for details - publications

Best Conference Paper at HICSS - [2021]

INFORMS ISS Sandra A. Slaughter Early Career Award - [2020]

Best Conference Paper with a Doctoral Student at CHITA - [2017]

Best Conference Paper Runner-up at WISE (2015) - [2015]

Best Conference Paper with a Doctoral Student at INFORMS CIST - [2015]

Chair, Information Security Advisory Committee
University of Texas, Dallas [2020–Present]

Director, Graduate Certificate Program in Cybersecurity Systems
University of Texas, Dallas [2019–Present]

Study Examines Whether Policy Intervention Could Combat Ransomware

As ransomware attacks become more common and complex — and costly to the crimes’ targets — a University of Texas at Dallas researcher is examining how policymakers might combat cybercriminals.

Dr. Atanu Lahiri, an associate professor of information systems in the Naveen Jindal School of Management, said ransomware has become one of the top cybersecurity threats facing organizations worldwide. Spread primarily through email phishing scams and exploitation of unpatched software bugs, ransomware robs a user’s access to computer files until a ransom is paid.

“The data is still on your computer,” he said. “It’s locked up, and the criminals have the key.”

In a study published online May 2 in Information Systems Research, Lahiri and a colleague examined whether and under what circumstances policy intervention could help deter this type of cyberattack. He found that effective response solutions might depend on factors such as the value of compromised information, the nature of the ransom demand, and who or what organization is most affected.

Although paying ransom often seems preferable to facing business disruptions, payments also embolden the attackers and encourage them to come back for more. This ripple effect, or externality, which is driven by extortion, creates a unique problem dubbed “extortionality” by the authors.

“There are two questions: When do we care, and what do we do?” Lahiri said. “Should ransom payments be banned or even penalized?”

The disruptions caused by ransomware attacks can be crippling for businesses. In 2024, the FBI’s Internet Crime Complaint Center received more than 3,000 ransomware complaints. Victims paid over $800 million to attackers, according to research by Chainalysis, although the impact is likely much higher because many incidents and payments go unreported.

The illegal breaches have hit targets ranging from Fortune 500 companies to police departments to government and university systems.

Dr. Atanu Lahiri
Lahiri was inspired to explore potential solutions as federal and state lawmakers grapple with laws to restrict government entities and other companies from paying ransoms to regain access to their data. He found that fighting these threats through legislation is tricky because a ban on ransom payments or other penalties could negatively affect the victim, whose goal is simply to recover compromised information quickly and with minimal disruption.
For example, outright bans on ransom payment are particularly problematic for hospitals, where lives are at stake and critical lifesaving information can’t be accessed.

On the other hand, paying ransom rewards criminal behavior, encourages more breaches and elevates the risk of additional attacks, the researchers found.

Through mathematical models and simulations, Lahiri determined that an ideal scenario in many cases would be for companies not to give in to an attacker’s ransom demand. In practice, however, this solution is not so clear-cut.

“It relies on you trusting the other guy, in this case other organizations, not to pay up either,” he said. “It would be better if nobody paid, but if someone does, it would raise the risk for everybody.”

“You have to be careful when you impose a ban, though,” said Lahiri, who teaches the graduate class Cybersecurity Fundamentals at UT Dallas, serves as director of the cybersecurity systems certificate program, and chairs the University Information Security Advisory Committee. “A more reasoned approach might be to first try incentives or a penalty to deter ransom payments.”

If the attackers are not strategic in choosing their ransom asks — and do not demand different sums from the victims depending on their ability to pay — Lahiri recommends that policymakers impose fines or taxes on companies that pay ransoms.

“When imposing a ban, policymakers should be mindful,” he said. “In particular, hospitals and critical infrastructure firms should be exempted to avoid excessive collateral damage from business disruption.

“In some cases, you wouldn’t even have to impose the ban, but if you talk a lot about a ban, ransom payers would take notice. Even the specter of a ban might do the trick and make organizations invest in backup technologies that can help them recover without having to pay the attackers.”

The best offense, Lahiri said, is a good defense, and the best defense is simply more redundancy. Backing up data and practicing drills on recovering information is a strong way to avoid paying the attacker. Policymakers could incentivize redundancy measures, he said, by subsidizing backup technology, practice drills and awareness campaigns.

“One of the biggest problems is that people don’t invest in backups,” Lahiri said. “They don’t conduct drills, like fire drills. Security is always seen as a hassle.

“If we had great backups and we could recover from the attacks, we would not be paying the ransom in the first place. And we would not be talking about extortionality.”

Dr. Debabrata Dey, Davis Professor and area director of analytics, information and operations at The University of Kansas, is a co-author of the study.

Study: How Piracy Can Unravel Company Profits in Product Bundling

Determining whether the practice of product bundling — such as combining cable TV channels into packages or computer software programs into software suites — is profitable in the presence of piracy is important to businesses as they formulate pricing strategies.

Piracy — the unauthorized use or reproduction of another’s work — has become more pervasive because consumers often don’t want to pay for an entire bundle of items when they are only interested in a small selection. In a new study published online Aug. 26 and in the Volume 39, Issue 3 print edition of the Journal of Management Information Systems, a researcher from The University of Texas at Dallas and his colleagues examined this issue and concluded that bundling actually abets piracy and that the loss of profits from piracy is not offset by the additional income from selling bundled information goods.

(Click on the link above for full article)

Information Systems Researcher Wins Early Career Award

Dr. Atanu Lahiri, an associate professor of information systems, was one of six honorees who recently received an award marking them as “on a path towards making outstanding intellectual contributions to the information systems discipline.”

Lahiri won the Sandra A. Slaughter Early Career Award from the Information Systems Society of the Institute for Operations Research and the Management Sciences (INFORMS). The award was announced on Nov. 8 at the INFORMS Conference on Information Systems and Technology 2020.

Given annually since 2015, the award honors the late Dr. Sandra A. Slaughter, a professor at the Georgia Institute of Technology known for seeking recognition for rising young leaders in the information systems discipline.

(Click on the link above for full article)

Researchers Examine if Online Physician Reviews Indicate Clinical Outcomes

Online consumer reviews play an important role in almost every consumer industry — from dining and shopping to travel and technology. But what do online reviews of physicians tell consumers?

In a new study, researchers from The University of Texas at Dallas investigated whether patient-generated online reviews of physicians accurately reflect the quality of care.

For chronic diseases, the study found that online reviews do not reliably indicate the quality of care provided by a physician, as measured in terms of readmission risk and other similar broadly accepted clinical outcomes. Both the star ratings and textual reviews were found to be equally uninformative of the actual quality of care, Lahiri said.

“The result was indeed a surprise,” he said. “Since prior research on online reviews is mostly based on search goods and experience goods, it typically finds that online reviews are useful to prospective consumers. A key takeaway is that the efficacy of online reviews of search and experience goods does not extend to credence goods, such as chronic-disease care.

(Click on the link above for full article)

Jindal School Researcher Wins Early Career Award

Dr. Atanu Lahiri, associate professor of information systems in the Naveen Jindal School of Management at The University of Texas at Dallas, recently received the Sandra A. Slaughter Early Career Award from the Information Systems Society of the Institute for Operations Research and the Management Sciences.

Given annually since 2015, the award honors Slaughter, a professor at the Georgia Institute of Technology known for seeking recognition for rising young leaders in information systems (IS). The award’s six recipients were recognized for their outstanding contributions to the IS discipline and their growing body of published research that is “likely to influence theory, research and practice.”