The SCRAM platform measures the state of security control adoption and maturity to assess protection against ransomware and evaluate progress over time in a way that does not require firms to disclose their own data.

Ransomware Defenses

This assessment focuses on communications as a critical infrastructure sector. Participating firms are fixed line or mobile providers with sophisticated defenses. The SCRAM team is partnering with the OECD on this data collection to help bridge the information gap in digital security.

Contact scram@mit.edu to participate.

Ransomware Readiness Index 2021
  • White paper: Ransomware Readiness Index (pdf)
  • Data submission form: (forthcoming)
  • Security overview (v1): (pdf)
  • Ransomware Readiness Index
  • Personalized RRI score
  • Information on ransomware losses
  • Information on ransoms paid
  • Recommendations to improve
Time estimate:
5-10 hours for a full-time employee

Next run:
Fall 2021

Ransomware is currently one of the most pressing cybersecurity threats for enterprises. While the consequences of ransomware have been long known, both firms and governments lack critical information needed to assess progress toward meaningful resilience.

We are working with organizations to create a new Ransomware Readiness Index (RRI) that provides a snapshot of the level of ransomware readiness, highlights areas most at risk, and measures progress over time. Through an extensive independent review and analysis, our team of cybersecurity researchers at MIT defined and codified the set of ransomware controls making up the RRI based on guidance in the United States White House Executive Order (EO) and related White House Memo issued in Spring 2021.

The RRI will provide an aggregate view of organizational security readiness and risk in the context of ransomware. To create this view, we are collecting control data across a diverse set of public and private sector participants to help organizations benchmark their defenses and track progress over time. Building the RRI on the SCRAM platform means we can aggregate data without requiring firms to disclose any of their sensitive data. Read our whitepaper here (link to come).

Approach to building the RRI


For organizations: Participating organizations will receive actionable feedback on where they stand relative to their peers and advice on addressing the gaps. The feedback will help organizations allocate their security expenses and connect with external resources.

For regulators and policymakers: The RRI provides a standard, transparent methodology for intertemporal security data on the ransomware economy to help inform policy decision-making and government support.

For technology providers: The RRI will help security companies identify the current state of affairs and develop solutions that address the actual needs of organizations struggling to keep up with ransomware threats.