Abstract
Research shows that customers are insufficiently motivated to protect themselves from crimes that may derive from data theft within an organization. Instead, the burden of security is placed upon the businesses that host their personal information. Companies that fail to sufficiently secure their customers’ information thus risk experiencing potentially ruinous reputational harm. There is a relative dearth of research examining why some businesses that have been breached stay resilient in the face of negative public reaction while others do not. To bridge this knowledge gap, this study tackles the concept of cyber-resilience, defined as the ability to limit, endure, and eventually bounce back from the impact of a cyber incident. A vignette-based experimental study was conducted and featured: (1) a breached business described as having a strong cyber-resilience posture; (2) a breached business described as having a weak cyber-resilience posture. Overall, a convenience sample of 605 students in Canada were randomly assigned to one of the two main experimental conditions. The results show that a strong cyber-resilience posture reduces negative customer attitudes and promotes positive customer behavioral intentions, in comparison to a weak cyber-resilience posture. Similarly, the more negative attitudes a customer holds toward a breached business, the less likely they are to behave favorably toward it. As a result of this study, cyber-resilience, which has hitherto primarily received conceptual attention, gains explanatory power. Furthermore, this research project contributes more generally to business victimology, which is an underdeveloped field of criminology.
Keywords: Crisis communication, Cyber-resilience, Cybersecurity, Data breach, Ideal victim, Reputation, Risk management, Social reaction, Victim blaming, Vignettes
Introduction
Businesses want, and to a certain extent need, to create large databases of their customers’ personal information, both in order to authenticate their customers and provide them with a personalized and user-friendly experience (Freedman, 2022). While this is beneficial in some respects, the custody of such databases also comes with a responsibility to protect customers’ confidentiality (Rosati et al., 2019). This is far from a trivial task, as evidenced by the 22 billion records that were stolen in 2021 alone (RiskBased Security, 2022). In the event of a data breach, businesses are placed in a difficult position, insofar as they are the victims of a crime, that is, data theft, but ultimately end up being blamed by customers for failing to protect their personal information (Bentley et al., 2018; Carre et al., 2018). Indeed, prior research has demonstrated that a company’s reputation—the aggregate assessment that stakeholders make of a company’s ability to meet their expectations (Wartick, 1992)—is negatively impacted in the wake of a data breach (Berezina et al., 2012; Syed et al., 2019; Valecha et al., 2017). However, there is little explanatory work exploring how businesses bounce back from public scrutiny following a cyberattack (Dupont et al., 2020).
The present study takes recourse to Hopkins’s (2016) adaptation of the “ideal victim” to examine the public reaction to businesses after data theft. More specifically, the study examines whether the public reaction to victimized firms changes according to their cyber-resilience posture, that is, “an organization’s ability to limit the impact of cyber disruptions, maintain critical functions, and rapidly re-establish normal operations following a cyber incident” (Bryson, 2018, p. 5). Public reaction was divided into (1) attitudes and (2) behavioral intentions. Attitudes group together all the evaluations (favorable or unfavorable) that a person makes about an entity, while behaviors refer to the actions that are taken by an individual toward said entity (Ajzen & Fishbein, 1978). A vignette-based experimental procedure was employed, with the two main experimental conditions involving: (1) a business with a strong cyber-resilience posture and; (2) a business with a weak cyber-resilience posture. Data was collected from a convenience sample of 605 students in Canada. After controlling for gender and age, the results suggest that a strong cyber-resilience posture reduces negative public attitudes and promotes positive behavioral intentions by the public, in comparison to a weak cyber-resilience posture. Furthermore, the more negative the attitudes held by the public toward a business are, the less likely they are to act favorably toward it.
Literature review
Overview of data breaches
The Personal Information Protection and Electronic Documents Act (PIPEDA) (OPCC, 2018) defines a data breach as: “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards […] or from a failure to establish those safeguards”. Although data breaches can be either accidental or criminal in nature, the latter account for the most reported cases in Canada (OPCC, 2019). Despite the fact that most cybercriminals attack a company’s infrastructure to steal customer data (Verizon, 2021), the real impact in the ensuing years is ultimately felt by customers through identity fraud. Identity fraud refers to the theft of an identity for the purpose of stealing either the victim’s funds or someone else’s funds in the name of the victim (Hartung & Busch, 2010). It is an especially simple and low-risk method for monetizing ill-gotten information (Burnes et al., 2020; Copes & Vieraitis, 2009). Identity fraud has steadily risen in Canada, which, in turn, has increased the severity index of non-violent crime in multiple regions across the country (Moreau, 2021). Research shows that despite widespread popular concern over data breaches, notified customers actually do little to protect themselves from the crimes that may ensue (Bhagavatula et al., 2020; Curtis et al., 2018; Zou et al., 2018). Rather, they tend to delegate this task to the firms that they think were supposed to protect their personal information in the first place (Carre et al., 2018; Gemalto, 2018; Ping Identity, 2019). Resultantly, customers may either reward or punish those entities they deem to be responsible for the security of their data (Carre et al., 2018; Martin et al., 2020). Enterprises may thus face public backlash if they fail to prevent data theft (Malhotra et al., 2017). Alongside the attribution of blame and the ensuing animosity, customers may disparage the service, sever ties with it, and even take legal action (Berezina et al., 2012; Romanosky et al., 2014; Syed, 2019; Valecha et al., 2017).
Determinants of the public reaction to data theft
There is evidence that data breaches elicit harsher reactions from the public than other types of incidents, such as, for example, website defacement (Andoh-Baidoo et al., 2010; Cavusoglu, 2004; Garg et al., 2003). All customers of a victimized business tend to react to a data theft, irrespective of whether they were personally affected by the incident or not (Berezina et al., 2012). There is ongoing debate over how long businesses are likely to experience harm from a data theft, with some authors arguing that there are long-term implications for businesses’ economic performance (Cavusoglu, 2004; Morse et al., 2011; Nieuwesteeg & Faure, 2018), while others stress the opposite (Acquisti et al., 2006; Avery, 2021; Ko & Dorantes, 2006). For instance, Angelis et al. (2022) argue that data breaches are now so commonplace that affected customers limit themselves to venting their emotions, but eventually return to the concerned firm. That said, there are additional factors related to an incident that can influence the gravity of the ensuing public reaction. For example, the negative public reaction is greater when the breach involves financial information (Garg et al., 2003; Kamiya et al., 2020; Malhotra & Malhotra, 2011). However, research shows that customers will refrain from criticizing a company when the incident is described as having affected a limited number of victims compared to when it is reported to have impacted upon thousands of individuals (Angelis & Miller, 2021). Moreover, there are contradictory findings regarding how the size of a firm (small-, mid-, or large-sized firm) impacts upon the public reaction (Cavusoglu et al., 2004; Gatzlaff & McCullough, 2010; Malhotra & Malhotra, 2011; Rosati et al., 2019). Whether the theft was caused by an external actor or an internal one is another point of contention with respect to the ensuing public reaction (Andoh-Baidoo et al., 2010; Confente et al., 2019). Finally, low-tech incidents involving social engineering and the theft of computer equipment exacerbate the negative public reaction, compared to data theft caused by computer hacking (Morse et al., 2011).
Impact of cyber-resilience practices on the public reaction to data breaches
Knight and Nurse (2020) argue that it is the way in which the negative public reaction is managed that ultimately decides if the associated reputational harms pose an existential threat to the business. Born out of a realization that security breaches are inevitable, cybersecurity professionals have begun to promote the concept of cyber-resilience (Dupont, 2019). Cyber-resilience practices encompass the technologies, processes and people that are mobilized to minimize and overcome the shocks caused by cybersecurity incidents (Carìas et al., 2018; Dupont, 2019). It is important to stress that cyber-resilience does not eliminate the need for prevention (Bryson, 2018; Cichonski et al., 2012). Indeed, breached companies are more likely to be held accountable for the incident if the public believes that they had lax cybercrime prevention policies (Knight & Nurse, 2020; Romanosky et al., 2014; Syed, 2019). Therefore, implementing a comprehensive range of cybersecurity processes and technologies helps companies to both mitigate and overcome the negative public reaction following a data breach (Ponemon, 2017). Researchers have also demonstrated that providing security services (like a free credit monitoring service subscription) lowers the gravity of the public reaction (Goode et al., 2017; Romanosky et al., 2014).
Other authors have argued that what customers want above all else is an immediate, apologetic, and transparent statement from companies explaining both the circumstances of the breach and the measures they are putting in place to reduce the risks of data misuse (Choi et al., 2016; Jenkins et al., 2014). Likewise, Carre et al. (2018) find that people who see companies as more responsible for protecting data than individuals and more responsible after a data breach also rate a company as more trustworthy if it takes accountability for the incident. At the same time, a business must monitor news coverage of the incident, as journalists may reframe issued company communications in a way that makes the breach seem more severe than it really is (Kim et al., 2017). An overblown depiction of a data breach may indeed worsen negative public reaction towards the affected firm. Similarly, online customer sentiment should be monitored to seek and reassure worried people (Angelis & Miller, 2022). A breached firm that fails to implement suitable response measures gives off the impression that it both insufficiently cares about customer data and lacks compliant security guidelines (Muzatko et al., 2019; Syed, 2019). In response, customers are more likely to deem that the business shares responsibility for their personal information being compromised, not to mention that they may believe that the company will be unable to overcome the repercussions of the incident (Kim et al., 2019).
To summarize the previous findings, many businesses, both small and large, are likely to fall victim to incidents that result in the theft of their customers’ personal information. In some cases, businesses will be held responsible for the data theft, and despite being the victim, will be singled out as the guilty party in the data theft. This dual status as both victim and offender has hitherto received scarce scholarly attention in the context of businesses. In the following section, we develop a theoretical framework through which to explain how this dual status should be both understood and analyzed.
Theoretical framework
The idea that some victims are more likely than others to receive public sympathy echoes Christie’s (1986) conceptualization of the “ideal victim”. According to him, the public grants full victim status when the victim is: (1) “weak”; (2) carrying out a respectable project at the time of their victimization; (3) blameless; (4) the offender is “big and bad”; (5) the offender is unknown to the victim. To summarize, the “ideal victim” thus forms a continuum, and, ultimately, it is the position in which an individual finds themselves that determines the level of responsibility attributed to them for their victimization (Mason, 2013). In light of Christie’s (1986) initial propositions, Hopkins (2016) adapted the framework to understand victimized businesses. The “ideal victim” firm is above all “weak”. Small- and medium-sized businesses (SMBs) are absolved of blame by virtue of their economic “fragility”, which, in turn, makes it unfeasible to have adequate protection against crime. However, empirical research regarding this assertion remains inconclusive in the context of data theft (Cavusoglu et al., 2004; Gatzlaff & McCullough, 2010; Malhotra & Malhotra, 2011; Rosati et al., 2019).
Secondly, the “ideal victim” firm is carrying out a “respectable” project: a victimized firm must pursue a legal and morally acceptable mandate. Be that as it may, Hopkins (2016) adds that it is more important that the crime provokes moral outrage in favor of the victim, irrespective of whether the morality of certain businesses (such as casinos and nightclubs) is questionable. For instance, Hopkins (2016) argues that blatantly violent crimes committed against staff are likely to generate public sympathy. A review of the literature reveals that in all cases, security breaches and data theft more specifically cause a certain level of negative public reaction. That said, reputational harm is especially bad if the incidents are described as having exposed the data of a large number of stakeholders (Garg et al., 2003; Gatzlaff & McCullough, 2010; Kamiya et al., 2020; Malhotra & Malhotra, 2011; Angelis & Miller, 2021; Morse et al., 2011; Romanosky et al., 2014; Tweneboah-Kodua et al., 2018; Tweneboah-Kodua et al., 2020).
Thirdly, the “ideal victim” firm is “blameless”, which means that the company is spared from scrutiny because the crime occurred in spite of the precautions they had put in place to adequately deter crime. In the context of data theft, this dimension of the “ideal” victim model also includes other cyber-resilience practices, more specifically the organizational response measures used to reduce the risk of data misuse (Gwebu et al., 2018; Jenkins et al., 2014; Muzatko et al., 2018; Syed, 2019). To reiterate, Syed (2019) argues that a company that does not activate its response capabilities risks conveying a negative public image with regard to its entire cybersecurity culture. This would result in it being seen as responsible for the theft due to its perceived negligence in terms of data protection.
Fourth, the “ideal victim” firm is targeted by a “big and bad” offender. This offender uses sophisticated methods to commit the crime, or is linked to organized crime (Hopkins, 2016). In the context of data breaches, the negative public reaction to a breached organization is attenuated if the offenders used technical methods to launch their cyberattack against the company in question (Morse et al., 2011). This finding echoes a popular conception in the media and political discourse, that of the super-hacker or super-user. The myth of the super-hacker/super-user involves the gifted hacker who can paralyze society entirely (Wall, 2008). Firms cannot thwart the super-hacker/super-user, because the myth holds that they are difficult to find, that they have complete mastery over digital technology and that they know how to exploit legal loopholes to avoid prosecution (Ohm, 2008).
Finally, the offender is not related to the firm in any way, that is, they are not an employee or a relative of an executive. In cybersecurity, although data protection efforts focus on external threats, decision makers are often reminded by the media that malicious insiders may lurk inside their company’s infrastructure (Kont et al., 2018; Saxena et al., 2020; Verizon, 2021). However, the results remain mixed with respect to the impact of the origin of the attack on blame towards an organization after data theft (Andoh-Baidoo et al., 2010; Confente et al., 2019).
Present study
Businesses that become the victims of data theft risk experiencing a negative public reaction and subsequent economic losses (Knight & Nurse, 2020). Despite this, there is a relative dearth of research examining how the actions undertaken by a business affect the public reaction to data theft. There are several reasons for this. Firstly, reliable data on the subject is difficult to obtain. For instance, it is hard to ascertain both the nature and impact of data breaches, as these can sometimes span several years (Coffey, 2019). Moreover, some businesses are reluctant to report detected data breaches precisely because they fear reputational repercussions (Richardson, 2011). Secondly, cybercriminology as a field of study is relatively new (Bossler & Berenblum, 2019). Allied with this is the lack of interest in the victimology of businesses (Hopkins, 2016). Few of the studies that exist on the reputational impact of data breaches explore the factors that either exacerbate or minimize its severity, much less how organizational cyber-resilience practices impact upon reputational harm.
The present research utilizes the “ideal victim” framework to explain how businesses’ cyber-resilience posture impacts upon negative public reaction in the wake of data theft. More specifically, it seeks to explain the impact of businesses’ cyber-resilience posture on customers’ (1) attitudes and (2) behavioral intentions. The study also attempts to determine whether the attitudes and behavioral intentions of the public are linked, and, as such, whether the reputational harm that follows data theft has tangible implications for a business’s resilience (Knight & Nurse, 2020).
Methods
Below, we present the survey that we administered to students attending multiple universities in order to explain the impact of companies’ cyber-resilience postures. We also present our quantitative research framework.
Participants
The sample (Table 1) consisted of undergraduate students from the Université de Montréal (UdeM), Université du Québec à Montréal (UQAM), Université Laval and Université du Québec à Trois-Rivières (UQTR). The only exclusion criterion for participation in the study was that minors (i.e., those aged under 18 years old) were not eligible to take part for ethical reasons. No monetary or any other type of incentive was given for participating in the study. Recruitment and participation took place during class time between January 13, 2021, and March 31, 2021. The initial sample comprised 792 participants; however, individuals who did not respond to the survey questions pertaining to their assigned vignette were excluded from the analysis. The analyses were also controlled for age and gender. This resulted in a final sample of 605 people (428 women and 173 men) aged between 18 and 66, the majority of whom were white (79%). The students came from a variety of university programs.
Table 1: Descriptive Statistics of the Study Participants

| Characteristic | N | % |
|---|---|---|
| Gender | | |
| Man | 173 | 28.6% |
| Woman | 428 | 70.7% |
| Other | 4 | 0.7% |
| Ethnicity | | |
| Indigenous peoples | 4 | 0.7% |
| Asian | 19 | 3.1% |
| Black | 38 | 6.3% |
| White | 488 | 80.7% |
| Hispanic | 11 | 1.8% |
| Other | 32 | 5.3% |
| No response | 13 | 2.1% |
| Educational attainment | | |
| No degree | 2 | 0.3% |
| High school degree | 32 | 5.3% |
| CEGEP degree¹ | 431 | 71.2% |
| Bachelor’s degree | 96 | 15.9% |
| Master’s degree | 13 | 2.1% |
| Doctorate degree | 1 | 0.2% |
| Other | 24 | 4% |
| No response | 6 | 1% |
| Age group | | |
| 18-24-year-old | 493 | 81.5% |
| 25-64-year-old | 111 | 18.3% |
| 65-year-old + | 1 | 0.2% |
| University | | |
| UdeM | 304 | 50.2% |
| UQAM | 48 | 7.9% |
| Université Laval | 166 | 27.4% |
| UQTR | 63 | 10.4% |
| Other | 8 | 1.5% |
| No response | 16 | 2.6% |
| Undergraduate program | | |
| Criminology | 214 | 35.4% |
| Law | 63 | 10.4% |
| Police studies | 51 | 8.4% |
| Economics | 30 | 5% |
| Industrial engineering | 26 | 4.3% |
| Administration | 23 | 3.8% |
| Sociology | 19 | 3.1% |
| Communication | 20 | 3.3% |
| Forensic science | 14 | 2.3% |
| Psychology | 15 | 2.5% |
| Other | 99 | 16.4% |
| No response | 31 | 5.1% |

N = Number; % = Percentage
Materials and Measures
Data collection was carried out through the use of vignettes (see Appendix) and a short survey. Vignette studies allow researchers to manage their variables within a controlled environment, allowing them to attribute their effects to the experiment (Finch, 1987). Hainmueller et al. (2015) also highlight the external validity of this technique, thus rejecting the criticism that due to its imaginary nature, vignettes cannot predict the real reactions of participants. Moreover, vignettes reduce the risk of social desirability bias, because the questions pertain to scenarios instead of the participants’ life experiences (Alexander & Becker, 1978). In short, vignettes give researchers the required flexibility to reliably capture the intricacies of a given issue.
To ensure the feasibility of the study, the dimensions integrated in the vignettes were chosen in accordance with the findings of Lewis et al. (2019). According to their analysis of popular preconceptions of victims, victim status pertains to the “weak”, “respectable” and “blameless” qualities of the victim. Consequently, the present study incorporated these three factors along with the original five into the vignettes, which made for a total of three dichotomized independent variables and 2³ = 8 vignettes. The vignettes featured two fictitious retail companies named Boîte à prix and ÉchangeGros, both of which were the victims of data theft. The main independent variable—the cyber-resilience posture of the company (its “blameless” quality)—was inspired by practices highlighted in the literature review that sought to reduce reputational harm. Therefore, in the “strong cyber-resilience posture” vignettes, the firms were able to immediately mobilize their communicative resources upon detection of the breach, whereas in the “weak cyber-resilience posture” vignettes, the firms waited two months after detection of the breach to announce it to their stakeholders. The companies in the “strong cyber-resilience posture” condition expressed regret over the incident, whereas the firms in the “weak cyber-resilience posture” condition were unapologetic in their response. Moreover, Boîte à prix and ÉchangeGros in the “strong cyber-resilience posture” condition sought to provide as much information as possible to the public about the breach. According to the OPCC (2018), in order for a business to be transparent about the circumstances of the breach, it must provide details about the targeted organization(s) and how they relate to the affected personal data; how and why the breach occurred; when it was detected; where it happened; who potentially could have access to the data. With this in mind, the companies in the “strong cyber-resilience posture” vignettes were described as being incredibly communicative regarding the circumstances of the theft. Conversely, little information about the circumstances of the breach was shared in the “weak cyber-resilience posture” vignettes.
Similarly, the OPCC (2018) prescribes specific steps that affected individuals can take to reduce or mitigate the risk of ensuing harm. Furthermore, it recommends including contact information in order to allow stakeholders to obtain further information about the breach. In the “strong cyber-resilience posture” vignettes, information was provided regarding how best to protect against identity fraud, and communication channels were open. Conversely, little information was provided in the “weak cyber-resilience posture” vignettes, while communication channels were left shut. Finally, in the “strong cyber-resilience posture” condition, the firms announced that they had comprehensive processes and technologies in place to prevent cybercrime and that they also had provisions to prevent misuse of data in the event of a compromise. In the “weak cyber-resilience posture” condition, the firms were reluctant to share details about the incident and their security practices, although media sources highlighted the weaknesses of their cybercrime prevention capabilities. The size of Boîte à prix and ÉchangeGros (“weak” dimension of the “ideal victim”) were dichotomized into “small business” and “large business,” respectively. The severity of the theft (“respectable” quality of the “ideal victim”) was presented as either “theft affecting the non-financial data of a limited number of customers” or “theft affecting the financial data of many customers”. The literature review underscored that data theft is not a crime that exempts companies from blame, especially if it concerns the financial data of a large number of stakeholders (Andoh-Baidoo et al., 2010; Kamiya et al., 2020; Angelis & Miller, 2021). Indeed, the public reaction is only likely to wane if the theft affects the non-financial data of a limited number of customers (Kamiya et al., 2020; Angelis & Miller, 2021; Tweneboah-Kodua et al., 2020).
The dependent variables were measured via the survey. To measure the impact of cyber-resilience on public attitudes toward a business affected by data theft, the first three variables corresponded to: (1) the blame attributed to the business; (2) the negative feelings felt toward the firm; (3) negative beliefs toward the business. The next three variables helped measure the impact of cyber-resilience upon the behavioral intentions of the public toward a business affected by data theft: (1) positive word-of-mouth; (2) intention to revisit; (3) legal action. The combined dependent variables enabled us to test the link between public attitudes and behavioral intentions toward a firm in the events of data theft. Demographic variables were also measured in the survey and included: (1) the gender of the respondent; (2) the age of the respondent; (3) the respondent’s ethnicity; (4) the respondent’s educational attainment; (5) the university at which the respondent was enrolled; (6) their current study program.
Procedures
An introductory email was sent to 45 university lecturers (40% from UdeM; 20% from UQAM; 24% from Université Laval; 16% from UQTR) to ask their permission to conduct the study during class time. A total of 20 instructors agreed to the request, although some only allowed a short presentation of the research project. Most of the teachers who refused the solicitation agreed to announce the project to their class via either email or their respective student portal. After the introduction of the research project, students were invited to visit a link that redirected them to the online study. After providing their written consent, the participants were randomly given one of the eight vignettes (cyber-resilience posture x company size x severity of the theft) (Table 2). They were tasked with both reading their assigned vignette and answering the subsequent survey questions on their attitudes and behavioral intentions. The study concluded with demographic questions.
Table 2: Vignette Distribution

| Vignettes | N | % |
|---|---|---|
| (1) Small business—Theft affecting the non-financial data of a limited number of customers—Strong cyber-resilience posture | 83 | 13.7% |
| (2) Small business—Theft affecting the non-financial data of a limited number of customers—Weak cyber-resilience posture | 78 | 12.9% |
| (3) Large business—Theft affecting the non-financial data of a limited number of customers—Strong cyber-resilience posture | 75 | 12.4% |
| (4) Large business—Theft affecting the non-financial data of a limited number of customers—Weak cyber-resilience posture | 82 | 13.6% |
| (5) Small business—Theft affecting the financial data of many customers—Strong cyber-resilience posture | 75 | 12.4% |
| (6) Small business—Theft affecting the financial data of many customers—Weak cyber-resilience posture | 83 | 13.7% |
| (7) Large business—Theft affecting the financial data of many customers—Strong cyber-resilience posture | 74 | 12.2% |
| (8) Large business—Theft affecting the financial data of many customers—Weak cyber-resilience posture | 55 | 9.1% |
| Total | 605 | 100% |

N = Number; % = Percentage
Analytic Strategy
To explain the impact of cyber-resilience upon public attitudes toward a business affected by data theft, multivariate analyses of covariance (MANCOVA) were conducted between the dependent variables pertaining to attitudes (blame; negative feelings; negative beliefs), the independent variables (cyber-resilience posture, company size and severity of the theft) and the covariates of age and gender. Amongst the tested assumptions, the Box’s M test was significant, which suggests a violation of the homogeneity of the variance-covariance matrices. Consequently, Pillai’s trace (V) was used to interpret the analyses. The first null hypothesis is as follows:
H0a: The cyber-resilience posture of a business affected by data theft has no impact upon public attitudes toward it.
To measure the impact of cyber-resilience upon the behavioral intentions of the public toward a business affected by data theft, MANCOVA tests were performed between the dependent variables pertaining to behavioral intentions (positive word-of-mouth; intention to revisit; legal action), the three independent variables in the study and the covariates (gender and age). Pillai’s trace (V) was once again used to interpret the results, as there was a violation of the homogeneity of the variance-covariance matrices. The following null hypothesis is presented below:
H0b: The cyber-resilience posture of a business affected by data theft has no impact upon the behavioral intentions of the public toward it.
Pearson correlation tests were employed to answer the third specific objective. The variables pertaining to attitudes were turned into a scale, but the item “negative beliefs” was removed to increase the value of Cronbach’s Alpha (α = .637 to α = .711). Positive word-of-mouth and intention to revisit were also combined into a scale, with legal action deleted to improve internal consistency (α = .696 to α = .793). A mean score of 1 indicates a peak in negative attitudes or behaviors toward the company, while a mean score of 7 entails the opposite. This procedure makes it possible to respond to the following null hypothesis:
H0c: There is no association between public attitudes and behavioral intentions toward a firm affected by data theft.
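The scale-construction step described above (combining Likert items into a mean score and dropping the one item whose removal raises Cronbach’s alpha) as an added worked example in Python. This is not the paper’s code or data: the five respondents and three attitude items below are constructed for illustration, and the item names are assumed labels for the paper’s blame, negative feelings and negative beliefs measures.

```python
"""Cronbach's alpha, alpha-if-item-deleted, and scale scoring for Likert items.

Added example (not from the paper); the respondent data below is constructed
for illustration and is not the study's data.
"""
from statistics import mean, pvariance


def cronbach_alpha(responses):
    """Cronbach's alpha for a list of respondents, each a list of item scores.

    alpha = k/(k-1) * (1 - sum(item variances) / variance of the total score).
    Population variance is used throughout; alpha is unchanged if sample
    variance is used consistently instead, because the scaling factor cancels.
    """
    k = len(responses[0])
    if k < 2:
        raise ValueError("a scale needs at least two items")
    if any(len(r) != k for r in responses):
        raise ValueError("every respondent must answer every item")
    item_vars = [pvariance([r[i] for r in responses]) for i in range(k)]
    total_var = pvariance([sum(r) for r in responses])
    if total_var == 0:
        raise ValueError("total score has zero variance")
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def alpha_if_deleted(responses, item_names):
    """Alpha recomputed with each item removed in turn. This mirrors the
    paper's step of dropping one item to raise internal consistency."""
    result = {}
    for i, name in enumerate(item_names):
        reduced = [r[:i] + r[i + 1:] for r in responses]
        result[name] = cronbach_alpha(reduced)
    return result


def scale_scores(responses, keep):
    """Mean of the retained items per respondent. On the paper's 1-7 agreement
    scale, 1 is the most negative attitude and 7 the least."""
    return [mean(r[i] for i in keep) for r in responses]


# Constructed data: five respondents, three attitude items on a 1-7 scale.
# The third item is deliberately out of step with the other two.
ITEMS = ["blame", "negative_feelings", "negative_beliefs"]
RESPONSES = [
    [1, 2, 6],
    [2, 2, 3],
    [4, 5, 5],
    [6, 6, 2],
    [7, 6, 4],
]

if __name__ == "__main__":
    print("alpha, all items:", round(cronbach_alpha(RESPONSES), 3))
    for name, a in alpha_if_deleted(RESPONSES, ITEMS).items():
        print(f"alpha without {name}: {a:.3f}")
    print("scale scores (blame + negative_feelings):",
          scale_scores(RESPONSES, keep=[0, 1]))
```

Running it shows alpha rising from about .31 with all three items to about .97 once the poorly aligned third item is dropped, which is the pattern the paper reports when removing “negative beliefs”; the retained items are then averaged into the 1-7 scale score used in the correlation test.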
Results
Table 3 presents the descriptive statistics of the three dependent variables pertaining to attitudes (blame, negative feelings, negative beliefs) according to (1) the cyber-resilience posture of the company, (2) company size and (3) severity of the theft, thus providing a total of eight experimental conditions.
Table 3: Univariate Analyses of Public Attitudes Toward the Breached Firm

All three items were scored from 1 = Strongly agree to 7 = Strongly disagree.

| Condition | Blame, strong posture: n | M | s | Blame, weak posture: n | M | s | Negative feelings, strong posture: n | M | s | Negative feelings, weak posture: n | M | s | Negative beliefs, strong posture: n | M | s | Negative beliefs, weak posture: n | M | s |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Small business, Theft affecting the non-financial data of a limited number of customers | 83 | 4 | 1.7 | 78 | 3.1 | 1.5 | 83 | 4.1 | 1.6 | 78 | 2.5 | 1.3 | 83 | 5 | 1.1 | 78 | 4.5 | 1.5 |
| Small business, Theft affecting the financial data of many customers | 75 | 4.1 | 1.7 | 83 | 3.2 | 1.5 | 75 | 4.2 | 1.6 | 83 | 2.5 | 1.2 | 75 | 5.3 | 1.4 | 83 | 4.3 | 1.5 |
| Large business, Theft affecting the non-financial data of a limited number of customers | 75 | 4.1 | 1.6 | 82 | 2.8 | 1.4 | 75 | 4.2 | 1.6 | 82 | 2.4 | 1.4 | 75 | 5.3 | 1.2 | 82 | 4.4 | 1.5 |
| Large business, Theft affecting the financial data of many customers | 74 | 3.6 | 1.6 | 55 | 3 | 1.6 | 74 | 3.7 | 1.5 | 55 | 2.3 | 1.3 | 74 | 5.4 | 0.9 | 55 | 4.5 | 1.6 |
| Total | 307 | 3.9 | 1.7 | 298 | 3.0 | 1.5 | 307 | 4.0 | 1.6 | 298 | 2.4 | 1.3 | 307 | 5.4 | 1.1 | 298 | 4.4 | 1.5 |

n = sample size; M = mean; s = standard deviation
Table 4 presents the MANCOVA tests. According to Pillai’s trace, cyber-resilience posture does significantly affect public attitudes (V = .263, F(3, 593) = 70.646, partial η2 = .263, p < .01), which leads us to reject the null hypothesis H0a. However, there is no three-way interaction effect for public attitudes (V = .006, F(3, 593) = 1.170, partial η2 = .006, p > .05). Furthermore, there are no two-way interaction effects between the independent variables and the combined dependent variables pertaining to public attitudes (company size x cyber-resilience posture: V = .000, F(3, 593) = .048, partial η2 = .000, p > .05; severity of the theft x cyber-resilience posture: V = .004, F(3, 593) = .884, partial η2 = .004, p > .05; company size x severity of the theft: V = .010, F(3, 593) = 2.024, partial η2 = .010, p > .05). Similarly, neither company size (V = .007, F(3, 593) = 1.465, partial η2 = .007, p > .05) nor severity of the theft (V = .001, F(3, 593) = .293, partial η2 = .001, p > .05) has any major effect upon public attitudes.
Table 4: MANCOVA Analyses (Pillai’s Trace) of Public Attitudes Toward the Breached Firm
| Effect | V | F | Partial η2 | p |
|---|---|---|---|---|
| Cyber-resilience posture | .263 | 70.646 | .263 | .000** |
| Company size | .007 | 1.465 | .007 | .223 |
| Severity of the theft | .001 | .293 | .001 | .831 |
| Company size x Cyber-resilience posture | .000 | .048 | .000 | .986 |
| Severity of the theft x Cyber-resilience posture | .004 | .884 | .004 | .449 |
| Company size x Severity of the theft | .010 | 2.024 | .010 | .109 |
| Company size x Severity of the theft x Cyber-resilience posture | .006 | 1.170 | .006 | .321 |
*p < .05; ** p < .01
V = value of Pillai’s trace; F = F-statistic; Partial η2 = partial eta squared; p = p-value
In light of the significant main effect, ANOVA tests (Table 5) were conducted to determine the impact of cyber-resilience upon the individual dependent variables. First, the cyber-resilience posture of a company that suffered data theft moderately predicts (p < .01, η = .278) the level of blame assigned to it. That is to say, the public are less likely to blame a firm that has mobilized its security and communication measures (M = 3.94, s = 1.67) than a business with a weak cyber-resilience posture (M = 3.03, s = 1.47). Second, cyber-resilience has a very strong impact (p < .01, η = .483) on the negative feelings held toward companies. Specifically, a good cyber-resilience posture reduces negative feelings (M = 4.03, s = 1.58) compared to a bad cyber-resilience posture (M = 2.44, s = 1.28). Finally, cyber-resilience strongly predicts (p < .01, η = .332) negative beliefs toward a business: a strong posture reduces pessimistic beliefs about the future of a firm (M = 5.37, s = 1.14) compared to a weak one (M = 4.42, s = 1.54).
Table 5: ANOVA Analyses of Public Attitudes Toward the Breached Firm
| Dependent variable | F | η | p | Strong posture M | Strong posture s | Strong posture n | Weak posture M | Weak posture s | Weak posture n |
|---|---|---|---|---|---|---|---|---|---|
| Blame | 50.53 | .278 | .000** | 3.94 | 1.67 | 307 | 3.03 | 1.47 | 298 |
| Negative feelings | 183.57 | .483 | .000** | 4.03 | 1.58 | 307 | 2.44 | 1.28 | 298 |
| Negative beliefs | 74.82 | .332 | .000** | 5.37 | 1.14 | 307 | 4.42 | 1.54 | 298 |
*p < .05; ** p < .01
F = F-statistic; η = eta; p = p-value
M = mean; s = standard deviation; n = sample size
Table 6 depicts the descriptive statistics of the three variables portraying customers’ behavioral intentions (positive word-of-mouth, intention to revisit, legal action) with respect to the three independent variables:
Table 6: Univariate Analyses of the Behavioral Intentions of the Public Toward the Breached Firm
| Experimental condition | Cyber-resilience posture | n | Positive word-of-mouth M | Positive word-of-mouth s | Intention to revisit M | Intention to revisit s | Legal action M | Legal action s |
|---|---|---|---|---|---|---|---|---|
| Small business, theft affecting the non-financial data of a limited number of customers | Strong | 83 | 4.1 | 1 | 3.4 | 1.2 | 2.9 | 1.7 |
| Small business, theft affecting the non-financial data of a limited number of customers | Weak | 78 | 5.2 | 1.2 | 4.9 | 1.4 | 3.8 | 1.7 |
| Small business, theft affecting the financial data of many customers | Strong | 75 | 4.2 | 1.3 | 3.5 | 1.5 | 3.3 | 1.7 |
| Small business, theft affecting the financial data of many customers | Weak | 83 | 5.4 | 1.2 | 4.8 | 1.4 | 3.7 | 1.8 |
| Large business, theft affecting the non-financial data of a limited number of customers | Strong | 75 | 4.3 | 1.2 | 3.5 | 1.3 | 2.9 | 1.7 |
| Large business, theft affecting the non-financial data of a limited number of customers | Weak | 82 | 5.4 | 1.2 | 4.8 | 1.5 | 3.9 | 1.5 |
| Large business, theft affecting the financial data of many customers | Strong | 74 | 4.4 | 1.1 | 3.8 | 1.4 | 3 | 1.5 |
| Large business, theft affecting the financial data of many customers | Weak | 55 | 5.5 | 1.3 | 5.2 | 1.3 | 4.1 | 1.8 |
| Total | Strong | 307 | 4.2 | 1.2 | 3.5 | 1.4 | 3.0 | 1.7 |
| Total | Weak | 298 | 5.3 | 1.2 | 4.9 | 1.4 | 3.9 | 1.7 |
All three items scored from 1 = Strongly agree to 7 = Strongly disagree.
n = sample size; M = mean; s = standard deviation
The MANCOVA tests are shown in Table 7. The analyses showed a significant effect of cyber-resilience posture on the behavioral intentions of the public (V = .240, F(3, 593) = 62.589, partial η2 = .240, p < .01), which leads us to reject null hypothesis H0b. No three-way interaction effect exists between the independent variables and the behavioral intentions of the public toward the breached firm (V = .001, F(3, 593) = .150, partial η2 = .004, p > .05). Similarly, there are no two-way interaction effects between the independent variables and the combined dependent variables pertaining to the behavioral intentions of the public (company size x cyber-resilience posture: V = .001, F(3, 593) = .292, partial η2 = .001, p > .05; severity of the theft x cyber-resilience posture: V = .000, F(3, 593) = .072, partial η2 = .000, p > .05; company size x severity of the theft: V = .004, F(3, 593) = .817, partial η2 = .004, p > .05). Furthermore, neither company size (V = .005, F(3, 593) = 1.069, partial η2 = .005, p > .05) nor severity of the theft (V = .005, F(3, 593) = .997, partial η2 = .005, p > .05) significantly affects the behavioral intentions of the public.
Table 7: MANCOVA Analyses (Pillai’s trace) of the Behavioral Intentions of the Public Toward the Breached Firm
| Effect | V | F | Partial η2 | p |
|---|---|---|---|---|
| Cyber-resilience posture | .240 | 62.589 | .240 | .000** |
| Company size | .005 | 1.069 | .005 | .362 |
| Severity of the theft | .005 | .997 | .005 | .394 |
| Company size x Cyber-resilience posture | .001 | .292 | .001 | .831 |
| Severity of the theft x Cyber-resilience posture | .000 | .072 | .000 | .975 |
| Company size x Severity of the theft | .004 | .817 | .004 | .485 |
| Company size x Severity of the theft x Cyber-resilience posture | .001 | .150 | .001 | .930 |
*p < .05; ** p < .01
V = value of Pillai’s trace; F = F-statistic; Partial η2 = partial eta squared; p = p-value
The following ANOVA tests (Table 8) show a strong relationship between cyber-resilience and positive word-of-mouth (p < .01, η = .432). In other words, the public spoke more positively about those companies that activated their cyber-resilience measures (M = 4.22, s = 1.17) than about those that did not (M = 5.36, s = 1.21). Similarly, a strong relationship (p < .01, η = .442) exists between cyber-resilience posture and intention to revisit. That is to say, the public are more inclined to revisit a company with a strong cyber-resilience posture (M = 3.53, s = 1.35) than a firm with a poor cyber-resilience posture (M = 4.89, s = 1.41). Finally, cyber-resilience has a moderate effect on the intention to initiate legal action (p < .01, η = .285), with a strong posture reducing the likelihood of doing so (M = 2.96, s = 1.67) compared to a poor posture (M = 3.85, s = 1.69).
Table 8: ANOVA Analyses of the Behavioral Intentions of the Public Toward the Breached Firm
| Dependent variable | F | η | p | Strong posture M | Strong posture s | Strong posture n | Weak posture M | Weak posture s | Weak posture n |
|---|---|---|---|---|---|---|---|---|---|
| Positive word-of-mouth | 138.246 | .432 | .000** | 4.22 | 1.17 | 307 | 5.36 | 1.21 | 298 |
| Intention to revisit | 146.702 | .442 | .000** | 3.53 | 1.35 | 307 | 4.89 | 1.41 | 298 |
| Legal action | 40.926 | .285 | .000** | 2.96 | 1.67 | 307 | 3.85 | 1.69 | 298 |
*p < .05; ** p < .01
F = F-statistic; η = eta; p = p-value
M = mean; s = standard deviation; n = sample size
Pearson correlation tests (Table 9) demonstrate a very strong negative linear relationship between the negative public attitudes scale (α = .711) and the positive behavioral intentions of the public scale (α = .793) toward a breached firm (r = -.576, p < .01). In other words, the more negative attitudes a person holds regarding a company that suffered a data theft, the weaker their intention to act favorably toward it. Consequently, we reject null hypothesis H0c.
Table 9: Pearson Correlation Tests Between Public Attitudes and Behavioral Intentions
| Scale | M | s | Attitudes (r) | Behaviors (r) |
|---|---|---|---|---|
| Attitudes | 6.75 | 2.89 | 1 | -.576** |
| Behaviors | 8.99 | 2.612 | -.576** | 1 |
*p < .05; ** p < .01
M = mean; s = standard deviation; r = Pearson’s r
Discussion
The analyses showed that a strong cyber-resilience posture effectively reduces negative public attitudes compared to a poor cyber-resilience posture. Similarly, the results indicated that, compared to a bad cyber-resilience posture, good cyber-resilience promotes positive behavioral intentions among the public. Overall, then, the results support the observation that robust security technologies and processes, as well as effective crisis communication mechanisms, mitigate the reputational harm caused by data theft. On the other hand, the analyses did not indicate a significant relationship between firm size and public reaction. As noted above, previous research has found mixed results about how firm size impacts upon public reaction (Cavusoglu et al., 2004; Gatzlaff & McCullough, 2010; Malhotra & Malhotra, 2011; Rosati et al., 2019). It is possible that the present experimental study did not find support for either of these interpretations because the inclusion of cyber-resilience in the analysis overshadowed the role played by company size. In other words, the actions (or inaction) of a firm may matter much more to customers than the size of the firm. In fact, it is possible that an association between severity of the theft and public reaction was not found for the same reason. Another vignette study could examine the role of firm size and severity of the theft in the absence of cyber-resilience posture. However, such a study may lack external validity, because a data breach is always followed by a response, or a lack thereof, on the part of the affected organization.
That said, the non-significant effect of the severity of the theft upon the public reaction may be counter-intuitive, because detection solutions seek to trigger an incident response before the incident ever escalates in the first place (Cichonski et al., 2012). However, this does not mean that detection solutions are irrelevant to a cyber resilience strategy designed to reduce reputational harm. In fact, research has shown that the severity of the public reaction lessens if the business was the first to inform them about any crisis (Beldad et al., 2018). Therefore, to foster resilience, a company should ensure that it is the first to detect and communicate the data breach to the public (Knight & Nurse, 2020). In this study, it was assumed that the firm was the first to detect the data theft. The observations resulting from the study do not allow us to confirm whether an interaction effect exists between company size, the severity of the theft, cyber-resilience posture and the public reaction in the event of a data theft. In sum, this study finds that among the examined dimensions in Hopkins’s (2016) “ideal victim” framework, only the “blameless” quality of a company allows it to better claim victim status in the event of data theft. Irrespective of the circumstances around the theft, companies of all sizes must suitably prepare and mobilize their prevention, detection, and response capabilities against cybercrime to ensure their resilience in the face of reputational damage. That said, it is impossible to confirm whether a firm may ever be seen as an “ideal victim” in the eyes of the public after data theft. After all, it was not able to prevent the breach and, all things considered, this violates public expectations about data protection (Malhotra et al., 2017). 
In any case, this study contributes to the “ideal victim” model (Hopkins, 2016) by showing that, in the context of data theft, a breached organization that is “blameless” will occupy a better place in the “ideal victim” hierarchy.
Finally, the results of the present study lend support to those of Martin et al. (2020), who showed that public attitudes toward breached businesses are linked to behaviors regarding it. In other words, the more severe the negative attitudes, the less favorably the public intends to act toward the company. This finding suggests that the reputational damage caused by data theft also involves economic repercussions for the business in question.
Limitations
This experimental study has several limitations. Firstly, the sample comprises solely university students, which limits the generalizability of the findings, as student samples differ markedly from non-student samples (Hanel & Vione, 2016). Furthermore, a large proportion of the participants were criminology students, meaning that the sample is not representative of the general student population. Fox and Cook (2011) suggest that criminology students, who most likely already took a victimology course, are less inclined to blame a victim than others because they had the opportunity to develop a critical perspective regarding victimization and its causes. That said, the field of victimology has traditionally focused on the victimization of individuals (Hopkins, 2016). It is thus possible that the victim status of companies, especially in cases of data breaches where they are expected to safeguard customer data (Carre et al., 2018; Gemalto, 2018; Ping Identity, 2019), is not affected by the students’ curriculum. Secondly, the cyber-resilience posture of the businesses, although described concisely, formed much of the vignettes’ content. Therefore, when giving their opinions, participants may have had this element more saliently in mind than company size or severity of the theft, as the latter two variables only accounted for one sentence each. Likewise, since the companies in the vignettes were not real, it is possible that the participants did not have a proper mental image of the businesses in question, thus shaping their responses. However, because this study sought to examine customer attitudes and behavioral intentions after data theft, it could not risk choosing a real company about which people already hold strong feelings. Thirdly, the results do not allow us to predict how long the public reaction lasts after data theft, only that it exists and that a cyber-resilience posture can limit it.
Fourthly, this research project is an experimental study and, as such, all the variables were manipulated in an artificial setting. However, in real life, many factors obscure the impact of cyber-resilience upon the public reaction in the event of data theft. Moreover, the present study focused on behavioral intentions rather than real behaviors. However, just because a person reports that they will stop supporting a company, this does not always mean that they will do so. A final limitation concerns the operationalization of the main independent variable “cyber-resilience posture”. The vignettes included cyber-resilience practices that have been shown to have a favorable impact upon resilience to reputational damage after data theft. These do not necessarily apply to the physical, psychological, or social shocks that may also follow data theft or other cybersecurity incidents.
Conclusion
A vignette-based experimental study was carried out to examine the impact of cyber-resilience posture upon the public reaction to businesses following data theft. The results show that reputational damage has implications for the survival of the affected organization. To ensure its resilience in the face of reputational damage after data theft, a business must maintain its “blameless” quality via its security and communication strategies. The non-significant effects of “company size” and “severity of the theft” bode well for businesses in the sense that they can take complete charge of their cyber-resilience to public reaction after data theft. Businesses, and even SMEs, can build their strategy by looking at the available best practice frameworks for preventing, detecting and responding to cybersecurity incidents (Cyber Security Coalition, n.d.; Cichonski et al., 2012; ISO, 2020; Morreale, 2008; NCSC, 2020; NIST, 2018).
Future research could seek to examine the relevance of other dimensions of the “ideal victim” that were not addressed by the present study. In addition, it may be interesting to assess the Just World Hypothesis’s impact on the “ideal victim” model. The Just World Hypothesis refers to the belief that the world is fair and thus that people get what they deserve (Lerner & Miller, 1978). If someone becomes a victim, a person who believes in a just world may think that they have done something to warrant it (Lodewijkx et al., 2001). Furthermore, future studies could attempt to show whether a cyber-resilience posture equally assuages the public reaction in both criminal cases and accidental ones. Other empirical research could test the impact of cyber-resilience practices upon other shocks resulting from cybersecurity incidents, such as, for example, a company’s productivity. On that note, in addition to contributing to business victimology – a niche subfield of criminology – the study provides initial empirical support for cyber-resilience, a concept that had until now remained at the conceptual stage. This study thus hopefully inspires others to publish work explaining the impacts of cyber-resilience on other types of harms that follow a security breach.
Funding
This research received no specific grant from any funding agency in the public, commercial, or not-for-profit sectors.
Notes
1 A CEGEP degree is a level of education between high school and undergraduate education. It is exclusive to the province of Quebec, in Canada.
References
Acquisti, A., Friedman, A. and Telang, R. (2006). Is there a cost to privacy breaches? An event study. Twenty-Seventh International Conference on Information Systems, Milwaukee, WI, United States. https://aisel.aisnet.org/icis2006/94/?utm_source=aisel.aisnet.org%2Ficis2006%2F94&utm_medium=PDF&utm_campaign=PDFCoverPages
Ajzen, I. and Fishbein, M. (1978). Attitude-behavior relations: a theoretical analysis and review of empirical research. Psychological Bulletin, 84(5), 888-918. https://doi.org/10.1037/0033-2909.84.5.888
Alexander, C. S. and Becker, H. J. (1978). The use of vignettes in survey research. The Public Opinion Quarterly, 42(1), 93‑104. https://doi.org/10.1086/268432
Andoh-Baidoo, F. K., Amoako-Gyampah, K. and Osei-Bryson, K.-M. (2010). How internet security breaches harm market value. IEEE Security & Privacy, 8(1), 36‑42. 10.1109/MSP.2010.37
Angelis, J. N. and Miller, J. C. (2021). An empirical investigation of the effects of individuality on responses to data theft crimes. IEEE Transactions on Engineering Management, 68(6), 1663‑1676. https://doi.org/10.1109/TEM.2020.2974742
Angelis, J. N., Murthy, R. S., Beaulieu, T. and Miller, J. C. (2022). Better angry than afraid: the case of post data breach emotions on customer engagement. IEEE Transactions on Engineering Management, 1‑13. https://doi.org/10.1109/TEM.2022.3189599
Avery, A. (2021). After the disclosure: measuring the short-term and long-term impacts of data breach disclosures on the financial performance of organizations. Information & Computer Security, (in press). 10.1108/ICS-10-2020-0161
Beldad, A. D., Laar, E. van and Hegner, S. M. (2018). Should the shady steal thunder? The effects of crisis communication timing, pre-crisis reputation valence, and crisis type on post-crisis organizational trust and purchase intention. Journal of Contingencies and Crisis Management, 26(1), 150‑163. 10.1111/1468-5973.12172
Bentley, J. M., Oostman, K. R. and Shah, S. F. A. (2018). We’re sorry but it’s not our fault: organizational apologies in ambiguous crisis situations. Journal of Contingencies and Crisis Management, 26(1), 138‑149. 10.1111/1468-5973.12169
Berezina, K., Cobanoglu, C., Miller, B. L. and Kwansa, F. A. (2012). The impact of information security breach on hotel guest perception of service quality, satisfaction, revisit intentions and word‐of‐mouth. International Journal of Contemporary Hospitality Management, 24(7), 991‑1010. 10.1108/09596111211258883
Bhagavatula, S., Bauer, L. and Kapadia, A. (2020). (How) do people change their passwords after a breach?. IEEE Signal Processing Workshop, Rio de Janeiro, Brazil. https://www.ieee-security.org/TC/SPW2020/ConPro/papers/bhagavatula-conpro20.pdf
Bossler, A. M. and Berenblum, T. (2019). Introduction: new directions in cybercrime research. Journal of Crime and Justice, 42(5), 495‑499. 10.1080/0735648X.2019.1692426
Boyd, B., Bergh, D. and Ketchen, D. (2010). Reconsidering the reputation—performance relationship: a resource-based view. Journal of Management, 36(3), 588‑609. 10.1177/0149206308328507
Bryson, R. (2018). Building cyber resilience. The Conference Board of Canada 2018, Ottawa, ON, Canada. https://www.conferenceboard.ca/temp/1236a7e2-ac3f-441f-bf97-d5883dc30128/9822_Building%20Cyber%20Resilience_BR_FR.pdf
Burnes, D., DeLiema, M. and Langton, L. (2020). Risk and protective factors of identity theft victimization in the United States. Preventive Medicine Reports, 17, 1‑8. 10.1016/j.pmedr.2020.101058
Carìas, J. F., Labaka, L., Sarriegi, J. M. and Hernantes, J. (2018). An approach to the modeling of cyber resilience management. 2018 Global Internet of Things Summit, Bilbao, Spain. 10.1109/GIOTS.2018.8534579
Carre, J. R., Curtis, S. R. and Jones, D. N. (2018). Ascribing responsibility for online security and data breaches. Managerial Auditing Journal, 33(4), 436‑446. https://doi.org/10.1108/MAJ-11-2017-1693
Cavusoglu, H., Mishra, B. and Raghunathan, S. (2004). The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce, 9(1), 69‑104. 10.1080/10864415.2004.11044320
Choi, B. C. F., Kim, S. S. and Jiang, Z. (Jack). (2016). Influence of firm’s recovery endeavors upon privacy breach on online customer behavior. Journal of Management Information Systems, 33(3), 904‑933. 10.1080/07421222.2015.1138375
Christie, N. (1986). The ideal victim. In M. Duggan (eds.), Revisiting the ‘ideal victim’: developments in critical victimology (pp. 11-23). Policy Press. 10.1007/978-1-349-08305-3_2
Cichonski, P., Millar, T., Grance, T. and Scarfone, K. (2012). Computer security incident handling guide : recommendations of the National Institute of Standards and Technology. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-61r2
Coffey, J. W. (2019). Difficulties in determining data breach impacts, Journal of Systemics, Cybernetics and Informatics, 17(5), 9-13. http://www.iiisci.org/journal/sci/FullText.asp?var=&id=IP069LL19
Confente, I., Siciliano, G. G., Gaudenzi, B. and Eickhoff, M. (2019). Effects of data breaches from user-generated content: a corporate reputation analysis. European Management Journal, 37(4), 492‑504. 10.1016/j.emj.2019.01.007
Copes, H. and Vieraitis, L. M. (2009). Bounded rationality of identity thieves: using offender-based research to inform policy. Criminology & Public Policy, 8(2), 237‑262. 10.1111/j.1745-9133.2009.00553.x
Curtis, S. R., Carre, J. R. and Jones, D. N. (2018). Consumer security behaviors and trust following a data breach. Managerial Auditing Journal, 33(4), 425‑435. https://doi.org/10.1108/MAJ-11-2017-1692
Cyber Security Coalition (n.d.). Cyber Security Incident Management Guide. Cyber Security Coalition. https://www.cybersecuritycoalition.be/content/uploads/cybersecurity incident-management-guide-EN.pdf
Dupont, B. (2019). The cyber-resilience of financial institutions: significance and applicability. Journal of Cybersecurity, 5(1), 1‑17. 10.1093/cybsec/tyz013
Dupont, B., Shearing, C. and Bernier, M. (2020). Withstanding cyber-attacks: cyber-resilience practices in the financial sector. Global Risk Institute. https://globalriskinstitute.org/publications/withstanding-cyber-attacks-cyber-resilience-practices-in-the-financial-sector/
Finch, J. (1987). The vignette technique in survey research. Sociology, 21(1), 105‑114. 10.1177/0038038587021001008
Fox, K. A. and Cook, C. L. (2011). Is knowledge power? The effects of a victimology course on victim blaming. Journal of Interpersonal Violence, 26(17), 3407‑3427. 10.1177/0886260511403752
Freedman, M. (2022, June 29). How and why businesses collect consumer data. Business News Daily. https://www.businessnewsdaily.com/10625-businesses-collecting-data.html
Garg, A., Curtis, J. and Halper, H. (2003). Quantifying the financial impact of IT security breaches. Information Management & Computer Security, 11(2), 74-83. 10.1108/09685220310468646
Gatzert, N. (2015). The impact of corporate reputation and reputation damaging events on financial performance: empirical evidence from the literature. European Management Journal, 33(6), 485‑499. 10.1016/j.emj.2015.10.001
Gatzlaff, K. M. and McCullough, K. A. (2010). The effect of data breaches on shareholder wealth. Risk Management and Insurance Review, 13(1), 61‑83. 10.1111/j.1540-6296.2010.01178.x
Gemalto. (2018). Data Breaches & Customer Loyalty 2018. Gemalto. http://octopi.com/pdf/customer-loyalty-report.pdf
Goode, S., Hoehle, H., Venkatesh, V. and Brown, S. A. (2017). User compensation as a data breach recovery action: an investigation of the Sony PlayStation network breach. MIS Quarterly, 41(3), 703–727. 10.25300/MISQ/2017/41.3.03
Gwebu, K. L., Wang, J. and Wang, L. (2018). The role of corporate reputation and crisis response strategies in data breach management. Journal of Management Information Systems, 35(2), 683‑714. 10.1080/07421222.2018.1451962
Hainmueller, J., Hangartner, D. and Yamamoto, T. (2015). Validating vignette and conjoint survey experiments against real-world behavior. Proceedings of the National Academy of Sciences, 112(8), 2395‑2400. 10.1073/pnas.1416587112
Hanel, P. H. P. and Vione, K. C. (2016). Do student samples provide an accurate estimate of the general public? PLOS One, 11(12), 1-10. 10.1371/journal.pone.0168354
Hartung, D. and Busch, C. (2010). Biometric transaction authentication protocol. 2010 Fourth International Conference on Emerging Security Information, Systems and Technologies, Venice, Italy. 10.1109/SECURWARE.2010.41
Hopkins, M. (2016). Business, victimisation and victimology: reflections on contemporary patterns of commercial victimisation and the concept of businesses as ‘ideal victims’. International Review of Victimology, 22(2), 161‑178. 10.1177/0269758016628948
ISO. (2020). ISO/IEC 27035-3:2020 information technology — Information security incident management — Part 3: guidelines for ICT incident response operations. International Organization for Standardization. https://www.iso.org/standard/74033.html
Jenkins, A., Anandarajan, M. and D’Ovidio, R. (2014). ‘All that glitters is not gold’: the role of impression management in data breach notification. Western Journal of Communication, 78(3), 337‑357. 10.1080/10570314.2013.866686
Kamiya, S., Kang, J.-K., Kim, J., Milidonis, A. and Stulz, R. M. (2020). Risk management, firm reputation, and the impact of successful cyberattacks on target firms. Journal of Financial Economics, 139(3), 1‑31. 10.1016/j.jfineco.2019.05.019
Kim, J. (2019). Underlying processes of SCCT: mediating roles of preventability, blame, and trust. Public Relations Review, 45(3), 1-8. 10.1016/j.pubrev.2019.04.008
Kim, B., Johnson, K. and Park, S.-Y. (2017). Lessons from the five data breaches: analyzing framed crisis response strategies and crisis severity. Cogent Business & Management, 4(1), 1-15. https://doi.org/10.1080/23311975.2017.1354525
Knight, R. and Nurse, J. R. C. (2020). A framework for effective corporate communication after cyber security incidents. Computers & Security, 99, 1-18. 10.1016/j.cose.2020.102036
Ko, M. and Dorantes, C. (2006). The impact of information security breaches on financial performance of the breached firms: an empirical investigation. Journal of Information Technology Management, 17(2), 13-22. https://jitm.ubalt.edu/XVII-2/article2.pdf
Kont, M., Pihelgas, M., Wojtkowiak, J., Trinberg, L. and Osula, A.-M. (2018). Insider threat detection study. NATO Cooperative Cyber Defence Centre of Excellence. https://ccdcoe.org/uploads/2018/10/Insider_Threat_Study_CCDCOE.pdf
Lerner, M. J. and Miller, D. T. (1978). Just World research and the attribution process: looking back and ahead. Psychological Bulletin, 85(5), 1030-1051. https://doi.org/10.1037/0033-2909.85.5.1030
Lewis, J. A., Hamilton, J. C. and Elmore, J. D. (2019). Describing the ideal victim: a linguistic analysis of victim descriptions. Current Psychology. 10.1007/s12144-019-00347-1
Lodewijkx, H. F. M., Wildschut, T., Nijstad, B. A., Savenije, W. and Smit, M. (2001). In a violent world a just world makes sense: the case of “senseless violence” in the Netherlands. Social Justice Research, 14(1), 79‑94. https://doi.org/10.1023/A:1012527808620
Malhotra, A. and Malhotra, K. C. (2011). Evaluating customer information breaches as service failures: an event study approach. Journal of Service Research, 14(1), 44‑59. 10.1177/1094670510383409
Malhotra, N., Sahadev, S. and Purani, K. (2017). Psychological contract violation and customer intention to reuse online retailers: exploring mediating and moderating mechanisms. Journal of Business Research, 75, 17‑28. 10.1016/j.jbusres.2017.01.013
Martin, K. (2020). Breaking the privacy paradox: the value of privacy and associated duty of firms. Business Ethics Quarterly, 30(1), 65‑96. 10.1017/beq.2019.24
Mason, G. (2013). The symbolic purpose of hate crime law: ideal victims and emotion. Theoretical Criminology, 18, 75-92. 10.1177/1362480613499792
Moreau, G. (2021). Police-reported crime statistics in Canada, 2020. Statistics Canada. https://www150.statcan.gc.ca/n1/pub/85-002-x/2021001/article/00013-eng.htm
Morse, E., Raval, V. and Wingender, J. (2011). Market price effects of data security breaches. Information Security Journal: A Global Perspective, 20, 263-273. https://doi.org/10.1080/19393555.2011.611860
Muzatko, S. and Bansal, G. (2018). Timing of data breach announcement and e-commerce trust. Midwest Association for Information Systems 2018 Proceedings, St. Louis, Missouri, United States. https://aisel.aisnet.org/mwais2018/7/?utm_source=aisel.aisnet.org%2Fmwais2018%2F7&utm_medium=PDF&utm_campaign=PDFCoverPages
NCSC. (2020). Response and recovery - Small business guide: how to prepare your response to (and plan your recovery from) a cyber incident. National Cyber Security Centre. https://www.ncsc.gov.uk/files/NCSC_A5%20Response%20and%20Recovery%20Guide_v3_OCT20.pdf
Nieuwesteeg, B. and Faure, M. (2018). An analysis of the effectiveness of the EU data breach notification obligation. Computer Law & Security Review, 34(6), 1232-1246. https://doi.org/10.1016/j.clsr.2018.05.026
NIST. (2018). Framework for improving critical infrastructure cybersecurity, version 1.1. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.CSWP.04162018
Ohm, P. (2008). The myth of the superuser: fear, risk, and harm online. UC Davis Law Review, 41(4), 1327-1402. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=967372
OPCC. (2018). What you need to know about mandatory reporting of breaches of security safeguards. Office of the Privacy Commissioner of Canada. https://www.priv.gc.ca/en/privacy-topics/business-privacy/safeguards-and-breaches/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/
OPCC. (2019). A full year of mandatory data breach reporting: What we’ve learned and what businesses need to know. Office of the Privacy Commissioner of Canada. https://www.priv.gc.ca/en/blog/20191031/
Ping Identity. (2019). 2019 consumer survey: trust and accountability in the era of data misuse. Ping Identity. https://www.pingidentity.com/content/dam/ping-6-2-assets/Assets/Misc/en/3464-consumersurvey-execsummary.pdf
Ponemon. (2017). The impact of data breaches on reputation & share value. Ponemon Institute. https://www.centrify.com/media/4772757/ponemon_data_breach_impact_study_uk.pdf
Richardson, R. (2011). 2010/2011 computer crime and security survey. Computer Security Institute. https://cours.etsmtl.ca/gti619/documents/divers/CSIsurvey2010.pdf
RiskBased Security. (2022). Data breach report: 2021 year end. RiskBased Security. https://www.riskbasedsecurity.com/2022/02/04/data-breach-report-2021-year-end/
Romanosky, S., Hoffman, D. and Acquisti, A. (2014). Empirical analysis of data breach litigation. Journal of Empirical Legal Studies, 11(1), 74-104. https://doi.org/10.1111/jels.12035
Rosati, P., Deeney, P., Cummins, M., van der Werff, L. and Lynn, T. (2019). Social media and stock price reaction to data breach announcements: evidence from US listed companies. Research in International Business and Finance, 47, 458-469. https://doi.org/10.1016/j.ribaf.2018.09.007
Saxena, N., Hayes, E., Bertino, E., Ojo, P., Choo, K.-K. R. and Burnap, P. (2020). Impact and key challenges of insider threats on organizations and critical businesses. Electronics, 9(9), 1-29. https://doi.org/10.3390/electronics9091460
Syed, R. (2019). Enterprise reputation threats on social media: A case of data breach framing. The Journal of Strategic Information Systems, 28(3), 257-274. https://doi.org/10.1016/j.jsis.2018.12.001
Tweneboah-Kodua, S., Atsu, F. and Buchanan, W. (2018). Impact of cyberattacks on stock performance: a comparative study. Information & Computer Security, 26(5), 637-652. https://doi.org/10.1108/ICS-05-2018-0060
Tweneboah-Koduah, S., Atsu, F. and Prasad, R. (2020). Reaction of stock volatility to data breach: an event study. Journal of Cyber Security and Mobility, 9(3), 1-19. https://doi.org/10.13052/jcsm2245-1439.931
Valecha, R., Bachura, E., Chen, R. and Raghav Rao, H. (2017). An exploration of public reaction to the OPM data breach notifications. In M. Fan, J. Heikkilä, H. Li, M. J. Shaw and H. Zhang (Eds.), Internetworked World (pp. 185-191). Springer. https://doi.org/10.1007/978-3-319-69644-7_19
Verizon. (2021). 2021 data breach investigations report. Verizon. https://enterprise.verizon.com/content/verizonenterprise/us/en/index/resources/reports/2021-data-breach-investigations-report.pdf
Wall, D. S. (2008). Cybercrime and the culture of fear. Information, Communication & Society, 11(6), 861-884. https://doi.org/10.1080/13691180802007788
Wartick, S. L. (1992). The relationship between intense media exposure and change in corporate reputation. Business & Society, 31(1), 33-49. https://doi.org/10.1177/000765039203100104
Zou, Y., Mhaidli, A. H., McCall, A. and Schaub, F. (2018). “I’ve got nothing to lose”: consumers’ risk perceptions and protective actions after the Equifax data breach. Fourteenth Symposium on Usable Privacy and Security, Baltimore, MD, United States. https://www.usenix.org/conference/soups2018/presentation/zou
Appendix: Vignettes
Vignette 1
Boîte à prix is a small Canadian retail business. It experienced the theft of the names and email addresses of a limited number of customers. After detecting the breach, the firm immediately issued a public announcement. It stated that it had a full range of measures in place to prevent security incidents and the misuse of data in the event of a breach. Regretting the incident, Boîte à prix was very communicative about the circumstances of the breach. It also gave advice to customers on ways to protect themselves from identity fraud. Similarly, it left its communication channels open for any further inquiry.
Vignette 2
Boîte à prix is a small Canadian retail business. It experienced the theft of the names and email addresses of a limited number of customers. After detecting the breach, the business waited two months before issuing an unapologetic public announcement. Although Boîte à prix is reluctant to share its security practices, media coverage suggests that its cybersecurity culture is lacking and that it does not have sufficient measures in place to prevent the misuse of stolen data. Moreover, the firm shared little about either the circumstances of the breach or the ways in which customers could protect themselves from identity fraud. Similarly, it kept its communication channels shut, which prevented customers from asking questions.
Vignette 3
ÉchangeGros is a big Canadian retail business. It experienced the theft of the names and email addresses of a limited number of customers. After detecting the breach, the firm immediately issued a public announcement. It stated that it had a full range of measures in place to prevent security incidents and the misuse of data in the event of a breach. Regretting the incident, ÉchangeGros was very communicative about the circumstances of the breach. It also gave advice to customers on ways to protect themselves from identity fraud. Similarly, it left its communication channels open for any further inquiry.
Vignette 4
ÉchangeGros is a big Canadian retail business. It experienced the theft of the names and email addresses of a limited number of customers. After detecting the breach, the business waited two months before issuing an unapologetic public announcement. Although Boîte à prix is reluctant to share its security practices, media coverage suggests that its cybersecurity culture is lacking and that it does not have sufficient measures in place to prevent the misuse of stolen data. Moreover, the firm shared little about either the circumstances of the breach or the ways in which customers could protect themselves from identity fraud. Similarly, it kept its communication channels shut, which prevented customers from asking questions.
Vignette 5
Boîte à prix is a small Canadian retail business. It experienced the theft of credit card information of a large number of its customers. After detecting the breach, the firm immediately issued a public announcement. It stated that it had a full range of measures in place to prevent security incidents and the misuse of data in the event of a breach. Regretting the incident, ÉchangeGros was very communicative about the circumstances of the breach. It also gave advice to customers on ways to protect themselves from identity fraud. Similarly, it left its communication channels open for any further inquiry.
Vignette 6
Boîte à prix is a small Canadian retail business. It experienced the theft of credit card information of a large number of its customers. After detecting the breach, the business waited two months before issuing an unapologetic public announcement. Although Boîte à prix is reluctant to share its security practices, media coverage suggests that its cybersecurity culture is lacking and that it does not have sufficient measures in place to prevent the misuse of stolen data. Moreover, the firm shared little about either the circumstances of the breach or the ways in which customers could protect themselves from identity fraud. Similarly, it kept its communication channels shut, which prevented customers from asking questions.
Vignette 7
ÉchangeGros is a big Canadian retail business. It experienced the theft of credit card information of a large number of its customers. After detecting the breach, the firm immediately issued a public announcement. It stated that it had a full range of measures in place to prevent security incidents and the misuse of data in the event of a breach. Regretting the incident, ÉchangeGros was very communicative about the circumstances of the breach. It also gave advice to customers on ways to protect themselves from identity fraud. Similarly, it left its communication channels open for any further inquiry.
Vignette 8
ÉchangeGros is a big Canadian retail business. It experienced the theft of credit card information of a large number of its customers. After detecting the breach, the business waited two months before issuing an unapologetic public announcement. Although Boîte à prix is reluctant to share its security practices, media coverage suggests that its cybersecurity culture is lacking and that it does not have measures in place to prevent the misuse of stolen data. Moreover, the firm shared little about either the circumstances of the breach or the ways in which customers could protect themselves from identity fraud. Similarly, it kept its communication channels shut, which prevented customers from asking questions.