Show-and-tell or hide-and-seek? Examining organizational cybersecurity incident notifications

W. Alec Cram (University of Waterloo, Waterloo, Canada)
Rissaile Mouajou-Kenfack (University of Waterloo, Waterloo, Canada)

Organizational Cybersecurity Journal: Practice, Process and People

ISSN: 2635-0270

Article publication date: 23 December 2022

79

Abstract

Purpose

The growing frequency of cybersecurity incidents commonly requires organizations to notify customers of ongoing events. However, the content contained within these notifications varies widely, including differences in the level of detail, apportioning of blame, compensation and corrective action. This study seeks to identify patterns contained within cybersecurity incident notifications by constructing a typology of organizational responses.

Design/methodology/approach

Based on a detailed review of 1,073 global cybersecurity incidents occurring during 2020, the authors obtained and qualitatively analyzed 451 customer notifications.

Findings

The results reveal three distinct organizational response types associated with the level of detail contained within the notification (full transparency, guarded and opacity), as well as three response types associated with the benefitting party (customer interest, balanced interest and company interest).

Originality/value

This work extends past classifications of cybersecurity incident notifications and provides a template of possible notification approaches that could be adopted by organizations.

Keywords

Citation

Cram, W.A. and Mouajou-Kenfack, R. (2022), "Show-and-tell or hide-and-seek? Examining organizational cybersecurity incident notifications", Organizational Cybersecurity Journal: Practice, Process and People, Vol. ahead-of-print No. ahead-of-print. https://doi.org/10.1108/OCJ-06-2022-0011

Publisher

:

Emerald Publishing Limited

Copyright © 2022, W. Alec Cram and Rissaile Mouajou-Kenfack

License

Published in Organizational Cybersecurity Journal: Practice, Process and People. Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode


1. Introduction

Cybersecurity incidents are increasingly common within organizations (Ponemon Institute, 2020; Verizon, 2020) and often require communications with customers regarding details of the event (Cichonski et al., 2012; Office of the Privacy Commissioner of Canada, 2019). These notifications can come in various forms, including formal press releases, postings on company websites, emails, social media and blogs. Stakeholders, including shareholders, governments, regulators and the media, pay close attention to organizational responses to cybersecurity incidents in determining what actions they may wish to take (Bitektine and Haack, 2015; Zhan and Zhao, 2021).

Although past research has established the link between cybersecurity incidents and downstream consequences on stock prices (Cavusoglu et al., 2004; Hovav and D’Arcy, 2003; Yayla and Hu, 2011), management turnover (Banker and Feng, 2019) and audit fees (Smith et al., 2019), there has been a limited focus on the actual content contained within publicly available cybersecurity incident notifications. Depending on the country where the organization is based, as well as the nature of the incident itself, these notices can include acknowledgments of what occurred, what systems/data were impacted and what the organization is doing (or has done) to respond. Although basic notification templates are available from a variety of sources (e.g. Delaware Attorney General, 2018; Educase, 2013; Montana Department of Justice, 2017), no widely accepted format has yet been established and the nature of communications can vary widely (Cichonski et al., 2012; Diesterhöft et al., 2020). Recent work on the topic has begun to investigate the relationships between the individual choices made by organizations (e.g. offering compensation or apologizing) and how these choices can impact customers (e.g. Greve et al., 2020a, b; Nikkhah and Grover, 2022) and investors (e.g. Marsen et al., 2020).

However, the details contained within cybersecurity incident notifications are particularly important to customers and provide valuable signals regarding the organization’s priorities and managerial philosophy. Past research suggests that stakeholders (including customers, employees, the media and the legal system) make judgments on an organization’s properties and behaviors, which combine to form macro-level conclusions about the legitimacy of the institution; these perceptions can directly influence performance and access to resources (Bitektine and Haack, 2015). In a cybersecurity incident context, since the content included in a notification to customers has the potential to shape how those customers judge if an organization’s response is fair and reasonable, we sought to clarify the nature of patterns that emerge across organizations in terms of customer notifications to cybersecurity incidents.

In order to investigate this further, we pose the following research question: What patterns are present in the approaches used by organizations when notifying customers about cybersecurity incidents? To address this question, we examined the organizational responses to 1,073 global cybersecurity incidents reported from January to December of 2020. From these, we collected 451 incident notifications and qualitatively analyzed their content. We identified three distinct organizational response types associated with the “level of detail” contained within the notification, as well as three additional response types associated with the “benefitting party”.

Our results contribute to the cybersecurity literature by identifying and categorizing the distinct approaches that organizations employ when responding to cybersecurity incidents. We highlight organizational examples that utilize open and forthcoming tactics (i.e. “show-and-tell”), as well as contrasting approaches that seek to conceal and obscure (i.e. “hide-and-seek”). Although past research has classified the individual characteristics of organizational responses, we are not aware of any work that has grouped these characteristics together to form higher level response categories. In doing so, the results from our study can help increase managerial awareness of the various incident notification approaches utilized by organizations around the world. By clarifying the underlying elements of incident notifications and observing how they can be combined together, managers can more mindfully design an approach that suits their own organization’s circumstances, while also potentially benchmarking their approach against other firms in their industry. Although we stop short of presenting causal evidence linking notification approaches to downstream consequences, our study is an important first step in moving towards an understanding of the stakeholder consequences of incident notification strategies.

The remaining sections of our paper are presented as follows. First, we describe the conceptual background, in terms of the crisis response strategies used by organizations. Next, we outline our methodological approach, including data collection and analysis. We then present our results, discuss the implications for research and practice and conclude with opportunities for future research.

2. Conceptual background

Broadly, cybersecurity refers to “the prevention of damage to, unauthorized use of, exploitation of, and—if needed—the restoration of electronic information and communications systems, and the information they contain, in order to strengthen the confidentiality, integrity and availability of these systems” (NIST, 2015, p. 41). Within organizations, an important element of a successful cybersecurity management program is effectively responding to incidents, which represent unexpected events that could compromise business operations (McLaughlin and Gogan, 2018).

In framing our study, we draw on concepts from the marketing, organizational behavior and information systems literature related to how institutions respond to emergency situations and service failures. In doing so, we consider the different approaches and strategies that can be adopted. Of particular interest in this study are the approaches used to communicate with customers following cybersecurity incidents. Although organizations may need to communicate (e.g. risk disclosures) with other stakeholders such as regulators or investors based on formalized guidelines (Eaton et al., 2019; Walton et al., 2021; Wang et al., 2013), our interest in customer notifications is motivated by the flexibility that many organizations have in how much or how little to disclose following an incident. In cases where private customer information is compromised, organizations may be required to meet at least a minimum standard of notification procedures, but these guidelines vary depending on the location of the incident (Buckbee, 2020). However, firms may choose to offer more details than necessary. On the one hand, many organizations are sensitive to the inconvenience that cybersecurity incidents can have on customers and are keen to express regret for the role they may have played in the event; on the other hand, organizations are wary of the legal and financial difficulties that may result from formally accepting responsibility for an incident. We provide an overview of these crisis response and service recovery strategies in the following section, which forms an important basis for our analysis.

2.1 Crisis response and service recovery strategies

Past research suggests that customers are acutely aware of the events and behaviors displayed by the organizations they interact with, which can lead to either satisfying or unsatisfying experiences (Bitner et al., 1990). In the specific context of a crisis situation, which refers to “an untimely but predictable event that has actual or potential consequences for stakeholders” (Millar and Heath, 2004, p. 64), how an organization responds can have long-term impacts on its reputation and profitability (Coombs, 2006). Similar sentiments appear in the service recovery literature, which focuses on the organizational actions following a failed delivery of service to customers in an attempt to repair loyalty and customer satisfaction (Kau and Loh, 2006; Van Vaerenbergh and Orsingher, 2016).

A key element of an organization’s response centers on its communications with stakeholders. Indeed, “managing a crisis effectively is crucial in reestablishing control of the organization, restoring the company image, and regaining stakeholder trust” (Marsen, 2020, p. 164). For example, organizational apologies following a crisis have been found to correspond with inconsistent results. Some research suggests that leaders who apologize for mistakes are perceived positively by victims (Tucker et al., 2006), while other others perceive apologies as reinforcing views of unfairness, particularly in cases where the communication is viewed as insincere (Skarlicki et al., 2004).

Customers’ perceptions of justice and trust in an organization’s response also play an important role in determining the level of satisfaction with the resolution (Van Vaerenbergh and Orsingher, 2016). Past research suggests that perceptions of distributive justice (i.e. the steps taken by the organization to offset the costs borne by an impacted customer, such as monetary compensation) are positively related to a customer’s satisfaction with an organization’s response to a service issue (Kau and Loh, 2006; Gelbrich and Roschk, 2011).

The effectiveness of an organization’s response to a crisis can be evaluated in a variety of ways. Past research has pointed to the reactions of customers on social media (Coombs and Holladay, 2014), the consistency of communications over time (Massey, 2001) and proactive preparations that can overcome crisis barriers (Fischer et al., 2016) as factors associated with effective responses. Indeed, research suggests that how a company responds to an incident can be more consequential to a customer’s satisfaction than the company’s initial provision of services (Spreng et al., 1995). For example, customers tend to respond more favorably to incident remedies that are conducted quickly and simply, rather than those remedies that are more complex or require more time (Swanson and Kelley, 2001). In turn, customer satisfaction following an incident has been found to influence repurchase intentions and word-of-mouth intentions (Van Vaerenbergh and Orsingher, 2016).

2.2 Responses to cybersecurity incidents

In the context of cybersecurity incidents, which we view as a type of organizational crisis (per the definition provided above), a good deal of research attention has been dedicated to the financial consequences of cybersecurity incident announcements. For example, Cavusoglu et al. (2004) evaluate the link between data breach announcements and the market value of the announcing firm. Similarly, Malhotra and Malhotra (2011) examine the links between reports of data breaches and a decline in the market value of a firm, while Foerderer and Schuetz (2022) find that firms time data breach announcements to “coincide with days of predictably high news pressure” (p. 1) in order to reduce attention to the issue and diminish the market reaction.

More recently, research has extended beyond treatments of incident announcements as a binary, “black box” and increasingly considers the nature and characteristics of the announcement itself. For example, Masuch et al. (2020) evaluate the consequences of firm response strategies after a data breach. The results suggest that apologizing after a data breach has detrimental effects on investor behavior, while whitewashing (i.e. downplaying the incident) has a small positive effect on stock value. Similarly, Diesterhöft et al. (2020) analyze the response strategies of 313 data breaches and derive a taxonomy from the results, including compensation, apology, whitewashing, action, value commitment, customer relationship, type of information disclosure and customer behavior advice. Other work by Greve et al. (2020b) evaluates the link between a company’s recovery actions (i.e. compensation or remorse) and a customer’s satisfaction. The study finds that a mix of both compensation and remorse is best to increase customer satisfaction, but that severe data breaches limit the positive benefits that remorse can have on satisfaction. In comparison, Nikkhah and Grover (2022) find that offering compensation is no more effective than apologizing, but the impact of response strategies is contingent on response time. Finally, Goode et al. (2017) consider how much compensation to offer customers following a cybersecurity incident. Results from the study indicate that compensating customers can have a positive impact on perceived service quality and intentions to continue as a customer.

Cultural differences can also play a role in the consequences of a cybersecurity incident. For example, Greve et al. (2020a) compare customer satisfaction levels in Germany and Bolivia following data breaches. The study examines the impact of compensation or an apology, as well as the broader implications on loyalty, trust and word-of-mouth. The authors find that cultural differences do exist, such as Germans being more likely to demand compensation, while Bolivians tend to be satisfied with an apology. Similarly, Kim and Lee (2021) compare organizational statements pertaining to cybersecurity incidents from firms located in the United States and South Korea. They find differences in terms of responsibility admittance and expressions of sympathy (more South Korean firms contained these elements), as well as with reassurance and compensation (more US firms contained these elements).

2.3 Research approach

Based on the background described above, our objective in this study was to build on past research that identifies the typical characteristics of cybersecurity incident notifications to better understand how those characteristics are aggregated together. Although managers are undoubtedly aware of the potential benefits and drawbacks of specific customer response tactics (e.g. apologizing or offering compensation), it remains unclear how organizations assemble collections of tactics together to form a notification strategy. Although we might expect managers to select several notification characteristics that align with the context, risk and objectives of the firm, the existing research has not yet uncovered the extent to which patterns may exist in the characteristics of cybersecurity notifications.

We suggest that this line of inquiry can provide important insights into the broader strategies and techniques used by organizations in response to cybersecurity incidents. From a practice perspective, identifying such patterns can provide clarity on the alternative approaches that could be adopted as a response to cybersecurity incidents. From a research perspective, identifying relationships between notification characteristics is a key step in constructing broader theoretical connections between incident response approaches and subsequent downstream impacts, such as diminished market share, regulatory penalties and lawsuits. Although we confine our focus in this study to the patterns within incident notifications, we view this as an important step towards uncovering downstream relationships with these important outcomes of interest. We outline the details of our methodological approach in the following section.

3. Methodology

We adopted a qualitative, content analysis approach that employed selected principles associated with grounded theory (Corbin and Strauss, 2008; Strauss and Corbin, 1990). This approach was deemed appropriate since we were interested in the characteristics and content contained within the cybersecurity notifications made by organizations, but acknowledge existing theory pertaining to our topic of interest is not yet well developed. By undertaking an exploratory approach that allowed for the emergence of patterns and themes from within the data, we were able to inductively generate insights and identify patterns without being constrained to any a priori theory.

Our data were drawn from public records of cybersecurity incidents. Although the Privacy Rights Clearinghouse database has been commonly used in past research related to cybersecurity incidents (e.g. Collins et al., 2011; Li et al., 2018; Richardson et al., 2019; Nikkhah and Grover, 2022), at the time the study was conducted, no data had been published related to 2020 incidents. As a result, we chose to draw on a listing of worldwide cybersecurity incidents published by IT Governance Ltd. (2021). Each month, the website publishes a listing of links to publicly announced cybersecurity incidents, including ransomware attacks and data breaches, from around the world.

We focused on the incidents reported by the website during January through December 2020. We identified a total of 1,073 incidents (61 in January, 105 in February, 62 in March, 48 in April, 103 in May, 86 in June, 65 in July, 89 in August, 101 in September, 117 in October, 103 in November and 133 in December). For each incident, we recorded the company name, date that the incident was reported, industry, type of incident, a summary of the incident and details of the organizational response. Where this information was incomplete based on the initial link provided by the IT Governance website, we conducted supplementary searches in three databases—ABI/INFORM, Factiva and Nexis Uni—using keywords such as “breach”, “incident” and “cyberattack” alongside the company name. We also searched each organization’s website for cybersecurity incident notifications. A total of 451 incident notifications were identified.

We arrived at several explanations as to why some of the identified incidents did not have notifications. First, depending on the date of the incident, some notifications may have been released on a corporate website and then subsequently taken offline before our research was conducted. In other cases, notifications may not have been created because the incidents did not directly affect customer data or occurred in countries where notifications were not required. Finally, depending on the nature of the organization (e.g. defense administrations, educational institutions), incident notifications were sometimes sent via traditional mail or email and were not posted online.

3.1 Data analysis

Our data analysis focused on the 451 collected cybersecurity incident notifications. We qualitatively analyzed the content of the notifications based on a series of nine characteristics that emerged from our review of the crisis response and cybersecurity literature (refer to Table 1). Although we do not claim that the listed characteristics are exhaustive, we intended to draw on a thorough collection of the characteristics identified in past research (see references in Table 1 for coding sources).

For each of the notifications, we recorded whether the corresponding characteristics were present or absent. During the coding process, the author team met regularly to discuss the coding approach. Where there were any ambiguities in determining a particular incident’s characteristics, the author team discussed the situation and agreed on a coding outcome.

Following the qualitative coding, we used an inductive approach to search for patterns in the grouping of characteristics across the entire pool of cybersecurity incident notifications. We sought to identify both “extreme” types of incident notifications (i.e. uncommon and radical strategies), as well as “typical” responses (i.e. commonly adopted strategies). By iteratively reviewing our incident coding results, we began to identify similarities in how some organizations responded. Based on these initial similarities, we constructed a preliminary matrix of notification characteristic groupings. As we continued examining more of the coding results, these groupings were refined. Early in the process, we identified five distinct groups, but this was later extended to eight and then finally reduced down to six. Collectively, we refer to these as notification types. Refer to Table 2 for details, where each type represents a collection of characteristics that were coded as being either present (e.g. the organization apologized in the notification; indicated with a “Y” in Table 3) or absent (e.g. the organization did not apologize; indicated with an “N” in Table 3). Those characteristics that are not explicitly considered as part of a notification type are indicated with a “-”. Three of these types (full transparency, guarded and opacity) are grouped together as they are all concerned with the level of detail contained within the notice, while the other three types (customer interest, balanced interest and company interest) are grouped together due to their orientation around the party that benefits from the notification strategy.

In the following section we provide details on how these six notification types were represented across our 451 cybersecurity incidents.

4. Results

The cybersecurity incidents that formed a basis for our study spanned the entirety of 2020, with December (67) and November (55) containing the highest quantity of notifications. Refer to Table 4 for details. In terms of the originating country of the notification, the United States was most common (303), followed by Canada (29) and the United Kingdom (29). As well, notifications were most commonly identified from organizations in the healthcare sector (117), followed by education (69) and government institutions (63).

In terms of the basic presence or absence of the nine notification characteristics, 65% contained a detailed explanation, 14% included whitewashing elements, 44% contained an apology, 25% included compensation, 82% had responsive action, 80% had a value commitment, 39% articulated a focus on customers, 65% were disclosed openly and 48% contained advice. Refer to Table 5 for details.

4.1 Incident notification types

As noted above, we identified six notification types from our analysis, within two groups. The first group, which contained the full transparency type, the guarded type and the opacity type, was focused on the level of detail contained within the notice. For instance, an example of the full transparency type came with Pacific Specialty Insurance Company’s notification, which included extensive details on the incident, as well as a clear commitment to customers:

The types of information contained within the potentially impacted emails varied by individual but include: an individual’s name, Social Security number, driver’s license and/or government issued identification, financial information, payment card information, medical information, and health insurance information. Pacific Specialty is committed to, and takes very seriously, its responsibility to protect all data in its possession. Pacific Specialty is continuously taking steps to enhance data security protections. As part of its incident response, it changed the log-in credentials for all employee email accounts to prevent further unauthorized access … Pacific Specialty established a dedicated assistance line for individuals seeking additional information regarding this incident. - Pacific Specialty Insurance Company (2020).

In comparison, an example of a guarded notification type was found with the City of Dawson Creek. In this case, although an organizational response is specified and details are provided on the incident, the organization downplays the severity of the event (i.e. whitewashing):

In the early hours of Thursday, January 9th, the City of Dawson Creek discovered that it was the victim of a cyber-attack in which the City’s network was illegally accessed and infected with ransomware. The malware was able to encrypt a number of City systems, rendering them temporarily unusable. City of Dawson Creek staff worked quickly to isolate the attack and to activate a comprehensive cyber incident investigation and response. The impacted systems were backed up, and all necessary steps are being taken to restore access to systems and files, and to ensure operations and services return to normal as quickly as possible. There is currently no evidence to suggest that any information was removed from the City’s systems or inappropriately accessed, and cyber security experts are working quickly to confirm this. - City of Dawson Creek (2020)

Finally, with the opacity type, we found that organizations were much more restrictive with the information they were willing to share. For example, at Enloe Medical Center, the organization provides few details on the incident and downplays the event’s severity. There is also no clear commitment to customer security:

Two weeks following a ransomware incident affecting network infrastructure, Enloe Medical Center is nearing full-functional restoration of its core systems. Upon discovery of the Jan. 2 incident, Enloe’s comprehensive emergency protocols were immediately implemented to safeguard patient records … The swift, seasoned response of Enloe’s Information Technology personnel resulted in major clinical programs being restored and back online within three days of the incident. Ancillary clinical programs were restored and back online shortly thereafter. At this time, there is no indication or evidence that suggests patient data was accessed, or exfiltrated. - Enloe Medical Center (2020).

The second group of notification types, which contained the customer-interest type, the balanced-interest type and the company-interest type, are oriented towards the party that benefits from the notification strategy. For example, the customer-interest type aims to cater to the concerns and well-being of customers. An example is at Tandem Diabetes Care, where the organization takes accountability for the incident, provides advice on how customers should proceed and offers compensation in the form of credit monitoring and identity management:

We recommend that customers review the billing statements they receive from their healthcare providers. If they see services they did not receive, they should contact the provider immediately. For those customers whose Social Security numbers were included in the email accounts, we are offering a complimentary membership of credit monitoring and identity protection services. We take the privacy and confidentiality of our customers’ information very seriously and apologize for any inconvenience or concern this incident may cause our customers. - Tandem Diabetes Care (2020).

In contrast, the balanced interest type attempts to serve the interests of both customers and the company. For example, the University of Utah Health notification includes the acknowledgment of responsibility, though no customer compensation is offered:

We recommend patients review the statements they receive from their health care providers. If there are discrepancies or services that you did not receive, please contact the provider immediately. We deeply regret any concern or inconvenience this may cause our patients. We are actively reviewing information protocols, reinforcing information security procedures with our employees and implementing changes where needed to help prevent an incident like this from happening again. - University of Utah Health (2020).

Finally, the company-interest type frames its notifications in a protective, defensive way, which seeks to best serve the organization. For example, the following notification from Transavia does not take any accountability for the event, provides no advice for customers and offers no compensation:

We continuously monitor our IT landscape to track deviating activities. We have recently found that there has been a case of unwanted access to a Transavia mailbox. After investigation, it appeared that this mailbox contained a file with personal data of a number of passengers who traveled with us … We have reported this to the Dutch Data Protection Authority. Despite the fact that this concerns data from the beginning of 2015 and that it did not contain sensitive data such as address data, credit card information or passport information, we [will] personally inform the passengers involved about this event. - Transavia (2020).

4.2 Patterns across incident notification types

Of the incident responses that fully aligned with our six identified notification types, 177 were full transparency, 7 were guarded, 1 was opacity, 34 were customer interest, 127 were company interest, and 130 were balanced interest (some notifications belonged to one “level of detail” type, as well as one “benefitting party” type). We also noted that 56 incident notices did not fully align with any of the incident notification types.

Since the full transparency and customer-interest types share similar objectives in terms of information distribution, we expected incidents belonging to one category to also correspond to the other. We found that this was the case with 15 notifications. Similarly, we expected responses that were guarded to overlap with balanced interest and four notices were found to do so. Finally, we expected notifications that were the opacity type to also be company-interest type, but none were. Interestingly, and contrary to our expectations, we also found that three incidents were coded to both full transparency and company interest, while 27 incidents were coded to full transparency and balanced interest. We also noted that one incident was coded to both guarded and customer interest.

5. Discussion

The objective of this study was to identify patterns in the approaches used by organizations when notifying customers about cybersecurity incidents. We qualitatively coded the characteristics of 451 notifications associated with cybersecurity incidents that occurred during 2020. Our results highlighted six distinct notification types. The first three types were grouped together as pertaining to the level of detail in the notice: full transparency, guarded and opacity. The second three types were grouped together based on the party that benefits from the notification strategy: customer interest, balanced interest and company interest.

The characteristics of the notifications in our sample were distinct from those in previous studies. In particular, the notifications were drawn from a total of 18 countries, whereas past research (e.g. Masuch et al., 2020; Nikkhah and Grover, 2022) tends to focus on firms based in the United States or on a two-country comparison (e.g. Greve et al., 2020a; Kim and Lee, 2021). This provides a uniquely global perspective on cybersecurity incidents and the associated notification strategies. For example, Kim and Lee (2021) examined 108 notifications in the United States and South Korea. They found the most incidents in the retail sector (25.9%), followed by technology (13.9%) and healthcare (12%). In comparison, our sample had the most incidents originating from healthcare (26%), followed by education (15%) and government (14%). The variation here might be explained by the different countries that were examined, but it could also be attributed to the period in which the Kim and Lee data was collected (2008–2016). For example, the recent rise in ransomware attacks has made healthcare and educational institutions particularly popular targets (IBM Security, 2021). However, despite those differences, our results showed similar rates of compensation (25%) relative to Kim and Lee’s findings (33.3%).

Compared to other research, such as Diesterhöft et al. (2020), our findings also show that a number of the US.-based notification characteristics exist similarly in a global dataset. For example, we found that 82.0% of notifications contained responsive actions, 64.5% utilized open disclosure and 80.0% articulated a value commitment. This compares to 84.3%, 82.1% and 80.5%, respectively, in Diesterhöft et al. (2020). However, our results suggested fewer apologies (44.3% versus 73.1%) and less customer advice (48.3% versus 89.5%).

In examining the notification type patterns, we found that although some organizations appear to be focusing primarily on their own interests (1 opacity; 127 company interest), many more organizations are at least partially (7 guarded; 130 balanced interest) or fully committed (177 full transparency; 34 customer interest) to serving customers with informative cybersecurity incident notifications.

5.1 Contributions

From a research perspective, the six notification types that emerged from our study extend past work that identifies the notification characteristics that are utilized by organizations during cybersecurity incidents. Based on the empirical data we collected, these six types provide unique insights into how these various characteristics are assembled within a notification. Indeed, these types may provide valuable clues into the strategic style that organizations employ when managing crisis situations and can help increase managerial awareness of the various incident notification approaches utilized by organizations around the world. This line of inquiry follows past calls (e.g. Diesterhöft et al., 2020) for research investigating the strategy used to select incident notification approaches. Our findings complement past work by Wang and Kuo (2017), who consider potential links between an organization’s crisis response capabilities and its strategic style in terms of the prospector, defender and analyzer typology proposed by Miles and Snow (1978). Wang and Kuo (2017) find that where an organization has established a general strategic direction, its crisis response capabilities will be improved. To the extent that the notification types identified in our findings contain characteristics that are consistent and compatible with one another, it may indicate that the firm has established a broader strategy that has been operationalized within the crisis response activities. Likewise, those firms that simultaneously employ notification characteristics that are seemingly at odds with one another (e.g. whitewashing and compensation) may indicate that an organization has opportunities to establish a guiding strategic style. Although we stop short of presenting causal evidence linking notification approaches to downstream consequences, our study represents an key step towards the development of an understanding of the stakeholder consequences of incident notification strategies.

Results from our study also supplement recent work by Nikkhah and Grover (2022), who examine the official response letters associated with data breaches occurring during 2005–2018 in US.-based public companies. Although the scope of our study differs (i.e. global companies, public and private, various forms of customer notifications, covering any type of cybersecurity incident during 2020), both works highlight the importance of understanding the strategies undertaken by companies in response to cybersecurity events. Our results are distinct in that we focus on identifying patterns of particular notification characteristics that form a broader cybersecurity incident notification strategy, whereas Nikkhah and Grover compare “accommodative” strategies (e.g. corrective action, apology, compensation) with “no action” strategies, as well as examining the downstream consequences for customers.

Our work also provides a distinctly global view of cybersecurity incident notifications. Since nearly 30% of our incident notifications were drawn from countries other than the United States, our results suggest that international approaches appear similar to the United States in some respects (e.g. value commitment) but are distinct in others (e.g. apologies).

From a practical perspective, our findings point out how common characteristics of cybersecurity incident notifications are assembled. By clarifying the core elements of incident notifications and observing how they can be combined together, managers can more mindfully shape an approach that fits their own organization’s circumstances. Doing so could also aid managers in benchmarking their incident notification approach against other firms in their industry. For new organizations or those struggling to decide on a consistent incident notification approach, the notification types highlighted in our findings can provide several possible options that could be considered for adoption. For organizations with a more mature incident notification approach that already corresponds to one of our notification types, our findings may help to highlight additional notification characteristic refinements that could be added in future notifications for improved consistency.

5.2 Limitations and future research

As with any research study, our work is subject to limitations that provide promising opportunities for future research. First, we acknowledge that for some cybersecurity incidents, no customer notification was produced (e.g. due to the lack of requirements to do so) and in others, the notification was not available (e.g. the organization removed it from its website). As a result, our findings are derived from those notifications that were publicly accessible at the time of our study. An interesting direction for future research may be to examine the characteristics of organizations that do and do not issue a customer notification following a cybersecurity incident.

Second, although our study draws on 148 incident notifications originating from non-US organizations, our analysis remains weighted towards incidents from US organizations. Future research could extend this international focus by drawing on a wider time period to gain further insights into the patterns of cybersecurity notifications that exist around the world. As we note in our findings, 56 of our collected incident notifications did not fully fit into any of our six notification types. Interestingly, only 13 (23%) of these were from non-US organizations, even though our sample was 33% international. This suggests that our identified notification types may align better with non-US organizations and that future research could seek to find additional notification types used in US organizations. Future work in this area may benefit from the use of linguistic analysis (e.g. Mattsson and den Haring, 1998; Lee et al., 2006; Kafeza et al., 2021) as a means to compare the terminology used to within incident notifications across different countries and cultures.

Third, our study examined notifications associated with individual cybersecurity incidents, but it remains unclear how notification strategies may change within a single organization for successive incidents. A promising opportunity for future research would be to conduct a longitudinal analysis of the extent that an organization uses similar or different incident notification approaches for different cybersecurity breaches that occur over time. For example, we acknowledge that the time period covered in our study was during the COVID-19 pandemic. A follow-up study could seek to determine the impact that the pandemic had on the approach used by organizations to respond to cybersecurity incidents and how this approach may evolves after the conclusion of the pandemic.

Finally, although our study identifies patterns within the characteristics of cybersecurity incident notifications, we stop short of connecting the resulting notification types to a measure of response effectiveness. Future research could investigate if some notification types tend to correspond with particular downstream consequences such as customer satisfaction, lawsuits, or customer retention/loyalty. It would also be interesting to explore if the notification strategies employed for particular types of incidents (e.g. ransomware) are associated with different downstream consequences. Establishing an empirical relationship between an organization’s notification type and measurable customer consequences could further solidify the importance of notification choices as part of an organization’s cybersecurity crisis response.

6. Conclusion

This study set out to identify patterns contained within cybersecurity incident notifications by constructing a typology of response approaches. Based on analysis of 451 notifications, we identified three distinct types associated with the notification’s level of detail and three response types associated with the benefitting party. Our findings extend past classifications of cybersecurity incident notifications and provide a template of possible notification approaches to be adopted by organizations.

Coding characteristics

Notification characteristicDefinition
Detailed explanationRecognition that a cybersecurity event has occurred, as well as the articulation of specific details (e.g. what happened, when it occurred)
WhitewashingDiverting blame away from the victim organization and blaming others (e.g. employees, suppliers); also includes downplaying of the severity of the incident (Diesterhöft et al., 2020; Masuch et al., 2020)
ApologyAn expression of remorse or regret about the incident (Masuch et al., 2020; Fehr and Gelfand, 2010)
CompensationThe offering of monetary (e.g. refunds or discounts) or service (e.g. credit monitoring) compensation to customers impacted by the incident (Diesterhöft et al., 2020; Goode et al., 2017; Fehr and Gelfand, 2010)
Responsive actionA description of the proactive and/or preventive actions that have been (or will be) undertaken by the organization in the wake of the incident (Diesterhöft et al., 2020)
Value commitmentExplanation of the company’s commitment to ensuring security and/or transparency (Diesterhöft et al., 2020)
Focused on the customersExplicit recognition of the importance of customers to the company (Diesterhöft et al., 2020)
Open information disclosureA detailed disclosure of the data has been impacted (e.g. passwords, financial information) (Diesterhöft et al., 2020)
Customer adviceRecommendations are provided on how customers should move forward after the incident (e.g. changing a password, monitoring credit) (Diesterhöft et al., 2020)

Incident notification types

Notification groupingNotification typeDefinition
Level of detail contained within the noticeFull transparencyA notification is fully forthcoming and contains a detailed explanation (i.e. what, when) of the incident without whitewashing. A clear organizational response is specified, as well as a value commitment
GuardedA notification discloses at least some information (i.e. what, when) relevant to the incident, while also whitewashing the company’s responsibility for the event. However, a clear organizational response is specified, as is a value commitment
OpacityA notification discloses little to no information (i.e. what, when) relevant to the incident, while also whitewashing the company’s responsibility for the event. Although there is responsive action noted, there is no value commitment
The party that benefits from the notification strategyCustomer interestA notification contains information that primarily benefits customers. The company takes full accountability for the incident, while also giving customers advice and compensation
Balanced interestA notification contains information that benefits both the customer and the company. Though customers are not compensated, the company takes full accountability for the incident
Company interestA notification contains information that primarily benefits the company. The company takes no accountability for the incident, gives no advice to customers and offers no compensation

Coding types

Notification groupingNotification typeNotification characteristics
Detailed explanationWhitewashingApologyCompensationResponsive actionValue commitmentCustomer focusOpen disclosureCustomer advice
Level of detail contained within the noticeFull TransparencyYNYYY
GuardedNYYYN
OpacityNYYNN
The party that benefits from the notification strategyCustomer interestYYYY
Balanced interestYN
Company interestNNNN

Organization and incident details

CategoryDescription
MonthJanuary: 29 (6.4%)
February: 41 (9.1%)
March: 23 (5.1%)
April: 23 (5.1%)
May: 41 (9.1%)
June: 35 (7.8%)
July: 21 (4.7%)
August: 31 (6.9%)
September: 44 (9.8%)
October: 41 (9.1%)
November: 55 (12.2%)
December: 67 (14.9%)
CountryUnited States: 303 (67.2%)
Canada: 29 (6.4%)
United Kingdom: 29 (6.4%)
Australia: 11 (2.4%)
Japan: 11 (2.4%)
France: 11 (2.4%)
Other: 57 (12.6%)
IndustryHealthcare and Medical: 117 (25.9%)
Educational Institutions: 69 (15.3%)
Government and Military: 63 (14.0%)
Retail: 48 (10.6%)
Technology: 45 (10.0%)
Other: 42 (9.3%)
Finance and Insurance: 35 (7.8%)
Non-profit: 17 (3.8%)
Hospitality: 15 (3.3%)

Notification characteristic coding

CharacteristicYesNo
Detailed explanation 291 (65%)160 (35%)
Whitewashing 65 (14%)385 (85%)
Apology 200 (44%)251 (56%)
Compensation 113 (25%)337 (75%)
Responsive action 370 (82%)81 (18%)
Value commitment 361 (80%)89 (20%)
Focused on customers 175 (39%)276 (61%)
Open information disclosure291 (65%)160 (35%)
Customer advice 218 (48%)233 (52%)

Earlier versions of this manuscript were presented at the 55th Hawaii International Conference on System Sciences and the Cybersecurity Emergent Research Symposium.

References

Banker, R.D. and Feng, C. (2019), “The impact of information security breach incidents on CIO turnover”, Journal of Information Systems, Vol. 33, pp. 309-329.

Bitektine, A. and Haack, P. (2015), “The ‘macro’ and the ‘micro’ of legitimacy: toward a multilevel theory of the legitimacy process”, Academy of Management Review, Vol. 40, pp. 49-75.

Bitner, M.J., Booms, B.H. and Tetreault, M.S. (1990), “The service encounter: diagnosing favorable and unfavorable incidents”, Journal of Marketing, Vol. 54, pp. 71-84.

Buckbee, M. (2020), “Data breach definition by stateVaronis, available at: https://www.varonis.com/blog/data-breach-definition-by-state/ (accessed 24 April 2021).

Cavusoglu, H., Mishra, B. and Raghunathan, S. (2004), “The effect of internet security breach announcements on market value: capital market reactions for breached firms and internet security developers”, International Journal of Electronic Commerce, Vol. 9, pp. 69-104.

Cichonski, P., Millar, T., Grance, T. and Scarfone, K. (2012), Computer Security Incident Handling Guide, National Institute of Standards and Technology.

City of Dawson Creek (2020), “Notice to the public January 10thavailable at: https://www.dawsoncreek.ca/2020/notice-to-the-public-january-10th/ (accessed 27 April 2021).

Collins, J.D., Sainato, V.A. and Khey, D.N. (2011), “Organizational data breaches 2005-2010: applying SCP to the healthcare and education sectors”, International Journal of Cyber Criminology, Vol. 5, pp. 794-810.

Coombs, W.T. (2006), “The protective powers of crisis response strategies”, Journal of Promotion Management, Vol. 12, pp. 241-260.

Coombs, W.T. and Holladay, S.J. (2014), “How publics react to crisis communication efforts: comparing crisis response reactions across sub-arenas”, Journal of Communication Management, Vol. 18, pp. 40-57.

Corbin, J. and Strauss, A. (2008), Basics of Qualitative Research, Sage.

Delaware Attorney General (2018), “Cyber-incident customer notification - delware templateavailable at: https://attorneygeneral.delaware.gov/wp-content/uploads/sites/50/2018/11/Travel-Leaders-Group-Data-Breach-Customer-Notification-Delaware-State-Template.pdf (accessed 21 April 2021).

Diesterhöft, T., Masuch, K., Greve, M. and Trang, S. (2020), “Really, what are they offering? A taxonomy of companies’ actual response strategies after a data breach”, 15th Pre-ICIS Workshop on Information Security and Privacy, pp. 1-17.

Eaton, T.V., Grenier, J.H. and Layman, D. (2019), “Accounting and cybersecurity risk management”, Current Issues in Auditing, Vol. 13, pp. C1-C9.

Educase (2013), “Data incident notification toolkit”, available at: https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/resources/information-security-guide/toolkits/data-incident-notification-toolkit (accessed 21 April 2021).

Enloe Medical Center (2020), “Enloe’s clinical programs fully restored following ransomware incident”, available at: https://www.enloe.org/newsroom/news-stories?news=1141 (accessed 27 April 2021).

Fehr, R. and Gelfand, M.J. (2010), “When apologies work: how matching apology components to victims’ self-construals facilitates forgiveness”, Organizational Behavior and Human Decision Processes, Vol. 113, pp. 37-50.

Fischer, D., Posegga, O. and Fischbach, K. (2016), “Communication barriers in crisis management: a literature review”, Twenty-Fourth European Conference on Information Systems, Istanbul, Turkey, pp. 1-18.

Foerderer, J. and Schuetz, S. (2022), “Data breach announcements and stock market reactions: a matter of timing?”, Management Science, Vol. 68 No. 10, pp. 7065-7791.

Gelbrich, K. and Roschk, H. (2011), “A meta-analysis of organizational complaint handling and customer responses”, Journal of Service Research, Vol. 14, pp. 24-43.

Goode, S., Hoehle, H., Venkatesh, V. and Brown, S.A. (2017), “User compensation as a data breach recovery action: an investigation of the sony playstation network breach”, MIS Quarterly, Vol. 41, pp. 703-727.

Greve, M., Masuch, K. and Trang, S. (2020b), “The more, the better? Compensation and remorse as data breach recovery actions – an experimental scenario-based investigation”, 15th International Conference on Wirtschaftsinformatik.

Greve, M., Masuch, K., Hengstler, S. and Trang, S. (2020a), “Overcoming digital challenges: a cross-cultural experimental investigation of recovering from data breaches”, Forty-First International Conference on Information Systems, AIS Virtual Conference Series, pp. 1-17.

Hovav, A. and D’Arcy, J. (2003), “The impact of denial-of-service attack announcements on the market value of firms”, Risk Management and Insurance Review, Vol. 6, pp. 97-121.

IBM Security (2021), IBM X-Force Threat Intelligence Report 2021, IBM Security, Somers, NY.

IT Governance Limited (2021), “IT governance UK blog”, available at: https://www.itgovernance.co.uk/blog (accessed 25 April 2021).

Kafeza, E., Makris, C., Rompolas, G. and Al-Obeidat, F. (2021), “Behavioral and migration analysis of the dynamic customer relationships on twitter”, Information Systems Frontiers, Vol. 23, pp. 1303-1316.

Kau, A.-K. and Loh, W.-Y. (2006), “The effects of service recovery on consumer satisfaction: a comparison between complainants and non-complainants”, Journal of Services Marketing, Vol. 20, pp. 101-111.

Kim, N. and Lee, S. (2021), “Cybersecurity breach and crisis response: an analysis of organizations’ official statements in the United States and South Korea”, International Journal of Business Communication, Vol. 58 No. 4, pp. 560-581.

Lee, M.Y.P., So, D.W.C. and Wong, L.Y.F. (2006), “An inter-linguistic and inter-cultural analysis of global corporate web sites”, Corporate Communications: An International Journal of Accounting Information Systems, Vol. 11, pp. 275-287.

Li, H., No, W.G. and Wang, T. (2018), “SEC’s cybersecurity disclosure guidance and disclosed cybersecurity risk factors”, International Journal of Accounting Information Systems, Vol. 30, pp. 40-55.

Malhotra, A. and Malhotra, C.K. (2011), “Evaluating customer information breaches as service failures: an event study approach”, Journal of Service Research, Vol. 14, pp. 44-59.

Marsen, S. (2020), “Navigating crisis: the role of communication in organizational crisis”, International Journal of Business Communication, Vol. 57, pp. 163-175.

Massey, J.E. (2001), “Managing organizational legitimacy: communication strategies for organizations in crisis”, The Journal of Business Communication, Vol. 38, pp. 153-183.

Masuch, K., Greve, M. and Trang, S. (2020), “Please be silent? Examining the impact of data breach response strategies on the stock value”, Forty-First International Conference on Information Systems, AIS Virtual Conference Series, pp. 1-17.

Mattsson, J. and den Haring, M.J. (1998), “Communication dynamics in the service encounter: a linguistic study in a hotel conference department”, International Journal of Service Industry Management, Vol. 9, pp. 416-435.

McLaughlin, M.-D. and Gogan, J. (2018), “Challenges and best practices in information security management”, MIS Quarterly Executive, Vol. 17, pp. 237-262.

Miles, R.E. and Snow, C.C. (1978), Organizational Strategy, Structure, and Process, McGraw-Hill, New York.

Millar, D.P. and Heath, R.L. (2004), Responding to Crisis: A Rhetorical Approach to Crisis Communication, Lawrence Erlbaum, Mahwah, NJ.

Montana Department of Justice (2017), “Sample data breach notification”, available at: https://dojmt.gov/wp-content/uploads/Glasswasherparts.com_.pdf (accessed 21 April 2021).

Nikkhah, H.R. and Grover, V. (2022), “An empirical investigation of company response to data breaches”, MIS Quarterly, Vol. 46 No. 4, pp. 2163-2196.

NIST (2015), in Hogan, M. and Newton, E. (Eds), Supplemental Information for the Interagency Report on Strategic US Government Engagement in International Standardization to Achieve US Objectives for Cybersecurity.

Office of the Privacy Commissioner of Canada (2019), “A full year of mandatory data breach reporting: what we’ve learned and what businesses need to know”, available at: https://priv.gc.ca/en/blog/20191031/ (accessed 21 April 2021).

Pacific Specialty Insurance Company (2020), “Pacific specialty insurance company provides notice of data security incident”, available at: https://www.prnewswire.com/news-releases/pacific-specialty-insurance-company-provides-notice-of-data-security-incident-301010131.html (accessed 27 April 2021).

Ponemon Institute (2020), Cost of a Data Breach Report [Online]. Traverse City, MI, Ponemon Institute, available at: https://www.ibm.com/security/data-breach (accessed 10 February 2021).

Richardson, V.J., Smith, R.E. and Watson, M.W. (2019), “Much ado about nothing: the (lack of) economic impact of data privacy breaches”, Journal of Information Systems, Vol. 33, pp. 227-265.

Skarlicki, D.P., Folger, R. and Gee, J. (2004), “When social accounts backfire: the exacerbating effects of a polite message or an apology on reactions to an unfair outcome”, Journal of Applied Social Psychology, Vol. 34, pp. 322-341.

Smith, T.J., Higgs, J.L. and Pinsker, R. (2019), “Do auditors price breach risk in their audit fees?”, Journal of Information Systems, Vol. 33, pp. 177-204.

Spreng, R.A., Harrell, G.D. and Mackoy, R.D. (1995), “Service recovery: impact on satisfaction and intentions”, Journal of Services Marketing, Vol. 9, pp. 15-23.

Strauss, A. and Corbin, J. (1990), Basics of Qualitative Research: Grounded Theory Procedures and Techniques, Sage.

Swanson, S.R. and Kelley, S.W. (2001), “Attributions and outcomes of the service recovery process”, Journal of Marketing Theory and Practice, Vol. 9, pp. 50-65.

Tandem Diabetes Care (2020), “Tandem diabetes care notifies customers of phishing incident”, available at: https://www.databreaches.net/tandem-diabetes-care-notifies-customers-of-phishing-incident/ (accessed 27 April 2021).

Transavia (2020), “Unwanted access to a Transavia mailbox”, available at: https://www.transavia.com/en-EU/incident/ (accessed 27 April 2021).

Tucker, S., Turner, N., Barling, J., Reid, E.M. and Elving, C. (2006), “Apologies and transformational leadership”, Journal of Business Ethics, Vol. 63, pp. 195-207.

University of Utah Health (2020), “Unauthorized data access alert”, available at: https://healthcare.utah.edu/publicaffairs/news/2020 (accessed 27 April 2021).

Van Vaerenbergh, Y. and Orsingher, C. (2016), “Service recovery: an integrative framework and research agenda”, Academy of Management Perspectives, Vol. 30, pp. 328-346.

Verizon (2020), “2020 data breach investigations report”,Verizon, New York, available at: https://enterprise.verizon.com/resources/reports/dbir/ (accessed 1 March 2021).

Walton, S., Wheeler, P., Zhang, Y. and Zhao, X. (2021), “An integrative review and analysis of cybersecurity research: current state and future directions”, Journal of Information Systems, Vol. 35 No. 1, pp. 155-186.

Wang, C.-Y. and Kuo, M.-F. (2017), “Strategic styles and organizational capability in crisis response in local government”, Administration and Society, Vol. 49, pp. 798-826.

Wang, T., Kannan, K.N. and Ulmer, J.R. (2013), “The association between the disclosure and the realization of information security risk factors”, Information Systems Research, Vol. 24, pp. 201-218.

Yayla, A.A. and Hu, Q. (2011), “The impact of information security events on the stock value of firms: the effect of contingency factors”, Journal of Information Technology, Vol. 26, pp. 60-77.

Zhan, M.M. and Zhao, X. (2021), “How stakeholders react to issues with risk implications: extending a relational perspective of issues management”, Journal of Contingencies and Crisis Management, Vol. 29 No. 4, pp. 385-398.

Acknowledgements

This work was supported by the Social Sciences and Humanities Research Council (SSHRC) under grant 435-2021-0437. The authors thank Mai Nguyen for their research assistance.

Corresponding author

W. Alec Cram is the corresponding author and can be contacted at: wacram@uwaterloo.ca

About the authors

W. Alec Cram is an Associate Professor in the School of Accounting and Finance at the University of Waterloo, Canada. His research focuses on how information systems control initiatives can contribute to improving the performance of organizational processes, including systems development and cybersecurity management. Alec’s work has been published or is forthcoming in a variety of outlets, including MIS Quarterly, Information Systems Research, Journal of Management Information Systems, Journal of the Association for Information Systems, Information Systems Journal and European Journal of Information Systems. He also serves as associate editor at the Information Systems Journal and holds the PwC Fellowship at the University of Waterloo.

Rissaile Mouajou-Kenfack is an undergraduate student in the School of Accounting and Finance at the University of Waterloo, Canada. She is president of the Black Medical Leaders of Tomorrow club, a varsity rugby athlete, as well as a crisis responder for Kids Help Phone. Her research has appeared in the Hawaii International Conference on System Sciences (HICSS).

Related articles