Search results

1 – 10 of over 2000
Article
Publication date: 13 December 2023

Yuanyuan Guo, Chaoyou Wang and Xiaoting Chen

Abstract

Purpose

This study aims to examine the relative effectiveness of functional and financial remedies in influencing customers' negative coping responses in the event of a data breach. It also uncovers the different mediating roles played by customers' feelings of anger and fear in the process of data breach recovery. This study thus differs from the literature, which has primarily focused on the impact of financial compensation and apologies for service failures in face-to-face environments.

Design/methodology/approach

Two scenario-based experiments were conducted to empirically validate the model. The authors received 302 copies of the questionnaire, of which 269 were valid.

Findings

This study finds that functional remedies are more effective than financial remedies when sensitive information has been compromised, but there is no significant difference between the effectiveness of the two remedies when nonsensitive information has been compromised. In addition, functional remedies influence negative coping behaviors directly and indirectly; the indirect effect is achieved through the reduction of fear and anger. Contrary to the authors' expectation, financial remedies do not have a direct effect on negative coping behaviors; they can indirectly affect negative coping behaviors by reducing anger but do not affect negative coping behaviors by reducing fear.

Practical implications

This study provides key insights into how to manage customer reactions in the event of a data breach, suggesting the use of carefully designed recovery strategies. Companies must attend to customers' specific emotional responses to manage their negative coping behaviors.

Originality/value

This study extends the limited literature on data breach recovery actions by investigating the different effectiveness of functional and financial remedies in the event of a data breach. It also uncovers how functional and financial recovery strategies affect customers' negative coping behaviors by revealing the different mediating effects of fear and anger.

Details

Journal of Enterprise Information Management, vol. 37 no. 1
Type: Research Article
ISSN: 1741-0398

Open Access
Article
Publication date: 9 November 2021

Zareef Mohammed

Abstract

Purpose

Data breaches are an increasing phenomenon in today's digital society. Despite the preparations an organization must take to prevent a data breach, it is still necessary to develop strategies in the event of a data breach. This paper explores the key recovery areas necessary for data breach recovery.

Design/methodology/approach

Stakeholder theory and three recovery areas (customer, employee and process recovery) are proposed as necessary theoretical lenses to study data breach recovery. Three data breach cases (Anthem, Equifax, and Citrix) were presented to provide merit to the argument of the proposed theoretical foundations of stakeholder theory and recovery areas for data breach recovery research.

Findings

Insights from these cases reveal four areas of recovery are necessary for data breach recovery – customer recovery, employee recovery, process recovery and regulatory recovery.

Originality/value

These areas are presented in the data recovery areas model and are necessary for: (1) organizations to focus on these areas when resolving data breaches and (2) future data breach recovery researchers in developing their research in the field.

Details

Organizational Cybersecurity Journal: Practice, Process and People, vol. 2 no. 1
Type: Research Article
ISSN: 2635-0270

Article
Publication date: 19 August 2021

Oussama BenRhouma, Ali AlZahrani, Ahmad AlKhodre, Abdallah Namoun and Wasim Ahmad Bhat

Abstract

Purpose

The purpose of this paper is to investigate the private-data pertaining to the interaction of users with social media applications that can be recovered from second-hand Android devices.

Design/methodology/approach

This study uses a black-box testing-principles based methodology to develop use-cases that simulate real-world case-scenarios of the activities performed by the users on the social media application. The authors executed these use-cases in a controlled experiment and examined the Android smartphone to recover the private-data pertaining to these use-cases.

Findings

The results suggest that the social media data recovered from Android devices can reveal a complete timeline of activities performed by the user, identify all the videos watched, uploaded, shared and deleted by the user, disclose the username and user-id of the user, unveil the email addresses used by the user to download the application and share the videos with other users and expose the social network of the user on the platform. Forensic investigators may find this data helpful in investigating crimes such as cyber bullying, racism, blasphemy, vehicle thefts, road accidents and so on. However, this data-breach in Android devices is a threat to users' privacy, identity and profiling in the second-hand market.

Practical implications

The perceived notion of data sanitisation as a result of application removal and factory-reset can have serious implications. Though being helpful to forensic investigators, it leaves the user vulnerable to privacy breach, identity theft, profiling and social network revealing in the second-hand market. At the same time, users' sensitivity towards data-breach might compel users to refrain from selling their Android devices in the second-hand market and hamper device recycling.

Originality/value

This study attempts to bridge the literature gap in social media data-breach in second-hand Android devices by experimentally determining the extent of the breach. The findings of this study can help digital forensic investigators in solving crimes such as vehicle theft, road accidents, cybercrimes and so on. It can assist smartphone users to decide whether to sell their smartphones in a second-hand market, and at the same time encourage developers and researchers to design methods of social media data sanitisation.

Details

Information & Computer Security, vol. 30 no. 1
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 26 February 2021

Hartmut Hoehle, Jia Wei, Sebastian Schuetz and Viswanath Venkatesh

Abstract

Purpose

In the aftermath of data breaches, many firms offer compensation to affected customers to recover from damaged customer sentiments. To understand the effectiveness of such compensation offerings, Goode et al. (2017) examined the effects of compensation offered by Sony following the PlayStation Network breach in 2011. Although Goode et al. (2017) present key insights on data breach compensation, it is unclear whether their findings generalize beyond the context of subscription-based gaming platforms whose customers are young and experience substantial switching costs. To address this issue, we conducted a methodological replication in a retail context with low switching costs.

Design/methodology/approach

In our replication, we examine the effects of compensation offered by Home Depot in the aftermath of its data breach in 2014. Home Depot is the largest home improvement retailer in the US and presents a substantially different context. Data were collected from 901 participants using surveys.

Findings

Our results were consistent with the original study. We found that in retail breaches, effective compensation needs to meet customers' expectations because overcompensation or undercompensation leads to negative outcomes, such as decreased repurchase intention.

Originality/value

Our study provides insights into the effectiveness of compensation in the retail context and confirms the findings of Goode et al. (2017).

Details

Internet Research, vol. 31 no. 3
Type: Research Article
ISSN: 1066-2243

Article
Publication date: 9 April 2024

Jaeyoung Park, Woosik Shin, Beomsoo Kim and Miyea Kim

Abstract

Purpose

This study aims to explore the spillover effects of data breaches from a consumer perspective in the e-commerce context. Specifically, we investigate how an online retailer’s data breach affects consumers’ privacy risk perceptions of competing firms, and further how it affects shopping intention for the competitors. We also examine how the privacy risk contagion effect varies depending on the characteristics of competitors and their competitive responses.

Design/methodology/approach

We conducted two scenario-based experiments with surveys. To assess the spillover effects and the moderating effects, we employed an analysis of covariance. We also performed bootstrapping-based mediation analyses using the PROCESS macro.

Findings

We find evidence for the privacy risk contagion effect and demonstrate that it negatively influences consumers’ shopping intention for a competing firm. We also find that a competitor’s cybersecurity message is effective in avoiding the privacy risk contagion effect and the competitor even benefits from it.

Originality/value

While previous studies have examined the impacts of data breaches on customer perceptions of the breached firm, our study focuses on customer perceptions of the non-breached firms. To the best of the authors’ knowledge, this study is one of the first to provide empirical evidence for the negative spillover effects of a data breach from a consumer perspective. More importantly, this study empirically demonstrates that the non-breached competitor’s competitive response is effective in preventing unintended negative spillover in the context of the data breach.

Details

Internet Research, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 1066-2243

Article
Publication date: 3 July 2024

Danuvasin Charoen and Warut Khern-am-nuai

Abstract

Purpose

The detrimental impact of data breaches on organizations and their customers has been well documented in the literature. These breaches expose sensitive information, raising concerns about reputational damage and substantial financial losses for affected firms. Prior research has consistently demonstrated the significant financial repercussions of data breach disclosures, with a significant decline in the market value of breached firms following the incident’s revelation. However, recent literature has documented the shift in consumer perception toward data breaches, warranting a revisit of this important and relevant issue with more recent data. This study aims to revisit the cost of data breach disclosures by empirically analyzing the impact of recent data breach incidents on the market value of affected firms.

Design/methodology/approach

The authors collect the data regarding data breach incidents among publicly traded companies in the USA listed in the S&P 500 index from 2013 to 2021. The empirical analysis relies on the event study approach, and the market value of each firm is estimated using the Fama-French three-factor model.

Findings

This study finds that the negative market reaction to data breach announcements in recent years has been significantly weaker than those reported in prior works from the past decade. This result confirms the shift in consumer perception toward data breaches in the market.

Originality/value

While prior research has quantified the cost of data breach disclosures, the authors posit that a renewed examination is essential within the contemporary digital environment. Consumer behavior and market sentiment have undergone significant transformations in recent years, necessitating a revisit of this important issue with updated data. This study not only documents this evolving phenomenon but also yields crucial policy recommendations. Notably, it challenges the conventional wisdom to rely on market forces as an adequate deterrent against data breaches. Consequently, updated regulations may be necessary to effectively navigate the complexities of the evolving digital landscape.

Details

Digital Policy, Regulation and Governance, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2398-5038

Article
Publication date: 7 July 2023

Steven Muzatko and Gaurav Bansal

Abstract

Purpose

This research examines the relationship between the timeliness in announcing the discovery of a data breach and consumer trust in an e-commerce company, as well as later trust-rebuilding efforts taken by the company to compensate users impacted by the breach.

Design/methodology/approach

A survey experiment was used to examine the effect of both trust-reducing events (announced data breaches) and trust-enhancing events (provision of identity theft protection and credit monitoring) on consumer trust. The timeliness of the breach announcement by an e-commerce company was manipulated between two randomly assigned groups of subjects; one group viewed an announcement of the breach immediately upon its discovery, and the other viewed an announcement made two months after the breach was discovered. Consumer trust was measured before the breach, after the breach was announced, and finally, after the announcement of data protection.

Findings

The results suggest that companies that delay a data breach announcement are likely to suffer a larger drop in consumer trust than those that immediately disclose the data breach. The results also suggest that trust can be repaired by providing data protection. However, even after providing identity theft protection and credit monitoring, companies that fail to promptly disclose a breach have lower repaired trust than companies that promptly disclose.

Originality/value

This study contributes to the literature on e-commerce trust by examining how a company's forthrightness in reporting a data breach impacts user trust at the time of the disclosure of the data breach and after subsequent efforts to repair trust.

Details

Internet Research, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 1066-2243

Article
Publication date: 16 July 2024

Michael J Rooney, Yair Levy, Wei Li and Ajoy Kumar

Abstract

Purpose

The increased use of Information Systems (IS) as a working tool for employees increases the number of accounts and passwords required. Despite being more aware of password entropy, users still often participate in deviant password behaviors, known as “password workarounds” or “shadow security.” These deviant password behaviors can put individuals and organizations at risk, resulting in a data breach. This paper aims to engage IS users and Subject Matter Experts (SMEs), focused on designing, developing and empirically validating the Password Workaround Cybersecurity Risk Taxonomy (PaWoCyRiT) – a 2x2 taxonomy constructed by aggregated scores of perceived cybersecurity risks from Password Workarounds (PWWAs) techniques and their usage frequency.

Design/methodology/approach

This research study was a developmental design conducted in three phases using qualitative and quantitative methods: (1) A set of 10 PWWAs that were identified from the literature were validated by SMEs along with their perspectives on the PWWAs usage and risk for data breach; (2) A pilot study was conducted to ensure reliability and validity and identify if any measurement issues would have hindered the results and (3) The main study data collection was conducted with a large group of IS users, where they also reported on coworkers' engagement frequencies related to the PWWAs.

Findings

The results indicate that statistically significant differences were found between SMEs and IS users in their aggregated perceptions of risks of the PWWAs in causing a data breach, with IS users perceiving higher risks. Engagement patterns varied between the two groups, and factors like years of IS experience, gender and job level had statistically significant differences among groups.

Practical implications

The PaWoCyRiT taxonomy that we have developed and empirically validated is a handy tool for organizational cyber risk officers. The taxonomy provides organizations with a quantifiable means to assess and ultimately mitigate cybersecurity risks.

Social implications

Passwords have been used for a long time to grant controlled access to classified spaces, electronics, networks and more. However, the dramatic increase in user accounts over the past few decades has exposed the realization that technological measures alone cannot ensure a high level of IS security; this leaves the end-users holding a critical role in protecting their organization and personal information. Thus, the taxonomy that the authors have developed and empirically validated provides broader implications for society, as it assists organizations in all industries with the ability to mitigate the risks of data breaches that can result from PWWAs.

Originality/value

The taxonomy that we have developed and validated, the PaWoCyRiT, provides organizations with insights into password-related risks and behaviors that may lead to data breaches.

Details

Information & Computer Security, vol. ahead-of-print no. ahead-of-print
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 9 November 2022

Santhosh Srinivas and Huigang Liang

Abstract

Purpose

While every firm is striving to embrace digital transformation (DT) to form new differentiating business capabilities, there are dark sides to such initiatives, and it is essential to acknowledge, identify and address them. The purpose of this paper is to identify and empirically demonstrate the impact of such dark sides of DT. While a firm's DT effort may have many dark sides, the authors identify data breaches as the most critical one and focus on proving their impact since it can inflict significant damage to the firm.

Design/methodology/approach

Through the lens of paradox theory, the authors argue that the DT efforts of a firm will lead to increased risk and severity of data breaches. The authors developed a one-of-a-kind longitudinal data set by combining data from multiple sources, including 3604 brands over a 10-year period, and employed a DT performance scorecard to evaluate a firm's DT effort across four key digital selling touchpoints: site, mobile, digital marketing and social media.

Findings

The findings of this study show that a firm's DT efforts pertaining to its mobile and digital marketing platforms significantly increase the likelihood and severity of a data breach event, indicating that these two channels are most vulnerable and need heightened attention from firms. Furthermore, the findings suggest that the negative repercussions of some DT initiatives may be minimized as the firm becomes more innovative. The findings can help firms re-strategize their DT efforts by promoting security and also encouraging a balanced communication strategy.

Originality/value

This research is one of the first to identify, recognize and empirically illustrate the downsides of a DT effort that is otherwise thought to provide only benefits.

Details

Journal of Electronic Business & Digital Economics, vol. 1 no. 1/2
Type: Research Article
ISSN: 2754-4214

Open Access
Article
Publication date: 23 December 2022

W. Alec Cram and Rissaile Mouajou-Kenfack

Abstract

Purpose

The growing frequency of cybersecurity incidents commonly requires organizations to notify customers of ongoing events. However, the content contained within these notifications varies widely, including differences in the level of detail, apportioning of blame, compensation and corrective action. This study seeks to identify patterns contained within cybersecurity incident notifications by constructing a typology of organizational responses.

Design/methodology/approach

Based on a detailed review of 1,073 global cybersecurity incidents occurring during 2020, the authors obtained and qualitatively analyzed 451 customer notifications.

Findings

The results reveal three distinct organizational response types associated with the level of detail contained within the notification (full transparency, guarded and opacity), as well as three response types associated with the benefitting party (customer interest, balanced interest and company interest).

Originality/value

This work extends past classifications of cybersecurity incident notifications and provides a template of possible notification approaches that could be adopted by organizations.

Details

Organizational Cybersecurity Journal: Practice, Process and People, vol. 3 no. 1
Type: Research Article
ISSN: 2635-0270
