Consumer security behaviors and trust following a data breach

The purpose of this study was to determine how security statement certainty (overconfident, underconfident and realistic) and behavioral intentions of potential consumers impact the perceptions of companies in the presence or absence of a past security breach.

The study exposed participants to three types of security statements and randomly assigned them to the presence or absence of a previous breach. Participants then evaluated the company and generated a hypothetical password for that company.

This study found that the presence or absence of a previous breach had a large impact on company perceptions, but a minimal impact on behavioral intentions to be personally more secure.

The authors found that the presence or absence of a previous breach had a large impact on company perceptions, but minimal impact on behavioral intentions to be personally more secure.

Companies need to be cautious about how much confidence they convey to consumers. Companies should not rely on consumers engaging in secure online practices, even following a breach.

Companies need to communicate personal security behaviors to consumers in a way that still instills confidence in the company but encourages personal responsibility.

The confidence of company security statements and presence of a previous breach were examined for their impact on company perception and a novel dependent variable of password complexity.
