Exploring Consumer Information-Security Awareness and Preparedness of Data-Breach Events

Abstract: The continuous increase of digital connectivity has improved the capability that businesses have for the collection, manipulation, and distribution of data. Due to shortfalls in security, this capability has resulted in data-breach events being a weekly occurrence globally. Notification of these events is becoming commonplace, in part fueled by notification legislation in many jurisdictions. As of February 2018, mandatory reporting of data breaches came into force in Australia (Australian Notifiable Data Breaches scheme [NDB]), and this was followed by European legislation (GDPR) coming into force in May of the same year. This study aims to establish current levels of information-security awareness within typical consumers in Australia, their awareness of these legislative changes, and their ability to respond to such a notification of their personal information being leaked from a service or system. The research results suggest that consumers had a high level of information-security awareness, yet low awareness of notification legislation. The discussion revealed that expected outcomes primarily drove stakeholder behavior in relation to data-breach and legislation preparedness.
