The benefits of a cyber-resilience posture on negative public reaction following data theft
| Published date | 01 December 2023 |
| DOI | http://doi.org/10.1177/26338076231161898 |
| Author | Traian Toma,David Décary-Hétu,Benoît Dupont |
| Date | 01 December 2023 |
| Subject Matter | Articles |
The benefits of a cyber-
resilience posture on
negative public reaction
following data theft
Traian Toma , David Décary-Hétu,
and Benoît Dupont
University of Montreal, Montreal, Canada
Abstract
Research shows that customers are insufficiently motivated to protect themselves from crimes that
may derive from data theft within an organisation. Instead, the burden of security is placed upon the
businesses that host their personal information. Companies that fail to sufficiently secure their custo-
mers’information thus risk experiencing potentially ruinous reputational harm. There is a relative
dearth of research examining why some businesses that have been breached stay resilient in the
face of negative public reaction while others do not. To bridge this knowledge gap, this study tackles
the concept of cyber-resilience, defined as the ability to limit, endure, and eventually bounce back from
the impact of a cyber incident. A vignette-based experimental study was conducted and featured: (1) a
breached business described as having a strong cyber-resilience posture; (2) a breached business
described as having a weak cyber-resilience posture. Overall, a convenience sample of 605 students
in Canada were randomly assigned to one of the two main experimental conditions. The results
show that a strong cyber-resilience posture reducesnegative customer attitudes and promotes posi-
tive customer behavioral intentions, in comparison to a weak cyber-resilience posture. Similarly, the
more negative attitudes a customer holdst owarda breached business, the less likely they are to behave
favorably toward it. As a result of this study, cyber-resilience, which has hitherto primarily received
conceptual attention, gains explanatory power. Furthermore, this research project contributes
more generally to business victimology, which is an underdeveloped field of criminology.
Keywords
Crisis communication, cyber-resilience, cybersecurity, data breach, ideal victim, reputation,
risk management, social reaction, victim blaming, vignettes
Date received: 22 August 2022; accepted: 20 February 2023
Corresponding author:
Traian Toma, University of Montreal, Montreal, Canada.
Email: traian.toma@umontreal.ca
Article
Journal of Criminology
2023, Vol. 56(4) 470–493
© The Author(s) 2023
Article reuse guidelines:
sagepub.com/journals-permissions
DOI: 10.1177/26338076231161898
journals.sagepub.com/home/anj
Introduction
Businesses want, and to a certain extend need, to create large databases of their customers’
personal information, both in order to authenticate their customers and provide them with
a personalised and user-friendly experience (Freedman, 2022). While this is beneficial in
some respects, the custody of such databases also comes with a responsibility to protect
customers’confidentiality (Rosati et al., 2019). This is far from a trivial task, as evidenced
by the 22 billion records that were stolen in 2021 alone (RiskBased Security, 2022). In the
event of a data breach, businesses are placed in a difficult position, insofar as they are the
victims of a crime, that is, data theft, but ultimately end up being blamed by customers for
failing to protect their personal information (Bentley et al., 2018; Carre et al., 2018).
Indeed, prior research has demonstrated that a company’s reputation—the aggregate
assessment that stakeholders make of a company’s ability to meet their expectations
(Wartick, 1992)—is negatively impacted in the wake of a data breach (Berezina et al.,
2012; Syed, 2019; Valecha et al., 2017). However, there is little explanatory work explor-
ing how businesses bounce back from public scrutiny following a cyberattack (Dupont
et al., 2020).
The present study takes recourse to Hopkins’s (2016) adaptation of the “ideal victim”to
examine the public reaction to businesses after data theft. More specifically, the study
examines whether the public reaction to victimised firms changes according to their cyber-
resilience posture, that is, “an organization’s ability to limit the impact of cyber disruptions,
maintain critical functions, and rapidly re-establish normal operations following a cyber
incident”(Bryson, 2018, p. 5). Public reaction was divided into (1) attitudes and (2) behav-
ioral intentions. Attitudes group together all the evaluations (favorable or unfavorable) that
a person makes about an entity, while behaviors refer to the actions that are taken by an
individual toward said entity (Ajzen & Fishbein, 1978). A vignette-based experimental pro-
cedure was employed, with the two main experimental conditions involving: (1) a business
with a strong cyber-resilience posture; and (2) a business with a weak cyber-resilience
posture. Data was collected from a convenience sample of 605 students in Canada. After
controlling for gender and age, the results suggest that a strong cyber-resilience posture
reduces negative public attitudes and promotes positive behavioral intentions by the
public,incomparisontoaweakcyber-resilience posture. Furthermore, the more negative
the attitudes held by the public toward a business are, the less likely they are to act favor-
ably toward it.
Literature review
Overview of data breaches
The Personal Information Protection and Electronic Documents Act (PIPEDA) (OPCC,
2018) defines a data breach as: “the loss of, unauthorized access to or unauthorized dis-
closure of personal information resulting from a breach of an organization’s security
safeguards […] or from a failure to establish those safeguards”. Although data breaches
can be either accidental or criminal in nature, the latter account for the most reported
cases in Canada (OPCC, 2019). Despite the fact that most cybercriminals attack a com-
pany’s infrastructure to steal customer data (Verizon, 2021), the real impact in the
Toma et al. 471
To continue reading
Request your trial