The benefits of a cyber-resilience posture on negative public reaction following data theft

Published date: 01 December 2023
Authors: Traian Toma, David Décary-Hétu, Benoît Dupont
Subject matter: Articles
Traian Toma, David Décary-Hétu, and Benoît Dupont
University of Montreal, Montreal, Canada
Abstract
Research shows that customers are insufficiently motivated to protect themselves from crimes that may derive from data theft within an organisation. Instead, the burden of security is placed upon the businesses that host their personal information. Companies that fail to sufficiently secure their customers' information thus risk experiencing potentially ruinous reputational harm. There is a relative dearth of research examining why some businesses that have been breached stay resilient in the face of negative public reaction while others do not. To bridge this knowledge gap, this study tackles the concept of cyber-resilience, defined as the ability to limit, endure, and eventually bounce back from the impact of a cyber incident. A vignette-based experimental study was conducted and featured: (1) a breached business described as having a strong cyber-resilience posture; (2) a breached business described as having a weak cyber-resilience posture. Overall, a convenience sample of 605 students in Canada were randomly assigned to one of the two main experimental conditions. The results show that a strong cyber-resilience posture reduces negative customer attitudes and promotes positive customer behavioral intentions, in comparison to a weak cyber-resilience posture. Similarly, the more negative attitudes a customer holds toward a breached business, the less likely they are to behave favorably toward it. As a result of this study, cyber-resilience, which has hitherto primarily received conceptual attention, gains explanatory power. Furthermore, this research project contributes more generally to business victimology, which is an underdeveloped field of criminology.
Keywords
Crisis communication, cyber-resilience, cybersecurity, data breach, ideal victim, reputation, risk management, social reaction, victim blaming, vignettes
Date received: 22 August 2022; accepted: 20 February 2023
Corresponding author:
Traian Toma, University of Montreal, Montreal, Canada.
Journal of Criminology
2023, Vol. 56(4) 470–493
© The Author(s) 2023
Article reuse guidelines:
DOI: 10.1177/26338076231161898
Businesses want, and to a certain extent need, to create large databases of their customers' personal information, both in order to authenticate their customers and provide them with a personalised and user-friendly experience (Freedman, 2022). While this is beneficial in some respects, the custody of such databases also comes with a responsibility to protect customers' confidentiality (Rosati et al., 2019). This is far from a trivial task, as evidenced by the 22 billion records that were stolen in 2021 alone (RiskBased Security, 2022). In the event of a data breach, businesses are placed in a difficult position, insofar as they are the victims of a crime, that is, data theft, but ultimately end up being blamed by customers for failing to protect their personal information (Bentley et al., 2018; Carre et al., 2018). Indeed, prior research has demonstrated that a company's reputation, the aggregate assessment that stakeholders make of a company's ability to meet their expectations (Wartick, 1992), is negatively impacted in the wake of a data breach (Berezina et al., 2012; Syed, 2019; Valecha et al., 2017). However, there is little explanatory work exploring how businesses bounce back from public scrutiny following a cyberattack (Dupont et al., 2020).
The present study takes recourse to Hopkins's (2016) adaptation of the "ideal victim" to examine the public reaction to businesses after data theft. More specifically, the study examines whether the public reaction to victimised firms changes according to their cyber-resilience posture, that is, "an organization's ability to limit the impact of cyber disruptions, maintain critical functions, and rapidly re-establish normal operations following a cyber incident" (Bryson, 2018, p. 5). Public reaction was divided into (1) attitudes and (2) behavioral intentions. Attitudes group together all the evaluations (favorable or unfavorable) that a person makes about an entity, while behaviors refer to the actions that are taken by an individual toward said entity (Ajzen & Fishbein, 1978). A vignette-based experimental procedure was employed, with the two main experimental conditions involving: (1) a business with a strong cyber-resilience posture; and (2) a business with a weak cyber-resilience posture. Data was collected from a convenience sample of 605 students in Canada. After controlling for gender and age, the results suggest that a strong cyber-resilience posture reduces negative public attitudes and promotes positive behavioral intentions by the public, in comparison to a weak cyber-resilience posture. Furthermore, the more negative the attitudes held by the public toward a business are, the less likely they are to act favorably toward it.
Literature review
Overview of data breaches
The Personal Information Protection and Electronic Documents Act (PIPEDA) (OPCC, 2018) defines a data breach as: "the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization's security safeguards [...] or from a failure to establish those safeguards." Although data breaches can be either accidental or criminal in nature, the latter account for the most reported cases in Canada (OPCC, 2019). Despite the fact that most cybercriminals attack a company's infrastructure to steal customer data (Verizon, 2021), the real impact in the