22 research outputs found

    The Double-Edged Sword of Health Data Breaches: A Comparison of Customer and Stock Price Perspectives on the Impact of Data Breaches of Response Strategies

    Unauthorized access to personal health data, known as data breaches, causes multi-faceted adverse effects and damage. Companies are trying to counteract the impact on customer relationships through recovery strategies such as compensation. On the other hand, there is also a negative effect on the company's stock price. Here, the literature suggests an opposite effect of response strategies, but this has not been explored further until recently. Our study takes both perspectives into account and examines the impact of data breaches on the market valuation in the health sector through an event study. Our results show a controversial relationship: If companies offered compensation to their customers in response to a data breach, this had a negative effect on the company's stock price. Our paper discusses this finding and derives practical implications and lessons learned for response strategies in the case of recent data breaches in the health sector

    Fitness First or Safety First? Examining Adverse Consequences of Privacy Seals in the Event of a Data Breach.

    Data breaches are increasing, and fitness trackers have proven to be an ideal target, as they collect highly sensitive personal health data and are not governed by strict security guidelines. Nevertheless, companies encourage their customers to share data with the fitness tracker using privacy seals, gaining their trust without ensuring security. Since companies cannot guarantee security, the question arises on how privacy seals work after not keeping the security promise. This study examines the possibilities to mitigate the consequences of data breaches in advance to maintain the continuance intention. Expectation-confirmation theory (ECT) and privacy assurance statements as a shaping of privacy seals are used to influence customer expectations regarding the data security of fitness trackers in the run-up to a data breach. Results show that the use of privacy assurance statements leads to high-security expectations, and failure to meet these has a negative impact on satisfaction and thus continuance intention

    Triad or Error? Introducing Three Basic Dimensions of Competence as a Driving Force for Information Security Performance

    As security incidents such as data breaches have dramatically increased in recent years, companies have acknowledged the utmost importance of implementing SETA (Security, Education, Training, and Awareness) programs. Although there has been much effort in designing these programs as effectively as possible, many security incidents are caused by employee misconduct. In this study, we shed light on the basic dimensions of information security competence (ISC) that employees need to efficiently improve their performance in dealing with security threats. Using a competence model from the field of vocational education, we conceptualize information security competence as a multidimensional construct. We then empirically test the impact of information security competence on information security performance in a study with 234 participants. Our results suggest that a differentiated view of competence is necessary, first, to improve employee performance in dealing with security threats and, second, to develop SETA programs that address employee vulnerabilities

    Really, What Are They Offering? A Taxonomy of Companies' Actual Response Strategies after a Data Breach

    Data breaches have become an everyday phenomenon. As a consequence, organizations no longer solely focus on prevention but also proactively prepare for the next data breach. A key element of these efforts is data breach response strategies that aim to retain trust and loyalty of the affected parties. Prior research provides important insights into the effects, causes, and conditions of effective response strategies. However, an underlying conceptualization of different forms of data breach response strategies is lacking. By analyzing the response strategies of 313 data breaches, we inductively derive a taxonomy of data breach response strategies. Our results suggest that response actions can be classified along eight dimensions including 22 distinct characteristics. Our research provides contributions to research and practice. The taxonomy provides a comprehensive framework and allows to link different research streams logically. Subsequently, the taxonomy helps managers to distinguish different data breach response strategies and implement suitable measures

    Replication Research of Moody, Siponen, and Pahnila’s Unified Model of Information Security Policy Compliance

    Information security compliance behavior research has produced several theoretical models derived from different disciplines to explain or predict violations of information security policies (ISP) or related employee intentions. The application of these theories to ISP violations has led to an increasing number of information security behavioral models. Based on this observation, Moody et al. (2018) reviewed and empirically compared 11 theories that predict information system security behavior using a Finnish sample. Drawing on these findings, they derived and tested a unified model of ISP compliance (UMISPC). This study is a conceptual replication of the refined UMISPC by Moody et al (2018). For the replication, we considered the general tendency to violate policy rather than respondents considering specific behaviors according to the scenario approach that Moody et al. (2018) used to test the refined UMISPC. Further, in contrast to Moody et al. (2018), we tested the refined UMISPC with respondents from Germany. In our data, we found empirical evidence for seven of the eight proposed relationships of the refined UMISPC. Only the relationship between fear and reactance remained insignificant in our estimation. Although more research is necessary to confirm our results, we interpret them as further support for the model’s generalizability

    A Double-Edged Sword of Involvement: On the Tension Between Customers’ Group Value and Self-Interest in Data Breach Response Processes

    As data breaches continue to rise, customers exhibit heterogeneous expectations regarding the company's response. Universal responses can show backfire effects since they fail to meet the expectations. Thus, the challenge arises that customer expectations must be known to mitigate the consequences while time is limited to publish the data breach announcement. By drawing on service failure, data breach, and justice research, we theorize that customer involvement provides a viable approach to this challenge. We argue that active customer involvement allows customers to formulate their expectations. Thus, enabling companies to leverage these expectations to provide tailored data breach responses. We test our hypotheses in a digital experiment (n=304). Our results provide a first indication that active customer involvement in a data breach drives positive group value and negative self-interest effects. We contribute to the data breach literature by revealing that customer involvement constitutes a suitable mechanism for identifying customer expectations

    ARE YOU AWARE OF YOUR COMPETENCIES? – THE POTENTIALS OF COMPETENCE RESEARCH TO DESIGN EFFECTIVE SETA PROGRAMS

    Since the late 1990s, security education training and awareness (SETA) programs have become commonplace. Despite extensive research into the effective design of such programs and factors influencing compliance behavior, SETA programs tend not to be as effective as they should be. In order to tailor learning content as closely as possible to individual needs, vocational education relies on the modeling and measurement of competencies. We argue that this existing knowledge can be transferred to the information security domain. Therefore, we introduce a competence model from vocational education and consider it in the context of the information security domain. Subsequently, we conduct a structured literature review on conceptualization and effective SETA design and investigate to what extent the competence dimensions from vocational education are already considered in the SETA literature. Our results indicate that competence research can make an important contribution to adapting SETA programs to individual situational actions

    Chatbots at Digital Workplaces – A Grounded-Theory Approach for Surveying Application Areas and Objectives

    Background: Chatbots are currently on the rise as more and more researchers tackle this topic from different perspectives. Simultaneously, workplaces and ways of working are increasingly changing in the context of digitalization. However, despite the promised benefits, the changes still show problems that should be tackled more purposefully by chatbots. Application areas and underlying objectives of a chatbot application at digital workplaces especially have not been researched yet. Method: To solve the existing problems and close the research gap, we did a qualitative empirical study based on the grounded-theory process. Therefore, we interviewed 29 experts in a cross-section of different industry sectors and sizes. The experts work in the information systems domain or have profound knowledge of (future) workplace design, especially regarding chatbots. Results: We identified three fundamental usage scenarios of chatbots in seven possible application areas. As a result of this, we found both divisional and cross-divisional application areas at workplaces. Furthermore, we detected fifteen underlying objectives of a chatbot operation, which can be categorized from direct over mid-level to indirect ones. We show dependencies between them, as well. Conclusions: Our results prove the applicability of chatbots in workplace settings. The chatbot operation seems especially fruitful in the support or the self-service domain, where it provides information, carries out processes, or captures process-related data. Additionally, automation, workload reduction, and cost reduction are the fundamental objectives of chatbots in workplace scenarios. With this study, we contribute to the scientific knowledge base by providing knowledge from practice for future research approaches and closing the outlined research gap. Available at: https://aisel.aisnet.org/pajais/vol12/iss2/3

    The Role of Uncertainty in Data Breach Response Processes - A Reactance Theory Perspective

    Data breaches lead to inherent uncertainty among customers due to the compromise of information and its potential consequences for customers, e.g., identity theft or credit card misuse. Previous research has focused on outcome-based strategies to address these negative impacts. However, informed by reactance theory, we argue that customers feel a loss of control due to the induced uncertainty and that companies need to tackle these impacts. We test our hypotheses in two empirical studies. The results of Study 1 suggest that data breaches indeed lead to an increased perception of uncertainty among customers. Study 2 examines to what extent the establishment of control can mitigate the negative uncertainty effects. We highlight that by providing customers with control, companies can reduce the degree of uncertainty and increase satisfaction with the response. By conceptualizing choice as a catalyst for perceived control, we offer practitioners a novel strategy for responding to data breaches

    Bridging the Gap between Security Competencies and Security Threats: Toward a Cyber Security Domain Model

    Security incidents are increasing in a wide range of organizational types and sizes worldwide. Although various threat models already exist to classify security threats, they seem to take insufficient account of which organizational assets the threat events are targeting. Therefore, we argue that conducting more job-specific IT security training is necessary to ensure organizational IT security. This requires considering which assets employees use in their daily work and for which threat events employees need to build up IT security competencies. Subsequently, we build a framework-based Cyber Security Domain Model (CSDM) for IT-secure behavior. We follow the Evidence Centered Assessment Design (ECD) to provide a deep-dive analysis of the domain for IT-secure behavior. As the leading result relevant for research and practice, we present our CSDM consisting of 1,087 cyber threat vectors and apply it to five job specifications