All companies are vulnerable to cyber threats. Any attack can have significant consequences, including direct costs incurred in customer support, security improvements, and investigations. Indirect costs might include an erosion of trust in the corporation, and an undermining of potential clients’ buying intentions. Not all incidents are identical and the nature of a breach may influence how people react. Privacy, the ability to control the use of one’s own personal information, is different to security. The latter is a feature of privacy, also encompassing steps to ensure integrity and confidentiality of personal information. Different responses to privacy violations and security breaches illustrate a range of economic impacts that can stem from data compromise.
This study uses an experimental method to examine the economic impact of privacy violations and security breaches on trust and behaviour. By conducting the experiment in a laboratory, rather than studying a series of real events, researchers were able to better control a range of conditions. Nearly 120 participants were presented with a fictional bank scenario. In the situations described, either 1) no data protection problem occurred, or the bank experienced 2) a privacy incident (i.e. the transfer of client information without customer consent) or 3) a security incident (i.e. theft of customer information by a former employee). After reading about the scenario, each participant was given 10 Euros, and the choice to invest some, all or none in a financial product of the bank. The average proportion of the money invested was then compared between groups.
The largest average investments came from the group shown no data protection problem. The group exposed to the security breach made the lowest investments; this suggests that security breaches may be related to a greater economic impact than privacy violations. In the group aware of the bank’s privacy violations, the impact was on trust, not investment behaviour.
This research reinforces the imperative for security by quantifying the potential monetary loss of security breaches and privacy violations. This could prove useful for cost-benefit analysis of security interventions. Further, it illustrates that there is also an impact on trust that might not correspond directly to investment decisions, but could nonetheless have ramifications for financial institutions’ dealings with their clients.
Trust is important to bank clients, but they consider privacy and financial security differently, which could affect their response to communication of incidents.