If your company experiences an information security breach, will customers order from you again?
Author: Tim O'Connor
New psychological studies could be a game changer.
Damage to reputation and brand name is often among the most significant hits an organization takes when knowledge of a security breach becomes public. At last, peer-reviewed scientific research is starting to provide some guidance on how human psychology reacts to news of a breach and how we might use this knowledge to lessen the damage to brand names and customer confidence.
I would encourage everyone in information security management and those responsible for making or responding to announcements about a breach (including marketing, public relations and the “C-Suite”) to read these peer-reviewed studies. I will summarize some key points in this article to get everyone started. The studies and the peer-reviewed journal releases are listed in the references at the bottom of this page. As more journal articles are published I will continue to post any significant new findings.
The latest research focuses on the difference between angry and fearful responses to a data breach. If we understand how people are likely to react, we can greatly reduce the damage to our brand(s) and to the confidence that our customers, partners, lenders, suppliers, and investors have in us.
How Fear Affects Customer Response
The research clearly indicates that easing fears in the wake of a data breach should be a priority, but what exactly does that mean?
From day one you should make an announcement to your customers and to every other party that matters to you. The announcement must come quickly: people tend to imagine a worst-case scenario, and the longer they hold on to their worst fears, the harder it becomes to change the picture in their minds. The announcement should state clearly that disaster recovery plans are in place and that the appropriate response actions are under way. If the breach involves financial or personal information, it should also describe the services that are, or soon will be, offered to affected customers, such as free credit monitoring or other fraud protection. Take care that such services are not presented in a way that leads people to think the breach is larger than the announcement indicates.
The research also shows that you must be careful about how you communicate the scope of the breach. People in a fearful state of mind are very sensitive to the description of the size of a breach. Here is an example given by a lead researcher: “If you have 500 million customers that were affected by a breach, but it only represents around 16% of your customer base, you may want to focus on that small number in your communications to minimize the threat to fearful customers.” Whatever framing you choose, the numbers must be accurate; a scope statement that later has to be revised upward reopens the fear response the announcement was meant to calm.
How Anger Affects Customer Response
Angry customers and related parties care much less about the scope of the breach; their reactions differed very little whether the breach affected 100 accounts or 10 million. People who react with anger focus instead on the perpetrator or on who was responsible for the breach.
Interestingly, fear reactions to a breach announcement also make the stock market sensitive, so stock prices are likely to drop, whereas an anger reaction is associated with a smaller drop.
Preparedness and knowledge are the key.
From this data on reactions to breaches we now know that timely, well-crafted communications about a breach can greatly mitigate the damage, not only to our investor base but also to our customers and partnerships. We cannot stop negative reactions to a breach, but we may be able to influence the ratio of fearful to angry reactions in our favor.
You do not want to be working out how to do your first breach communications just after the event has occurred, yet that is exactly when you will need the plan and the knowledge. This means table-top exercises with all stakeholders should be held and practiced annually. These exercises should cover a variety of scenarios, ideally tied to your most recent risk assessments and industry research.
Often the best people to orchestrate and lead preparedness planning for post-breach communications are not employees of your company but independent third parties who serve as trusted advisors.
Nowhere else in business and industry is the term “knowledge is power” more truly relevant than in information security.
Academic research analyzing responses to data breaches is now starting to emerge. This fear-and-anger study shows how valuable this kind of scientific insight can be. Another ground-breaking study worth reading examined the Target breach disclosed in December 2013. It found that many of the “common sense” actions Target took in its communications may actually have backfired. Please see the references below and watch this blog feed for continuing developments.
References
University of Arkansas, Fayetteville. "Throwing money at data breach may make it worse." ScienceDaily, 22 December 2014. www.sciencedaily.com/releases/2014/12/141222084556.htm
Binghamton University. "Fearful customers sensitive to size and scope of a data breach while angry customers are not." ScienceDaily, 16 May 2019. www.sciencedaily.com/releases/2019/05/190516170024.htm