The Benefits of a Cyber-Resilience Posture on Negative Public Reaction Following Data Theft

Research shows that customers are insufficiently motivated to protect themselves from crimes that may derive from data theft within an organization. Instead, the burden of security is placed upon the businesses that host their personal information. Companies that fail to sufficiently secure their customers’ information thus risk experiencing potentially ruinous reputational harm. There is a relative dearth of research examining why some businesses that have been breached stay resilient in the face of negative public reaction while others do not. To bridge this knowledge gap, this study tackles the concept of cyber-resilience, defined as the ability to limit, endure, and eventually bounce back from the impact of a cyber incident. A vignette-based experimental study was conducted and featured: (1) a breached business described as having a strong cyber-resilience posture; (2) a breached business described as having a weak cyber-resilience posture. Overall, a convenience sample of 605 students in Canada were randomly assigned to one of the two main experimental conditions. The results show that a strong cyber-resilience posture reduces negative customer attitudes and promotes positive customer behavioral intentions, in comparison to a weak cyber-resilience posture. Similarly, the more negative attitudes a customer holds toward a breached business, the less likely they are to behave favorably toward it. As a result of this study, cyber-resilience, which has hitherto primarily received conceptual attention, gains explanatory power. Furthermore, this research project contributes more generally to business victimology, which is an underdeveloped field of criminology.