Organisations which suffer security breaches in which customer information is put at risk are far more likely to retain consumer trust if they are swift in communicating the incident and are proactive in setting out a solution, according to new research from Durham University Business School.
The study, co-authored by Dr Spyros Angelopoulos, alongside Robert Davison from City University of Hong Kong as well as Noury Janse, Carol Ou, and Xiaowei Zhang from Tilburg University, sought to better understand the actions that organisations typically take in the event of security breaches, and the subsequent reactions of consumers.
By doing so, the researchers hoped to guide organisations in choosing response strategies that could enable them to maintain consumers’ trust as well as their standing in the market.
To capture authentic consumer appraisals on how security breach incidents have been handled previously, the researchers conducted experiments and developed a conceptual model reflecting the most common forms of security breach within e-commerce, along with the typical response strategies of affected organisations.
Their investigation revealed that the key factors for retaining consumer trust following a security breach are; the perceived risk, the severity of the breach and the response efficacy of the affected organisation.
However, the researchers found that consumers’ reactions varied depending on the type of data that was placed at risk. For example, financial risks and privacy risks were found to be the most influential factors in determining consumers’ intentions to return their custom to an affected organisation following a breach.
The chosen response strategy of the affected organisations, proved to be the most vital element in retaining consumer trust. Whilst it could be presumed that announcing a security breach would alarm consumers, the researchers found that by adopting a more proactive response organisations can decrease consumers’ risk perception and positively boost their public appraisal.
Far from hiding or down playing such incidents, the research shows that transparency and proactivity are powerful tools for retaining confidence. Other factors which were revealed to build consumers’ reassurance included historical evidence of other similarly well-handled incidents.
Dr Angelopoulos says:
“Data security and privacy are becoming paramount as organisations are called to steward increasingly large amounts of sensitive information about their customers. Concurrently, the difficulties in developing, implementing, and executing effective information security measures in conjunction with the inevitable and unforeseen security vulnerabilities, make the prevention of security breach incidents practically impossible. What organisation can plan for, however, is their response strategy when such incidents occur.
The findings of our study demonstrate that a more responsive strategy, both in terms of announcing the occurrence of the incident as well as in sharing the response strategy for remedying the situation, can enhance the evaluation of an organisation by consumers following a security breach incident. The way in which organisations choose to conduct themselves in the aftermath can help to mitigate the ramifications for failing to adequately steward sensitive customer data in the first place.”
As data plays an increasingly vital part in how organisations operate and make decisions, the study recommends that not only more robust security measures should be put in place, but that such measures should also be monitored, and updated regularly. Additionally, the study recommends that such measures should be communicated to consumers proactively to better manage their perceptions of risk.
Ultimately, when security breach incidents occur, organisations can recover better if they are up-front about what information has been put at risk, and how they will be rectifying the situation. Burying the details and trying to maintain a perfect façade is likely to do more harm than good in the long run.
The study “Security breaches and organisation response strategy: Exploring consumers’ threat and coping appraisals” has been published in the International Journal of Information Management.