AMES, Iowa – If you shop online or swipe a credit or debit card when out to eat, you’ve likely received a notice your personal information was compromised in a data breach. And if you’re like most consumers, chances are you did nothing in response, says an Iowa State University researcher.
Cyberattacks are so prevalent that Rui Chen, an associate professor of information systems in ISU’s Ivy College of Business, says consumers are experiencing data breach fatigue. Chen and colleagues at the University of Texas at San Antonio (Eric Bachura, Rohit Valecha, H. Raghav Rao) are working to understand this behavior. Based on industry research, they know many consumers do not change their passwords or sign up for identity theft protection.
“When a data breach happens they’re not motivated to take any corrective or protective action,” Chen said. “They don’t use a stronger password and change it more often or check their credit files. When this happens society pays, and criminals are the only ones who benefit.”
Retailers are not the only targets of these data breaches. Hackers have hit medical facilities, government agencies and email providers. With so much personal information digitized and stored online, Chen says breaches are now the norm for consumers and breach fatigue creates an ever-growing opportunity for cyber criminals.
Chen and his colleagues received funding from the National Science Foundation to study public response to the 2015 data breach at the U.S. Office of Personnel Management (OPM), which affected 21.5 million people. In a paper, recognized for best paper at the 2017 Americas Conference of Information Systems, the researchers outlined a consumer response model to crisis events, such as data breaches, based on the five stages of grief.
Social media and public sentiment
The research team examined more than 18,000 tweets posted on Twitter over a two-month period that included the hashtag #OPMHack. Chen says the tweets – limited at that time to 140 characters – were ideal for gauging public sentiment (anxiety, anger and sadness) and testing their model. The two-month period started with public notification about the breach and included five significant events, such as the OPM director’s resignation.
Researchers expected to see fluctuations in Twitter activity based on these events, but what stood out was the drop-off rate following each spike. Chen says the drop-off rate after the news first broke was around 35 percent, which means consumers were no longer engaged on social media and commenting on the breach. Near the end of the two-month period, the drop-off rate hit 84 percent.
“The quick drop off in engagement indicates either an acceptance of the breach event or an apathetic tendency toward it, as would be expected with the onset of breach fatigue,” Chen said.
Analysis of the tweets found heightened levels of anxiety, followed by anger and then sadness. Chen says the tweets also provided a comparison between direct victims of the OPM data breach and others commenting on social media. The researchers did not see a difference between the groups when measuring anxiety and anger, but there was a significant difference in sadness, which was higher in the victim group.
The research team is surveying victims of the OPM and the Yahoo! data breach to learn more about how data breach fatigue affects behavior. The work may help improve interventions to change consumer behavior and limit the economic costs associated with these breaches, Chen said. It is also important for future policy intended to crack down on cybercrime.
“If people don’t care about data breaches, lawmakers will have no motivation to beef up laws to protect against cyberthreats,” Chen said.