Despite intense media attention on data breaches and identity thefts, very little is known about how users respond to adverse security events. Effective security policy making and firm response critically depends on how users respond when the firm holding their data is breached. Many argue that users may not pay adequate attention to security events or data breaches. They may ignore firms' breach notifications, especially if they receive many such notifications or when the notices are not specific enough. Even when users respond, it may be nuanced and subtle and not readily measured. This project examines users' responses to security events by assembling a large and unique field dataset. By collaborating with a large financial institution, the research team has access to detailed data for more than half million customers for more than six years spread over different geographies in the US. User response can range from leaving the firm to aversion to Internet and mobile based banking to changes in adopting other banking services. Combining econometrics techniques with machine learning techniques, this project aims to identify degree of behavior changes in user behavior due to an adverse security event or breach notification. The research team aims to estimate how the user response is conditioned by user characteristics (demographic), market characteristics (competition), and breach characteristics. If successful, this project could answer a wide variety of questions that may prove helpful for how firms can successfully overcome such events and how policy makers can fine tune their policy.
EAGER: Consumer Response to Security Incidences and Data Breach Notification