|
According to recent reports in the press, the Office of Personnel Management (OPM) was hit hard in two recent cyber-attacks (OPM 2015). In April 2015, OPM discovered that personal data (e.g., Social Security Numbers, full name, and birth date) of 4.2 million current and former Federal government employees had been stolen (referred to as personnel records incident hereafter). Later in June 2015, OPM discovered that around 21.5 million employees - current and former Federal employees and contractors - were affected as their personal information such as Social Security Numbers, fingerprints, and background investigation records were compromised (referred to as background investigation records incident hereafter). Unlike other information, sensitive data such as the background investigation records, which include personal histories, relationships, and biometrics, reveal employees' personal lives are difficult to be re-issued. Typical protection such as a few months of credit monitoring may be insufficient in protecting victims from determined attackers. To date, little is known about how and why people decide and act in the aftermath of breaches involving their personal data. In particular, the role of data breach fatigue, manifested by insensitivity to data breaches and low estimate of fraud loss, in affecting people's decisions and actions is unknown. The existing research has also been silent on employees' decision making and reactions in response to data breaches. To fill this research gap, in this proposal, we plan to conduct a study that reveals the key decision factors, response actions, and the potential effect of data breach fatigue in the context of anxiety over the possible outcomes of the breach. Findings of the study will help in understanding employee reactions towards data breaches. New knowledge will help industry and policy makers develop intervention strategies that avert the effect of breach fatigue This proposal will explore the crucial issues that influence employees' responses in the context of the recent two OPM data breach incidents. This proposed research will compare these two different incidents and their impacts on different types of victims, employees who receive notification of the personnel records incident (now), employees who receive notification of both incidents (future), and employees who only receive notification of the background investigation records incident (future). We will also survey employees who have not received any notification, as a control group. In addition to self-reported data through surveys, we shall extend this study by capturing organic Twitter messages related to the two breach incidents in the respective time periods in 2015 to study how people coped with breach incidents. Utilizing natural language processing, we intend to (1) explore patterns of discourses associated with the data breach fatigue, (2) extract coping mechanisms from the discourses, and (3) compare coping mechanisms of employees, identified from the survey and those derived from the data mining.
|
RAPID: Collaborative Research: Employees' Response to OPM Data Breaches: Decision Making in the Context of Anxiety and Fatigue