Consumer security behaviors and trust following a data breach

Purpose The purpose of this study was to determine how security statement certainty (overconfident, underconfident and realistic) and behavioral intentions of potential consumers impact the perceptions of companies in the presence or absence of a past security breach. Design/methodology/approach The study exposed participants to three types of security statements and randomly assigned them to the presence or absence of a previous breach. Participants then evaluated the company and generated a hypothetical password for that company. Findings This study found that the presence or absence of a previous breach had a large impact on company perceptions, but a minimal impact on behavioral intentions to be personally more secure. Research limitations/implications The authors found that the presence or absence of a previous breach had a large impact on company perceptions, but minimal impact on behavioral intentions to be personally more secure. Practical implications Companies need to be cautious about how much confidence they convey to consumers. Companies should not rely on consumers engaging in secure online practices, even following a breach. Social implications Companies need to communicate personal security behaviors to consumers in a way that still instills confidence in the company but encourages personal responsibility. Originality/value The confidence of company security statements and presence of a previous breach were examined for their impact on company perception and a novel dependent variable of password complexity.