Combating data breach fatigue

January 24, 2018, Iowa State University

If you shop online or swipe a credit or debit card when out to eat, you've likely received a notice your personal information was compromised in a data breach. And if you're like most consumers, chances are you did nothing in response, says an Iowa State University researcher.

Cyberattacks are so prevalent that Rui Chen, an associate professor of in ISU's Ivy College of Business, says consumers are experiencing data breach fatigue. Chen and colleagues at the University of Texas at San Antonio (Eric Bachura, Rohit Valecha, H. Raghav Rao) are working to understand this behavior. Based on industry research, they know many consumers do not change their passwords or sign up for identity theft protection.

"When a data breach happens they're not motivated to take any corrective or protective action," Chen said. "They don't use a stronger password and change it more often or check their credit files. When this happens society pays, and criminals are the only ones who benefit."

Retailers are not the only targets of these data breaches. Hackers have hit medical facilities, government agencies and email providers. With so much digitized and stored online, Chen says breaches are now the norm for consumers and breach fatigue creates an ever-growing opportunity for cyber criminals.

Chen and his colleagues received funding from the National Science Foundation to study public response to the 2015 data breach at the U.S. Office of Personnel Management (OPM), which affected 21.5 million people. In a paper, recognized for best paper at the 2017 Americas Conference of Information Systems, the researchers outlined a consumer response model to crisis events, such as data breaches, based on the five stages of grief.

Social media and public sentiment

The research team examined more than 18,000 tweets posted on Twitter over a two-month period that included the hashtag #OPMHack. Chen says the tweets – limited at that time to 140 characters – were ideal for gauging public sentiment (anxiety, anger and sadness) and testing their model. The two-month period started with public notification about the breach and included five significant events, such as the OPM director's resignation.

Researchers expected to see fluctuations in Twitter activity based on these events, but what stood out was the drop-off rate following each spike. Chen says the drop-off rate after the news first broke was around 35 percent, which means consumers were no longer engaged on and commenting on the breach. Near the end of the two-month period, the drop-off rate hit 84 percent.

"The quick drop off in engagement indicates either an acceptance of the breach event or an apathetic tendency toward it, as would be expected with the onset of breach fatigue," Chen said.

Analysis of the tweets found heightened levels of anxiety, followed by anger and then sadness. Chen says the tweets also provided a comparison between direct victims of the OPM data breach and others commenting on social media. The researchers did not see a difference between the groups when measuring anxiety and anger, but there was a significant difference in sadness, which was higher in the victim group.

The research team is surveying victims of the OPM and the Yahoo! data breach to learn more about how data fatigue affects behavior. The work may help improve interventions to change consumer behavior and limit the economic costs associated with these breaches, Chen said. It is also important for future policy intended to crack down on cybercrime.

"If people don't care about , lawmakers will have no motivation to beef up laws to protect against cyberthreats," Chen said.

Explore further: Nearly 700,000 UK nationals affected by Equifax breach: company

Related Stories

CareFirst says data breach affects about 1.1M people

May 20, 2015

In the latest disclosure of a cyberattack against a health insurer, CareFirst BlueCross BlueShield says that attackers gained access to a database that included the names of 1.1 million people.

US reviewing better tech identifiers after hacks: Trump aide

October 3, 2017

US officials are studying ways to end the use of social security numbers for identification following a series of data breaches compromising the data for millions of Americans, a Trump administration official said Tuesday.

Recommended for you

Archaeologists discover Incan tomb in Peru

February 16, 2019

Peruvian archaeologists discovered an Incan tomb in the north of the country where an elite member of the pre-Columbian empire was buried, one of the investigators announced Friday.

Where is the universe hiding its missing mass?

February 15, 2019

Astronomers have spent decades looking for something that sounds like it would be hard to miss: about a third of the "normal" matter in the Universe. New results from NASA's Chandra X-ray Observatory may have helped them ...

What rising seas mean for local economies

February 15, 2019

Impacts from climate change are not always easy to see. But for many local businesses in coastal communities across the United States, the evidence is right outside their doors—or in their parking lots.

The friendly extortioner takes it all

February 15, 2019

Cooperating with other people makes many things easier. However, competition is also a characteristic aspect of our society. In their struggle for contracts and positions, people have to be more successful than their competitors ...


Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.