The findings on how consumers actually behave after breaches

Dr. Branden Williams shares the data from his recent research on how consumers actually behave after breaches and what it means for security leaders


Do consumers actually flee after a breach?

While headlines suggest a breach drives away customers, most of the evidence is based on perception surveys. When asked, it makes sense that someone would express outrage and suggest they won’t come back.

But do they?

Dr. Branden Williams (@BrandenWilliams) decided to explore a bit deeper. Dr. Williams worked with MAC, the Merchant Acquirer’s Committee, to capture and analyze behavior data. Their findings are available in “Consumer Attitudes Toward Breaches: How Consumers React to Retail Breaches.”

He shared his perspective in “What research reveals about consumer behavior after a security breach.” He also made the key charts available for this slideshow.

CSO staff

Awareness of breaches is poor in general, with two notable exceptions

“Consumers, in general, displayed little awareness of the breaches presented to them. Perhaps this is one of the key indicators of their attitudes toward these breaches. Only Target Stores (81%) and The Home Depot (38%) represented a significant breach awareness. Of the responses, 13% indicated no awareness of any of the data breaches presented.”

The lesson here seems to be “stay out of the headlines.” More broadly, however, it signals that consumer awareness remains low. How does that match your experience?


Who is most likely to defect?

“ … the data indicates that older consumers are more likely to defect because of the breach with nearly three quarters of the defectors being over the age of 46.”

If you do business with people over the age of 45, this could matter to you. That is worth exploring further and certainly makes for a good decision. Otherwise, people are people, and there aren’t any real indicators that suggest they will or won’t leave you.


How quickly do people return?

“Less than 2% (on average) have not returned since a breach went public.

Based on the means from the responses, shoppers tend to return to shop between three and six months from a breach if they were aware of the breach. No one age group demonstrated more propensity to return faster over another…”

This brings us back to the question “Where’s the harm?” While we tend to lament breaches, perhaps consumers have a better understanding than we give them credit for.


How consumers paid, post breach

“Even in spite of merchants suffering from a breach involving the payment cards in consumers’ wallets, consumers still prefer to use cards over other methods of payment. Fully 78% of respondents (on average) paid with a credit or debit card after said merchant’s breach with cash following at a distant second. Respondents over 46 demonstrated a slightly larger preference for cash over other groups.”

Payment cards represent convenience. Combined with zero (or near-zero) liability, that convenience means consumers continue to favor them. This is worth noting as a security leader. Explore ways to make that system more user-friendly and efficient to provide a real benefit.



Why consumers didn’t return

“When asked why consumers who had shopped at one of the breached merchants in the last three years did not return to the merchant within twelve months of the breach, 70% indicated that they do not regularly shop at the merchant in question. Consumers who stood their ground against compromised merchants were in the minority. Only 4% took their business to a competitor that they perceived to be more secure, with an additional 2% indicating they did not return specifically because of the breach.”

This is perhaps the most interesting finding. Dr. Williams makes some suggestions in the paper for additional consideration and discussion around this point. But what seems clear is that people don’t vote with their feet. Even the minority that claim they left… might have left anyway (breaches make for great cover).

Alec Perkins (Creative Commons BY or BY-SA)

What it all means

Dr. Williams shares his experience in the conclusion of the paper, along with some ideas worth exploring. He advances the idea that security breaches are akin to natural disasters:

“... causes a minor interruption in operations with a significant capital outlay to clean up and return to normal operations.”

Hopefully we’ll continue to gather evidence on behavior that allows us to form deeper, actionable insights on breaches. In the meantime, keep shifting the mindset away from “prevent breach” -- which is unattainable -- to “anticipate breach.”

As this data suggests, rapid detection coupled with quick action might keep you out of the headlines. It’ll keep your customers happy and coming back for more.

Copyright © 2016 IDG Communications, Inc.