What research reveals about consumer behavior after a security breach

Do consumers flee your business after a breach?

If you believe some headlines, the answer is a resounding yes. Supported by perception surveys that attempt to gauge consumer sentiment. But does their behavior match their bravado?

Dr. Branden Williams (@BrandenWilliams) decided to explore a bit deeper. A notable professional in the industry, he has twenty years of experience in business, technology, information security. This includes deep experience in payments as a consultant, executive, and industry leader. He has written several books on PCI Compliance and hosted several industry events related to payment security & compliance.

Dr. Williams worked with MAC, the Merchant Acquirer’s Committee (Twitter, website), to capture and analyze behavior data. Their findings are available in Consumer Attitudes Toward Breaches: How Consumers React to Retail Breaches (download link). Here are five questions with Dr. Branden Williams:

What prompted you to research consumer behaviors after a breach? What did it take to capture behaviors over perceptions?

The idea for this research came after I reviewed a couple of stats that suggested consumers avoid merchants after a breach. Right next to that stat were the logos of Target, Home Depot, and Sears. Sure, the breaches were bad for those companies, but they are still around and have not closed shop.

Something didn’t add up.

I decided to ask the question about what consumers actually did after a breach, as opposed to what they might do after a breach. The results stood in contrast to previous research. We asked consumers to detail their shopping habits.

One big question that kept coming up while I framed the study is how this translates to small business. If a small business has enough insurance to cover the fees and fines that may come down from a breach, they should be able to weather the storm in a similar fashion (with the same cautions around cash flow).

Let’s focus on research for a second. Based on your experience, any insights for how security leaders to approach and review research?

This is a tricky subject to tackle. As an academic, I had to evaluate research based on a number of elements, but the biggest difference was the way the data was presented. In practitioner-focused white papers, we sometimes leave out the details.

I think the biggest thing that security professionals can do is evaluate how the research was conducted, and see if you agree with the result. In the case of this research, I asked consumers to specifically document their spending behavior. In the other research I mention, consumers were asked to talk about how they felt. Think about how the conversation goes:

Question: Merchant A suffered a breach. Would you shop there?

Consumer: Well, probably not. Breaches are bad, right? So no. I’ll avoid shopping at that merchant.

Of course a consumer is going to respond this way. Even though many of us are terrible digital citizens, I do believe that most folks who have a computer or smartphone realize that if they can access sensitive information, others could too with the right tools. That may instill some fear, which, in turn, would cause them to react this way.

But if the breached merchant is a big corporation that is just down the street from their house (convenience), sells non-durable goods or necessities (needs), and all they had to do was throw away their old credit card and activate a new one, they appear to continue to shop there.

When you compiled and reviewed the evidence from how consumers behavior after breaches – what surprised you? Did anything stand out?

The awareness stat really surprised me. I live in this world, so all of these breaches were memorable to me in different ways. But the fact that 13% had heard of none of the breaches we presented? That was surprising. It also appeared to skew slightly older, meaning that older respondents were more likely to be aware of breaches than younger ones.

Another fun stat that didn’t make it into the paper was the gender divide in awareness. Women showed more awareness toward stores they frequented (Target, Michaels), and men showed more awareness towards stores they frequented (Home Depot, Sears).

What does this suggest for companies in how they need to think about and handle breaches?

An information security breach could be compared to the digital equivalent of a natural disaster, such as Winter Storm Jonas. The event causes a minor interruption in operations with some kind of capital outlay to clean up and return to normal operations.

Managers of firms that suffer a breach must be mindful of cash flows after a breach announcement. Cash will decline from temporary sales reductions and a significant uptick in firm spend related to clean-up efforts. Common costs that firms face in the wake of a payment card breach include investigation and forensic services, legal fees, consulting fees, IT and security infrastructure, headcount increases to support new systems, and reserves held for lawsuit settlements. In addition, a merchant’s processor or acquiring bank may withhold settlement funds to cover costs in the case that the merchant’s post-breach solvency is in question.

Merchants should think about the types of data they use in their normal operations. What kinds of criminals want to take it? How can it be monetized? How can I de-risk my setup to remove the risk of a breach associated with someone stealing this kind of data?

What are 1-2 things a security leader can do with this research report in their organizations?

First, this should be a good way to filter through the FUD. If you are a retailer and a vendor tells you that their solution will preserve your brand value by keeping you safe from breaches, you should ask them how they came to that conclusion. It’s an outdated sound bite that may demonstrate a sales person’s lack of knowledge into the space.

Second, it’s important to have the right message when communicating the impacts of breaches. The impact is financial, and should be treated like a natural disaster. When we construct buildings, we do it with the environment in mind. If we’re near an ocean, we’re going to take different precautions to keep the building safe than if we are at the base of a mountain. It’s also important to focus on the right solutions for your company, and make sure those solutions are aligned with your corporate strategy (a low-cost retailer isn’t going to buy the most expensive security tools).