We would like to congratulate Dr. Hamid Reza Nikkhah, one of our valued members, on his recent publication in MIS Quarterly.
An Empirical Investigation of Company Response to Data Breaches
Hamid Reza Nikkhah
Bentley University
Information and Process Management Department
Varun Grover
University of Arkansas
Department of Information Systems
ABSTRACT.
Companies may face serious adverse consequences as a result of a data breach event. To repair the potential damage to relationships with stakeholders after data breaches, companies adopt a variety of response strategies. However, the effects of these response strategies on the behavior of stakeholders after a data breach are unclear; differences in response times may also affect these outcomes, depending on the notification laws that apply to each company. As part of a multi-method study, we first identify the adopted response strategies in Study 1 based on content analysis of the response letters issued by publicly traded U.S. companies (n = 204) following data breaches; these strategies include any combination of the following: corrective action, apology, and compensation. We also find that breached companies may remain silent and adopt a no action strategy. In Studies 2 and 3, we examine the effects of various response strategies and response times on the predominant stakeholders affected by data breaches: customers and investors. In Study 2, we focus on customers and present a moderated-moderated-mediation model based on the expectancy violation theory. To test this model, we design a factorial survey with 15 different conditions (n = 811). In Study 3, we focus on investors and conduct an event study (n = 166) to examine their reactions to company responses to data breaches. The results indicate the presence of moderating effects of certain response strategies; surprisingly, we do not find compensation to be more effective than apology. Further, the magnitude of the moderating effects of response strategies is contingent upon response time. We interpret the results and provide implications for research and practice.
About Hamid Reza Nikkhah
Hamid is an Assistant Professor in the Information and Process Management Department at Bentley University. He received a Ph.D. in Business Administration with a concentration in Information Systems from the University of Arkansas. Hamid has been a Microsoft Certified Professional (MCP) since 2003 and has worked as an information systems project manager and consultant for 12 years. In line with his professional background, his research focuses on cybersecurity, privacy, and cybercrime. Hamid has published his research in refereed journals and presented at prominent IS conferences. Hamid has won two research awards at ICIS conferences and has taught technical and managerial IS courses for more than ten years. Hamid also holds professional certificates such as Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Security+, and several others from Microsoft and Cisco.