Research Article

The Effect of Perceived Controllability of Personal Information Leakage on Emotions and Behavioral Intentions

Wi, Chorong1 · Kwon, Sundong2

1 씨에이에스, 2 Chungbuk National University

Published: January 2017 · Vol. 46 No. 6 · pp. 1555-1576

DOI: https://doi.org/10.17287/kmr.2017.46.6.1555

Abstract

Research in management information systems and information security has thus far focused on the rational aspects that emphasize human rationality, such as security technologies and policies. Consequently, the emotional aspects—such as the disappointment and betrayal felt by customers due to personal information breaches or service failures—have been overshadowed by the emphasis on rationality and have received little attention. As a result, corporate responses to personal information breach incidents have failed to satisfy customer sentiments and have been ineffective in service recovery. Therefore, this study applied the cognition → emotion → conation theory, which has been studied in psychology and marketing, to the context of personal information breaches to investigate the relationships among emotional responses based on the cognition of breach causes and the resulting behavioral intentions. The research model posits that the perception of prior controllability of personal information breach incidents affects emotions, which in turn affects behavioral intentions. Furthermore, these effects differ depending on whether the breach was caused by internal leakage or external hacking.

A survey was conducted targeting individuals who had experienced personal information breaches. The survey presented hypothetical scenarios distinguishing between external hacking and internal leakage as causes of personal information breaches, and respondents answered questions about perceived controllability, emotions, and behavioral intentions for each scenario. A total of 460 data points were collected, and Smart-PLS 2.0 was used as the statistical analysis tool to verify the research model.

The results of verifying the research model through data analysis are as follows. First, higher levels of perceived prior controllability regarding personal information breach incidents induced greater feelings of disappointment and betrayal, and these induced emotions led to higher behavioral intentions for service switching to competitors and negative word-of-mouth. Second, when personal information was breached by external hacking, perceived controllability induced disappointment, which in turn affected negative word-of-mouth intentions. Third, when personal information was breached by insiders, perceived controllability induced feelings of betrayal, which heightened service switching intentions.

The significance of this study can be examined from both academic and managerial perspectives. From an academic standpoint, whereas previous research in the security and personal information protection domain focused on explaining the cognition → behavioral intention relationship, this study applied the cognition → emotion → conation psychological theory to the personal information breach context, thereby enhancing explanatory power compared to prior research. In other words, by adding the emotional dimensions of betrayal and disappointment to the rational aspects emphasized in prior security research, the study enhanced both explanatory power and behavioral predictability.

From a managerial standpoint, the significance lies in focusing on the locus of causality—external hacking versus internal leakage—which had not been addressed in prior research, thereby identifying differences and suggesting that corporate incident response measures should be differentiated according to the locus of causality. Furthermore, by identifying that customers' negative behaviors resulting from personal information breaches stem from disappointment in the case of external hacking and from betrayal in the case of internal leakage, the study contributes to enhancing the effectiveness of corporate post-incident measures.

When a personal information breach occurs due to external hacking, firms need to focus on reducing disappointment. For example, firms can lower customer expectations while seeking their understanding by communicating messages such as: the firm has made every effort toward prevention, but realistically complete prevention is difficult, and regrettably an incident has occurred. Additionally, firms need to specify the security activities they are currently undertaking and present recurrence prevention measures showing as-is and to-be plans for how they will further develop these efforts.

When a personal information breach occurs due to internal leakage, firms need to focus on reducing feelings of betrayal. For example, to heal and recover from the sense of betrayal, firms should first humbly acknowledge their wrongdoing and offer a sincere apology. Furthermore, firms should make efforts to restore fairness through timely and equitable damage compensation. Additionally, firms should internally conduct ethics training and undertake internal personnel renewal by strictly punishing the insiders involved in the breach.
Keywords: External hacking, internal leakage, controllability, disappointment, betrayal, cognition · emotion · conation