The influencing factors for the impact of a
privacy breach on customer loyalty
A dive in prioritizing customers after a security breach incident regarding information privacy
Master’s thesis
MSc Business Administration - Digital Business
Amsterdam Business School
Amsterdam, 23-06-2017
Author Diederik Petrus Leonardus van de Laarschot
Student No. 10121927
Statement of originality
This document is written by Diederik van de Laarschot who declares to take full
responsibility for the contents of this document.
I declare that the text and the work presented in this document is original and that no sources
other than those mentioned in the text and its references have been used in creating it.
The Faculty of Economics and Business is responsible solely for the supervision of
Acknowledgements
This master’s thesis is the final part of my student life. It has been a busy part of my life, with time flying by so fast. Without the support of certain people, the process would
have been much tougher than it finally was. To these people, I would like to express my
gratitude. Firstly, I want to thank my thesis supervisor Javier Sese for his guidance,
comments and critical view throughout the entire period. His structural method of supervision
was extremely effective and was precisely what I needed. Secondly I want to thank my
college friends for the day by day assistance, company, dinners and fun at the university.
Lastly, I want to thank my family for being there for me and helping me put down a properly
Table of Contents
Statement of originality...I
Acknowledgements ... II
Table of Contents ... III
Abstract ... V 1. Introduction ... 1 2. Literature review ... 4 2.1 Privacy breaches ... 4 2.1.1 Company level ... 5 2.1.2 Customer level ... 8
2.1.3 Literature on service failures ... 11
2.1.4 Conclusion ... 13
2.1.4.1 Research question ... 14
2.2 Conceptual framework ... 16
2.2.1 Main effect of a privacy breach on loyalty ... 17
2.2.2 Moderating effect of engagement, severity and sensitivity ... 19
2.2.2.1 Engagement... 19 2.2.2.2 Severity ... 22 2.2.2.3 Sensitivity ... 24 3. Method ... 27 3.1 Design... 27 3.2 Measures... 28 3.3 Procedure ... 31 3.4 Sample ... 32 4. Results ... 33 4.1 Preliminary analysis ... 33 4.2 Manipulation check ... 36
4.3 Analysis ... 36
4.3.1 Main relation... 36
4.3.2 Engagement, severity and sensitivity ... 37
4.3.2.1 Interaction ... 40
5. Discussion ... 42
5.1 Theoretical implications ... 42
5.2 Managerial implications ... 45
5.3 Limitations and recommendations for further research ... 46
6. Conclusion ... 49
7. References ... 50
Appendix 1. Survey ... 56
Appendix 2. Sample characteristics ... 59
Appendix 3. Factor analysis ... 60
Appendix 4. Heterogeneity test... 61
Appendix 5. Interactions ... 62
Abstract
As company databases with customer information are getting larger, a growing
amount of privacy breaches are taking place. Customer information is wanted and its safety is
not fully guaranteed. These breaches cause privacy violations and change perceptions of trust
in the company affecting loyalty. Different factors are influencing this change and can help
companies decide how resources should be allocated among their customers to minimize the
damage.
Over the past years literature on privacy breaches is developing. However, in most
cases this is mainly focussed on the effect of privacy breaches on the market value of
companies. This research explores this gap by looking into the change of loyalty levels of the
customer. To support our understanding of privacy breach consequences, theories from
service failure theory are successfully applied.
This thesis studies the change of customer loyalty intentions after a privacy breach.
The research question is: “How does a privacy breach influence loyalty in terms of purchase
intention and word of mouth, and how is this effect influenced by customer engagement, severity of the breach and sensitivity of the information?” An experiment is applied in a
survey to study the main effect
The contribution of this research is to confirm that privacy breach exerts a negative
effect on loyalty, and that this effect is influenced by the sensitivity of the information
involved. Effects of engagement and severity are not confirmed. A side finding was that
manipulation of severity had no effect. Respondents made their own distinction on what was
severe or not.
Future studies should consider a local experiment, include a control group and try to
mirror an actual customer-company relationship to gather evidence for a changing effect on
1. Introduction
“I think that this is the ‘tip of the speer’ of what we are going to see in 2017” said W. Donaldson, CEO nomx and data security expert, about the one billion Yahoo accounts
hacked in 2013 (V. Goel & Perlrothdec, 2016). Personal data has become omnipresent in the
21st century. Customer information is provided daily and stored by various companies. More
specifically, the use of e-commerce is skyrocketing (Intelligence, 2016). For almost every
purchase made online, accounts are set up to make orders, service, payment and delivery
possible. This information is not only stored for the benefit of the customer but increasingly
for the use of companies. Over the past decade advancements in IT are increasing the
possibilities for companies to collect customer data and use this for marketing purposes. Thus
data is not only provided through shopping accounts but also traced from online platforms.
Consequently online businesses can use this data to provide service to the customer but also
to increase their efficiency in marketing (McAfee, Brynjolfsson, Davenport, Patil, & Barton,
2012).
Collaboratively these growing databases of customer data are developing a growing
interest among thief’s and hackers. According to
informationisbeautiful.net
(2017) the number of breaches
in the security systems of
customer information is
increasing significantly, mainly
by hacking. In the figure on the
right, the growth in hacking as
part of the data breaches is displayed. These new developments show the importance for
companies to gain knowledge about the impact of privacy breaches on their customers.
Importance of IT security grows explicitly for financial institutions according to Accenture
Security (2016). Financial institutions are found to be quite confident about their security as
only half of them measure impact of breaches. Nevertheless Accenture Security (2016) found
one per three attempts of breaches on financial institutions to be successful. Accenture
Security mentions the importance of investing in IT security, strategy and responses due to
new challenges and higher demands for security.
Along with the rise of hacking incidents, customer concerns regarding the safety of
sensitive information are growing (Bélanger & Crossler, 2011; Tucker, 2014). The
relationships of customers with companies are also changing. Mainly through social media,
customers are creating more affective relationships with brands. The investments to get the
customer engaged are growing each year (eMarketeer, 2015). Those companies are aiming
for increased loyalty which is critical for conducting business in today’s competitive
marketplace (Reichheld & Schefter, 2000).
Even though the number of hacking incidents is growing, current study is focussed on
changes in the market value of breached companies, and little attention is given to changes in
attitudes and behaviour of the customer (Acquisti, Friedman, & Telang, 2006; Cavusoglu,
Mishra, & Raghunathan, 2004; Martin, Borah, & Palmatier, 2017). Above mentioned
subjects: customer data breaches, customer data sensitivity and customer engagement, were
core aspects of many studies. Like J. van Doorn and P.C. Verhoef (2010) who largely studied
engagement and researchers like R. Chakraborty, K.D. Martin, and M. Nofer are mostly the
few who studied effects of breaches on customer attitudes. Moreover there is still ambiguity
about the difference regarding information involved (Ablon, Heaton, Lavery, & Romanosky,
the research on customer information breaches has just taken flight and knowledge about the
differences in customer responses is missing.
This study contributes to theory by being the first to explore the combined knowledge
of customer information breaches and customer engagement in relationship to loyalty.
Additionally sensitivity and severity of the information in the breach are studied further.
Consequently the results of the study can shed light on how to prioritize and scale the
investments in responses following a privacy breach. Effective response strategies allow
companies to mitigate the market reactions.
With the selection of subjects the following research question is composed: “How
does a privacy breach influence loyalty in terms of purchase intention and word of mouth, and how is this effect influenced by customer engagement, severity of the breach and sensitivity of the information?” Research is conducted with a survey containing a repeated
measures experiment design.
The structure of the thesis is as follows. First, privacy breach literature is reviewed
with additional theory from service failure literature. Second, hypotheses are developed by
building upon theories, resulting in the conceptual framework. Third, the method is
explained. And fourth, the results are given whereupon these are discussed. The conclusion
2. Literature review
The literature review starts broadly by setting out the current state of literature, after
which the focus lies on the points of interest.
2.1 Privacy breaches
To understand a privacy breach, a definition of privacy itself is needed. Privacy is the
interest of individuals to preserve a “personal space, free from interference by other people or organisations” (Clarke, 1999). More specifically, Clarke (1999) identifies four different dimensions of privacy:
- Privacy of a person;
- Personal behaviour privacy;
- Personal communication privacy;
- Personal data privacy.
A privacy breach falls in the dimension personal data privacy. Bélanger and Crossler
(2011) define personal data privacy as “one’s ability to control information about oneself”.
The construct has many definitions, but it clearly involves “control over secondary use of
personal data” (Bélanger & Crossler, 2011). This control is the core factor at play. When
information is provided to a company, the customer trusts this company to have this control.
When an unauthorised party (or hacker) gets a hold of his information through a breach in the
security system of that company, the control is lost. When this happens, a privacy breach
occurs. A privacy breach is defined as “the loss of, unauthorized access to, or disclosure of,
personal information” (OPC, 2016). Consequently the data can be used by third parties with the goal of exploiting that data. Possible consequences are complex as they are difficult to
trace. Justifying investments to undo the damage is not easily substantiated, as the damage is
When reviewing literature on privacy breaches, two perspectives can be distinguished.
The first looks at the impact of a privacy breach on the company itself. The second looks at
the impact of the privacy breach on the customers. It is important to look at both perspectives
because they are measured differently. When studying effects on company level, the focus of
researchers is on the changing market values. These are deduced from analysing share prices.
The shortcoming in this view is that these values are based on market valuations of the
company. This perspective ignores the real impact on actual revenue. These costs are often
forgotten and make companies underestimate the consequences of privacy breaches
(Cavusoglu et al., 2004). When looking at revenue, the purchase intention of customers is one
of the most important determinants. Thus, the distinction is relevant as both determine
consequences and relevant factors. First, company level events are discussed, then customer
level.
2.1.1 Company level
At the company level the company is the unit of analysis and the impact of a privacy
breach on the company is reviewed. The consequences are measured in market value. Several
studies measured the effects of data breaches on company level and confirmed that privacy
breaches negatively affect market value (Cavusoglu et al., 2004; A. Malhotra & Kubowicz
Malhotra, 2011; Acquisti et al., 2006; S. Goel & Shawky, 2009). Event based studies are
often applied at the company level to study actual incidents using reports. Cavusoglu et al.
(2004) emphasise that, 40 per cent of US companies state lower customer trust and
confidence as the main unwanted consequences. The only way in which they try to quantify
the actual outcomes of these aspects, is making estimations deriving from market values.
They found that publicly traded US companies lose 2.1 per cent of market value within two
Regarding the type of breach, Cavuslogu (2004) found that hacking incidents are most
severe. This is in line with findings of Garg, Curtis and Halper (2003), who distinguished
between web site defacement, denial of service, theft of credit card information, and for other
customer information. The most severe reactions were found for credit card information and
next for other private information. From a systematic literature review as conducted by
Acquisti et al. (2006) found that disclosure of confidential information creates a negative
effect. Thus, the nature of the data would significantly affects the impact.
On the other hand, Malhotra and Malhotra (2011) found that the type of information
had no effect on market value, but the industry of the breached company did. Different
findings were detected in literature regarding the company and sector. They saw stronger
effects in the financial sector, which is an area where companies have higher standards of
data security. Nevertheless Cavusoglu (2004) found that internet companies were stronger
affected, due to the degree in which the company is dependent upon the internet. High
internet dependent companies have more to lose by a breach in security. Garg et al. (2003)
likewise found higher effects among internet companies.
A strong aspect of measuring consequences of the privacy breach at the company
level is the inclusion of investor expectations on the resulting market value. Acquisti et al.
(2006) found a bigger impact of privacy breaches on market value among retail companies,
and less for financial institutions, ‘other’ companies and data processors. Furthermore smaller
companies were found to experience higher cost (Cavusoglu et al., 2004). However, the
findings of Malhotra and Malhotra (2011) opposes this finding, as they found that revenue is
stronger affected at larger companies.
Regarding the severity of a privacy breach, different perspectives can be taken. When
looking at severity, the size of the problem is judged, regarding possible outcomes. Acquisti
on market value. They only found negative market effects with very large data breaches that
affected a large number of customers. However, these effects were short-lived. They ascribe
these issues to possible consequences like “the risk of impersonation, fraud, or identity theft”. Another risk is an increased chance of being victimised by ‘phishing emails’. This confirms
the finding of larger numbers of accounts breached causing a stronger effect (Garg et al.,
2003). This can be seen as the severity of the event from the perspective of the company. The
impact of severity was confirmed in a later study (Martin et al., 2017). They looked at
severity from the customer perspective. They found effects of private vulnerability, even
without an actual breach. They state that effects of privacy breaches are based on the
customer’s awareness of consequences, becoming a victim or experiencing potential harm, from the privacy breach.
Other found factors found include the time frame and size. Malhotra and Malhotra
(2011) found impact in the short and long term, but stronger in the long term. They theorise
this from network effects and customers who ‘hold a grudge’. This was especially the case
with large breaches. Moreover in a longer time frame, effects on the company level were
found to be more severe when the privacy breach was not the first one (Schatz & Bashroush,
2016).
Research on the company level often resulted in new implications for managers and
companies to get their investments right. Companies are given more knowledge on the
optimal level of investing in IT security regarding risk and protection (Hsieh, Noyes, Liu, &
Fiondella, 2015). However, this was questioned by Sen and Borle (2015) who found that per
industry or state, the number of breaches is positively related to money invested in IT
security. They argue that this is because companies do not invest in the right IT elements.
Results of company level research are quite diverse. Studies on underlying factors,
such as type of the breach, severity, time frame, and type of company resulted in some
ambiguous findings. These included companies in these studies were all retail stores, banks,
retailers or hospitals. Most studies compare privacy breach reports to actual listed market
values caused by the new perspective of investors and the overall cost involved with the
breach due to security costs. Customer loss consequences are often not included in the
calculations. However, customer data should be included in measuring company performance
after a breach, as it is an important link in the chain from cause to effect.
2.1.2 Customer level
Effects of privacy breaches on the customer level are critical to understand how
market values are affected through influence of the change in purchases from the company.
At the customer level, the customer is the unit of analysis and the impact of privacy breaches
on customers is reviewed. Several studies all found a negative relationship of a privacy
breach and loyalty (Chakraborty et al., 2016; Lee & Lee, 2012; Mamonov & Benbunan-Fich,
2015; Martin et al., 2017).
The aforementioned study by Martin et al. (2017) included extensive research on the
effects on customers. The authors found that customers experience negative effects primarily
due to “anxiety about the potential for data misuse and feeling of violation, rather than actual misuse” (Martin et al., 2017). They call this phenomenon ‘data vulnerability’. Furthermore, the study highlights that transparency of data management policies and giving customers
control of their data management can mitigate the effects of data breaches on company
performance. For the effects on the customer level they found that emotional violation and
cognitive trust fully mediate the effect of data vulnerabilities on both purchase intention and
word-of-mouth (WOM); these effects hold various demographic characteristics, industries,
Chakraborty et al. (2016) added an interesting variable —perceived risk— in their
study on major retail stores. Perceived risk indicates how risky customer sees online shopping
in general. This was significant among the younger age group. They found that customers
would become more risk averse due to threat and uncertainty.
In line with the finding of difference between online and offline activity by Lee and
Lee (2012), Goldberg, McHenry, Zambrano Ramos and Chen (2016) found that entire US
households would avoid using online activities altogether. The biggest impact was found for
the online performing of financial transactions, buying goods or services, posting on social
media and expressing controversial opinions. Identity theft was the biggest concern of
influence. This study implies that consequences of a privacy breach on the customer level
influence the entire household and thus have considerable impacts.
Nevertheless Ablon et al. (2016) found that only 11 percent of American adults
stopped doing business with a company after a privacy breach. They explain these numbers
by switching cost, employees who are obligated to use their employer company, the need to
provide personal information again to a different party when switching companies, and
customers not knowing if competitors are more secure (Ablon et al., 2016). This aligns with
the finding of Lee and Lee (2012) that effects on purchase intention are strongly affected by
the perceived damage and the shopping alternative. These alternatives can result in “avoiding
the use of the online store, choosing another online store or switching to offline stores”.
The study by Lee and Lee (2012), on a hacking incident in Korea confirmed his
anxiety related concept. They propose that companies should consider the irrationality of the
decision-making process of online customers, due to the moderating effect of perceived
damage. They describe resulting loyalty as the retreative effect on customers: “these
behaviours can include moving to another offline or online vendor, providing fake customer
channel” (Lee & Lee, 2012). Perceived damage, which could be interpreted as perceived
severity, was central to their finding. Perceived severity indicates to what extent the privacy
breach is a serious problem to the customer.
Chakraborty et al. (2016) found significant effects of the perceived severity of a
privacy breach for two demographic age groups. The effects were stronger for the older
group. Perceived severity has been identified as a significant factor in research on privacy
breach perceptions among smartphone application users (Mamonov & Benbunan-Fich,
2015). Perceptions of severity show significant differences between types of information: a
breach regarding financial information is considered more severe than geo-location data.
Thus, there is also an indication on the customer level that different types of information
cannot be considered as equal.
Regarding different companies, Nofer, Hinz, Muntermann and Roßnagel (2014)
focussed on the effect of privacy breaches on bank customers. They compare the impact of a
privacy breach to a privacy violation of a company through an experiment. They conclude
that a privacy breach lowers trust but does not lower their willingness to invest in the bank.
They state that in the long run the consequences on the customer level affect company value
stronger than consequences on the company level. These indirect effects may be bigger than
the direct effects.
When trust was studied, Chakraborty et al. (2016) found that higher trust does not
necessarily leads to purchase intention and Nofer et al. (2014) found that actual behaviour is
different from the trust resulting from privacy concerns. These findings cast doubt on the
relevance of trust with regard to the impact of privacy breaches on loyalty.
Overall little research has been conducted in the field of privacy breaches on the
customer level. The conducted research focused on companies in the US and Korea (Bélanger
This arises in variables like perceived severity, perceived risk and perceived damage. A
literature search found no studies that included influencing effects of engagement or another
form of the quality of the customer-company relationship.
2.1.3 Literature on service failures
To better understand the consequences of a privacy breach for the customer, studies
from service failure literature are included in the review. Specifically, research regarding the
influence of a customer-company relationship is included. Service failures are events in
which customer perceptions of service quality disappear (Malhotra & Malhotra, 2011).
Malhotra and Malhotra (2011) found that viewing privacy breaches as service failures can be
more effective in finding the right theory due to the congruence of both concepts in causing
“customer loss, negative publicity and liability risk”. Service failures provide an applicable understanding of privacy breach effects. Nevertheless the consequences of privacy breaches
differ from service failures in some core aspects. First, it differs in the difficulty to measure
damages, which complicates determining financial compensations to customers afterwards.
In other respects, privacy breaches hinge upon the fear of possible damage and violation of
trust instead of actual damage leading to more complex responses like monitoring breached
accounts.Malhotra and Malhotra (2011) state that a privacy breach damages customer
privacy and is a violation of trust. The loss of trust can be seen as a service failure as trust
issues are identified as key drivers of customer service quality perceptions. Such a violation
has three salient customer reactions: reduction in future trust, emotional anger and frustration,
and spreading of negative WOM with reduced purchase intention (Malhotra & Malhotra,
2011). In addition, studies associate service failures with dissatisfaction, loss of customers,
increased costs and decline in customer confidence (Komunda & Osarenkhoe, 2012; Wang,
Hess et al. (2003) measure changed satisfaction due to service failure and responses
including the factor customer-company relationships. Responses are efforts to reduce
customer loss. The results show a significant effect of the ability of the relationship to
decrease the effect of a negative response, confirming earlier findings (Berry, 1995).
Furthermore, the customers expect lower service levels in the future when they continue the
relationship. Regarding responses, Hess et al. (2003) concluded that if responses do not
match conflicted damage, a large penalty follows. Finally, the study emphasises that response
or reimbursement expectations are different among customer segments and not equally
productive. Some responses may be overly generous.
Building on the findings of Hess et al. (2003), Grégoire and Fisher (2006) found
supporting evidence for customers with higher quality relationship experiencing the —love is
blind— effect. They found that such customers have a low desire for retaliation, which results
in lower chance of spreading negative WOM. They also suggest that —love is blind—
requires a very strong relationship with the company (high levels of identification).
Mattila (2004) contradicts the mitigating effect of the relationship. This study
suggests that service failures have more negative effects when moderated with higher levels
of emotional bonding. Mattila (2004) proposes that these emotionally bonded customers feel
betrayed. Confirming this study, Grégoire and Fisher (2008) formulated a concept very
damaging to companies: —love becomes hate—. They bring forward actions of customers
who feel betrayed and retaliate to restore fairness in the relationship. These actions
encompass spreading negative WOM and can escalate to harming the reputation of the
company. They speculate that this is caused by anger that not only wants to rebalance the
fairness, but goes beyond that. The concept is founded on the variable ‘perceived betrayal’.
severity. Overall, they found that judgements of fairness in combination with quality of
relationship could foster betrayal which leads to retaliation behaviours.
Grégoire, Tripp and Legoux (2009) focussed on the length of the relationship.
Relationship strength is found to cause more unfavourable reactions of the customers in the
long run. Revenge was found to decrease over time but in the long run, customers still ‘hold a
grudge’ that causes a rapid growth of avoidance from the company. Here too the variable perceived betrayal explains the variation. Ironically, high-quality customers were found to
only need the most modest form of recovery to lower revenge desires, while low-quality
customers only react to expensive responses. Revenge desires were stronger for high-quality
customers. Additionally, perceived greed of the company was found to be the main
influential factor of the desire of revenge (Grégoire, Laufer, & Tripp, 2010). Taken together,
aforementioned studies present an ambiguous effect of the quality of the relationship on the
consequences of service failures.
2.1.4 Conclusion
Research on the company level includes significant change in market values. Various
studies define severity is several ways. But hacking incidents, including credit card
information, are often considered severe. Regarding the type of account, internet companies
are found most relevant. But what company does not depend on the internet today? Final
judgements are still needed regarding the type of sector or account involved. Retail stores,
banks, internet companies and hospitals are the most common subject companies of studies,
but they are hardly related to each other. No study has yet examined privacy breaches in
relation to product categories, and only a little research has been conducted on the company
level (Acquisti et al., 2006; Cavusoglu et al., 2004; Martin et al., 2017).
Research on the customer level found that the irrationality of the customer is relevant
perceived severity and perceived damage highlight this aspect. Furthermore, only
Chakraborty et al. (2016) found a demographic distinction. Moreover, no study on privacy
breaches has studied the customer-company relationship. This has been studied a little in
service failure theory (Grégoire & Fisher, 2006; Grégoire & Fisher, 2008).
Research on severity has been conducted, although the outcomes were often only
marginally determined (Ablon et al., 2016; Chakraborty et al., 2016; Martin et al., 2017). Few
have studied this within service failures (Mamonov & Benbunan-Fich, 2015). A clear effect
of the severity of the breach is lacking in literature. Lastly, research on service failures give
more depth on the irrationality mentioned by Lee and Lee (2012). Privacy breach literature
seems to ignore the possible consequences due to customers who feel betrayed, which would
be understandable.
Overall, the research on privacy breaches has only just begun and knowledge about
different customer reactions is lacking. Besides, research has thus far only been conducted in
the United States (US) and Korea (Bélanger & Crossler, 2011).
2.1.4.1 Research question
All factors of influence on the customer level can be divided in three levels (Martin et
al., 2017). The customer level that looks at characteristics of the customer, the company level
that looks at characteristics of the company, and the event level which looks at characteristics
of the privacy breach itself. The research question will include all levels to start out broadly
in this research venue.
Loyalty is relevant to any company as retaining existing customers is more
cost-efficient than pursuing new prospects (Reichheld & Schefter, 2000). Loyalty is chosen as the
main dependent variable.
Not every privacy breach involves the same type or amount of information. Managers
response effort is valued most by customers for breaches involving different types of
information. Knowledge about the changing customer attitudes is important to let companies
understand the possible consequences per industry and the need for IT security investments.
Determining the influence of engagement on the loyalty changes is important to see how the
most influential customers are affected. Customer engagement is a hot topic and is one of the
most important aspects in the company -customer relationship due to its performance
enhancing effects on the customer, which go further than loyalty (Van Doorn et al., 2010).
This study can shed light on what consequences companies should be most aware of and
which customers deserve the most attention during response processes.
A broad perspective on underlying factors is taken into account when studying the
effects on behaviours of customers. The research question is: “How does a privacy breach
influence loyalty in terms of purchase intention and word of mouth, and how is this effect influenced by customer engagement, severity of the breach and product category?”
2.2 Conceptual framework
For this study, a conceptual framework is proposed to visualise the expected
interactions between the variables. This model is a visualisation of our hypotheses, which
will be described more in-depth in this section. First, the main effect of a privacy breach on
loyalty are studied, displayed as the main relationship in Figure 2. In addition, three
influencing variables are studied: engagement, which we choose for its relevance in today’s
marketing pursuits, severity, which provides information on the size of the problem, and
sensitivity, which implies account relevance. They are each involved in the privacy breach on
a different level. Engagement is a characteristic of the customer and is expected to moderate
the main effect. Severity is a characteristic of the privacy, and sensitivity is a characteristic of
the company. These are both independent variables and displayed as part of the privacy
breach in Figure 2. Next, this study explores the constructs and discuss possible outcome
effects. Privacy breach - Severity - Sensitivity Δ Loyalty Engagement Level H1 H2a (-) H2b (+) Loyalty t=0 H3 (+) H4 (+)
2.2.1 Main effect of a privacy breach on loyalty
Loyalty determines the spending power relating to a specific company or brand (Gee,
Coates, & Nicholson, 2008). Oliver (1999) defines customer loyalty as “a deeply held
commitment to re-buy or re-patronize a preferred product/service consistently in the future, thereby causing repetitive same-brand or same brand-set purchasing despite situational influences and marketing efforts having the potential to cause switching behaviour”. This
study uses this definition in this study. This study focusses on conative loyalty, which
involves behavioural intentions, as actual behaviour cannot be measured in the time frame of
this research.
Loyal customers have the potential to act as WOM promoters (Gee et al., 2008).
WOM is defined as “informal, person-to-person communication between a perceived
non-commercial communicator and a receiver regarding a brand, a product, an organization, or a service (Harrison-Walker, 2001). It is substantially more effective in customer acquisition
than traditional marketing (Trusov, Bucklin, & Pauwels, 2009). Loyal customers are likely to
maintain their customer-company relationship, however, loyalty is always vulnerable and
changeable. Those changes may occur due to regular considerations like typical benefits,
such as pricing, customer service or convenience, but also negative events. These events can
consist of service failures or violations of certain agreements, like privacy. This study aims to
examine the changing level of loyalty caused by a privacy breach.
A privacy breach violates the trust that allowed the customer to provide information.
Trust has been proven to be a strong determinant of purchase intention (Hong & Cho, 2011).
In literature a privacy breach has proven to cause lower trust resulting in lower levels of
loyalty (Chakraborty et al., 2016; Clarke, 1999; Flavián & Guinalíu, 2006; Martin et al. 2016;
There are several —mainly emotional— consequences for the customer. Studies show
that more than one of three customers experience moderate or severe levels of emotional
distress after an identity theft situation resulting from a privacy breach (Harrell & Langton,
2013). This could be because the harm itself is not necessarily the biggest problem, but rather
the fear of being harmed in the future (Fisher, 2012). In addition, characteristics of service
failures often cause anger and frustration (Gelbrich, 2010; Kalamas, Laroche, & Makdessian,
2008). Angry customers are likely to adopt vindictive behaviour, such as stopping positive
WOM and spreading negative WOM (Gelbrich, 2010). Moreover, the victims could enter a
powerless state of mind, as the consequences cannot be altered, which makes them even more
frustrated (Gelbrich, 2010).
When trust is violated, the customer’s reaction regarding loyalty can be explained
with equity theory. This theory is frequently used in service failure literature to explain
loyalty consequences (Grégoire & Fisher, 2008; Grégoire et al., 2009). The theory perceives
the relationship between customer and company as a balance between input and output.
Customers weigh the proportions of investment to the company and rewards from the
company against each other, depending on what is perceived fair. Equity theory predicts that
after the rise of emotion due to inequity, customers act to turn the situation back to a state of
equilibrium (Patterson, Cowley, & Prasongsukarn, 2006). A privacy breach can be perceived
as causing massive inequity, which is expected to trigger a reaction in the customer to
rebalance the relationship.
On the other hand, recent literature points out the importance of including attribution
theory in explanation of service failures (Van Vaerenbergh, Orsingher, Vermeir, & Larivière,
2014). Service failures often cause customers to search for attribution of accountability
(Gelbrich, 2010). Regarding the consequences, Van Vaerenbergh et al. (2014) confirm that
controllability attributions on negative emotions. This type of attribution relates to the extent
to which the company is expected to should have prevented the service failure. Therefore, the
extent to which the company was in control of the event is of great importance.
Furthermore, well found attributions hinge upon one party’s ability to comprehend the
other party’s choices and constraints (Weber, Malhotra, & Murnighan, 2004). This means judgements can be influenced by the information given. It indicates that people who have
more knowledge about the circumstances of the company, have more compassion and are less
likely to attribute the cause to the company. Thus, when little explanatory information is
given, this would have negative loyalty consequences. However, a danger in giving
information lies in the customer seeing the company ‘providing an excuse’ (Liao, 2007).
Service failures cause a reaction in the customer to rebalance the relationship driven
by negative emotions, which can result in a decrease in loyalty (Gelbrich, 2010).
Additionally, when service failures are perceived as being caused by the company, stronger
negative emotions arise within the customer, leading to a change in loyalty (Van Vaerenbergh
et al., 2014). Thus, this study hypothesises that:
H1: A privacy breach causes loyalty to change negatively.
2.2.2 Moderating effect of engagement, severity and sensitivity
2.2.2.1 Engagement
Customer engagement behaviour is broadly defined as “the customers’ behavioural
manifestation toward a brand or firm, beyond purchase, resulting from motivational drivers”
(Van Doorn et al., 2010). More specifically, Kumar, Aksoy, Donkers, Venkatesan, Wiesel,
and Tillmanns (2010) defined it as “interactions like WOM or new product ideas et cetera of
a customer with a firm, with prospects and with other customers, whether they are
at relationships with stakeholders and customers, emphasising its importance on the account
of value. Kumar et al. (2010) say its value is multidimensional and consists of:
- purchase behaviour over lifetime;
- referral value or stimulating others to purchase by getting rewarded for it;
- customer influencer value which is the ability of the customer to stimulate others
to become customers, and lastly;
- knowledge value, the information gathered through feedback from the customer.
This value can be achieved through WOM, recommendations, helping other
customers, blogging, writing reviews and engaging in legal action (Van Doorn et al., 2010).
In line with these theoretical interpretations of customer engagement, this study assumes that
customer engagement consists of behaviours besides purchasing motivated from an emotional
connection with the brand or company.
Customers who have an emotional connection with the company could respond either
stronger or less strong to service failures. According to the aforementioned service failure
literature, better relationship levels could mitigate the damaging effects of service failures
(Hess, Ganesan, & Klein, 2003). Additionally, having a relationship painted by affective
commitment allows the love-is-blind effect (Grégoire & Fisher, 2006).
Love is blind
Engaged customers take such pleasure of buying products and services of the
company that they are likely to keep buying and promote the company. This pleasure or high
level of satisfaction could create a buffer to certain errors of the company and could serve as
a protective layer for loyalty (Sajtos, Brodie, & Whittome, 2010). Furthermore, according to
Albert and Merunka (2013), this love for the company tends to be rooted in commitment,
which is built up from switching cost and scarcity of alternatives (Albert & Merunka, 2013).
would open the possibilities for the customer to accept the situation and still use the product
or service of the company, thus mitigating the effect of a service failure. Thus, this study
hypothesises that:
H2a: Higher customer engagement reduces the impact of a privacy breach on the loyalty of the customer.
On the other hand, customer engagement could cause an even extremer reaction to a
privacy breach. When customers are dedicated to a company and entrust it with their personal
information, the breaking of this trust could be a massive insult to these highly loyal
customers. The involvement of emotions could cause less rational thinking than for
customers who are just loyal. Grégoire and Fisher (2008) points out that engaged customers
would not only feel angry, but would feel betrayed. A high level of betrayal significantly
influences a motivation for revenge, which causes the love-becomes-hate effect.
Love becomes hate
The possible consequences of a privacy breach are far greater than with service
failures. Therefore, it seems likely that the love-becomes-hate effect will appear. As
mentioned by Kumar et al. (2010), the total value of engaged customers is staggering. Such
customers, who are the executors of this value creation for the company, could be aware of
this overinvesting balance to the benefit of the company. In other words, engaged customer
could feel that they are giving a lot to the company and maybe even more than the company
gives in return. Consequently, considering the service failure, the customers could perceive
that it was caused by the greed of the company. In this line of thought, the company is
neglecting the value of the individual’s privacy. For example, the customer could blame the breach to an underinvestment by the company in the information security software.
The perception of the company being greedy has proved to be a strong predictor of
judgement of fairness (Grégoire et al., 2010). Perceived effort and fairness were linked to
engagement in the service recovery literature (Cambra-Fierro, Melero-Polo, & Sese, 2016).
Furthermore, researchers defined information privacy concerns as an “individual’s subjective
views of fairness within the context of information privacy” (Bélanger & Crossler, 2011).
Thus, fairness theory provides understanding on the dynamics at play with the factor
customer engagement.
Thus, in addition to the rebalancing effect due to inequity described in the main
relationship, the engaged customer could include the perception of fairness in his reaction to
service failures. This could cause an emotional reaction, which could trigger the
love-becomes-hate effect. In combination with the possibility of perceiving the company as being
greedy, the proposition is that a second possibility is that customer engagement increases the
main effect of a privacy breach on loyalty.
H2b: Higher customer engagement magnifies the impact of a privacy breach on loyalty.
2.2.2.2 Severity
Severity should be taken into account, as it has been proven to have significant effects
on loyalty, WOM and purchase intention in service failures (Wang et al., 2011; Weun,
Beatty, & Jones, 2004). Another significant form of severity in security and privacy literature
is perceived severity (Chakraborty et al., 2016; Kankanhalli, & Xu, 2009). Severity occurs at
the event level. According to Dayarathna (2011), it is determined by “the number of previous
data breaches, number of records breached this time, the strength of deployed security
measures to prevent the data breach and the damage causes”. This definition of severity is
focussed on consequences for investors and ultimately on market value. As this study
focusses on the consequences of severity for the loyalty of customers, however, this study
Chakraborty et al. (2016) define severity as the level of seriousness of the security
breach at the company as it is perceived by the individual. Moreover, recent research
highlights that the extent to which the data involved in the breached can inflict damage is
relevant (Ablon et al., 2016). Thus, the definition of severity depends on your perspective.
Chakraborty et al. (2016) defines severity as the level of seriousness of the security
issue/breach at the company as it is perceived by the individual. Moreover recent research
highlights this aspect, the extent to which the data involved in the breached is able to inflict
damage is relevant (Ablon et al., 2016). Thus the definition of severity depends on your
perspective.
The assumption is made that severity differs based on possible negative consequences
for the customer. Most negative consequences were found when credit card information was
involved. Moreover, customers’ fear gave most importance to unauthorised third party access
to credit card information in comparison to personal information and other types of concerns
(Miyazaki & Fernandez, 2001). This effect is confirmed by other studies (Garg et al., 2003;
Harrell & Langton, 2013).
Severity seems to be linked to the type of private data. Different types of information
have different impacts. Private information exists in different dimensions (Nissenbaum,
1998), such as identification and description. Identification includes names, email addresses,
house addresses, phone numbers, bank card numbers, etc. Description goes even further; it
contains spending behaviour, online activity, travel information, orders, purchases, etc.
Private information concerning identification is considered less sensitive than aspects of
description (Mamonov & Benbunan-Fich, 2015; Nissenbaum, 1998). Moreover, when
information of both dimensions is combined, accurate statements can be made about the
The possible negative outcomes for the customer create an uncomfortable situation;
the emotional reaction can even cause anger and fear (Fisher, 2012; Harrell & Langton,
2013). This discomfort is based on privacy concerns, which can increase depending upon
how many dimensions of private data are involved (Nissenbaum, 1998). The resulting
discomfort or concerns can increase or decrease depending on the severity of the situation. It
is expected that this emotional distress influences attitudes and therefore purchase intentions.
Thus, this study hypothesises that:
H3: Higher severity of the privacy breach increases the impact on the loyalty of the customer.
2.2.2.3 Sensitivity
Some information requires more care and security than other information, bringing us
to the last influential factor at the company level: the sensitivity of the information. The
sensitivity of information is based on possible positive or negative consequences when an
unauthorised party acquires the information. Weible (1993) defines information sensitivity as
“the level of privacy concern an individual feels for a type of data in a specific situation”. Thus, the sensitivity affects the concerns of the customer and based on this definition, the
variation lies in the specific situation in addition to the type of data. The situation depends on
the company involved in the privacy breach. For example, a person would have higher
privacy concerns when their account history was stolen from their hospital than when that
information was stolen from their online bookstore. Due to the nature of each company,
different information is needed to provide services to the customer.
As in the example, the difference between account information from companies is
likely to be stronger on industry level. The difference is less likely to bring change in
accounts are determined simply by the product category. No clarity exists for the effects of
the product category on privacy breach in literature.
Most previous research involved online retailers, healthcare and financial services.
Different outcomes were measured when studying the relationships between the product
categories. Acquisti et al. (2006) found stronger effects among online retailers than on
financial institutions, contrary to Malhotra and Malhotra (2011), who found stronger effects
for financial institutions. This study concerns itself with the product category financial
services and online retail shopping. They are chosen for their presence among all consumers
in everyday life.
All things being equal, providing more sensitive information has a higher perceived
risk than less sensitive information (Malhotra, Kim, & Agarwal, 2004). Thus, perceived risk
is important when dealing with sensitivity. The risk means there is more to lose when a third
party accesses this information. Perceived risk has been negatively associated with loyalty
(Chakraborty et al., 2016). Moreover, perceived risk is an important factor for the
customer-company relationship.
As mentioned in Paragraph 2.2.1, customers entrust the company with a control over
their data. Perceived risk causes a need for trust to provide information (Olivero & Lunt,
2004). Perceived risk negatively affects trust and thus with higher risk, more trust is needed
to give a company control over the private information. Likewise, more trust is needed if the
information of the customer is more sensitive (Yang, Pang, Liu, Yen, & Michael Tarn, 2015).
Sensitivity is expected be higher for financial services: people’s spending history at their bank is more sensitive than at their online retailer. This is based on the simple fact that
the bank would contain all transactions and the online retailer contains only transactions of
purchases at that website. It is assumed that the average individual uses the same bank for
generally perceived as more sensitive among consumers than, for example, online shopping
patterns or lifestyle information (Malhotra et al., 2004).
People would have bigger privacy concerns when their account is hacked from a
company in the financial or health sector than from an online retailer. Furthermore, the
emotional reaction after a privacy breach can be heightened by higher levels of sensitivity of
the information. Therefore, in the last hypothesis, an influencing effect of sensitivity is
proposed.
H4: Higher sensitivity of the data that is subject of a privacy breach increases the impact on the loyalty of the customer.
3. Method
3.1 Design
To study the effect of a privacy breach on loyalty, a survey is developed to perform an
experiment. This survey stages a privacy breach to provoke a train of thought to reveal a new
perception on loyalty intentions. In the survey the respondents are told to imagine their
relationship with their main supplier of either financial services or online retail products. This
relationship is questioned throughout the survey in terms of engagement, loyalty and
additional variables.
A repeated measures design is applied to study the main relationship between the
privacy breach and loyalty. This means that every respondent is measured on his current
levels of loyalty, and these levels of loyalty are measured again after the staged privacy
breach. This creates a reference point of the variable loyalty, which is used to calculate the
change (Δ loyalty) with the second loyalty measurement. The calculated mean difference
variable of both loyalty measures creates the dependent variable.
The privacy breach itself is introduced to the respondent by exposure to an email
message that contains information about the privacy breach. Thus the independent variable
(privacy breach) is introduced as a message. This message informs respondents that the
company’s database suffered a security breach which has allowed an unauthorized third party to gain access to their information. Moreover this message is communicated in a neutral
manner and information is minimally provided. This is done to avoid communicating an
excuse to the customer which can be taken in a wrong way (Liao, 2007). This message is
manipulated to create different situations depending on severity and sensitivity. The
respondents are randomly assigned to the four conditions. Thus, additionally a 2 (high or low
severity) by 2 (high or low sensitivity) between group experiment is used to measure the
Considering the entire survey, it starts with general questions about the relationship
with the company, followed by a measurement of engagement. Then loyalty is assessed,
followed by the privacy breach message. After which a manipulation check is assessed,
followed by the second measurement of loyalty. Demographic information is asked in the end
of the survey to gather control variables. The survey is conducted by use of qualtrics.com
university software.
The assumption is made that this study does not require a control group. A repeated
measures design is used, with a pre-intervention measurement of loyalty that functions as the
control group (Saunders, Lewis, & Thornhill, 2012). According to Saunders et al. (2012) the
danger in a repeated measures design lies in the possibility that respondents experience
fatigue during the survey. Therefore measures are taken to construct the survey as short as
possible. For example no unnecessary or overflowing questions are asked. The survey is
added as Appendix 1.
3.2 Measures
All questions are answered in a seven-point-Likert-scale (1 = strongly agree / 7 =
strongly disagree) for maximum data extraction and accuracy (Saunders et al., 2012). Each
variable is discussed in this section.
Loyalty
Loyalty is measured twice, resulting in loyalty t-0 and loyalty t=1. These measures are
identical. They are merged into a single dependant variable. The scale of loyalty is derived
from theory that is often used for loyalty measurements. The scale consists of five items (α =
0.94) which contain questions about purchase intention and WOM (Zeithaml, Berry, &
Parasuraman, 1996). Example: “I would say positive things about this firm to other people”
(Zeithaml et al., 1996).
This is a dependent variable. Customer engagement has been measured in different
ways, all having their own focus, but in general ‘attention’ and ‘participation’ are used most
frequently (So, King, & Sparks, 2014; Sprott, Czellar, & Spangenberg, 2009; Vivek, Beatty,
Dalela, & Morgan, 2014). An extensive way to measure engagement is using five dimensions
(So et al., 2014). These are: identification, enthusiasm, attention, absorption and interaction.
Based on the goal of studying conative loyalty, behavioural dimensions are adopted. Five
items (α = 0.93) are adopted from attention and one item (α = 0.94) from interaction.
Example: “Everything related to this firm grabs my attention” (So et al., 2014).
Only one item is adopted from interaction because the other items are focussed on
enjoying spending time and interacting with peers in a brand community. In the product
categories of the current study, it is assumed that no brand community is involved.
Companies like the ones included, handle their own social media, but not always own a brand
community. A second assumption here is that the ‘interaction’ items from So et al. (2014) are
too much brand related. Therefore a measurement change is made based on the study by
Barger and Labrecque (2013). They say engagement through social media does not only
includes that the customer views or reads the posts of the company or brand, but goes a step
further. An engaged customer also likes, comments, replies or shares a post of the company.
Consequently a more universal classification is: “expressing agreement, rating, voicing
opinion and sharing” (Barger & Labrecque, 2013). Therefore in addition to the five items of ‘attention’, simplified items are added for ‘interaction’ which are (Barger & Labrecque, 2013):
1. Being likely to express agreement in the form of a like;
2. Voicing one’s opinion by placing a comment;
3. Participating in social media discussion.
Severity from the perspective of the customer is the extent to which data involved in
the breach causes possible damage to the customer (Ablon et al., 2016). Thus the severity of
the breach is determined by the amount of information that is lost by the company. Deriving
from this concept, two conditions are included in the survey. Thus sensitivity is an
independent variable. Low severity includes a privacy breach wherein the breach caused loss
of contact information and high severity contains a breach that involved loss of all
information stored (for example personal contact information, location data, credit or debit
card data, and spending history.).
Perceived severity
To check the manipulation through the experience of the respondent, three items (α =
0.80) are adopted that measure perceived severity (Chakraborty et al., 2016). Example: “This
incident is a serious problem to me” (Chakraborty et al., 2016). The manipulation check clarifies if the individual judgements of severity resemble the severity by manipulation.
Sensitivity
To measure sensitivity, two conditions (or product categories) are added. This makes
sensitivity an independent variable. Low sensitivity (online shopping website) and high
sensitivity (bank). These product categories because roughly everyone make decisions about
these products.
Different control variables are used to enable analysis to test relative relationships.
They consist of demographic variables and three other questions.
Age: the age of the respondent is asked. It is an ordinal variable with six options on 10 year
intervals.
Gender: the gender of the respondent. It is a binary nominal variable which states either
Income level: the current level of income. It is an ordinal variable with four options ranging
from ‘€0’ to ‘above €30 000’.
Education level: the highest level of education completed. It is an ordinal variable with four
options ranging from ‘high school’, to ‘Ph.D. candidate’.
Products bought: the number of products bought from the company. It is an ordinal variable
ranging from ‘1-3’ to ‘above 15’ for financial services and from ‘1-5’ to ‘above 50’ for online retailer.
Years being a customer: the length of the relation with the company. It is an ordinal variable
with four options ranging from ‘less than one year’ to ‘more than five years’.
Experienced breach before: the respondent has experienced a privacy breach before. It is a
binary variable which states either ‘yes’ or ‘no’.
3.3 Procedure
Before the ultimate sample collection, the survey was pretested to establish a good
understanding of the questions. After some edits, the final survey version was distributed
using the anonymous link. Convenience sampling is used to gather as many respondents as
needed and to avoid complications of random sampling. Responses were gathered mainly
through social media platform Facebook. By different public messages, visitors of the
platform were invited to participate. The instructions of the survey told respondents the study
aimed at determining customer attitudes and behaviour for a master thesis. After determining
that response rates were too low, individuals from the friends list were directly messaged
with the link. Finally also one reminder message was sent. The survey was open for three
3.4 Sample
To determine a sufficient sample size, a power analysis is conducted with the program
G*Power (Erdfelder, Faul, & Buchner, 1996). To conclude effects and interactions with four
groups in a statistical MANOVA f-test, sample size should minimally be 113 to achieve a
power of .80. Our sample suffices with 172 cases. The cases are mainly students and
employees within the Netherlands (97% are between 18 and 35 years of age, 60% females,
78% had income lower than 20 000 per year, and 53% obtained a bachelor’s degree). Furthermore, 9 cases have experienced privacy breaches. About the customer-company
relationship, 83% of the respondents are at least 3 years a customer and most 73% have
bought 1 to 10 products. The population consist of customers of the product categories that
are at least 18 years old. See table 1 for descriptive information and Appendix 2 for a detailed
frequency overview.
Variable Min Max Mean Mean related answer SD
Age 1 5 1.35 18 – 25 .637
Gender 1 2 1.60 Female .492
Education 1 3 2.11 Bachelor degree .678
Income level 1 4 1.73 €10,000 – €20,000 1.096
Products bought 1 5 1.95 3 – 10 1,287
Years customer 1 4 3.25 3 – 5 .895
Experienced privacy breach 1 2 1.95 No .224
4. Results
4.1 Preliminary analysis
Unfinished responses are deleted. Scale means are computed for the variables
engagement, loyalty t=0, loyalty t=1 and perceived severity. In addition dummy variables
were created for both severity (0 = low severity, 1 = high severity) and sensitivity (0 = low
sensitivity or retailer, 1 = high sensitivity or bank). Likewise a new mean difference variable
was created, Δ loyalty (loyalty t=0 – loyalty t=1). See table 2 for means, standard deviations,
correlations and Cronbach’s alphas coefficients of all variables. Reliability is high for all variable scales with Cronbach’s alpha values over .86, except for perceived severity that has a reliability of .703 which still suffices. Also none of the items would substantially affect
reliability if they were deleted. Furthermore factor analysis was performed for the
measurement of engagement, resulting in two factors. See Appendix 3 for details on the
factor analysis.
An outlier check showed one case which are deleted. The total data set resulted in 171
cases. A normality check showed one particularly interesting aspect of perceived severity. It
was not normally distributed, as the skewness was 1.6. It is further tested with the
‘Kolmogorov-Smirnov’ test. The result showed (statistic = .218, p = .001, p < .01), that the distribution is indeed not normal. Alternatively this variable was transformed (X*=Log10(X))
to prepare the numerical variable for moderation testing (Field, 2013). Inspection showed that
the variable was approximately normally distributed after the transformation.
To test is the group are heterogeneous, the demographic control variables are used.
The other control variables are dependent upon the company and are thus biased for
homogenous testing. Levene’s test indicated equal variances (F = 1.227, p = .291, p > .05). The results for each demographic variable is non-significant. Age (p = .194), gender (p =
.197), income (p = .070), education (p = .591) are all non-significant (p > .05) which
indicates homogeneity of groups. See Appendix 4 for details on the heterogeneity test.
A correlation matrix is created. The Likert-scale variables in the matrix indicate
disagreement when positive (as a higher point in the Likert scale indicates disagreement).
One exception on this rule is Δ loyalty in which a negative value indicates a decrease in
loyalty. Significant correlations are indicated with starts. With the control variables, several
correlations can be found. Income level is positively correlated with age and education is also
positively correlated with income level and age. Furthermore there are correlations between
loyalty t=0, engagement, products bought and loyalty t=1 which imply an equivalent view on
the relationship with the company. Likewise the correlation of engagement and age indicates
that older respondents are less engaged with companies. In addition there are some
unexpected correlations. Sensitivity is negatively correlated with loyalty t=0 and loyalty t=1,
which indicates that loyalty decreases with high sensitivity (bank). Thus customers of the
retailer are more loyal at both measurements. Sensitivity is positively correlated to years
being a customer, which indicates that customers of online retailers have a shorter
relationship with the company. Sensitivity is also just significantly correlated to income level,
which could be a coincidence, likewise previous breach experienced is correlated to income
level. Severity is not correlated in any way. On the variables of interest, a significant
correlation of engagement and Δ loyalty (.21) is seen, which indicates a mitigating effect of
engagement. Furthermore, severity and Δ loyalty are not correlated (.00). Lastly, sensitivity is
Table 2. Correlation matrix M SD 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1. Gender 1,60 ,49 1,00 2. Age 1,35 ,64 **-,36 1,00 3. Income level 1,73 1,10 **-,33 **,50 1,00 4. Education 2,11 ,68 **-,24 **,23 **,24 1,00 5. Products bought 1,95 1,29 ,15 -,03 -,05 -,11 1,00 6. Years customer 3,25 ,90 -,02 *,18 *,17 -,01 -,10 1,00 7. Breach before 1,95 ,22 ,07 -,03 *-,18 -,08 ,01 -,08 1,00 8. Loyalty t=0 2,89 1,15 **-,25 **,25 **,28 ,07 **-,45 **,28 -,14 0.89 9. Engagement 4,83 1,02 **-,24 **,22 *,18 ,13 **-,29 **,22 *-,16 **,57 0.84 10. Per. severity 2,23 1,14 -,11 ,07 ,11 ,01 ,02 ,07 *-,17 ,04 ,10 0.70 11. Loyalty t=1 4,95 1,38 -,03 ,02 -,02 ,08 **-,27 ,03 -,01 **,43 **,27 **-,48 1,00 12. Δ Loyalty -2,06 1,36 *-,18 *,19 **,26 -,03 -,11 **,21 -,11 **,41 **,21 **,52 **-,65 1,00 13. Severity ,49 ,50 -,13 -,08 -,01 -,08 -,05 -,05 ,12 -,03 -,05 -,09 -,02 ,00 1,00 14. Sensitivity ,51 ,50 -.10 -.05 *-,18 -,07 **,62 **-,47 -,03 **-,50 **-,23 ,07 **-,25 -*,17 -,02 1,00 ** p<0.01 (2-tailed); * p<0.05 (2-tailed).