The influencing factors for the impact of a privacy breach on customer loyalty : a dive in prioritizing customers after a security breach incident regarding information privacy

The influencing factors for the impact of a

privacy breach on customer loyalty

A dive in prioritizing customers after a security breach incident regarding information privacy

Master’s thesis

MSc Business Administration - Digital Business

Amsterdam Business School

Amsterdam, 23-06-2017

Author Diederik Petrus Leonardus van de Laarschot

Student No. 10121927

Statement of originality

This document is written by Diederik van de Laarschot who declares to take full

responsibility for the contents of this document.

I declare that the text and the work presented in this document is original and that no sources

other than those mentioned in the text and its references have been used in creating it.

The Faculty of Economics and Business is responsible solely for the supervision of

Acknowledgements

This master’s thesis is the final part of my student life. It has been a busy part of my life, with time flying by so fast. Without the support of certain people, the process would

have been much tougher than it finally was. To these people, I would like to express my

gratitude. Firstly, I want to thank my thesis supervisor Javier Sese for his guidance,

comments and critical view throughout the entire period. His structural method of supervision

was extremely effective and was precisely what I needed. Secondly I want to thank my

college friends for the day by day assistance, company, dinners and fun at the university.

Lastly, I want to thank my family for being there for me and helping me put down a properly

Table of Contents

Statement of originality...I

Acknowledgements ... II

Table of Contents ... III

Abstract ... V 1. Introduction ... 1 2. Literature review ... 4 2.1 Privacy breaches ... 4 2.1.1 Company level ... 5 2.1.2 Customer level ... 8

2.1.3 Literature on service failures ... 11

2.1.4 Conclusion ... 13

2.1.4.1 Research question ... 14

2.2 Conceptual framework ... 16

2.2.1 Main effect of a privacy breach on loyalty ... 17

2.2.2 Moderating effect of engagement, severity and sensitivity ... 19

2.2.2.1 Engagement... 19 2.2.2.2 Severity ... 22 2.2.2.3 Sensitivity ... 24 3. Method ... 27 3.1 Design... 27 3.2 Measures... 28 3.3 Procedure ... 31 3.4 Sample ... 32 4. Results ... 33 4.1 Preliminary analysis ... 33 4.2 Manipulation check ... 36

4.3 Analysis ... 36

4.3.1 Main relation... 36

4.3.2 Engagement, severity and sensitivity ... 37

4.3.2.1 Interaction ... 40

5. Discussion ... 42

5.1 Theoretical implications ... 42

5.2 Managerial implications ... 45

5.3 Limitations and recommendations for further research ... 46

6. Conclusion ... 49

7. References ... 50

Appendix 1. Survey ... 56

Appendix 2. Sample characteristics ... 59

Appendix 3. Factor analysis ... 60

Appendix 4. Heterogeneity test... 61

Appendix 5. Interactions ... 62

Abstract

As company databases with customer information are getting larger, a growing

amount of privacy breaches are taking place. Customer information is wanted and its safety is

not fully guaranteed. These breaches cause privacy violations and change perceptions of trust

in the company affecting loyalty. Different factors are influencing this change and can help

companies decide how resources should be allocated among their customers to minimize the

damage.

Over the past years literature on privacy breaches is developing. However, in most

cases this is mainly focussed on the effect of privacy breaches on the market value of

companies. This research explores this gap by looking into the change of loyalty levels of the

customer. To support our understanding of privacy breach consequences, theories from

service failure theory are successfully applied.

This thesis studies the change of customer loyalty intentions after a privacy breach.

The research question is: “How does a privacy breach influence loyalty in terms of purchase

intention and word of mouth, and how is this effect influenced by customer engagement, severity of the breach and sensitivity of the information?” An experiment is applied in a

survey to study the main effect

The contribution of this research is to confirm that privacy breach exerts a negative

effect on loyalty, and that this effect is influenced by the sensitivity of the information

involved. Effects of engagement and severity are not confirmed. A side finding was that

manipulation of severity had no effect. Respondents made their own distinction on what was

severe or not.

Future studies should consider a local experiment, include a control group and try to

mirror an actual customer-company relationship to gather evidence for a changing effect on

1. Introduction

“I think that this is the ‘tip of the speer’ of what we are going to see in 2017” said W. Donaldson, CEO nomx and data security expert, about the one billion Yahoo accounts

hacked in 2013 (V. Goel & Perlrothdec, 2016). Personal data has become omnipresent in the

21st century. Customer information is provided daily and stored by various companies. More

specifically, the use of e-commerce is skyrocketing (Intelligence, 2016). For almost every

purchase made online, accounts are set up to make orders, service, payment and delivery

possible. This information is not only stored for the benefit of the customer but increasingly

for the use of companies. Over the past decade advancements in IT are increasing the

possibilities for companies to collect customer data and use this for marketing purposes. Thus

data is not only provided through shopping accounts but also traced from online platforms.

Consequently online businesses can use this data to provide service to the customer but also

to increase their efficiency in marketing (McAfee, Brynjolfsson, Davenport, Patil, & Barton,

2012).

Collaboratively these growing databases of customer data are developing a growing

interest among thief’s and hackers. According to

informationisbeautiful.net

(2017) the number of breaches

in the security systems of

customer information is

increasing significantly, mainly

by hacking. In the figure on the

right, the growth in hacking as

part of the data breaches is displayed. These new developments show the importance for

companies to gain knowledge about the impact of privacy breaches on their customers.

Importance of IT security grows explicitly for financial institutions according to Accenture

Security (2016). Financial institutions are found to be quite confident about their security as

only half of them measure impact of breaches. Nevertheless Accenture Security (2016) found

one per three attempts of breaches on financial institutions to be successful. Accenture

Security mentions the importance of investing in IT security, strategy and responses due to

new challenges and higher demands for security.

Along with the rise of hacking incidents, customer concerns regarding the safety of

sensitive information are growing (Bélanger & Crossler, 2011; Tucker, 2014). The

relationships of customers with companies are also changing. Mainly through social media,

customers are creating more affective relationships with brands. The investments to get the

customer engaged are growing each year (eMarketeer, 2015). Those companies are aiming

for increased loyalty which is critical for conducting business in today’s competitive

marketplace (Reichheld & Schefter, 2000).

Even though the number of hacking incidents is growing, current study is focussed on

changes in the market value of breached companies, and little attention is given to changes in

attitudes and behaviour of the customer (Acquisti, Friedman, & Telang, 2006; Cavusoglu,

Mishra, & Raghunathan, 2004; Martin, Borah, & Palmatier, 2017). Above mentioned

subjects: customer data breaches, customer data sensitivity and customer engagement, were

core aspects of many studies. Like J. van Doorn and P.C. Verhoef (2010) who largely studied

engagement and researchers like R. Chakraborty, K.D. Martin, and M. Nofer are mostly the

few who studied effects of breaches on customer attitudes. Moreover there is still ambiguity

about the difference regarding information involved (Ablon, Heaton, Lavery, & Romanosky,

the research on customer information breaches has just taken flight and knowledge about the

differences in customer responses is missing.

This study contributes to theory by being the first to explore the combined knowledge

of customer information breaches and customer engagement in relationship to loyalty.

Additionally sensitivity and severity of the information in the breach are studied further.

Consequently the results of the study can shed light on how to prioritize and scale the

investments in responses following a privacy breach. Effective response strategies allow

companies to mitigate the market reactions.

With the selection of subjects the following research question is composed: “How

does a privacy breach influence loyalty in terms of purchase intention and word of mouth, and how is this effect influenced by customer engagement, severity of the breach and sensitivity of the information?” Research is conducted with a survey containing a repeated

measures experiment design.

The structure of the thesis is as follows. First, privacy breach literature is reviewed

with additional theory from service failure literature. Second, hypotheses are developed by

building upon theories, resulting in the conceptual framework. Third, the method is

explained. And fourth, the results are given whereupon these are discussed. The conclusion

2. Literature review

The literature review starts broadly by setting out the current state of literature, after

which the focus lies on the points of interest.

2.1 Privacy breaches

To understand a privacy breach, a definition of privacy itself is needed. Privacy is the

interest of individuals to preserve a “personal space, free from interference by other people or organisations” (Clarke, 1999). More specifically, Clarke (1999) identifies four different dimensions of privacy:

- Privacy of a person;

- Personal behaviour privacy;

- Personal communication privacy;

- Personal data privacy.

A privacy breach falls in the dimension personal data privacy. Bélanger and Crossler

(2011) define personal data privacy as “one’s ability to control information about oneself”.

The construct has many definitions, but it clearly involves “control over secondary use of

personal data” (Bélanger & Crossler, 2011). This control is the core factor at play. When

information is provided to a company, the customer trusts this company to have this control.

When an unauthorised party (or hacker) gets a hold of his information through a breach in the

security system of that company, the control is lost. When this happens, a privacy breach

occurs. A privacy breach is defined as “the loss of, unauthorized access to, or disclosure of,

personal information” (OPC, 2016). Consequently the data can be used by third parties with the goal of exploiting that data. Possible consequences are complex as they are difficult to

trace. Justifying investments to undo the damage is not easily substantiated, as the damage is

When reviewing literature on privacy breaches, two perspectives can be distinguished.

The first looks at the impact of a privacy breach on the company itself. The second looks at

the impact of the privacy breach on the customers. It is important to look at both perspectives

because they are measured differently. When studying effects on company level, the focus of

researchers is on the changing market values. These are deduced from analysing share prices.

The shortcoming in this view is that these values are based on market valuations of the

company. This perspective ignores the real impact on actual revenue. These costs are often

forgotten and make companies underestimate the consequences of privacy breaches

(Cavusoglu et al., 2004). When looking at revenue, the purchase intention of customers is one

of the most important determinants. Thus, the distinction is relevant as both determine

consequences and relevant factors. First, company level events are discussed, then customer

level.

2.1.1 Company level

At the company level the company is the unit of analysis and the impact of a privacy

breach on the company is reviewed. The consequences are measured in market value. Several

studies measured the effects of data breaches on company level and confirmed that privacy

breaches negatively affect market value (Cavusoglu et al., 2004; A. Malhotra & Kubowicz

Malhotra, 2011; Acquisti et al., 2006; S. Goel & Shawky, 2009). Event based studies are

often applied at the company level to study actual incidents using reports. Cavusoglu et al.

(2004) emphasise that, 40 per cent of US companies state lower customer trust and

confidence as the main unwanted consequences. The only way in which they try to quantify

the actual outcomes of these aspects, is making estimations deriving from market values.

They found that publicly traded US companies lose 2.1 per cent of market value within two

Regarding the type of breach, Cavuslogu (2004) found that hacking incidents are most

severe. This is in line with findings of Garg, Curtis and Halper (2003), who distinguished

between web site defacement, denial of service, theft of credit card information, and for other

customer information. The most severe reactions were found for credit card information and

next for other private information. From a systematic literature review as conducted by

Acquisti et al. (2006) found that disclosure of confidential information creates a negative

effect. Thus, the nature of the data would significantly affects the impact.

On the other hand, Malhotra and Malhotra (2011) found that the type of information

had no effect on market value, but the industry of the breached company did. Different

findings were detected in literature regarding the company and sector. They saw stronger

effects in the financial sector, which is an area where companies have higher standards of

data security. Nevertheless Cavusoglu (2004) found that internet companies were stronger

affected, due to the degree in which the company is dependent upon the internet. High

internet dependent companies have more to lose by a breach in security. Garg et al. (2003)

likewise found higher effects among internet companies.

A strong aspect of measuring consequences of the privacy breach at the company

level is the inclusion of investor expectations on the resulting market value. Acquisti et al.

(2006) found a bigger impact of privacy breaches on market value among retail companies,

and less for financial institutions, ‘other’ companies and data processors. Furthermore smaller

companies were found to experience higher cost (Cavusoglu et al., 2004). However, the

findings of Malhotra and Malhotra (2011) opposes this finding, as they found that revenue is

stronger affected at larger companies.

Regarding the severity of a privacy breach, different perspectives can be taken. When

looking at severity, the size of the problem is judged, regarding possible outcomes. Acquisti

on market value. They only found negative market effects with very large data breaches that

affected a large number of customers. However, these effects were short-lived. They ascribe

these issues to possible consequences like “the risk of impersonation, fraud, or identity theft”. Another risk is an increased chance of being victimised by ‘phishing emails’. This confirms

the finding of larger numbers of accounts breached causing a stronger effect (Garg et al.,

2003). This can be seen as the severity of the event from the perspective of the company. The

impact of severity was confirmed in a later study (Martin et al., 2017). They looked at

severity from the customer perspective. They found effects of private vulnerability, even

without an actual breach. They state that effects of privacy breaches are based on the

customer’s awareness of consequences, becoming a victim or experiencing potential harm, from the privacy breach.

Other found factors found include the time frame and size. Malhotra and Malhotra

(2011) found impact in the short and long term, but stronger in the long term. They theorise

this from network effects and customers who ‘hold a grudge’. This was especially the case

with large breaches. Moreover in a longer time frame, effects on the company level were

found to be more severe when the privacy breach was not the first one (Schatz & Bashroush,

2016).

Research on the company level often resulted in new implications for managers and

companies to get their investments right. Companies are given more knowledge on the

optimal level of investing in IT security regarding risk and protection (Hsieh, Noyes, Liu, &

Fiondella, 2015). However, this was questioned by Sen and Borle (2015) who found that per

industry or state, the number of breaches is positively related to money invested in IT

security. They argue that this is because companies do not invest in the right IT elements.

Results of company level research are quite diverse. Studies on underlying factors,

such as type of the breach, severity, time frame, and type of company resulted in some

ambiguous findings. These included companies in these studies were all retail stores, banks,

retailers or hospitals. Most studies compare privacy breach reports to actual listed market

values caused by the new perspective of investors and the overall cost involved with the

breach due to security costs. Customer loss consequences are often not included in the

calculations. However, customer data should be included in measuring company performance

after a breach, as it is an important link in the chain from cause to effect.

2.1.2 Customer level

Effects of privacy breaches on the customer level are critical to understand how

market values are affected through influence of the change in purchases from the company.

At the customer level, the customer is the unit of analysis and the impact of privacy breaches

on customers is reviewed. Several studies all found a negative relationship of a privacy

breach and loyalty (Chakraborty et al., 2016; Lee & Lee, 2012; Mamonov & Benbunan-Fich,

2015; Martin et al., 2017).

The aforementioned study by Martin et al. (2017) included extensive research on the

effects on customers. The authors found that customers experience negative effects primarily

due to “anxiety about the potential for data misuse and feeling of violation, rather than actual misuse” (Martin et al., 2017). They call this phenomenon ‘data vulnerability’. Furthermore, the study highlights that transparency of data management policies and giving customers

control of their data management can mitigate the effects of data breaches on company

performance. For the effects on the customer level they found that emotional violation and

cognitive trust fully mediate the effect of data vulnerabilities on both purchase intention and

word-of-mouth (WOM); these effects hold various demographic characteristics, industries,

Chakraborty et al. (2016) added an interesting variable —perceived risk— in their

study on major retail stores. Perceived risk indicates how risky customer sees online shopping

in general. This was significant among the younger age group. They found that customers

would become more risk averse due to threat and uncertainty.

In line with the finding of difference between online and offline activity by Lee and

Lee (2012), Goldberg, McHenry, Zambrano Ramos and Chen (2016) found that entire US

households would avoid using online activities altogether. The biggest impact was found for

the online performing of financial transactions, buying goods or services, posting on social

media and expressing controversial opinions. Identity theft was the biggest concern of

influence. This study implies that consequences of a privacy breach on the customer level

influence the entire household and thus have considerable impacts.

Nevertheless Ablon et al. (2016) found that only 11 percent of American adults

stopped doing business with a company after a privacy breach. They explain these numbers

by switching cost, employees who are obligated to use their employer company, the need to

provide personal information again to a different party when switching companies, and

customers not knowing if competitors are more secure (Ablon et al., 2016). This aligns with

the finding of Lee and Lee (2012) that effects on purchase intention are strongly affected by

the perceived damage and the shopping alternative. These alternatives can result in “avoiding

the use of the online store, choosing another online store or switching to offline stores”.

The study by Lee and Lee (2012), on a hacking incident in Korea confirmed his

anxiety related concept. They propose that companies should consider the irrationality of the

decision-making process of online customers, due to the moderating effect of perceived

damage. They describe resulting loyalty as the retreative effect on customers: “these

behaviours can include moving to another offline or online vendor, providing fake customer

channel” (Lee & Lee, 2012). Perceived damage, which could be interpreted as perceived

severity, was central to their finding. Perceived severity indicates to what extent the privacy

breach is a serious problem to the customer.

Chakraborty et al. (2016) found significant effects of the perceived severity of a

privacy breach for two demographic age groups. The effects were stronger for the older

group. Perceived severity has been identified as a significant factor in research on privacy

breach perceptions among smartphone application users (Mamonov & Benbunan-Fich,

2015). Perceptions of severity show significant differences between types of information: a

breach regarding financial information is considered more severe than geo-location data.

Thus, there is also an indication on the customer level that different types of information

cannot be considered as equal.

Regarding different companies, Nofer, Hinz, Muntermann and Roßnagel (2014)

focussed on the effect of privacy breaches on bank customers. They compare the impact of a

privacy breach to a privacy violation of a company through an experiment. They conclude

that a privacy breach lowers trust but does not lower their willingness to invest in the bank.

They state that in the long run the consequences on the customer level affect company value

stronger than consequences on the company level. These indirect effects may be bigger than

the direct effects.

When trust was studied, Chakraborty et al. (2016) found that higher trust does not

necessarily leads to purchase intention and Nofer et al. (2014) found that actual behaviour is

different from the trust resulting from privacy concerns. These findings cast doubt on the

relevance of trust with regard to the impact of privacy breaches on loyalty.

Overall little research has been conducted in the field of privacy breaches on the

customer level. The conducted research focused on companies in the US and Korea (Bélanger

This arises in variables like perceived severity, perceived risk and perceived damage. A

literature search found no studies that included influencing effects of engagement or another

form of the quality of the customer-company relationship.

2.1.3 Literature on service failures

To better understand the consequences of a privacy breach for the customer, studies

from service failure literature are included in the review. Specifically, research regarding the

influence of a customer-company relationship is included. Service failures are events in

which customer perceptions of service quality disappear (Malhotra & Malhotra, 2011).

Malhotra and Malhotra (2011) found that viewing privacy breaches as service failures can be

more effective in finding the right theory due to the congruence of both concepts in causing

“customer loss, negative publicity and liability risk”. Service failures provide an applicable understanding of privacy breach effects. Nevertheless the consequences of privacy breaches

differ from service failures in some core aspects. First, it differs in the difficulty to measure

damages, which complicates determining financial compensations to customers afterwards.

In other respects, privacy breaches hinge upon the fear of possible damage and violation of

trust instead of actual damage leading to more complex responses like monitoring breached

accounts.Malhotra and Malhotra (2011) state that a privacy breach damages customer

privacy and is a violation of trust. The loss of trust can be seen as a service failure as trust

issues are identified as key drivers of customer service quality perceptions. Such a violation

has three salient customer reactions: reduction in future trust, emotional anger and frustration,

and spreading of negative WOM with reduced purchase intention (Malhotra & Malhotra,

2011). In addition, studies associate service failures with dissatisfaction, loss of customers,

increased costs and decline in customer confidence (Komunda & Osarenkhoe, 2012; Wang,

Hess et al. (2003) measure changed satisfaction due to service failure and responses

including the factor customer-company relationships. Responses are efforts to reduce

customer loss. The results show a significant effect of the ability of the relationship to

decrease the effect of a negative response, confirming earlier findings (Berry, 1995).

Furthermore, the customers expect lower service levels in the future when they continue the

relationship. Regarding responses, Hess et al. (2003) concluded that if responses do not

match conflicted damage, a large penalty follows. Finally, the study emphasises that response

or reimbursement expectations are different among customer segments and not equally

productive. Some responses may be overly generous.

Building on the findings of Hess et al. (2003), Grégoire and Fisher (2006) found

supporting evidence for customers with higher quality relationship experiencing the —love is

blind— effect. They found that such customers have a low desire for retaliation, which results

in lower chance of spreading negative WOM. They also suggest that —love is blind—

requires a very strong relationship with the company (high levels of identification).

Mattila (2004) contradicts the mitigating effect of the relationship. This study

suggests that service failures have more negative effects when moderated with higher levels

of emotional bonding. Mattila (2004) proposes that these emotionally bonded customers feel

betrayed. Confirming this study, Grégoire and Fisher (2008) formulated a concept very

damaging to companies: —love becomes hate—. They bring forward actions of customers

who feel betrayed and retaliate to restore fairness in the relationship. These actions

encompass spreading negative WOM and can escalate to harming the reputation of the

company. They speculate that this is caused by anger that not only wants to rebalance the

fairness, but goes beyond that. The concept is founded on the variable ‘perceived betrayal’.

severity. Overall, they found that judgements of fairness in combination with quality of

relationship could foster betrayal which leads to retaliation behaviours.

Grégoire, Tripp and Legoux (2009) focussed on the length of the relationship.

Relationship strength is found to cause more unfavourable reactions of the customers in the

long run. Revenge was found to decrease over time but in the long run, customers still ‘hold a

grudge’ that causes a rapid growth of avoidance from the company. Here too the variable perceived betrayal explains the variation. Ironically, high-quality customers were found to

only need the most modest form of recovery to lower revenge desires, while low-quality

customers only react to expensive responses. Revenge desires were stronger for high-quality

customers. Additionally, perceived greed of the company was found to be the main

influential factor of the desire of revenge (Grégoire, Laufer, & Tripp, 2010). Taken together,

aforementioned studies present an ambiguous effect of the quality of the relationship on the

consequences of service failures.

2.1.4 Conclusion

Research on the company level includes significant change in market values. Various

studies define severity is several ways. But hacking incidents, including credit card

information, are often considered severe. Regarding the type of account, internet companies

are found most relevant. But what company does not depend on the internet today? Final

judgements are still needed regarding the type of sector or account involved. Retail stores,

banks, internet companies and hospitals are the most common subject companies of studies,

but they are hardly related to each other. No study has yet examined privacy breaches in

relation to product categories, and only a little research has been conducted on the company

level (Acquisti et al., 2006; Cavusoglu et al., 2004; Martin et al., 2017).

Research on the customer level found that the irrationality of the customer is relevant

perceived severity and perceived damage highlight this aspect. Furthermore, only

Chakraborty et al. (2016) found a demographic distinction. Moreover, no study on privacy

breaches has studied the customer-company relationship. This has been studied a little in

service failure theory (Grégoire & Fisher, 2006; Grégoire & Fisher, 2008).

Research on severity has been conducted, although the outcomes were often only

marginally determined (Ablon et al., 2016; Chakraborty et al., 2016; Martin et al., 2017). Few

have studied this within service failures (Mamonov & Benbunan-Fich, 2015). A clear effect

of the severity of the breach is lacking in literature. Lastly, research on service failures give

more depth on the irrationality mentioned by Lee and Lee (2012). Privacy breach literature

seems to ignore the possible consequences due to customers who feel betrayed, which would

be understandable.

Overall, the research on privacy breaches has only just begun and knowledge about

different customer reactions is lacking. Besides, research has thus far only been conducted in

the United States (US) and Korea (Bélanger & Crossler, 2011).

2.1.4.1 Research question

All factors of influence on the customer level can be divided in three levels (Martin et

al., 2017). The customer level that looks at characteristics of the customer, the company level

that looks at characteristics of the company, and the event level which looks at characteristics

of the privacy breach itself. The research question will include all levels to start out broadly

in this research venue.

Loyalty is relevant to any company as retaining existing customers is more

cost-efficient than pursuing new prospects (Reichheld & Schefter, 2000). Loyalty is chosen as the

main dependent variable.

Not every privacy breach involves the same type or amount of information. Managers

response effort is valued most by customers for breaches involving different types of

information. Knowledge about the changing customer attitudes is important to let companies

understand the possible consequences per industry and the need for IT security investments.

Determining the influence of engagement on the loyalty changes is important to see how the

most influential customers are affected. Customer engagement is a hot topic and is one of the

most important aspects in the company -customer relationship due to its performance

enhancing effects on the customer, which go further than loyalty (Van Doorn et al., 2010).

This study can shed light on what consequences companies should be most aware of and

which customers deserve the most attention during response processes.

A broad perspective on underlying factors is taken into account when studying the

effects on behaviours of customers. The research question is: “How does a privacy breach

influence loyalty in terms of purchase intention and word of mouth, and how is this effect influenced by customer engagement, severity of the breach and product category?”

2.2 Conceptual framework

For this study, a conceptual framework is proposed to visualise the expected

interactions between the variables. This model is a visualisation of our hypotheses, which

will be described more in-depth in this section. First, the main effect of a privacy breach on

loyalty are studied, displayed as the main relationship in Figure 2. In addition, three

influencing variables are studied: engagement, which we choose for its relevance in today’s

marketing pursuits, severity, which provides information on the size of the problem, and

sensitivity, which implies account relevance. They are each involved in the privacy breach on

a different level. Engagement is a characteristic of the customer and is expected to moderate

the main effect. Severity is a characteristic of the privacy, and sensitivity is a characteristic of

the company. These are both independent variables and displayed as part of the privacy

breach in Figure 2. Next, this study explores the constructs and discuss possible outcome

effects. Privacy breach - Severity - Sensitivity Δ Loyalty Engagement Level H1 H2a (-) H2b (+) Loyalty t=0 H3 (+) H4 (+)

2.2.1 Main effect of a privacy breach on loyalty

Loyalty determines the spending power relating to a specific company or brand (Gee,

Coates, & Nicholson, 2008). Oliver (1999) defines customer loyalty as “a deeply held

commitment to re-buy or re-patronize a preferred product/service consistently in the future, thereby causing repetitive same-brand or same brand-set purchasing despite situational influences and marketing efforts having the potential to cause switching behaviour”. This

study uses this definition in this study. This study focusses on conative loyalty, which

involves behavioural intentions, as actual behaviour cannot be measured in the time frame of

this research.

Loyal customers have the potential to act as WOM promoters (Gee et al., 2008).

WOM is defined as “informal, person-to-person communication between a perceived

non-commercial communicator and a receiver regarding a brand, a product, an organization, or a service (Harrison-Walker, 2001). It is substantially more effective in customer acquisition

than traditional marketing (Trusov, Bucklin, & Pauwels, 2009). Loyal customers are likely to

maintain their customer-company relationship, however, loyalty is always vulnerable and

changeable. Those changes may occur due to regular considerations like typical benefits,

such as pricing, customer service or convenience, but also negative events. These events can

consist of service failures or violations of certain agreements, like privacy. This study aims to

examine the changing level of loyalty caused by a privacy breach.

A privacy breach violates the trust that allowed the customer to provide information.

Trust has been proven to be a strong determinant of purchase intention (Hong & Cho, 2011).

In literature a privacy breach has proven to cause lower trust resulting in lower levels of

loyalty (Chakraborty et al., 2016; Clarke, 1999; Flavián & Guinalíu, 2006; Martin et al. 2016;

There are several —mainly emotional— consequences for the customer. Studies show

that more than one of three customers experience moderate or severe levels of emotional

distress after an identity theft situation resulting from a privacy breach (Harrell & Langton,

2013). This could be because the harm itself is not necessarily the biggest problem, but rather

the fear of being harmed in the future (Fisher, 2012). In addition, characteristics of service

failures often cause anger and frustration (Gelbrich, 2010; Kalamas, Laroche, & Makdessian,

2008). Angry customers are likely to adopt vindictive behaviour, such as stopping positive

WOM and spreading negative WOM (Gelbrich, 2010). Moreover, the victims could enter a

powerless state of mind, as the consequences cannot be altered, which makes them even more

frustrated (Gelbrich, 2010).

When trust is violated, the customer’s reaction regarding loyalty can be explained

with equity theory. This theory is frequently used in service failure literature to explain

loyalty consequences (Grégoire & Fisher, 2008; Grégoire et al., 2009). The theory perceives

the relationship between customer and company as a balance between input and output.

Customers weigh the proportions of investment to the company and rewards from the

company against each other, depending on what is perceived fair. Equity theory predicts that

after the rise of emotion due to inequity, customers act to turn the situation back to a state of

equilibrium (Patterson, Cowley, & Prasongsukarn, 2006). A privacy breach can be perceived

as causing massive inequity, which is expected to trigger a reaction in the customer to

rebalance the relationship.

On the other hand, recent literature points out the importance of including attribution

theory in explanation of service failures (Van Vaerenbergh, Orsingher, Vermeir, & Larivière,

2014). Service failures often cause customers to search for attribution of accountability

(Gelbrich, 2010). Regarding the consequences, Van Vaerenbergh et al. (2014) confirm that

controllability attributions on negative emotions. This type of attribution relates to the extent

to which the company is expected to should have prevented the service failure. Therefore, the

extent to which the company was in control of the event is of great importance.

Furthermore, well found attributions hinge upon one party’s ability to comprehend the

other party’s choices and constraints (Weber, Malhotra, & Murnighan, 2004). This means judgements can be influenced by the information given. It indicates that people who have

more knowledge about the circumstances of the company, have more compassion and are less

likely to attribute the cause to the company. Thus, when little explanatory information is

given, this would have negative loyalty consequences. However, a danger in giving

information lies in the customer seeing the company ‘providing an excuse’ (Liao, 2007).

Service failures cause a reaction in the customer to rebalance the relationship driven

by negative emotions, which can result in a decrease in loyalty (Gelbrich, 2010).

Additionally, when service failures are perceived as being caused by the company, stronger

negative emotions arise within the customer, leading to a change in loyalty (Van Vaerenbergh

et al., 2014). Thus, this study hypothesises that:

H1: A privacy breach causes loyalty to change negatively.

2.2.2 Moderating effect of engagement, severity and sensitivity

2.2.2.1 Engagement

Customer engagement behaviour is broadly defined as “the customers’ behavioural

manifestation toward a brand or firm, beyond purchase, resulting from motivational drivers”

(Van Doorn et al., 2010). More specifically, Kumar, Aksoy, Donkers, Venkatesan, Wiesel,

and Tillmanns (2010) defined it as “interactions like WOM or new product ideas et cetera of

a customer with a firm, with prospects and with other customers, whether they are

at relationships with stakeholders and customers, emphasising its importance on the account

of value. Kumar et al. (2010) say its value is multidimensional and consists of:

- purchase behaviour over lifetime;

- referral value or stimulating others to purchase by getting rewarded for it;

- customer influencer value which is the ability of the customer to stimulate others

to become customers, and lastly;

- knowledge value, the information gathered through feedback from the customer.

This value can be achieved through WOM, recommendations, helping other

customers, blogging, writing reviews and engaging in legal action (Van Doorn et al., 2010).

In line with these theoretical interpretations of customer engagement, this study assumes that

customer engagement consists of behaviours besides purchasing motivated from an emotional

connection with the brand or company.

Customers who have an emotional connection with the company could respond either

stronger or less strong to service failures. According to the aforementioned service failure

literature, better relationship levels could mitigate the damaging effects of service failures

(Hess, Ganesan, & Klein, 2003). Additionally, having a relationship painted by affective

commitment allows the love-is-blind effect (Grégoire & Fisher, 2006).

Love is blind

Engaged customers take such pleasure of buying products and services of the

company that they are likely to keep buying and promote the company. This pleasure or high

level of satisfaction could create a buffer to certain errors of the company and could serve as

a protective layer for loyalty (Sajtos, Brodie, & Whittome, 2010). Furthermore, according to

Albert and Merunka (2013), this love for the company tends to be rooted in commitment,

which is built up from switching cost and scarcity of alternatives (Albert & Merunka, 2013).

would open the possibilities for the customer to accept the situation and still use the product

or service of the company, thus mitigating the effect of a service failure. Thus, this study

hypothesises that:

H2a: Higher customer engagement reduces the impact of a privacy breach on the loyalty of the customer.

On the other hand, customer engagement could cause an even extremer reaction to a

privacy breach. When customers are dedicated to a company and entrust it with their personal

information, the breaking of this trust could be a massive insult to these highly loyal

customers. The involvement of emotions could cause less rational thinking than for

customers who are just loyal. Grégoire and Fisher (2008) points out that engaged customers

would not only feel angry, but would feel betrayed. A high level of betrayal significantly

influences a motivation for revenge, which causes the love-becomes-hate effect.

Love becomes hate

The possible consequences of a privacy breach are far greater than with service

failures. Therefore, it seems likely that the love-becomes-hate effect will appear. As

mentioned by Kumar et al. (2010), the total value of engaged customers is staggering. Such

customers, who are the executors of this value creation for the company, could be aware of

this overinvesting balance to the benefit of the company. In other words, engaged customer

could feel that they are giving a lot to the company and maybe even more than the company

gives in return. Consequently, considering the service failure, the customers could perceive

that it was caused by the greed of the company. In this line of thought, the company is

neglecting the value of the individual’s privacy. For example, the customer could blame the breach to an underinvestment by the company in the information security software.

The perception of the company being greedy has proved to be a strong predictor of

judgement of fairness (Grégoire et al., 2010). Perceived effort and fairness were linked to

engagement in the service recovery literature (Cambra-Fierro, Melero-Polo, & Sese, 2016).

Furthermore, researchers defined information privacy concerns as an “individual’s subjective

views of fairness within the context of information privacy” (Bélanger & Crossler, 2011).

Thus, fairness theory provides understanding on the dynamics at play with the factor

customer engagement.

Thus, in addition to the rebalancing effect due to inequity described in the main

relationship, the engaged customer could include the perception of fairness in his reaction to

service failures. This could cause an emotional reaction, which could trigger the

love-becomes-hate effect. In combination with the possibility of perceiving the company as being

greedy, the proposition is that a second possibility is that customer engagement increases the

main effect of a privacy breach on loyalty.

H2b: Higher customer engagement magnifies the impact of a privacy breach on loyalty.

2.2.2.2 Severity

Severity should be taken into account, as it has been proven to have significant effects

on loyalty, WOM and purchase intention in service failures (Wang et al., 2011; Weun,

Beatty, & Jones, 2004). Another significant form of severity in security and privacy literature

is perceived severity (Chakraborty et al., 2016; Kankanhalli, & Xu, 2009). Severity occurs at

the event level. According to Dayarathna (2011), it is determined by “the number of previous

data breaches, number of records breached this time, the strength of deployed security

measures to prevent the data breach and the damage causes”. This definition of severity is

focussed on consequences for investors and ultimately on market value. As this study

focusses on the consequences of severity for the loyalty of customers, however, this study

Chakraborty et al. (2016) define severity as the level of seriousness of the security

breach at the company as it is perceived by the individual. Moreover, recent research

highlights that the extent to which the data involved in the breached can inflict damage is

relevant (Ablon et al., 2016). Thus, the definition of severity depends on your perspective.

Chakraborty et al. (2016) defines severity as the level of seriousness of the security

issue/breach at the company as it is perceived by the individual. Moreover recent research

highlights this aspect, the extent to which the data involved in the breached is able to inflict

damage is relevant (Ablon et al., 2016). Thus the definition of severity depends on your

perspective.

The assumption is made that severity differs based on possible negative consequences

for the customer. Most negative consequences were found when credit card information was

involved. Moreover, customers’ fear gave most importance to unauthorised third party access

to credit card information in comparison to personal information and other types of concerns

(Miyazaki & Fernandez, 2001). This effect is confirmed by other studies (Garg et al., 2003;

Harrell & Langton, 2013).

Severity seems to be linked to the type of private data. Different types of information

have different impacts. Private information exists in different dimensions (Nissenbaum,

1998), such as identification and description. Identification includes names, email addresses,

house addresses, phone numbers, bank card numbers, etc. Description goes even further; it

contains spending behaviour, online activity, travel information, orders, purchases, etc.

Private information concerning identification is considered less sensitive than aspects of

description (Mamonov & Benbunan-Fich, 2015; Nissenbaum, 1998). Moreover, when

information of both dimensions is combined, accurate statements can be made about the

The possible negative outcomes for the customer create an uncomfortable situation;

the emotional reaction can even cause anger and fear (Fisher, 2012; Harrell & Langton,

2013). This discomfort is based on privacy concerns, which can increase depending upon

how many dimensions of private data are involved (Nissenbaum, 1998). The resulting

discomfort or concerns can increase or decrease depending on the severity of the situation. It

is expected that this emotional distress influences attitudes and therefore purchase intentions.

Thus, this study hypothesises that:

H3: Higher severity of the privacy breach increases the impact on the loyalty of the customer.

2.2.2.3 Sensitivity

Some information requires more care and security than other information, bringing us

to the last influential factor at the company level: the sensitivity of the information. The

sensitivity of information is based on possible positive or negative consequences when an

unauthorised party acquires the information. Weible (1993) defines information sensitivity as

“the level of privacy concern an individual feels for a type of data in a specific situation”. Thus, the sensitivity affects the concerns of the customer and based on this definition, the

variation lies in the specific situation in addition to the type of data. The situation depends on

the company involved in the privacy breach. For example, a person would have higher

privacy concerns when their account history was stolen from their hospital than when that

information was stolen from their online bookstore. Due to the nature of each company,

different information is needed to provide services to the customer.

As in the example, the difference between account information from companies is

likely to be stronger on industry level. The difference is less likely to bring change in

accounts are determined simply by the product category. No clarity exists for the effects of

the product category on privacy breach in literature.

Most previous research involved online retailers, healthcare and financial services.

Different outcomes were measured when studying the relationships between the product

categories. Acquisti et al. (2006) found stronger effects among online retailers than on

financial institutions, contrary to Malhotra and Malhotra (2011), who found stronger effects

for financial institutions. This study concerns itself with the product category financial

services and online retail shopping. They are chosen for their presence among all consumers

in everyday life.

All things being equal, providing more sensitive information has a higher perceived

risk than less sensitive information (Malhotra, Kim, & Agarwal, 2004). Thus, perceived risk

is important when dealing with sensitivity. The risk means there is more to lose when a third

party accesses this information. Perceived risk has been negatively associated with loyalty

(Chakraborty et al., 2016). Moreover, perceived risk is an important factor for the

customer-company relationship.

As mentioned in Paragraph 2.2.1, customers entrust the company with a control over

their data. Perceived risk causes a need for trust to provide information (Olivero & Lunt,

2004). Perceived risk negatively affects trust and thus with higher risk, more trust is needed

to give a company control over the private information. Likewise, more trust is needed if the

information of the customer is more sensitive (Yang, Pang, Liu, Yen, & Michael Tarn, 2015).

Sensitivity is expected be higher for financial services: people’s spending history at their bank is more sensitive than at their online retailer. This is based on the simple fact that

the bank would contain all transactions and the online retailer contains only transactions of

purchases at that website. It is assumed that the average individual uses the same bank for

generally perceived as more sensitive among consumers than, for example, online shopping

patterns or lifestyle information (Malhotra et al., 2004).

People would have bigger privacy concerns when their account is hacked from a

company in the financial or health sector than from an online retailer. Furthermore, the

emotional reaction after a privacy breach can be heightened by higher levels of sensitivity of

the information. Therefore, in the last hypothesis, an influencing effect of sensitivity is

proposed.

H4: Higher sensitivity of the data that is subject of a privacy breach increases the impact on the loyalty of the customer.

3. Method

3.1 Design

To study the effect of a privacy breach on loyalty, a survey is developed to perform an

experiment. This survey stages a privacy breach to provoke a train of thought to reveal a new

perception on loyalty intentions. In the survey the respondents are told to imagine their

relationship with their main supplier of either financial services or online retail products. This

relationship is questioned throughout the survey in terms of engagement, loyalty and

additional variables.

A repeated measures design is applied to study the main relationship between the

privacy breach and loyalty. This means that every respondent is measured on his current

levels of loyalty, and these levels of loyalty are measured again after the staged privacy

breach. This creates a reference point of the variable loyalty, which is used to calculate the

change (Δ loyalty) with the second loyalty measurement. The calculated mean difference

variable of both loyalty measures creates the dependent variable.

The privacy breach itself is introduced to the respondent by exposure to an email

message that contains information about the privacy breach. Thus the independent variable

(privacy breach) is introduced as a message. This message informs respondents that the

company’s database suffered a security breach which has allowed an unauthorized third party to gain access to their information. Moreover this message is communicated in a neutral

manner and information is minimally provided. This is done to avoid communicating an

excuse to the customer which can be taken in a wrong way (Liao, 2007). This message is

manipulated to create different situations depending on severity and sensitivity. The

respondents are randomly assigned to the four conditions. Thus, additionally a 2 (high or low

severity) by 2 (high or low sensitivity) between group experiment is used to measure the

Considering the entire survey, it starts with general questions about the relationship

with the company, followed by a measurement of engagement. Then loyalty is assessed,

followed by the privacy breach message. After which a manipulation check is assessed,

followed by the second measurement of loyalty. Demographic information is asked in the end

of the survey to gather control variables. The survey is conducted by use of qualtrics.com

university software.

The assumption is made that this study does not require a control group. A repeated

measures design is used, with a pre-intervention measurement of loyalty that functions as the

control group (Saunders, Lewis, & Thornhill, 2012). According to Saunders et al. (2012) the

danger in a repeated measures design lies in the possibility that respondents experience

fatigue during the survey. Therefore measures are taken to construct the survey as short as

possible. For example no unnecessary or overflowing questions are asked. The survey is

added as Appendix 1.

3.2 Measures

All questions are answered in a seven-point-Likert-scale (1 = strongly agree / 7 =

strongly disagree) for maximum data extraction and accuracy (Saunders et al., 2012). Each

variable is discussed in this section.

Loyalty

Loyalty is measured twice, resulting in loyalty t-0 and loyalty t=1. These measures are

identical. They are merged into a single dependant variable. The scale of loyalty is derived

from theory that is often used for loyalty measurements. The scale consists of five items (α =

0.94) which contain questions about purchase intention and WOM (Zeithaml, Berry, &

Parasuraman, 1996). Example: “I would say positive things about this firm to other people”

(Zeithaml et al., 1996).

This is a dependent variable. Customer engagement has been measured in different

ways, all having their own focus, but in general ‘attention’ and ‘participation’ are used most

frequently (So, King, & Sparks, 2014; Sprott, Czellar, & Spangenberg, 2009; Vivek, Beatty,

Dalela, & Morgan, 2014). An extensive way to measure engagement is using five dimensions

(So et al., 2014). These are: identification, enthusiasm, attention, absorption and interaction.

Based on the goal of studying conative loyalty, behavioural dimensions are adopted. Five

items (α = 0.93) are adopted from attention and one item (α = 0.94) from interaction.

Example: “Everything related to this firm grabs my attention” (So et al., 2014).

Only one item is adopted from interaction because the other items are focussed on

enjoying spending time and interacting with peers in a brand community. In the product

categories of the current study, it is assumed that no brand community is involved.

Companies like the ones included, handle their own social media, but not always own a brand

community. A second assumption here is that the ‘interaction’ items from So et al. (2014) are

too much brand related. Therefore a measurement change is made based on the study by

Barger and Labrecque (2013). They say engagement through social media does not only

includes that the customer views or reads the posts of the company or brand, but goes a step

further. An engaged customer also likes, comments, replies or shares a post of the company.

Consequently a more universal classification is: “expressing agreement, rating, voicing

opinion and sharing” (Barger & Labrecque, 2013). Therefore in addition to the five items of ‘attention’, simplified items are added for ‘interaction’ which are (Barger & Labrecque, 2013):

1. Being likely to express agreement in the form of a like;

2. Voicing one’s opinion by placing a comment;

3. Participating in social media discussion.

Severity from the perspective of the customer is the extent to which data involved in

the breach causes possible damage to the customer (Ablon et al., 2016). Thus the severity of

the breach is determined by the amount of information that is lost by the company. Deriving

from this concept, two conditions are included in the survey. Thus sensitivity is an

independent variable. Low severity includes a privacy breach wherein the breach caused loss

of contact information and high severity contains a breach that involved loss of all

information stored (for example personal contact information, location data, credit or debit

card data, and spending history.).

Perceived severity

To check the manipulation through the experience of the respondent, three items (α =

0.80) are adopted that measure perceived severity (Chakraborty et al., 2016). Example: “This

incident is a serious problem to me” (Chakraborty et al., 2016). The manipulation check clarifies if the individual judgements of severity resemble the severity by manipulation.

Sensitivity

To measure sensitivity, two conditions (or product categories) are added. This makes

sensitivity an independent variable. Low sensitivity (online shopping website) and high

sensitivity (bank). These product categories because roughly everyone make decisions about

these products.

Different control variables are used to enable analysis to test relative relationships.

They consist of demographic variables and three other questions.

Age: the age of the respondent is asked. It is an ordinal variable with six options on 10 year

intervals.

Gender: the gender of the respondent. It is a binary nominal variable which states either

Income level: the current level of income. It is an ordinal variable with four options ranging

from ‘€0’ to ‘above €30 000’.

Education level: the highest level of education completed. It is an ordinal variable with four

options ranging from ‘high school’, to ‘Ph.D. candidate’.

Products bought: the number of products bought from the company. It is an ordinal variable

ranging from ‘1-3’ to ‘above 15’ for financial services and from ‘1-5’ to ‘above 50’ for online retailer.

Years being a customer: the length of the relation with the company. It is an ordinal variable

with four options ranging from ‘less than one year’ to ‘more than five years’.

Experienced breach before: the respondent has experienced a privacy breach before. It is a

binary variable which states either ‘yes’ or ‘no’.

3.3 Procedure

Before the ultimate sample collection, the survey was pretested to establish a good

understanding of the questions. After some edits, the final survey version was distributed

using the anonymous link. Convenience sampling is used to gather as many respondents as

needed and to avoid complications of random sampling. Responses were gathered mainly

through social media platform Facebook. By different public messages, visitors of the

platform were invited to participate. The instructions of the survey told respondents the study

aimed at determining customer attitudes and behaviour for a master thesis. After determining

that response rates were too low, individuals from the friends list were directly messaged

with the link. Finally also one reminder message was sent. The survey was open for three

3.4 Sample

To determine a sufficient sample size, a power analysis is conducted with the program

G*Power (Erdfelder, Faul, & Buchner, 1996). To conclude effects and interactions with four

groups in a statistical MANOVA f-test, sample size should minimally be 113 to achieve a

power of .80. Our sample suffices with 172 cases. The cases are mainly students and

employees within the Netherlands (97% are between 18 and 35 years of age, 60% females,

78% had income lower than 20 000 per year, and 53% obtained a bachelor’s degree). Furthermore, 9 cases have experienced privacy breaches. About the customer-company

relationship, 83% of the respondents are at least 3 years a customer and most 73% have

bought 1 to 10 products. The population consist of customers of the product categories that

are at least 18 years old. See table 1 for descriptive information and Appendix 2 for a detailed

frequency overview.

Variable Min Max Mean Mean related answer SD

Age 1 5 1.35 18 – 25 .637

Gender 1 2 1.60 Female .492

Education 1 3 2.11 Bachelor degree .678

Income level 1 4 1.73 €10,000 – €20,000 1.096

Products bought 1 5 1.95 3 – 10 1,287

Years customer 1 4 3.25 3 – 5 .895

Experienced privacy breach 1 2 1.95 No .224

4. Results

4.1 Preliminary analysis

Unfinished responses are deleted. Scale means are computed for the variables

engagement, loyalty t=0, loyalty t=1 and perceived severity. In addition dummy variables

were created for both severity (0 = low severity, 1 = high severity) and sensitivity (0 = low

sensitivity or retailer, 1 = high sensitivity or bank). Likewise a new mean difference variable

was created, Δ loyalty (loyalty t=0 – loyalty t=1). See table 2 for means, standard deviations,

correlations and Cronbach’s alphas coefficients of all variables. Reliability is high for all variable scales with Cronbach’s alpha values over .86, except for perceived severity that has a reliability of .703 which still suffices. Also none of the items would substantially affect

reliability if they were deleted. Furthermore factor analysis was performed for the

measurement of engagement, resulting in two factors. See Appendix 3 for details on the

factor analysis.

An outlier check showed one case which are deleted. The total data set resulted in 171

cases. A normality check showed one particularly interesting aspect of perceived severity. It

was not normally distributed, as the skewness was 1.6. It is further tested with the

‘Kolmogorov-Smirnov’ test. The result showed (statistic = .218, p = .001, p < .01), that the distribution is indeed not normal. Alternatively this variable was transformed (X*=Log10(X))

to prepare the numerical variable for moderation testing (Field, 2013). Inspection showed that

the variable was approximately normally distributed after the transformation.

To test is the group are heterogeneous, the demographic control variables are used.

The other control variables are dependent upon the company and are thus biased for

homogenous testing. Levene’s test indicated equal variances (F = 1.227, p = .291, p > .05). The results for each demographic variable is non-significant. Age (p = .194), gender (p =

.197), income (p = .070), education (p = .591) are all non-significant (p > .05) which

indicates homogeneity of groups. See Appendix 4 for details on the heterogeneity test.

A correlation matrix is created. The Likert-scale variables in the matrix indicate

disagreement when positive (as a higher point in the Likert scale indicates disagreement).

One exception on this rule is Δ loyalty in which a negative value indicates a decrease in

loyalty. Significant correlations are indicated with starts. With the control variables, several

correlations can be found. Income level is positively correlated with age and education is also

positively correlated with income level and age. Furthermore there are correlations between

loyalty t=0, engagement, products bought and loyalty t=1 which imply an equivalent view on

the relationship with the company. Likewise the correlation of engagement and age indicates

that older respondents are less engaged with companies. In addition there are some

unexpected correlations. Sensitivity is negatively correlated with loyalty t=0 and loyalty t=1,

which indicates that loyalty decreases with high sensitivity (bank). Thus customers of the

retailer are more loyal at both measurements. Sensitivity is positively correlated to years

being a customer, which indicates that customers of online retailers have a shorter

relationship with the company. Sensitivity is also just significantly correlated to income level,

which could be a coincidence, likewise previous breach experienced is correlated to income

level. Severity is not correlated in any way. On the variables of interest, a significant

correlation of engagement and Δ loyalty (.21) is seen, which indicates a mitigating effect of

engagement. Furthermore, severity and Δ loyalty are not correlated (.00). Lastly, sensitivity is

Table 2. Correlation matrix M SD 1 2 3 4 5 6 7 8 9 10 11 12 13 14 1. Gender 1,60 ,49 1,00 2. Age 1,35 ,64 **-,36 1,00 3. Income level 1,73 1,10 **-,33 **,50 1,00 4. Education 2,11 ,68 **-,24 **,23 **,24 1,00 5. Products bought 1,95 1,29 ,15 -,03 -,05 -,11 1,00 6. Years customer 3,25 ,90 -,02 *,18 *,17 -,01 -,10 1,00 7. Breach before 1,95 ,22 ,07 -,03 *-,18 -,08 ,01 -,08 1,00 8. Loyalty t=0 2,89 1,15 **-,25 **,25 **,28 ,07 **-,45 **,28 -,14 0.89 9. Engagement 4,83 1,02 **-,24 **,22 *,18 ,13 **-,29 **,22 *-,16 **,57 0.84 10. Per. severity 2,23 1,14 -,11 ,07 ,11 ,01 ,02 ,07 *-,17 ,04 ,10 0.70 11. Loyalty t=1 4,95 1,38 -,03 ,02 -,02 ,08 **-,27 ,03 -,01 **,43 **,27 **-,48 1,00 12. Δ Loyalty -2,06 1,36 *-,18 *,19 **,26 -,03 -,11 **,21 -,11 **,41 **,21 **,52 **-,65 1,00 13. Severity ,49 ,50 -,13 -,08 -,01 -,08 -,05 -,05 ,12 -,03 -,05 -,09 -,02 ,00 1,00 14. Sensitivity ,51 ,50 -.10 -.05 *-,18 -,07 **,62 **-,47 -,03 **-,50 **-,23 ,07 **-,25 -*,17 -,02 1,00 ** p<0.01 (2-tailed); * p<0.05 (2-tailed).