This sample breach letter was obtained from the Montana Department of Justice.  It was reported on April 5, 2017, as a result of a data breach incident that occurred with a business named GlassWasherParts.com.

There are a couple of economic theories that relate to the letter:

1. Rational choice – The business made choices about whether to invest in malware protection.  For example, the business may have chosen to invest in cybersecurity measures that were minimally effective, due to the cost of more robust security measures being too high.  Another example could’ve been that an employee may have chosen to click on a phishing link because they believed that the possible benefit of receiving the information in an email outweighed the cost of getting the business’ system infected with malware.  Maybe the business chose to delay patching a known vulnerability due to the cost of patching it.
2. Classical – Perhaps government regulations increased the cost of cybersecurity for this business, resulting in the business investing in cybersecurity measures that were minimally effective.  This is a similar scenario to what was previously mentioned; however, the letter does state that the business chose to outsource their cybersecurity needs to a platform provider.  This could potentially reduce the cost of cybersecurity measures for the company, while its platform provider simultaneously continues to work with a cybersecurity firm to remove the malware from its systems.

There are also a couple of social sciences theories that relate to the letter:

1. Social learning – This theory states that people learn by observing and imitating the behavior of other people.  It could be applied to understand how people learn cybersecurity risks and how to mitigate them.  As the company worked towards recovering from this cyberattack, perhaps they used it as an opportunity to design cybersecurity training programs that are based on social learning theory principles.  This could help teach employees how to mitigate cybersecurity risks as the company moves forward from the data breach incident.
2. Diffusion of innovations – This theory seeks to explain how new technological and other advancements are adopted by individuals and organizations.   Additionally, it also addresses barriers to the adoption of new cybersecurity technologies and best practices.  Similar to how the previous point mentions what the company can do as it recovers, the company could also provide financial incentives or training to encourage employees to utilize new technologies and practices.  To expand from this point, it’s also worth noting that the letter addresses customers who were potentially victims of identity theft.  It provided guidance on what customers should do to check for any suspicious activity, as well as who customers should inform of the incident so that they can be issued a replacement credit or debit card.

By understanding and applying these economic and social sciences theories, companies can develop more effective cybersecurity strategies that protect both financial and human resources.  This includes adopting new technologies and best practices that protect both payment information, as well as personal information.