Week 12 – Journal Entry – Breach and Theories

Reading over the sample breach notification letter, a couple different economic and social theories come to mind.

For economic theories, the first that comes to mind is the Rational Choice Theory. Beginning with the customers, they have to immediately make some choices in response to the breach. As their payment information has been compromised, they must now decide if they need to cancel their cards or possibly monitor their credit for potential identity theft. The company, in response to the breach, has enlisted the services of a third-party cybersecurity company for the removal of malware and to help secure their data. These choices are made with those entities' best interests in mind. The Laissez-Faire Theory stands out to me as well. The breach had been undetected for nearly a year, leading me to question whether any regulation or guideline/framework, such as PCI-DSS, was in place. While PCI-DSS is not government-run, regular audits, particularly those performed by a third party, may have detected the breach sooner.

One of the first things that comes to my mind, particularly when a breach occurs, is whether this was the result of social engineering or an insider threat looking to benefit from their actions. While it is not specifically stated how the breach occurred, other than being blamed on malware, it leads me to believe that it would have been the result of social engineering between the two. End users tend to be the weakest link in cyber defense, and attackers know this. People can be manipulated or tricked into practically handing over the keys to the network by unknowingly installing malware on the system. For the victims of the breach, the trust once held with the company is most likely diminished. Particularly if this was a well-established, well-known company, the users most likely had not put much real thought into how their data may be handled and had assumed everything would be safe. However, now the users are made aware that, at one point in time, their private information was stored unencrypted, leading to an understandable amount of questioning as to how their data would be handled going forward if they continue to do business with the company.
