Week 12 – Journal Entry

Read this sample breach letter, “SAMPLE DATA BREACH NOTIFICATION,” and describe how two different economics theories and two different social sciences theories relate to the letter.

A good way to approach this type of situation, and to apply social and economic theories, is to draw on theories from four perspectives that could be involved: the attackers, the victims, the company or corporation, and the companies or corporations outside of it.

On the attackers’ side of the equation, the Reinforcement Sensitivity Theory (RST) could provide insight into why they may have committed the act; it could also help the victim understand the act from an objective point of view. RST, in short, posits that people will behave differently based on differing sensitivities of brain systems. This theory involves factors like reward interest, goal-driven persistence, reward reactivity, and impulsivity; neural responses to these factors will influence a person’s likelihood of getting involved with cybercrime, such as the data breach referenced in the breach letter. Furthermore, the Neutralization Theory could add external context relating to the justification of the crime. Neutralization Theory suggests that people know right from wrong, but they have already justified their behavior prior to committing the crime. A common example could be that the crime was committed for the benefit of their group or even their familial needs. It could be seen as immoral from the victim’s standpoint, but the attackers have already created a scenario in which it isn’t.

On the company’s or corporation’s side of the equation, the Rational Choice Theory could provide insight into what corrective actions were taken and should be taken, as well as how the company planned to go forward with those actions. The Rational Choice Theory suggests that people and businesses act in their best interest; in this case, there was a data breach that lasted from February to December and put customer payment info at risk. It was in the company’s best interest to delay notifying the customers until a time after the breach was discovered, for the benefit of the investigation into the attack; following that, it was in its best interest to dedicate resources to working with a cybersecurity firm to ensure that no further damage was done, to aid in maintaining customer satisfaction and loyalty. Moreover, Expected Utility Theory, which suggests that people make decisions based on the expected utility of different outcomes, would align well with this situation and the actions that were taken. Evaluating the pros and cons of dedicating more resources to the prevention of another attack would tie right into this theory.

Lastly, from the perspective of other companies or corporations, this entire incident could be perceived as a risk to cooperation. It’s going to be difficult not to take a hit to reputation after any type of cybersecurity incident. Companies and corporations actively try to keep their reputations as clean as possible; negative events such as this data breach will inevitably lead to attempts at, and strategies for, recovering from the reputational damage. Impression Management Theory encompasses this concept well; it focuses on how people manage their image and how they are seen by others, as well as how negative events can affect their image, leading to efforts to mitigate the damage done, similar to how the events in the breach letter unfolded.
