This study simulated a scenario of fraud or identity theft by providing participants with a letter from a bank, describing a situation in which their personal banking information was compromised. Participants were asked to predict their own reactions. Researchers were interested in responses that reflected emotional reactions, perception of risk, any intention to change behaviour, and attitudes towards the role of government in cyber security.
The purpose of the experiment was to consider how people’s reactions might differ with the circumstances detailed in the letter. For example, the researchers manipulated the information about the attacker; in some letters, the attacker was an individual, in others a group or an unknown entity. Some letters portrayed the attacker as motivated by fame, or by money, while others suggested the attack was carried out to finance terrorism. Other variables were whether the attack was resolved, unresolved, or uncertain; and whether the attack targeted a single individual’s account or the entire bank database. The reactions to the different scenarios are compared to explore how different characteristics influence victim response.
Some circumstances are more likely to motivate victims’ engagement. If the situation is unresolved or the outcome is unknown, and therefore may pose some recurring risk of harm, participants reported a stronger impetus to change their circumstances than if the situation is resolved. Intended behaviour changes included actions such as discontinuing online transactions or purchasing an identity theft protection service. If the fraud was motivated by financial gain, victims were also more likely to perceive an ongoing risk than if supporting terrorism or some unknown objective was behind the attack. Victims reported more motivation when their own individual account information was compromised than when the whole bank database was; in this situation, victims are also likely to expect banks to increase security measures.
The individual’s perception of risk influences the motivation to change behaviour. Different demographic groups tend to perceive risk in different ways, and a few demographic characteristics were examined in this study. Female victims are more likely to perceive risk and support government involvement, and more likely to intend to seek help and invest in an online identity protection service. Similarly, older victims are more likely to be emotionally engaged and to support a government response for cyber security.
This study provides insight into how people respond and what can be expected from people who are told about fraud or identity theft. Banks can use information about victims’ responses in designing communication for fraud notification. If the purpose is to ease clients’ potential concerns, a message providing details on the outcome or resolution of the breach would be appropriate. If the objective is to motivate action, notification focusing on the continuing risk to the individual may be more effective. Where the underlying situation of fraud or identity theft is the same, victims are likely to react differently based on the information provided.
People react to different security messages in very different ways and consider the attacker and motivation before changing their behaviour. Tailored fraud notifications may elicit more positive responses.