Responding to identity theft: A victimization perspective


Accepted Manuscript

Yuan Li, Adel Yazdanmehr, Jingguo Wang, H. Raghav Rao

PII: S0167-9236(19)30061-2
DOI: https://doi.org/10.1016/j.dss.2019.04.002
Reference: DECSUP 13053
To appear in: Decision Support Systems
Received date: 29 October 2018
Revised date: 6 March 2019
Accepted date: 7 April 2019

Please cite this article as: Y. Li, A. Yazdanmehr, J. Wang, et al., Responding to identity theft: A victimization perspective, Decision Support Systems, https://doi.org/10.1016/j.dss.2019.04.002

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Yuan Li*
Department of Management Information Systems, College of Business and Management, University of Illinois at Springfield, One University Plaza, MS UHB 4021, Springfield, IL 62703, U.S.A.
+1 217 206 8276

Adel Yazdanmehr
Paul H. Chook Department of Information Systems and Statistics, Zicklin School of Business, Baruch College, City University of New York, New York, NY 10010
+1 646 312 3437

Jingguo Wang
Department of Information Systems and Operations Management, College of Business, The University of Texas at Arlington, Arlington, TX

H. Raghav Rao
Department of Information Systems and Cyber Security, College of Business, University of Texas at San Antonio, San Antonio, TX

Declarations of interest: none

* Corresponding author

DECSUP-D-18-01001.R1

ABSTRACT

This study examines victims’ responses to identity theft and antecedents to their responses. Drawing upon the victimization and coping literature, we recognize an emotional response called perceived distress and a portfolio of four behavioral responses including refraining from online transactions, refraining from information disclosure, emotional adjustment, and self-protection such as subscription to identity theft protection services. We conduct an empirical test on the antecedents to the responses. Based on a survey on 197 self-reported identity theft victims, we find that perceived victimization severity, which is determined by the magnitude of financial loss, the extent of misuse of personal information, and the amount of time spent resolving the issue, has a positive impact on perceived distress, and perceived distress has a positive impact on the behavioral responses. In addition, time elapsed since the incident negatively influences perceived distress, and past use of online services negatively influences the behavioral responses. This study highlights the central role of perceived distress in mediating the impact of perceived victimization severity on behavioral responses, calling for more attention to emotional responses of victims.

Keywords: Identity theft victimization, perceived distress, coping behaviors, coping theory, lifestyle-routine activity theory, psychological immune system

1. Introduction

In the past two decades, identity theft has attracted increasing attention from researchers and practitioners due to the rising number of identity theft incidents and the amount of financial loss caused [4, 45, 59, 65]. A report by Javelin Strategy & Research shows that in 2017, there were 16.7 million victims of identity fraud, with a total loss of $16.8 billion [45]. Beyond financial loss, victims also suffered from emotional distress [24] as they spent hours, days, and years to solve the problems [55]; for working employees, this also meant productivity loss [19, 59]. Yet, it is unclear how such victimization experience impacts the victims and changes their subsequent online activities [27, 64]. Helping victims recover from identity theft has become an important task for researchers and practitioners [19, 64].

To date, studies on victims’ responses to identity theft have been scarce [53]. Other than some descriptive studies on the reporting of fraudulent activities to police or other authorities [1, 3, 6, 12, 20, 24, 53, 55], little is known about the range of emotional and behavioral responses of the victims, or factors that influence their responses [19]. Besides, how the victims’ lifestyles or online activities may change due to victimization has been barely studied [19]. As we see rising numbers of victims over the years [45], studying the experiences of victims can help better understand their emotional and behavioral responses, and subsequently help them recover from the incidents.

In this study, we investigate two related issues: 1) what types of emotional and behavioral responses does a victim have after identity theft, and 2) what factors influence those responses? To answer the questions, we draw upon identity theft victimization and coping literature to recognize an emotional response of the victims known as perceived distress [19, 50] and four aspects of behavioral responses including refraining from online transactions, refraining from information disclosure [53], emotional adjustment [36, 43, 68, 71], and actively engaging in self-protection such as subscription to identity theft protection services [28, 43, 53]. These behaviors represent long-term responses to identity theft [53]. Next, integrating literature on coping [36, 51, 52, 71], psychological immune system [17, 69], and habit [37, 44], we study antecedents to the responses, including perceived victimization severity [1], time elapsed since the incident [17, 69], and past use of online services [48, 49]. We suggest that perceived victimization severity, denoting the victim’s subjective assessment of direct damages (such as monetary loss) caused by the incident, has a positive impact on the emotional and behavioral responses while time elapsed since the incident and past use of online services both have a negative impact. As perceived victimization severity is an important antecedent to emotional and behavioral responses, we extend the study to examine factors that influence the severity, including the magnitude of financial loss [4, 19], the extent of misuse of personal information [3, 12, 50], and the amount of time spent resolving the issue [3, 12, 19, 61]. We expect these factors to contribute to perceived victimization severity.

A survey of 197 self-reported identity theft victims was conducted to empirically test our research model. The results show that perceived victimization severity, which is determined by the magnitude of financial loss, the extent of misuse of personal information, and the amount of time spent resolving the issue, has a positive impact on perceived distress, and perceived distress has a positive impact on behavioral responses. In addition, time elapsed since the incident has a negative impact on perceived distress, and the past use of online services has a negative impact on behavioral responses. Further analysis shows that perceived distress fully mediates the impact of perceived victimization severity on behavioral responses, highlighting the central role of perceived distress in changing victims’ behaviors.

Our study examines an under-investigated area in the cybersecurity literature, i.e., the post-victimization responses of victims. It has three contributions. First, by analyzing the emotional and behavioral responses of the victims, it presents a picture of how they cope with their victimization. This extends past research that was bound to victims’ reporting behavior [20, 50]. Second, the mediating role of perceived distress has important theoretical implications, suggesting that emotional responses should be better understood to gain deeper knowledge on identity theft victimization. Third, the negative effects of time elapsed and past use of online services suggest that victims may eventually recover from the psychological impact of victimization as time goes by and their habits of using online services make them less likely to change their online behaviors or adopt protective measures. The implications of the finding are explored.

2. Literature Review and Theoretical Bases

2.1. Identity theft victimization and the lifestyle-routine activity theory

Criminal victimization can be physically, economically, and psychologically harmful [1]. In terms of identity theft, economic and financial loss has been widely recognized, as studies show an average of $1,000 loss per victim [24, 45]. The psychological impact on victims is also severe and enduring, as some victims may suffer for years from identity theft [24, 55]. The physical impacts on victims such as headaches and high blood pressure have also been observed [19, 50]. Of all these outcomes of identity theft, the emotional impact deserves the most attention [24, 55]. We focus on the emotional response of the victims and their subsequent behavioral responses.

The emotional impact on victims is widely observed. One such impact, known as psychological or emotional distress, is witnessed among all sorts of victims ranging from violent crime victims to property crime victims [42]. Although the distress may attenuate over time, for some victims it may last for months and years. For identity theft, similar distress has been observed among victims. For example, Sharp et al. [58] studied 37 victims of identity theft and found that the victims had distress such as somatization, depression, and anxiety, and for those whose cases remained unresolved, the distress remained over time. A national survey on 3,709 identity theft victims shows that 80% of the victims suffered from emotional distress such as anxiety and depression [19]. Other symptoms of emotional distress, such as anger, helplessness and mistrust, were also observed [12]. In general, psychological or emotional distress is a common response of victims of identity theft.

In terms of the behavioral responses, the lifestyle-routine activity theory (or RAT), an integrated theory of victim behaviors in the criminology literature [40, 41, 49, 56], offers some insights. This theory helps to understand the behaviors of victims and the strategies they implement to avoid revictimization [56, 64]. It explains the conditions upon which a crime takes place, with a focus on the lifestyles or routine activities of victims [40, 48]. The premise is, if victims do not change their (risky) routine activities, they may become victimized again. RAT posits three conditions for a crime: a motivated offender, a suitable target, and a lack of capable guardianship [11]. In terms of identity theft, first, certain victim-related activities such as online banking and shopping may increase one’s likelihood of being victimized: for example, Reyns [48] shows that the victimization likelihood may increase by 30-50%, compared to those who do not engage in these potentially risky activities. Thus, to prevent future revictimization, these activities should be recognized and altered, refrained, or avoided.

The kinds of online activities that may lead to identity theft are very broad, ranging from online banking, shopping, emailing, instant messaging, to music and podcast downloading [9, 48]. Rosoff et al. [53] developed a comprehensive list of twelve long-term behavioral changes, such as using credit cards significantly less than before, requesting free fraud alert service from a credit bureau or subscribing to the services, using pseudonyms in social network, and refraining from online transactions that require personal information. We adopt this list in the study. Nevertheless, Rosoff et al. aggregated the behaviors into a single construct despite their heterogeneity. Given the distinct characteristics of these activities, we categorize them into two groups: online transactions and information disclosure. Online transactions deal with online banking, bill payment, shopping, and other transactional activities. Online information disclosure, then, deals with communicating personal information through the Internet, which does not involve transactions and thus may not cause direct financial loss. Refraining from these online activities constitutes long-term solutions to identity theft as compared to short-term reporting behaviors [72, 73].

RAT also advocates the importance of capable guardians, including technological guardianship such as anti-malware software [9], to protect victims. For identity theft, guardians that protect individuals’ personal information and/or undercut the targeting behaviors of motivated offenders [49] have the capability to reduce damages of identity theft and chances of revictimization. Nevertheless, in some prior studies, traditional guardians such as firewall and anti-virus software were not found to reduce the risk of identity theft [34, 49]. Thus, we focus on a relatively new defensive and alerting solution for mitigating the threat – identity theft protection service such as credit monitoring [43] – that uses third-party services such as LifeLock, TrustedID, and Equifax ID Patrol to safeguard one’s online identity [28, 53]. Such services may curb fraudulent use of personal information (e.g., via credit freeze), helping to reduce damages caused by identity theft and deter future revictimization. For example, after some high-profile data breach incidents [7, 30], victims were offered free identity theft protection services to restrain the damages. We study how victims may adopt this response to actively protect themselves.

In addition to the recognition of responses to identity theft, we are also interested in learning what factors influence their responses. The literature suggests that victimization experiences such as monetary loss, time loss, and even legal troubles that stem from restoring one’s identity [19] are potential influential factors. In general, the more severe the experiences are for the victim, the more likely the victim will exhibit emotional and behavioral responses. Nevertheless, Abbott and McGrath [1] argue that perceived severity of victimization mediates the effect of crime victimization on risk perceptions and responses. Specifically, perceived victimization severity reflects the victim’s own appraisal of victimization experience, having stronger predictive power than other objective indicators of victimization such as monetary loss. Thus, we study victims’ perceived severity of victimization and its impact on the emotional and behavioral responses.

2.2. Coping literature

The coping literature provides a common basis to study the adoption of protective behaviors to deal with threats [8, 31, 43, 68, 71]. It specifies two types of behavioral responses to threats: problem-focused coping and emotion-focused coping. Problem-focused coping aims to change the causes of the threat; activities such as refraining from online transactions and information disclosure, and subscribing to identity theft protection services, all fall into this category. In contrast, emotion-focused coping does not aim to reduce the causes of the threat but to adjust one’s dreadful feelings aroused by the threat to achieve the best personal well-being [2, 36, 68]. For example, the victim may try to avoid thinking of the dreadful experience, or self-blame for its occurrence. This type of (maladaptive) coping response is especially common when the threat cannot be fully mitigated [19]. We thus examine emotion-focused coping of victims due to a lack of research on this response, and label it emotional adjustment. It should be noted that problem-focused coping and emotion-focused coping are not exclusive but complementary and coexistent [36], a mechanism called parallel processing [2, 68, 71].

Thus far, we have recognized both an emotional response and a portfolio of behavioral (or coping) responses to identity theft, including refraining from online transactions, refraining from information disclosure, actively engaging in self-protection such as subscription to identity theft protection services, and emotional adjustment. Their relationships to perceived victimization severity are not identical: the coping literature suggests that the emotional response is a direct dependent of perceived severity, whereas the choices of behavioral responses are contingent on the emotional response, a process called fear appeal [8, 36, 68, 71]. This suggests a potential mediating effect of emotion on the impact of perceived victimization severity on behavioral responses. Their specific relationships will be addressed in Section 3 (Research Model and Hypotheses).

To gain more insight into identity theft victimization, we examine factors that influence perceived victimization severity. The coping literature suggests personal experience as an important source for the perceived severity [71]. Via an examination of literature related to U.S. government-sponsored public surveys [65], we recognize three factors related to one’s victimization experience. The first and foremost is the magnitude of financial loss, or the monetary loss of the victims [4, 19, 24]. In addition, victims also suffer from misuse of personal information when criminals illegally use their information to conduct online transactions, open new accounts, obtain loans, or achieve other benefits [4, 50]. To resolve the troubles caused by identity theft, victims must spend time and energy to contact their banks, credit card companies, or other authorities [3, 12]. All these factors, namely financial loss, misuse of personal information, and time to address the issue, would contribute to an overall assessment of perceived victimization severity.

2.3. Potential barriers to the responses

We also study potential barriers to victims’ responses. According to the psychological immune system theory [17, 69], people have an innate psychological system that fights the threat of negative life events (such as divorce or layoff) to emotional well-being and recover from bad feelings [70]. For example, a person who just got divorced may feel very sad, but the sad feeling may become weak or disappear over time. Such an immune system works subconsciously, and reconstrues or rationalizes an event in a way that makes a person feel better. Because of this increased tendency to subconsciously reconstrue negative events, people might view the events in more neutral terms over time [69], resulting in a reduced emotional distress and less engagement in protective behaviors.

It should be noted that the psychological immune system is different from the emotion-focused coping. The most fundamental difference is their distinct cognitive basis: psychological immune system does not depend on conscious thinking of the subject; instead, people are generally unaware of the influence of the system on their emotional well-being [17]. Emotion-focused coping, on the other hand, is driven by cognitive appraisal of the threat and the subsequent fear perception, and people have the choice of engaging in this type of coping rather than problem-focused coping [2, 71].

Secondly, we suggest that the need to use online services (such as online banking) may persist and offset the motivation to refrain from these (potentially risky) activities. In other words, because of habit, victims may be motivated to continue their online activities despite victimization experience, as one’s past habitual behaviors would have a direct impact on future behaviors [37, 44]. In terms of behavioral responses to identity theft, this means that past use of online services would nullify the efforts to reduce the behaviors, suggesting a negative impact of past online service use on one’s engagement in behavioral responses. This provides another explanation for future revictimization [64]. In the next section, we develop a research model to examine the relationship between these factors.

3. Research Model and Hypotheses

Integrating the above literature, we develop a model in Fig. 1 to address the emotional and behavioral responses of identity theft victims and antecedents to their responses. We postulate that perceived victimization severity, determined by antecedents such as the magnitude of financial loss, the extent of misuse of personal information, and time spent resolving the problem, influences victims’ perceived distress, and perceived distress is a direct antecedent of behavioral responses. Further, perceived distress is negatively influenced by time elapsed since the incident, and past use of online services has a negative impact on behavioral responses. The hypotheses are developed as follows.

Fig. 1. Research model and Hypotheses

3.1. Perceived victimization severity and its antecedents

In identity theft victimization, perceived victimization severity refers to a person’s subjective assessment of the damages caused by the fraudulent use of his or her personal information. It is determined by victimization experiences regarding financial loss, misuse of one’s identity information, and time spent resolving the issue. First, financial loss is a common experience with identity theft: studies show that more than half (57%) of the victims suffered from it [24]. The magnitude of financial loss is also enormous, in the range of several hundred to several thousand dollars per victim [4, 19], and in some cases, the per capita loss can be more than $13,000 [4]. The amount of monetary loss was also found to be positively associated with perceived distress, but with a small effect size [19]. We suggest that this may be due to the possibility that financial loss, along with other victimization experience, contributes to an overall assessment of perceived victimization severity, so that financial loss does not exert a separate impact on emotional or behavioral responses but through the impact on perceived victimization severity. We hypothesize:

H1a: The magnitude of financial loss due to identity theft is positively associated with perceived victimization severity.

Another victimization experience deals with the misuse of personal information by others. Victims have seen their identity being used to open new bank accounts, obtain new loans, apply for jobs, rent houses, and even apply for government aid [3, 50]. Some of the misuse of information may result in further monetary loss, while others may cause reputation damage, thus adding to the overall perception of severity of victimization. We hypothesize:

H1b: The extent of misuse of personal information due to identity theft is positively associated with perceived victimization severity.

The resolution of identity theft can be time-consuming, which causes additional strains on the victims [53]. Earlier on, it was reported that the median amount of time to resolve problems from identity theft was four hours, and in some cases, it could reach 55 hours or longer [4]. Further research shows that on average, victims spend about 15 to 30 hours, often spread out over several years, resolving financial problems caused by identity theft [19]. The long hours spent on resolving the aftermath of identity theft cause a number of side effects, such as emotional stress and monetary loss due to missed work [12]. Thus, time spent on addressing the aftermath of identity theft adds to the overall perceptions of perceived victimization severity. We hypothesize:

H1c: The amount of time spent resolving identity theft is positively associated with perceived victimization severity.

3.2. Perceived distress and its antecedents

The coping literature suggests that perceived threat leads to emotional responses such as concerns, worries, anxiety, and fear [8, 51, 68, 71]. These responses reflect different extents of a victim’s feelings of dread about the severity of the threat, which is termed perceived distress in this study. Past research shows that a significant portion of victims (72%, according to [24]) experienced distress following identity theft [50], and identity theft victimization led to worries about future revictimization [1]. The worries will become stronger as perceived victimization severity intensifies. Thus, we expect a positive impact of perceived victimization severity on perceived distress of the victims.

We do not expect direct impacts of victimization experiences such as financial loss on perceived distress, but suggest that the impacts of these factors will be fully mediated by perceived victimization severity, as the coping theory implies [71]. In addition, studies show that perceived victimization severity is more impactful than the victimization experience factors in predicting victims’ cognitions and behaviors [1, 32], as perceived victimization severity aggregates all sorts of experiences. Thus, we hypothesize:

H2: Perceived victimization severity is positively associated with perceived distress.

“Time is the best medicine” is a phrase people use to explain the mechanism of an adaptive system, such as a human being, to recover from trauma. Although the monetary, psychological, and even physical impact of identity theft can be painful, people are born with a self-defense system to deal with the pain and recover over time. The psychological literature recognizes this inherent self-defense system – psychological immune system – in humans that detects and neutralizes events that challenge their sense of well-being and helps them recover from stressful feelings [17, 69]. According to this system, people have the tendency to handle a negative event (such as divorce, layoff, or identity theft) in a way that leads to reduced psychological impact: for example, they may become distracted by other life events and thus pay less attention to the incident. Via such distractions from other events, the significance of the negative event (i.e., identity theft) becomes weak, resulting in less stressful feeling. In addition, as time flies, victims may not remember the facts related to the incident with precision or accuracy [66]. Thus, time elapsed since the incident can be a good medicine to recover from the stressful feeling of the incident, and we hypothesize:

H3: Time elapsed since last identity theft incident is negatively associated with perceived distress.

As mentioned above, the psychological immune system works subconsciously, and in many cases the subjects are not aware of its existence and may overlook its effect, known as “immune neglect” [17]. This suggests that the subjects are not adopting the defense system to adjust their emotions consciously, making it different from the behavioral responses called emotional adjustment.

3.3. Behavioral responses

The coping literature prescribes both problem-focused coping and emotion-focused coping to threat situations. We mentioned earlier that problem-focused coping includes a portfolio of behaviors ranging from refraining from online transactions and information disclosure to actively engaging in self-protection such as subscribing to identity theft protection service. While problem-focused coping aims to reduce the causes of the threat, emotion-focused coping (i.e., emotional adjustment) aims to adjust the dreadful feelings. A victim may adopt both to achieve the best well-being, especially when the threat cannot be fully mitigated.

First, refraining from online transactions refers to limiting one’s use of online shopping, banking, or other financial activities [72, 73]. This does not imply a total retreat from online transactions, but a reduction in one’s use of online storefronts and shopping with trusted merchants only. It helps to reduce the exposure of one’s personal information and the chance of revictimization [50, 64], as online merchants are frequent targets of cybercriminals. Second, refraining from information disclosure refers to limiting giving out personal information to others. This does not usually involve online transactions, as many people give out information in social media or other channels. By restricting the disclosure and use of personal information in online shopping or other activities, one can reduce further damage caused by identity theft.

We argue that perceived distress is the direct antecedent of protective behaviors. As aforementioned, perceived threat engenders emotional response (or perceived distress), and emotional response influences the subsequent adoption of coping responses [2, 8, 68, 71]. Especially in identity theft victimization, the perception of threat may not be very accurate, as many victims are not aware of the exact amount of financial loss they suffered, or the extent of misuse of their personal information. Thus, perceived victimization severity may remain vague, and victims rely on perceived distress to decide what to do. Thus, we hypothesize:

H4a: Perceived distress is positively associated with refraining from online transactions.

H4b: Perceived distress is positively associated with refraining from information disclosure.

Another passive (also called maladaptive) response to identity theft is emotional adjustment. As the coping literature shows [68, 71], victims may adopt an emotion-focused coping to adjust their feelings of dread caused by the threat, and this coping mechanism works in tandem with the problem-focused coping (thus a parallel process) to address insufficiencies of the latter to control risks and eliminate distress [43, 68, 71]. As perceived distress grows, victims may strive to regulate their negative emotion so that they can resume their psychological well-being [22]. Emotional adjustment reflects how much effort individuals engage to achieve the rebalance of their feelings, but not how much or how fast their feelings are rebalanced. This effortful response is intrinsic and can be shown in different cognitive processes, such as intentionally ignoring the source of stressful situation, or wishful thinking [14]. For example, individuals may wish that the criminals only target victims possessing significant financial assets [57], or the credit card company would cover all the loss. By engaging in such wishful thinking, the victims intend to adjust their feelings to offset the stress they feel. This type of coping has been found to reduce stresses and improve victims’ best well-being [21], and practitioners have been using this technique to help victims regain emotional balance [16]. We hypothesize:

H4c: Perceived distress is positively associated with emotional adjustment.

In addition to the above passive behaviors, victims of identity theft may also seek proactive

ED

measures such as seeking guardianship like identity theft protection services [28, 53] to mitigate damages caused by identity theft and deter future revictimization. After some high-profile data breaches in recent

PT

years, identity protection services have caught attention of the public interest and have been touted as a

CE

remedy for identity theft. For example, after the Equifax data breach in 2017, Equifax, along with many financial institutes such as banks and credit card companies, offered free identity protection services to

AC

their clients [39, 47]. Meanwhile, other paid services such as LifeLock, TrustedID, and Equifax ID Patrol also help victims regain their identities. Those who suffer from identity theft and experience dreadful feelings may be motivated to use the service, and the more stressful they are, the more motivated they would be. We hypothesize: H4d: Perceived distress is positively associated with intention to subscribe to identity theft protection services. It should be noted that we focus on one’s intention to subscribe to identity theft protection services (in H4d), not the actual subscription behavior. To decide which service provider to subscribe to, 12

ACCEPTED MANUSCRIPT not only one’s threat appraisal (i.e., perceived victimization severity and distress) but also coping appraisal has to be determined [51, 71]. Coping appraisal assesses the kind of services provided and the corresponding cost, which influences the actual subscription behavior of the victim. As we are focusing on one’s general behavioral responses, it goes beyond the scope of this study to examine the specific

T

subscription behavior and the underlying coping appraisal. This limitation is addressed in Section 6.3.

H2 and H4a-d together imply that perceived distress will mediate the impact of perceived victimization severity on behavioral responses. Some empirical studies confirm this expectation [8, 68]. Thus, we hypothesize:

H5: Perceived distress mediates the impact of perceived victimization severity on behavioral responses including refraining from online transactions, refraining from information disclosure, subscription to identity theft protection services, and emotional adjustment.

Past use of online services reflects one’s habit in using the Internet for various online transactions, ranging from online banking to shopping, entertainment, and communication. Although engaging in these online routine activities exposes one to potential identity theft [48], a total seclusion from online activities is beyond imagination in the Internet era. Thus, one’s past use experience may to some extent influence their subsequent online behavior, as the literature on habit shows [37, 44]. First, those who engage in online banking, shopping, and other transactions may find it difficult to refrain from online transactions and move offline, and such feeling is strengthened as more and more merchants migrate to online platforms with their products and services. Second, individuals accustomed to online information disclosure (using online forms, emails, or other digital media) may find it inconvenient to use other forms such as paper to communicate. Both suggest a lack of motivation to abandon online transactions and information disclosure, even for identity theft victims. This is also reflected in the simultaneous rise in the numbers of online shoppers and identity theft victims in the past two decades. We hypothesize that whenever possible:

H6a: Past use of online services is negatively associated with refraining from online transactions.

H6b: Past use of online services is negatively associated with refraining from information disclosure.

In addition, an extensive use of the Internet may inflate one’s confidence in dealing with online risks and reduce concerns, despite accumulated awareness about the risks. In contrast to a general perception that online experience may enhance one’s concerns about online risks, a review study in the privacy literature shows the opposite, as online experience may reduce such concerns [35]: as a person accumulates further awareness about online risks, he or she may learn to avoid some of the risks and become less concerned. This may be interpreted from the self-efficacy perspective: Stone [63] finds that individuals with higher self-efficacy (e.g., due to past Internet use) tend to have a high level of confidence in their abilities, and exert less effort or allocate fewer resources to the task (in our context, protection from identity theft). They feel confident that they know how to deal with the issues themselves. Thus, effortful (or costly) responses such as emotional adjustment and subscription to identity theft protection services may be considered unnecessary. The critical aspect is the perceived cost-benefit ratio: the person with good Internet experience will perceive that the cost of subscribing to the services is not worth the benefit from those services because he/she will be able to conduct self-defense [67]. All these suggest that the past use of online services may reduce engagement in coping behaviors of victims, so we hypothesize:

H6c: Past use of online services is negatively associated with emotional adjustment.

H6d: Past use of online services is negatively associated with intention to subscribe to identity theft protection services.

Several control variables are included in this study, including the intensity of Internet use (i.e., how long a person uses the Internet each day) and one’s demographics (i.e., age, gender, education, and income).

4. Research Method

4.1. Research design

To test the research model, we conducted an online survey using the Qualtrics panel service (Qualtrics.com). The survey was distributed by Qualtrics and its partner, Survey Sampling International (SSI; www.surveysampling.com), to their eligible panel participants based on their random sampling protocol. According to the brochure sent to the researchers by Qualtrics in a private communication, SSI was founded in 1977 as the pioneer commercial sample provider. Each year, it conducts more than 10 million interviews. The active panel size in North America (U.S. and Canada) is more than 920,000. Invitations were sent through individual emails by Qualtrics and SSI, without any leading or suggestive subject lines or messages in the body of the email, to each potential respondent who was registered in their panel database and matched our sampling criteria (U.S. consumers aged 18 or older). Each respondent could participate in the survey without any time and location restriction. Moreover, every respondent was informed that whenever they wanted to withdraw from the survey, they could do so without any penalty. Qualtrics also performs panelist quality monitoring through the use of rotating trap questions that are added to confirm that a real user is answering the question. Qualtrics double checks profiling data and eliminates speeders (those who answer the questions too fast – implying that they have not thought about the questions), straight liners (those who respond with the same answer for every question) and other undesired behavioral patterns. These measures make the Qualtrics research panel a viable source for conducting academic research [38, 62]. Those participants who finished the survey successfully were compensated by Qualtrics based on their own incentive mechanism. Due to the large pool of registered panelists on Qualtrics, the data collection was completed within two days.

A self-administered survey questionnaire was used to collect data. The survey aims to understand the profile of fraud victimization and whether the victimization experience changes one’s self-protection behavior. Both victims and non-victims were able to participate. We did not target identity theft victims directly; instead, we asked each subject whether he or she had experienced any scam incident in which someone stole their identity, financial, or other personal information. Those who answered Yes were self-identified as identity theft victims and were asked to complete further questions regarding their victimization experience and responses. Those who answered No were redirected to another part of the survey and were not included in the study. This non-intrusive, self-reported approach to victim discovery helps avoid psychological alarm of the victims and solicit their true opinions. On the consent form, we also explicitly stated the privacy policy of the study, assuring confidentiality of the participants. This also helps to address common method bias [46] in the study. Three attention-checking questions were inserted at different places of the survey to ensure data quality, and those respondents who failed any of the questions were filtered out.

4.2. Measurements

The measurement items were adopted from extant literature to ensure reliability and validity; see Table 1. For example, items measuring victimization experiences were adopted from the National Crime Victimization Survey by the U.S. Department of Justice [65]; items measuring perceived victimization severity were adopted from the coping literature [8, 68]; and items measuring perceived distress were adopted from the intrusion/hyperarousal dimension of a subjective stress measure called Impact of Event Scale [13, 25] while items for emotional adjustment were adopted from the avoidance dimension of the measure. Of the latent constructs, perceived victimization severity, refraining from online transactions, refraining from information disclosure, and subscription to identity theft protection services are measured with items on a 5-point Likert scale (ranging from strongly disagree/very unlikely to strongly agree/very likely); perceived distress and emotional adjustment are measured with items on a 4-point Likert scale (ranging from not at all to often) according to the Impact of Event Scale [13, 25]. Using these different scales also helped to reduce the common method bias in the self-administered survey [46].

For the control variables, we measured intensity of Internet use by asking respondents how often they use the Internet in a typical day, such as less than 2 hours, 2 to 4 hours, 4 to 6 hours, and so on. Other control variables such as age, gender, education, and income are each measured with a single item.

Table 1 Measurement Items.

Financial loss [65]
What is the approximate amount of financial loss you had due to the incident?
- Less than $100
- Between $100 and $500
- Between $500 and $1000
- Between $1000 and $2000
- More than $2000

Misuse of personal information [65]
Please check if any of the following situations applies to you after the incident:
- New credit card opened in your name
- New telephone, cellular, or utility service opened in your name
- New bank account opened in your name
- Bad checks or unauthorized charges placed on your existing account
- Loan obtained in your name
- Driver’s license obtained in your name
- Government benefits obtained in your name
- Employment gained in your name
- Medications, medical treatments or other medical services obtained in your name
- Avoiding legal/criminal sanctions in your name
- Other (please specify)

Time spent resolving the issue [65]
How many hours have you spent in order to resolve the problems related to the incident?
- Less than an hour
- Between 1 hour and 5 hours
- Between 5 hours and 10 hours
- Between 10 hours and 20 hours
- More than 20 hours

Time elapsed since the incident [65]
How many months ago did the incident happen?
- Less than a month ago
- 1-3 months ago
- 3-6 months ago
- 6-12 months ago
- More than 12 months ago

Perceived victimization severity [8, 68]
Please indicate the extent to which you agree with the following statements: [Strongly disagree…Strongly agree]
- The scam incident caused a lot of troubles in my life.
- The consequence of the scam incident was severe for me.
- The loss that resulted because of the scam incident was significant for me.

Perceived distress [13, 25]
Below is a list of comments made by people after experiencing a scam incident. Please mark each item, indicating how frequently these comments were true for you. If they did not occur during that time, please mark the “not at all” column. [Not at all…Often]
- I had trouble falling asleep or staying asleep because of pictures or thoughts about the incident that came to my mind.
- I had waves of strong feelings about the incident.
- I had dreams about the incident.
- Pictures about the incident popped into my mind.
- Other things kept making me think about the incident.

Refraining from online transactions [53]
Whenever I can I will avoid… [Strongly disagree...Strongly agree]
- making online purchases.
- communicating with my bank via emails or websites.
- making online bill payments.
- accessing my financial accounts online.

Refraining from information disclosure [53]
Whenever I can I will avoid… [Strongly disagree...Strongly agree]
- talking people over the phone for my personal information.
- sending my personal information via emails
- filling my personal information online.

Subscription to ID protection service [8]
Please indicate the extent to which you agree with the following statements regarding your intention to subscribe to identity protection services. [Very unlikely…Very likely]
In the short future…
- I am likely to subscribe to identity protection services.
- It is possible that I subscribe to identity protection services.
- I am certain that I will subscribe to identity protection services.

Emotional adjustment [13, 25]
Below is a list of comments made by people after experiencing a scam incident. Please mark each item, indicating how frequently these comments were true for you. If they did not occur during that time, please mark the “not at all” column. [Not at all…Often]
- I stayed away from reminders about the incident.
- I felt as if the incident hadn't happened or was unreal.
- I tried not to talk about the incident.

Past use of online services [48]
Do you (or have you) use(d) the Internet for the following purposes? [Yes, No]
- Online banking, bill payment, and/or finance management
- Buying goods or services
- Downloading music, films, or podcasts
- E-mail or instant messaging

4.3. Data collection

We used individuals as the unit of analysis. A total of 636 individuals (435 female, and 201 male) participated in the study. Of all the subjects, 197 were identified as identity theft victims, including 141 females and 56 males. We did not purposely control for gender balance among the respondents in our survey, and neither did we filter the participants in our analysis; we have a slightly higher ratio of female than male. Nevertheless, compared to all the subjects in the survey, it means 32.4% females and 27.9% males are victims of identity theft; this is consistent with previous studies showing that women are more likely to be victimized than men [4]. Detailed profile of the sample is in Table 2.

Table 2 Demographic information of the sample.

Gender
Male | 56 (28%)¹
Female | 141 (72%)²

Education
Some high school | 8 (4%)
High school graduate | 36 (18%)
Some college | 68 (35%)
College graduate | 60 (30%)
Post-graduate education | 25 (13%)

Age
30 or less | 22 (11%)
31-40 | 39 (20%)
41-50 | 34 (17%)
51-60 | 47 (24%)
61-70 | 45 (23%)
71 or older | 7 (4%)
N/A | 3 (2%)

Household income
Less than $25,000 | 31 (16%)
$25,000-$50,000 | 59 (30%)
$50,000-$75,000 | 52 (26%)
$75,000-$100,000 | 24 (12%)
$100,000 or more | 24 (12%)
N/A | 7 (4%)

¹ This represents 27.9% of the males.
² This represents 32.4% of the females.

5. Data Analysis and Results

5.1. Descriptive analysis

We first conducted descriptive analysis on the variables. Table 3 shows the frequency distributions of measures related to victimization experience (financial loss, misuse of personal information, and time spent resolving the issue) and time elapsed since the incident. It suggests that most victims (56%) suffered from minor financial loss (less than $100) but others suffered from modest to high loss, and some (6%) even lost over $2,000. In terms of time spent resolving the issues, most victims were able to resolve the issue within hours, but some had to spend several workdays (e.g., 10-20 hours or longer) on the issue. The kinds of misuse of personal information mostly concentrated on the financial sectors such as credit cards, bank accounts, and checks, while other areas were also affected. In general, the victimization experiences of our subjects were multifaceted. Table 3 also shows that for most victims (53%), the incident happened more than 1 year ago, but for some, the incidents happened more recently.

Table 3 Frequency distribution of victimization experience variables.

Financial loss | Freq.
<$100 | 110 (56%)
$100-$500 | 41 (21%)
$500-$1000 | 26 (23%)
$1000-$2000 | 9 (5%)
>$2000 | 11 (6%)

Hours spent | Freq.
<1 hour | 70 (36%)
1-5 hours | 74 (38%)
5-10 hours | 21 (11%)
10-20 hours | 11 (6%)
>20 hours | 21 (11%)

Time elapsed | Freq.
<1 month | 9 (5%)
1-3 months | 23 (12%)
3-6 months | 25 (13%)
6-12 months | 36 (18%)
>12 months | 104 (53%)

Misuse of info. (multiple selection) | Freq.
New credit card | 59 (30%)
New phone or utility service | 14 (7%)
New bank account | 25 (13%)
Bad checks or unauthorized charges | 55 (28%)
Loan | 7 (4%)
Driver’s license | 5 (3%)
Government benefits | 7 (4%)
Employment | 3 (2%)
Medical services | 3 (2%)
Avoiding legal/criminal sanctions | 7 (4%)
Other | 25 (13%)

Descriptive information of the latent constructs is shown in Table 4. The mean values of the measurement items for each construct were used for the calculation. It suggests that the victims would primarily choose refraining from information disclosure (Mean=3.68) and subscribing to identity theft protection services (Mean=3.18), and then refraining from online transactions (Mean=2.36). Emotional adjustment is the last resort (Mean=1.12).

Table 4 Descriptive information of the latent constructs.

Constructs | Mean | Std. Deviation | 5% percentile | 95% percentile
Perceived victimization severity | 2.75 | 1.03 | 1.00 | 4.67
Perceived distress | 1.75 | 0.76 | 1.00 | 3.40
Refrain from transactions | 2.36 | 1.16 | 1.00 | 4.53
Refrain from info. disclosure | 3.68 | 1.19 | 1.00 | 5.00
Subscription intention | 3.18 | 1.10 | 1.00 | 5.00
Emotional adjustment | 1.78 | 0.81 | 1.00 | 3.33

5.2. Test of measurement items

The psychometric properties of the measurement items are reported in Tables 5 and 6, suggesting sufficient reliability and validity of the items. Loadings and cross-loadings of the items are reported in the Appendix, with no significant cross-loadings detected.

Table 5 Psychometric Properties of the Constructs.

Constructs | CA | CR | AVE
Perceived victimization severity | 0.89 | 0.93 | 0.82
Perceived distress | 0.87 | 0.91 | 0.66
Refrain from transactions | 0.88 | 0.92 | 0.74
Refrain from info. disclosure | 0.84 | 0.90 | 0.76
Subscription intention | 0.94 | 0.96 | 0.89
Emotional adjustment | 0.71 | 0.84 | 0.63

CA-Cronbach’s alpha, CR-composite reliability, AVE-average variance extracted

Table 6 Correlation matrix. Constructs

1)

1) Financial loss

2)

3)

4)

5)

6)

7)

8)

9)

-

3) Time spent

0.45

0.48

-

4) Time elapsed

0.21

0.13

0.16

-

5) Severity

0.51

0.47

0.54

0.14

6) Distress

0.36

0.33

0.46 -0.04

0.90 0.55

7) Refrain transact.

0.17

0.15

0.15

0.05

0.25

0.81 0.33

8) Refrain disclos.

0.15 -0.03

0.11

0.16

0.14

0.15

0.86 0.40

9) Subscription

0.00

0.05

0.13 -0.11

0.17

0.23

0.19

0.87 0.21

10) Emo. adjustment

0.17

0.13

0.28 -0.13

0.30

0.52

0.33

0.14

11) Past use of online -0.01

0.12

0.06 -0.16

0.02

0.03 -0.36 -0.21

12) Intensity of use

0.06

0.19 -0.03

0.01

13)

14)

15)

0.06 -0.07

0.01

0.94 0.14

0.80 0.05 -0.13 0.12

0.13

-

0.11 -0.09 -0.20

0.04

0.00 -0.06 -0.19 -0.27 -0.22

0.06

0.08 -0.08

0.05

0.09 -0.01

0.14

0.03

0.03

0.12 -0.09 -0.15 -0.22 -0.05 -0.12 -0.20

0.01 -0.01 0.00

0.11

0.08 -0.09

-0.13 -0.09 -0.04 -0.03 -0.16 -0.13 -0.13 -0.05 -0.05 -0.16

-

0.00 -0.04

0.22 -0.01

-

0.14 -0.10

-

0.18 -0.14 -0.03 -0.02

0.44

16) Income

0.06

-0.09 -0.14 -0.12

15) Education

12)

0.40

14) Gender

11)

-

2) Info. misuse

13) Age

10)

Square roots of Average Variance Extracted (AVE) are on the diagonal of the matrix.

Common method bias was tested using Harman’s single-factor method and the common method variance (CMV) test [46]. For the single-factor method, an unrotated exploratory factor analysis yielded a total of six factors, with the first factor explaining 40.6% of variance in the data, less than the cut-off value of 50%. For the CMV test, we compared the null model (χ²(210)=2559.6), the method-only model (χ²(188)=1609.0), the measurement model with latent constructs (χ²(174)=253.3), and the measurement plus method factor model (χ²(147)=213.9). The χ² difference suggests that the common method factor is not a major contributor to the model fit. Thus, the data do not suffer from common method bias.

5.3. Test of hypotheses

The hypotheses were tested using the Structural Equation Modeling method. SAS 9.4 Proc Calis [54] was used to estimate the model. Common model fit indexes, including χ²/df ratio, SRMR (Standardized Root Mean Square Residual), RMSEA (Root Mean Square Error of Approximation), AGFI (Adjusted Goodness of Fit Index), and CFI (Comparative Fit Index), are used to estimate the goodness of fit of the research model [26, 29]. The results are shown in Table 7. The overall model fit is acceptable.

Table 7 Model fit indexes [26, 29].

Fit indexes | Threshold values | The research model
χ² (df) |  | 496.4 (366)
χ²/df ratio | <5 | 1.36
SRMR | <0.08 | 0.07
RMSEA | <0.08 | 0.04
Adjusted GFI | >0.08 | 0.82
CFI | >0.90 | 0.95

The hypotheses test results are shown in Fig. 2. Financial loss (β=0.31, p<.001), misuse of information (β=0.27, p<.001), and time spent addressing identity theft (β=0.29, p<.001) each have a significant impact on perceived victimization severity, supporting H1a-H1c. Perceived victimization severity (β=0.65, p<.001) and time elapsed since the last incident (β= -0.13, p<.05) each have a significant impact on perceived distress, supporting H2 and H3. Perceived distress then has a significant impact on refraining from online transactions (β=0.37, p<.001), refraining from information disclosure (β=0.19, p<.05), emotional adjustment (β=0.62, p<.001), and intention to subscribe to identity protection services (β=0.25, p<.001), supporting H4a-H4d. Past use of online services has a significant impact on refraining from online transactions (β=-0.33, p<.001), refraining from information disclosure (β=-0.24, p<.01), and emotional adjustment (β=-0.20, p<.01), supporting H6a-c, but H6d (i.e., the impact of past use of online services on intention to subscribe to identity theft protection services) is insignificant. None of the control variables have significant impact on the coping responses. The model explains 48% of variance in perceived victimization severity, 41% of perceived distress, and 9-47% of the behavioral response constructs.

Fig. 2. Results of hypotheses testing.
n.s. non-significant; * p<.05; ** p<.01; *** p<.001

To test the mediating effect of perceived distress (i.e., H5), we conducted the popular Baron-Kenny [5] test. The test shows that without perceived distress, perceived victimization severity has significant impacts on refraining from online transactions (β=.26, p<.001), refraining from information disclosure (β=.15, p<.1), emotional adjustment (β=.30, p<.001), and subscription to ID protection services (β=.17, p<.05). With perceived distress, none of the impacts of perceived victimization severity on behavioral responses is significant. A further Sobel test [60] shows that the mediated effects of perceived victimization severity on each of the behavioral responses (b=0.24, 0.12, 0.40, and 0.16, respectively) are all significant at 0.05 level or better, supporting H5. Thus, perceived distress fully mediates the impact of perceived victimization severity on the responses.

It should be noted that we treated refraining from online transactions and refraining from information disclosure as two separate constructs, which differs from earlier research that treated them as components of a single index of long-term behavior [53]. We performed a few supplemental analyses to verify our conceptualization. First, we conducted an exploratory factor analysis on the items measuring both constructs, revealing a two-factor structure matching both constructs. Second, we modeled refraining from online transactions and refraining from information disclosure as subdimensions of a higher order construct; the model fit (χ²=481.5), however, did not improve substantially, and the two subdimensions exhibit disparate loadings (0.91 and 0.48, respectively). Besides, the correlation between the two constructs is only 0.40 (see Table 6). All this evidence suggests that refraining from online transactions and refraining from information disclosure represent two distinct types of behavioral responses of victims.

6. Discussion and Conclusions

Via an empirical study of 197 self-reported identity theft victims, we address the question of what emotional and behavioral responses a victim may have following identity theft, and what factors influence the responses. We show that perceived victimization severity, driven by the amount of financial loss, misuse of personal information, as well as time spent addressing the incident, is a major determinant of perceived distress, and perceived distress is an important antecedent of behavioral responses ranging from refraining from online transactions and information disclosure, emotional adjustment, to more proactive engagement in self-protection such as subscribing to identity theft protection services. More importantly, perceived distress fully mediates the impact of perceived victimization severity on behavioral responses, highlighting the importance of perceived distress in shaping victims’ long-term responses to identity theft.

6.1. Contributions and theoretical implications

The study has three contributions to the cybersecurity literature. First, it examines both emotional and behavioral responses of victims following their identity theft incidents. This extends past research that has been bound to the reporting behaviors of victims. It shows that victims experience distress from identity theft, and such distress will motivate them to engage in a portfolio of coping behaviors. This offers a broader view on victims’ responses. A theoretical implication is that in future research, both types of responses – emotional and behavioral – should be studied in tandem to examine victims’ reactions to identity theft and other security incidents such as malware attack, data breach, file corruption, and damage to important computer resources.

Second, our study recognizes the central role of perceived distress in driving coping responses of victims. This suggests that in future research, the psychological impact on victims should be investigated. Compared to other visible outcomes such as financial loss and missed time from work, the distress associated with identity theft can be long-lasting and devastating [55], and it causes a wide range of behavioral outcomes. Thus, further research is needed to gain deeper insight into perceived distress of victims and its roles in driving behaviors, and find ways to alleviate the distress. In addition, its mediating effect on other victimization experiences, such as perceived severity, should be examined to improve understanding of how those experiences may eventually drive coping behaviors of the victims.

Third, the study recognizes the negative effects of time elapsed since the incident and the past use of online services on emotional and behavioral responses, revealing potential barriers to the change of behaviors by victims. Past research on factors that lead to behavioral change has mostly been carried out from the coping and RAT perspectives, but overlooked potential hindrance to the changes. This study, then, reveals the roles of psychological immune system and habit in preventing victims from engaging in protective behavior to cope with identity theft, thus filling in the gap. It calls for more attention to these hindrance factors in future research.

6.2. Practical implications

As applied research, this study has practical implications. A study by the Center for Identity at the University of Texas [10] shows that 52% of identity theft victims suffered from high distress, 33% from medium distress, and only 8% suffered from low distress. Combined with our study on victims’ coping responses, these studies highlight the central role of perceived distress in shaping one’s protective behaviors. This implies that practitioners who help victims deal with identity theft may focus on emotional responses and communicate the emotional impact of identity theft to promote protective behaviors. For example, practitioners such as security trainers and identity protection service providers may send affective messages [23] to victims to highlight the potential strains in addressing identity theft, such as time and energy needed to contact authorities to reclaim identities and restore reputations, that may arouse strong emotions of the victims and yield expected behavioral outcomes. Such an emotion-arousal approach may be more effective than the alternative cognitive approach that focuses on the effectiveness of protective behaviors only. Once the victims’ strong emotions are aroused, the next step would be to help them determine the behavioral responses.

Our study recognizes four long-term behavioral responses of victims, which has implications as well. For refraining from online transactions and information disclosure, it means that identity theft victims will limit their Internet use (whenever and wherever they can, until their perceived distress eases), and are likely to deviate from how others normally behave or how they themselves behaved before the incident. Thus, organizations should keep alternative means of communication (such as toll-free numbers) despite the dominance of the Internet. This doesn’t necessarily mean that the victims will seclude themselves from the Internet; rather, they may seek alternative ways for shopping or communication, and if necessary, they will use online channels more cautiously. In the U.S., for instance, many citizens communicate with the Internal Revenue Service (IRS) via postal service to avoid electronic fraud. For engagement in emotional adjustment, an implication is for employers with employee victims who had to miss work hours to combat the issue: the employers may provide support to employees, such as the provision of counselling service and employer-sponsored identity theft protection services as a part of employee benefit plans [15]. This may help reduce productivity losses due to paid or un-paid leave of employees to address the issues [19, 59]. Other victims may also overcome the emotional impact using other approaches such as finding a support team, and exercise [16]. Finally, for subscription to identity theft protection services, an implication is to enhance the emotional responses of the victims and encourage their adoption of the service: employing affective messages, as mentioned above, may be an option.

The negative effect of time on perceived distress suggests that interventions to change victims’ risky behaviors should be implemented immediately, before the psychological immune systems of the victims kick in. For example, if victims learn that the identity theft incident happened a long time ago, they may not be willing to take any action since they may believe that the damages had occurred and there is nothing they could do to reverse the situation; in contrast, if they learn that the incident just happened, they may be more willing to take immediate action (such as subscribing to credit monitoring services) to stop misuse of their identities. This implies that individuals should remain vigilant about the safety of their identity and be alerted once identity theft takes place. In terms of identity theft due to corporate data breach, some companies withheld the announcement of data breach for months and even years, costing victims the opportunity to take immediate corrective actions. This can be considered not only unethical but also illegal [18]. Our study suggests that timely recognition and announcement of the incidents will result in alleviation of perceived distress of victims, as well as encourage them to take immediate actions to address the issue and prevent future damages. Any delay may thwart the emotional response and cause additional damages to victims including misuse of personal information and further financial damage.

The negative effect of past use of online services on behavioral responses also has implications. As we mentioned earlier, individuals who use the Internet for banking, emailing, instant messaging, etc. can be up to 50% more likely to be victimized by identity theft than others [48]. As these habits reduce victims’ engagement in protective behaviors, alternative ways are needed to change their habits or overcome the negative effect. Because of the significant effect of perceived distress in the research model, this suggests focusing on its effect on victims so as to offset the impact of habit or past use of online services.

6.3. Limitations

A limitation is that we only examined victims’ personal experience to determine perceived victimization severity, but other potential antecedents such as environmental factors [71] were not examined. A person who does not have adequate personal experience with identity theft (e.g., they do not know for sure which of their information has been stolen) may become equally concerned if he or she knows someone who suffered from identity theft, or learns from the media about the consequences of identity theft. These environmental factors may contribute to perceived victimization severity.

Second, we did not control for coping appraisal [51, 71] of victims when studying their behavioral responses, but only focused on threat appraisal. We acknowledge that coping appraisal, including factors such as response efficacy, self-efficacy, and response cost, mostly influences one’s decision to adopt a particular behavior [33]. Take identity theft protection service as an example: to subscribe to such a service, a person has to be aware of its coverage (i.e., response efficacy), ease of use (i.e., self-efficacy), and cost (i.e., response cost), and choose one that has a good combination of these factors. Such appraisal determines which service provider the person chooses, but the intention to subscribe to one of such services is driven by victimization experience and one’s emotional response. Thus, in the future, we may extend the research by examining how behavioral intention is linked to actual subscription to a particular service provider in the context of identity theft.

Third, we focused on long-term behaviors of victims in the study without testing their short-term behaviors such as reporting the incident to the police, or requesting credit reports. Whether these short-run behaviors may have an influence on long-run behaviors is questionable. For instance, if a person does not see any anomaly in the credit report, would he or she take further actions (such as subscribing to identity theft protection service) to prevent future incidents? These topics may be investigated in future research. In addition, we rely on self-reported data; a better method of data collection, such as a field study, can be useful to verify the model.

Fourth, we did not capture all of a victim’s previous victimization experiences, but focused on their most recent experience. This may fail to distinguish repeat victims from new victims. Thus, how the frequency of victimization experiences may influence a victim’s emotional and behavioral responses is unknown. This may be addressed in future research.

Another limitation deals with the measurement of past use of online services, as we have used dichotomous measures to determine whether the person has used each of the services before. Although the items were aggregated to form a summative measure of past use experience across the services, it is possible that the dichotomous items failed to capture the extent of service uses. Future research may employ other measures such as Likert scales to address the limitation. Our study is based on the U.S. sample. The behavioral responses of victims may differ in different countries with varying development of digital economics, which could be further examined.

Acknowledgement

This work was supported by the National Science Foundation grants #1651060 and #1724725.

References

[1] J. Abbott, S.A. McGrath, The effect of victimization severity on perceived risk of victimization: Analyses using an international sample, Victims & Offenders, 12(4) (2017) 587-609.
[2] M. Anandarajan, N. Paravastu, B. Arinze, R. D’Ovdio, Online identity theft: A longitudinal study of individual threat-response and coping behaviors, Journal of Information System Security, 8(2) (2012) 43-69.
[3] K.B. Anderson, Who are the victims of identity theft? The effect of demographics, Journal of Public Policy & Marketing, 25(2) (2006) 160-171.
[4] K.B. Anderson, E. Durbin, M.A. Salinger, Identity theft, Journal of Economic Perspectives, 22(2) (2008) 171-192.
[5] R.M. Baron, D.A. Kenny, The moderator-mediator variable distinction in social psychological research: Conceptual, strategic, and statistical considerations, Journal of Personality and Social Psychology, 51(1986) 1173-1182.
[6] A. Betz, The experiences of adult/child identity theft victims (unpublished graduate thesis), Iowa State University (2012).
[7] P. Bonner, South Carolina taxpayer information stolen, Tax Adviser, 44(1) (2013) 6-6.
[8] S.R. Boss, D.F. Galletta, P. Benjamin Lowry, G.D. Moody, P. Polak, What do systems users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors, MIS Quarterly, 39(4) (2015) 837-864.
[9] A.M. Bossler, T.J. Holt, On-line activities, guardianship, and malware infection: An examination of routine activities theory, International Journal of Cyber Criminology, 3(1) (2009) 400-420.
[10] Center for Identity, Identity theft assessment and prediction report, University of Texas at Austin (2017).
[11] L.E. Cohen, M. Felson, Social change and crime rate trends: A routine activity approach, American Sociological Review, 44(4) (1979) 588-608.
[12] H. Copes, K.R. Kerley, R. Huff, J. Kane, Differentiating identity theft: An exploratory study of victims using a national victimization survey, Journal of Criminal Justice, 38(5) (2010) 1045-1052.
[13] M. Creamer, R. Bell, S. Failla, Psychometric properties of the impact of event scale—revised, Behaviour Research and Therapy, 41(12) (2003) 1489-1496.
[14] J. D'Arcy, T. Herath, M.K. Shoss, Understanding employee responses to stressful information security requirements: A coping perspective, Journal of Management Information Systems, 31(2) (2014) 285-318.
[15] G. Deybach, Identity theft protection as an employee benefit, Employee Benefit Plan Review, 61(7) (2007) 15-16.
[16] L. Foley, Identity theft: Overcoming the emotional impact, Identity Theft Resource Center, Inc., https://jeffcosheriff.net/wp-content/uploads/2015/10/overcoming-emotional-impact.pdf, accessed February 23, 2019 (2000).
[17] D.T. Gilbert, T.D. Wilson, E.C. Pinel, S.J. Blumberg, T.P. Wheatley, Immune neglect: A source of durability bias in affective forecasting, Journal of Personality & Social Psychology, 75(3) (1998) 617-638.
[18] S. Goel, H.A. Shawky, The impact of federal and state notification laws on security breach announcements, Communications of the Association for Information Systems, 34(2014) 37-50.
[19] K. Golladay, K. Holtfreter, The consequences of identity theft victimization: An examination of emotional and physical health outcomes, Victims & Offenders, 12(5) (2017) 741-760.
[20] K.A. Golladay, Reporting behaviors of identity theft victims: An empirical test of Black’s theory of law, Journal of Financial Crime, 24(1) (2017) 101-117.
[21] D.L. Green, J.J. Choi, M.N. Kane, Coping strategies for victims of crime: Effects of the use of emotion-focused, problem-focused, and avoidance-oriented coping, Journal of Human Behavior in the Social Environment, 20(6) (2010) 732-743.
[22] J.J. Gross, Emotion regulation: Affective, cognitive, and social consequences, Psychophysiology, 39(2002) 281–291.
[23] B. Hampton, D. Brinberg, P. Peter, C. Corus, Integrating the unified theory and stages of change to create targeted health messages, Journal of Applied Social Psychology, 39(2) (2009) 449-471.
[24] P.L. Harman, Assessing identity theft risks, Claims Magazine, 65(5) (2017) 12-14.
[25] M. Horowitz, N. Wilner, W. Alvarez, Impact of event scale: A measure of subjective stress, Psychosomatic Medicine, 41(1979) 209-218.


[26] L. Hu, P.M. Bentler, Cutoff criteria for fit indexes in covariance structure analysis: Conventional criteria versus new alternatives, Structural Equation Modeling: A Multidisciplinary Journal, 6(1) (1999) 1-55.
[27] International Mass-Marketing Fraud Working Group, Mass-marketing fraud: A threat assessment, (2010).
[28] A.Y. Kim, T.S. Kim, Factors influencing the intention to adopt identity theft protection services: Severity vs vulnerability, in: Proceedings of the 2016 Pacific-Asia Conference on Information Systems (PACIS), (2016).
[29] R.B. Kline, Principles and practice of structural equation modeling (3rd ed.), The Guilford Press, New York, NY, (2011).
[30] A. Knapp, Stratfor offers customers identity theft protection after hack, Forbes.com, (2011) 10-10.
[31] F. Lai, D. Li, C.T. Hsieh, Fighting identity theft: The coping perspective, Decision Support Systems, 52(2) (2012) 353-363.
[32] M.R. Lee, T.L. Earnest, Perceived community cohesion and perceived risk of victimization: A cross-national analysis, Justice Quarterly, 20(1) (2003) 131-157.
[33] Y. Lee, Understanding anti-plagiarism software adoption: An extended protection motivation theory perspective, Decision Support Systems, 50(2) (2011) 361-369.
[34] E.R. Leukfeldt, Phishing for suitable targets in the Netherlands: Routine activity theory and phishing victimization, CyberPsychology, Behavior & Social Networking, 17(8) (2014) 551-555.
[35] Y. Li, Empirical studies on online information privacy concerns: Literature review and an integrative framework, Communications of the Association for Information Systems, 28(28) (2011) 453-496.
[36] H. Liang, Y. Xue, Avoidance of information technology threats: A theoretical perspective, MIS Quarterly, 33(1) (2009) 71-90.
[37] M. Limayem, S.G. Hirt, C.M.K. Cheung, How habit limits the predictive power of intention: The case of information systems continuance, MIS Quarterly, 31(4) (2007) 705-737.
[38] P.B. Lowry, J. D’Arcy, B. Hammer, G.D. Moody, “Cargo cult” science in traditional organization and information systems survey research: A case for using nontraditional methods of data collection, including Mechanical Turk and online panels, The Journal of Strategic Information Systems, 25(3) (2016) 232-240.
[39] D. Maxey, 5 ways to protect your finances after Equifax data breach, Wall Street Journal - Online Edition, (2017) 1-1.
[40] M.G. Maxfield, Lifestyle and routine activity theories of crime: Empirical studies of victimization, delinquency, and offender decision-making, Journal of Quantitative Criminology, 3(4) (1987) 275-282.
[41] S. McNeeley, Lifestyle-routine activities and crime events, Journal of Contemporary Criminal Justice, 31(1) (2015) 30-52.
[42] F.H. Norris, K. Kaniasty, Psychological distress following criminal victimization in the general population: Cross-sectional, longitudinal, and prospective analyses, Journal of Consulting and Clinical Psychology, 62(1) (1994) 111-123.
[43] O. Ogbanufe, R. Pavur, Going through the “emotions”: Identity protective responses, in: WISP 2016 Proceedings, (2016).
[44] J.A. Ouellette, W. Wood, Habit and intention in everyday life: The multiple processes by which past behavior predicts future behavior, Psychological Bulletin, 124(1) (1998) 54-74.
[45] A. Pascual, K. Marchini, S. Miller, 2018 identity fraud: Fraud enters a new era of complexity, Javelin Strategy & Research (2018).
[46] P.M. Podsakoff, S.B. MacKenzie, L. Jeong-Yeon, N.P. Podsakoff, Common method biases in behavioral research: A critical review of the literature and recommended remedies, Journal of Applied Psychology, 88(5) (2003) 879-903.
[47] J.P. Pullen, What you should do this weekend to protect your credit from the Equifax data breach, Fortune.com, (2017) 1-1.
[48] B.W. Reyns, Online routines and identity theft victimization: Further expanding routine activity theory beyond direct-contact offenses, Journal of Research in Crime and Delinquency, 50(2) (2013) 216-238.
[49] B.W. Reyns, B. Henson, The thief with a thousand faces and the victim with none: Identifying determinants for online identity theft victimization with routine activity theory, International Journal of Offender Therapy and Comparative Criminology, 60(10) (2016) 1119-1139.
[50] B.W. Reyns, R. Randa, Victim reporting behaviors following identity theft victimization: Results from the national crime victimization survey, Crime and Delinquency, 63(2017) 814-838.
[51] R.W. Rogers, Cognitive and physiological processes in fear appeals and attitude change: A revised theory of protection motivation, in: B.L. Cacioppo, L.L. Petty Eds. Social psychophysiology: A sourcebook, (Guilford, London, UK, 1983), pp. 153-176.


[52] Y. Rogers, New theoretical approaches for human-computer interaction, Annual Review of Information Science and Technology, 38(1) (2004) 87-143.
[53] H. Rosoff, J. Cui, R. John, Behavioral experiments exploring victims’ response to cyber-based financial fraud and identity theft scenario simulations, in: Symposium on Usable Privacy and Security (SOUPS), (Menlo Park, CA., 2014).
[54] SAS Institute Inc., SAS/STAT® 13.1 user’s guide, SAS Institute Inc., Cary, NC, (2013).
[55] C. Schmitz, Identity theft victim claims emotional distress, InsideCounsel, (196) (2008) 65-66.
[56] C. Schreck, E. Stewart, B. Fisher, Self-control, victimization, and their influence on risky lifestyles: A longitudinal analysis using panel data, Journal of Quantitative Criminology, 22(4) (2006) 319-340.
[57] L. Seda, Identity theft and university students: Do they know, do they care?, Journal of Financial Crime, 21(4) (2014) 461-483.
[58] T. Sharp, A. Shreve-Neiger, W. Fremouw, J. Kane, H. S, Exploring the psychological and somatic impact of identity theft, Journal of Forensic Sciences, 49(1) (2004) 131-136.
[59] K. Slosarik, Identity theft: An overview of the problem, Justice Professional, 15(4) (2002) 329.
[60] M.E. Sobel, Asymptotic confidence intervals for indirect effects and their standard errors in structural equation models, Sociological Methodology, 13(1982) 290–312.
[61] M.R. Stafford, Identity theft: Laws, crimes, and victims, Journal of Consumer Affairs, 38(2) (2004) 201-203.
[62] Z.R. Steelman, B.I. Hammer, M. Limayem, Data collection in the digital age: Innovative alternatives to student samples, MIS Quarterly, 38(2) (2014) 355-378.
[63] D.N. Stone, Overconfidence in initial self-efficacy judgments: Effects on decision processes and performance, Organizational Behavior & Human Decision Processes, 59(3) (1994) 452-472.
[64] J.J. Turanovic, T.C. Pratt, “Can’t stop, won’t stop”: Self-control, risky lifestyles, and repeat victimization, Journal of Quantitative Criminology, 30(1) (2014) 29-56.
[65] United States Department of Justice, National crime victimization survey: Identity theft supplement, 2014, in, (Office of Justice Programs, Bureau of Justice Statistics, Inter-university Consortium for Political and Social Research (ICPSR), 2016).
[66] A. Vishwanath, T. Herath, R. Chen, J. Wang, H.R. Rao, Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model, Decision Support Systems, 51(3) (2011) 576-586.
[67] J. Wang, R. Chen, T. Herath, H.R. Rao, Visual e-mail authentication and identification services: An investigation of the effects on e-mail use, Decision Support Systems, 48(1) (2009) 92-102.
[68] J. Wang, Y. Li, H.R. Rao, Coping responses in phishing detection: An investigation of antecedents and consequences, Information Systems Research, 28(2) (2017) 378-396.
[69] T. Wilson, D. Gilbert, Affective forecasting, Advances in Experimental Social Psychology, 35(2003) 345–411.
[70] T.D. Wilson, D.T. Gilbert, Affective forecasting: Knowing what to want, Current Directions in Psychological Science, 14(3) (2005) 131-134.
[71] K. Witte, Putting the fear back into fear appeals: The extended parallel process model, Communication Monographs, 59(1992) 329–349.
[72] S. Youn, Determinants of online privacy concern and its influence on privacy protection behaviors among young adolescents, Journal of Consumer Affairs, 43(3) (2009) 389-418.
[73] M. Zviran, User's perspectives on privacy in web-based applications, Journal of Computer Information Systems, 48(4) (2008) 97-105.

Appendix. Loadings and cross-loadings

Measurement Items  Severity  Distress  Refrain transaction  Refrain disclosure  Intention to subscribe  Emotional adjustment
Severity 1         0.879     0.447     0.166                0.125               0.143                   0.281
Severity 2         0.925     0.508     0.280                0.121               0.183                   0.269
Severity 3         0.908     0.533     0.230                0.149               0.143                   0.257
Distress 1         0.408     0.816     0.256                0.178               0.204                   0.436
Distress 2         0.352     0.806     0.303                0.218               0.187                   0.437
Distress 3         0.463     0.813     0.281                0.119               0.201                   0.357
Distress 4         0.490     0.804     0.209                0.070               0.225                   0.416
Distress 5         0.516     0.830     0.297                0.094               0.137                   0.482
Transact 1         0.269     0.321     0.845                0.328               0.218                   0.372
Transact 2         0.214     0.273     0.833                0.388               0.073                   0.253
Transact 3         0.218     0.281     0.871                0.307               0.186                   0.245
Transact 4         0.144     0.250     0.888                0.380               0.159                   0.243
Disclose 1         0.092     0.059     0.276                0.786               0.171                   0.060
Disclose 2         0.092     0.149     0.273                0.889               0.185                   0.093
Disclose 3         0.173     0.172     0.461                0.909               0.188                   0.196
Subscribe 1        0.162     0.243     0.174                0.204               0.962                   0.130
Subscribe 2        0.169     0.200     0.172                0.204               0.919                   0.134
Subscribe 3        0.159     0.212     0.187                0.181               0.947                   0.127
Adjust 1           0.258     0.399     0.253                0.156               0.040                   0.787
Adjust 2           0.234     0.384     0.269                -0.004              0.199                   0.754
Adjust 3           0.221     0.464     0.266                0.197               0.097                   0.843

Author Bios

Yuan Li is an assistant professor of information systems at the University of Illinois at Springfield. Earlier, he was an associate professor of business at the Columbia College in Columbia, South Carolina. He received his Ph.D. from the University of South Carolina. His research focuses on online security and privacy, information and knowledge management, and end user computing. His work has been published in Information Systems Research, European Journal of Information Systems, Journal of the Association for Information Systems, Decision Support Systems, and Journal of Organizational and End User Computing, among others.


Adel Yazdanmehr is an assistant professor of information systems at Baruch College, City University of New York. He received a Ph.D. in Management Information Systems from The University of Texas at Arlington, MS in Business Analytics from the University of Texas at Dallas, MBA from Mazandaran University of Science and Technology, and BS in Software Engineering from the University of Isfahan. His research interests are mainly in the behavioral aspect of information assurance. His work has appeared in Decision Support Systems journal as well as International Conference on Information Systems (ICIS), Conference of Information Systems and Technology (CIST), and Dewald Roode Workshop on Information Systems Security Research (IFIP).


Jingguo Wang is a Professor of Information Systems at the University of Texas at Arlington. He graduated from University at Buffalo, State University of New York. His work has been published in MIS Quarterly, Information Systems Research, Journal of Management Information Systems, Journal of the Association for Information Systems, among others. His current research interests include information security. His research has been supported by National Science Foundation and the University of Texas at Arlington.


H. Raghav Rao is the AT&T Chair Professor of Information Systems and Cybersecurity, College of Business at University of Texas at San Antonio. He has a courtesy appointment with Department of Computer Science.


Responding to identity theft: A victimization perspective

Highlights

Victims’ responses to identity theft and antecedents to the responses are studied.

It shows that victimization severity has a direct impact on perceived distress.

Perceived distress drives behavioral responses of the victims.

Time elapsed since the incident, and habit, both weaken the responses.

The central role of distress in driving protective behaviors is highlighted.