Measuring The Organizational Impact of Security Breaches: Patterns of Factors and Correlates

As the use of technology permeates organizations, as well as our personal and professional lives, organizational research has aimed to report the incidence of security breaches. However, selfreporting in survey research is flawed given that organizations are hesitant to admit to loss of sensitive data and other security breaches. Furthermore, there are gradients of breaches, rather than binomial occurrences, or lack of occurrences. Hence, a more comprehensive and less obtrusive measure of the nature and impact of breaches is necessary in order to advance theory and practice. As such, we tested a new measure of impact with representatives from over 500 organizations intended to measure the extent of a breach and its subsequent impact on the organization. We developed the construct using exploratory and confirmatory factor analysis and report on convergent validity. We find the impact of breaches tends to be greater for decentralized organizations, smaller organizations, and those within the financial services industry.