Introduction
Given the ubiquity of personal information and online behavior collected, one of the biggest challenges facing firms is large-scale data breaches, in which a significant amount of data is either accidentally or deliberately released to external parties (Goode et al., 2017). In light of recent scandals such as the Cambridge Analytica breach, there is growing concern about social media privacy. In 2018, the Breach Level Index (https://breachlevelindex.com), a database monitoring worldwide data breaches, highlighted that data breaches are becoming more frequent and larger in scope. Identity theft was once again the most prevalent data breach type, accounting for approximately 83% of the accounts breached in H1 2018, a massive growth of 757% over the previous year. Social media accounted for the majority of data breaches in 2018 (56.2%), compared to only 1.5% in 2017. In a survey conducted by Pew Research, a majority of Americans (64%) had personally experienced a major data breach and lacked trust in key institutions—especially the federal government and social media sites—to protect their personal information (Arli & Dietrich, 2017).
The two key problems facing an organization after a data breach are (1) financial losses and (2) customer misgivings (such as brand equity loss and customer turnover). The average cost of a data breach worldwide reached US$3.92 million, while the US has the highest average cost at US$8.19 million (Ponemon Institute, 2019). Lost business from customer turnover appears to be the biggest cost component of a data breach (Ponemon Institute, 2019). A key problem for firms is that affected customers often discontinue their relationship with the organization. The 2019 global average customer turnover rate is 3.9%, an increase from 3.4% in 2018. This is despite the fact that organizations notify affected customers, offer an apology, explain the nature of the breach, and recommend steps that customers can follow to protect their information.
Although information campaigns are required and customer compensation can be effective in recovery, firms still face the added challenge of the effects these data breaches might have on their customers, especially on consumer psychology and expectations. While data breaches have been examined by different disciplines such as information systems (Lowry et al., 2017), public policy (Caudill & Murphy, 2000), and law and ethics (Spiekermann et al., 2015), very little research has focused on consumer outcomes. Goode et al. (2017) found that most, if not all, studies on consumer outcomes have been post hoc, that is, conducted after the breach occurred, and they usually suffer from various biases such as recall bias. Our study addresses this weakness by examining the impact of data breaches on consumer outcomes, comparing attitudes and behavior before, during, and after a data breach. Fortuitously, we had been studying data breaches and privacy one year before Facebook's data scandal, and were then able to collect data during and after the data breach to make multi-period comparisons.
Researchers have examined the effects of data breaches and the effectiveness of recovery efforts, for example, customer compensation (Goode et al., 2017), customer spending (Janakiraman et al., 2018), corporate reputation (Gwebu et al., 2018), investor confidence and stock performance (Martin et al., 2017), and consumer perceptions such as trust and perceived vulnerability (Chatterjee et al., 2019). The goal of this research is to address the impact of Facebook's data breach on consumers' trust and their motivation to engage in protection behavior. To achieve this, we compare the effects over three time periods: before, during, and after the data breach.
Five major streams of research inform our work in this paper: (1) the technology acceptance model (TAM), (2) the consumer privacy paradox, (3) service failure, (4) protection motivation theory (PMT), and (5) trust. First, digital life has become such an integral part of consumers' existence that it is hard to separate the two. Second, while consumers value their personal data, there is an inconsistency between people's concerns regarding privacy and their actual behavior (Palmatier & Martin, 2019). Research has found that consumers are willing to trade personal data for perceived benefits (Norberg et al., 2007). Third, data breaches are a form of electronically mediated service failure (Bolton, 1998). Fourth, PMT (Rogers, 1975, 1983) explains how consumers are motivated to protect themselves based on both threat appraisal and coping appraisal. Fifth, consumers' online behavior presupposes a certain degree of trust and confidence in the privacy of their personal information.
Our study makes three major contributions. First, although research on data breaches is critical, most research has focused on the organizational response; very little has looked at the consumer side and how consumers react to such breaches (Goode et al., 2017). This study examines the mechanisms that motivate people to protect themselves from perceived risks, making social media safer for them. Second, our research adds to the service failure literature on how organizations should handle a public relations crisis to restore consumer confidence. Third, most research on data breaches has focused mainly on post-breach analysis, that is, the impact of the data breach. In our study, we were able to measure consumers' perceptions and behavioral intentions before, during, and after a data breach using cross-sectional panel studies.
Literature Review
The TAM is an information systems model, based on the theory of reasoned action (Ajzen & Fishbein, 1970), that examines how users come to accept and use a technology (Davis, 1989; Venkatesh & Bala, 2008). Two key factors determine users' willingness to use the technology: perceived usefulness and perceived ease of use. Behavioral intention is influenced by users' attitude towards the general use of the technology. Attitude in turn is influenced by many external factors such as social influence and design characteristics. There has been substantial empirical support for the TAM over the last few decades. Venkatesh and Bala (2008) found that the TAM consistently explains about 40% of the variance in individuals' intention to use a new technology. There have been many studies adopting the TAM in online behavior contexts, such as identifying key drivers of Facebook usage (e.g., Rauniar et al., 2014).
Researchers generally define consumer privacy as a consumer's ability to control when, how, and to what extent their personal information is transmitted to others (G. R. Milne & Culnan, 2004). Past research has looked at the relationship between privacy concerns and various variables, for example, consumer attitudes and behavior (Tsay-Vogel et al., 2018). Consumers' privacy concerns have become an important issue in light of the Facebook–Cambridge Analytica data scandal in early 2018, in which Cambridge Analytica harvested the personal data of 87 million Facebook profiles without the users' consent and used it for political purposes. In addition, Facebook also revealed other data breaches, such as a software bug that may have exposed the posts of up to 14 million users and a security hack that allowed an unknown party to take over 50 million accounts (Abbruzzese & Boyce, 2018).
The outcome of a service failure is usually a negative experience for consumers. Service failure and recovery research has matured over the last three decades, and there is a considerable amount of research on how firms that suffer a service failure should recover from it (e.g., Bitner et al., 1990). In a review of 44 empirical studies, Goode et al. (2017) found that the majority of research has focused on recovery strategies, such as apology and explanation, and on the effects of compensation on consumer reaction. However, there has been no empirical data from affected customers covering the periods before, during, and after a service failure. What research does look at pre- and post-service failure is usually done in a simulated lab environment (e.g., Du et al., 2011). There is a gap in the literature on the long-term effects of service failure, especially on how consumers engage in protection behavior.
The PMT was first introduced by Rogers (1975, 1983) as a framework for the prediction of and intervention in health-related behavior (S. Milne et al., 2002). It explains why people engage in unhealthy practices and offers suggestions on how to change these behaviors. According to PMT, an individual's motivation to protect oneself from risks is influenced by four cognitive assessments: the vulnerability to the risk, the severity of the risk, response efficacy, and self-efficacy. The theory states that people's motivations to protect themselves are weakened by the perceived benefits of risky behaviors and the perceived costs of advocated risk-reducing behaviors. These assessments fall into two cognitive processes: threat appraisal (severity, vulnerability, and benefits) and coping appraisal (self-efficacy, response efficacy, and costs). Vulnerability refers to the perceived likelihood that the risk will occur to oneself; severity refers to the seriousness of the consequences if it does. Response efficacy refers to the perception that the protection behavior is effective in reducing the risk, and self-efficacy refers to one's ability to perform the desired behavior. This study adopts the PMT as the research framework for understanding behavioral choices before, during, and after a data breach, in which the probability of the maladaptive response is increased by benefits (both intrinsic and extrinsic) and decreased by severity and vulnerability. This study thus assumes four conditions sufficient to elicit protection motivation: (1) the threat of data breach is severe, (2) one is personally vulnerable to the consequences of the data breach, (3) one has the ability to perform the coping responses, and (4) the coping response is effective in protecting oneself.
According to social contract theory, users voluntarily provide personal information in exchange for the ability to connect socially; therefore, they perceive benefits as well as risks regarding online self-disclosure (Okazaki et al., 2009). Research shows that only when perceived benefits outweigh risks will users practice this social contract (Culnan & Armstrong, 1999). On the other hand, recent studies also show that online disclosure is influenced by both perceived benefits and perceived risks (Krasnova et al., 2010).
In addition to consumers' protection motivation, a data breach may have a severe effect on their trust, which in turn affects a firm's reputation. Jøsang et al. (2007) argue that while trust and reputation are closely linked, there are important differences between the two concepts. While reputation is earned mainly from public belief, trust is an internal, personal, and subjective phenomenon. For example, consumers may choose not to trust a reputable firm after a data breach. When it comes to trust, consumers' personal experience tends to override public reputation. In marketing, trust is defined as "a willingness to rely on an exchange partner in whom one has confidence" because of their expertise or reliability (Moorman et al., 1992). In virtual communication, the absence of social cues necessitates reliance on trust (Ridings et al., 2002). Research has found that individuals do not normally disclose information about themselves to others they do not trust (Wheeless & Grotz, 1977). Building on social exchange theory, Metzger (2004) argues that trust reduces perceived risks, that is, individuals with high trust perceive a low risk in interpersonal exchange and perceive the exchange to be beneficial (Dwyer et al., 2007). In addition, higher levels of trust increase the probability of more self-disclosure (Wheeless, 1976).
Research Framework
In Figure 1, we propose a theoretical model based on the PMT that looks at the impact of perceived risks and benefits on protection behavior, self-disclosure, and message valence, with trust as a mediator. Self-disclosure refers to what users reveal about themselves on Facebook. Message valence refers to the intrinsic, emotional goodness (positive valence) or averseness (negative valence) of the postings. Protection behavior refers to the likelihood that users control their postings on Facebook. Perceived risks refer to the perceived negative consequences (vulnerability and severity) resulting from information disclosure in three areas: social, psychological, and physical. Perceived benefits include the benefits of posting on Facebook: entertainment and maintaining social relationships.

Figure 1. Conceptual model.
Research shows that consumers feel vulnerable when marketers collect their personal data (Martin et al., 2017). This may lead consumers to lose trust in a company. Research has found that users rarely-to-occasionally engage in protecting their privacy online (Boerman et al., 2021), and Boerman et al. (2021) found that perceived severity significantly predicted protection behavior. Palmatier and Martin (2019) argue that consumers' perceived vulnerability can be mitigated by firms offering a sense of transparency and giving consumers a degree of control over their personal data. Both perceived risks and trust have been identified as two key antecedents of privacy concerns and intentions (Norberg et al., 2007). The primary focus of this study is the association between risks and benefits (perceptions), trust, and privacy protection (intentions). The theory of reasoned action (Ajzen & Fishbein, 1970) proposes that behavioral intention is a product of one's relevant attitudes and beliefs. Youn (2009) found that perceived risks increase privacy concerns while perceived benefits decrease them. Z. T. Chen and Cheung (2018) found that once users entrench their social profile in a platform, the inertia to remain outweighs their need to secure their privacy; ergo, the privacy paradox. Therefore, the following research question is proposed:
RQ1: What effects do perceived risks and perceived benefits have on privacy protection?
Researchers have looked at the relationships between self-disclosure and social media, for example, motivation to post (Bazarova & Choi, 2014), effects of self-disclosure (Luo & Hancock, 2020), privacy risks (Krämer & Schäwel, 2020), and privacy protection behavior (Boerman et al., 2021). For the self-disclosure outcome variable, perceived risks are expected to operate in a negative direction, while perceived benefits are expected to operate in a positive direction. Liang et al. (2017) argued that content sharing behavior is potentially in conflict with the need to reduce privacy risk on the Internet. On the other hand, Tsay-Vogel et al. (2018) found that social media has cultivated more relaxed privacy attitudes, subsequently increasing self-disclosure in both offline and online contexts. Applying these assumptions to the issue of privacy, one might predict that those who hold more relaxed views of privacy have stronger intentions to self-disclose and vice versa. Therefore, the following research question is proposed:
RQ2: What effects do perceived risks and perceived benefits have on self-disclosure?
According to Petronio’s (2002) communication privacy management (CPM) theory, individuals maintain privacy boundaries (the limits of what they are willing to share) with various partners depending on the perceived benefits and costs of information disclosure. It has been used recently to explain social media privacy management such as message valence. Message valence in previous studies is often treated as a predictor. Studies have found that positive consumer reviews have a positive impact on product sales; in contrast, negative consumer reviews are more likely to influence brand evaluation and product judgement (Z. F. Chen et al., 2017). However, it is not clear whether users who perceive social media as risky will share more positive than negative postings. Therefore, our proposed research question is:
RQ3: What effects do perceived risks and perceived benefits have on message valence?
In a virtual world, individuals have to interact with others with few social cues, especially when posting on social media. This necessitates reliance on trust between communication partners. Drawing on social exchange theory, Metzger (2004) argues that the presence of trust reduces perceived risks when posting private information, that is, an individual with higher trust perceives a lower cost of interpersonal exchange and perceives the exchange to be beneficial (Dwyer et al., 2007). Wheeless and Grotz (1977) found that higher levels of trust increase the probability of more self-disclosure. The importance of trust has been widely recognized in many studies (Norberg et al., 2007). As Facebook users create and share their information, they expect their privacy to be protected. Rauniar et al. (2014) found that trust is a critical determinant in minimizing security and privacy concerns for Facebook users. Therefore, the following research question is proposed:
RQ4: Trust mediates between perceived risks/benefits and protection behavior, self-disclosure and message valence.
Methodology
Sample
For this study, the data came from a nationally representative consumer panel provider, Innovate MR (http://www.innovatemr.com/), which has over 3.5 million panelists in the U.S. An online survey was sent to prequalified Facebook users over three time periods. Wave 1 was conducted one year before the Facebook data breach, in April 2017, with 859 respondents. Wave 2 was conducted right after the data breach, in May 2018, with 807 respondents. Wave 3 was conducted about 18 months after the data breach, in October 2019, with 512 respondents. For each wave, a standard data screening analysis was used to drop respondents with excessive missing data, disengaged response patterns, or missing data for sex. Our final usable sample sizes are 822 for Wave 1, 773 for Wave 2, and 500 for Wave 3. Series medians or means were imputed for missing data among the remaining respondents. For Wave 1, our sample is made up of users who had been on Facebook around 7.2 years, with an average of 389.6 friends, spending half an hour to one hour on Facebook a day; the average age is 39.8 years and 55.2% are female. For Wave 2, the sample had been on Facebook 8.5 years, with an average of 481.2 friends, spending half an hour to one hour on Facebook a day; the average age is 35.6 years and 79.2% are female. For Wave 3, the average time on Facebook is 9.1 years, with an average of 429.2 friends, spending half an hour to one hour on Facebook a day; the average age is 52.6 years and 67% are female. Since the data were collected over a two-and-a-half-year period, it would be expected that respondents in Wave 3 had been on Facebook longer.
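The series-median/mean imputation described above can be sketched in a few lines; this is a minimal illustration with made-up item values, not the study's actual data:

```python
from statistics import mean, median

def impute_median(values):
    """Replace missing entries (None) with the median of the observed values."""
    observed = [v for v in values if v is not None]
    med = median(observed)
    return [med if v is None else v for v in values]

def impute_mean(values):
    """Replace missing entries (None) with the mean of the observed values."""
    observed = [v for v in values if v is not None]
    avg = mean(observed)
    return [avg if v is None else v for v in values]

# Hypothetical 7-point Likert responses with one missing value.
risk_item = [5, 3, None, 6]
print(impute_median(risk_item))  # [5, 3, 5, 6]
```

Median imputation is the safer default for ordinal Likert items, since the mean of an ordinal scale can fall between scale points.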
Measurement
Four items were used to measure each of three types of online risks: social, psychological, and physical. The scales are adapted from Johnston and Warkentin (2010). Research has identified that two of the most important benefits of engaging on Facebook are social communication and entertainment (Wang et al., 2014). We measure perceived benefits of using Facebook based on social communication or relationship (three items) and social entertainment with friends (three items). We adapt Lee et al.’s (2008) measure of self-disclosure, using three items to measure the self-presentation motivation to intentionally present oneself to others in a favorable style. User protection behavior was measured using two items. Message valence of postings, that is, whether they will post more positive or good things about themselves on Facebook was measured using two items. We measure trust as generalized trust that people have about fellow members of society using the three-item disposition to trust scale by Ridings et al. (2002). All items except for demographic variables are measured on a 7-point Likert scale.
Results
We use structural equation modeling (SEM) and multi-group analysis to explore whether the measurement models are similar across the three time periods. We first conducted an exploratory factor analysis (EFA) on the 38 items used. Our factor retention criteria were an eigenvalue greater than one (the Kaiser criterion) and a factor loading of at least .4 for factor interpretation. Principal component analysis (PCA) with promax rotation initially yielded seven factors. Ten items were eliminated due to low or cross-loadings, and the resulting structure explained 76.3 percent of the variance. However, one factor had both perceived social and psychological risks loading together, and it was decided that it made more theoretical sense to separate them into two factors. Table 1 shows the loadings and Cronbach's alphas for all scales, which indicate both internal consistency and reliability for all constructs.
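The eigenvalue-greater-than-one retention rule can be illustrated with a small simulation; this is a hedged sketch using simulated responses (not the study's items), where six items are generated from two underlying factors:

```python
import numpy as np

rng = np.random.default_rng(42)

# Simulate 200 respondents answering 6 items that load on two
# underlying factors (three items per factor); purely illustrative.
factors = rng.normal(size=(200, 2))
noise = 0.5 * rng.normal(size=(200, 6))
items = np.hstack([factors[:, [0]].repeat(3, axis=1),
                   factors[:, [1]].repeat(3, axis=1)]) + noise

# Kaiser criterion: retain components whose eigenvalue of the
# item correlation matrix exceeds one.
corr = np.corrcoef(items, rowvar=False)
eigenvalues = np.sort(np.linalg.eigvalsh(corr))[::-1]
n_factors = int((eigenvalues > 1.0).sum())
print(n_factors)  # 2
```

With two strong factors, the first two eigenvalues are well above one and the remaining four fall well below it, so the criterion recovers the simulated structure.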
Measures and Factor Loadings.
Measured from 1 = strongly disagree to 7 = strongly agree.
The factor structure was further tested via confirmatory factor analysis (CFA) that examined whether each of the dimensions had good measurement properties and was distinct from the other dimensions. Using AMOS 26, the CFA shows a good fit was achieved [χ2 = 1,338.6 (
Reliability and Validity.
We also ran a more rigorous metric invariance test by constraining factor loadings to be equal (fully constrained model) across the three time periods analyzed (Vandenberg & Lance, 2000). The χ2 difference between the unconstrained model [χ2 = 2,001.9 (
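The χ2 difference test behind this invariance comparison is straightforward to compute; here is a sketch using SciPy, with the fit statistics below purely hypothetical rather than the study's actual values:

```python
from scipy.stats import chi2

def chi_square_difference(chi2_constrained, df_constrained,
                          chi2_unconstrained, df_unconstrained):
    """Chi-square difference test for two nested SEMs.

    A non-significant p-value means the constrained (equal-loadings)
    model fits no worse than the unconstrained model, supporting
    metric invariance across groups.
    """
    delta_chi2 = chi2_constrained - chi2_unconstrained
    delta_df = df_constrained - df_unconstrained
    p_value = chi2.sf(delta_chi2, delta_df)  # survival function: P(X > delta)
    return delta_chi2, delta_df, p_value

# Hypothetical fit statistics for a constrained vs. unconstrained model.
delta, ddf, p = chi_square_difference(1225.0, 420, 1200.0, 400)
```

With Δχ2 = 25 on 20 degrees of freedom the difference is non-significant, which in an invariance test would support constraining the loadings to be equal.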
Since we used online surveys to collect all our data, it may introduce systematic response bias or single (common) method bias. We tested for common method bias using the “single unmeasured latent method factor method” suggested by Podsakoff et al. (2003) to extract the common variance. We included an unmeasured latent factor to the measurement model during the CFA that includes all indicators from all other latent factors. We then compared the unconstrained common factor model to the zero-constrained model. The χ2 difference between the two models is 333.7 (
To test the conceptual model across the three time periods, two separate analyses were conducted mainly due to the way the data was collected. In the first analysis, because trust was not measured in the pre-scandal stage, we were not able to test the full conceptual model in Figure 1 across all three time periods. Trust was measured only in stage 2 (during data breach) and stage 3 (post data breach). In the first model test, we tested using only variables that were available in all three time periods, that is, perceived benefits and perceived risks on protection behavior, self-disclosure and message valence (Figure 2). The overall causal model shows a good fit [χ2 = 31.3 (

Figure 2. Structural model without trust as mediating variable*.
Structural Model Results (Without Trust as Mediator).
Looking at the standardized weights, the results suggest that the social benefits of posting online outweigh perceived risks in determining consumers engaging in protection behavior, disclosing more about themselves and posting more positive messages. This is consistent with the consumer privacy paradox (Palmatier & Martin, 2019) and other research where consumers are reluctant to self-disclose except when it involves the norm of reciprocity (Hill & Stull, 1982; Moon, 2000; Shaffer & Tomarelli, 1989). The reciprocity effect assumes that people engage in self-disclosure if they believe that their disclosure is returned in kind from their partners. In addition, self-disclosure is a key component in relationship development and maintenance (Derlega et al., 1993).
To test for time effects, all constructs were compared across the three periods with ANOVA, using the post-hoc Scheffé test to identify differences in means. As shown in Table 4, there is no statistical difference in any of the perceived risks across the time periods, and the means suggest that consumers are aware of the risks of their social media behavior. There is, however, a time effect for perceived benefits and protection behavior. For both perceived benefits, there is a significant drop in the means during and after the data breach, that is, consumers have become more skeptical about the benefits of posting online. This is also true for protection behavior and self-disclosure. This pattern suggests that the data breach significantly affected consumers' perceived benefits of posting on Facebook, making them more likely to engage in protection behavior and less likely to self-disclose. Next, the paths of the model were tested for time differences using multi-group analysis. The results in Table 5 comparing the model (unconstrained) across the three time periods show that there is no statistical difference (χ2 = 47.94,
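The wave-by-wave mean comparison can be sketched with a one-way ANOVA; this is an illustrative example using SciPy with made-up perceived-benefit scores, and since SciPy offers no built-in Scheffé procedure, only the omnibus F-test is shown:

```python
from scipy.stats import f_oneway

# Made-up perceived-benefit scores (7-point scale) for the three waves.
wave1 = [5.8, 6.0, 5.5, 6.2, 5.9, 5.7]  # before the breach
wave2 = [4.9, 5.1, 4.7, 5.0, 4.8, 5.2]  # during the breach
wave3 = [4.8, 5.0, 4.6, 5.1, 4.9, 4.7]  # after the breach

f_stat, p_value = f_oneway(wave1, wave2, wave3)
# A significant F suggests the mean differs for at least one pair of
# waves; a post-hoc test (e.g., Scheffe) would then locate which pairs.
print(p_value < 0.05)  # True
```

Here the clear drop from wave 1 to waves 2 and 3 yields a significant omnibus test, mirroring the pattern reported for perceived benefits.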
Difference in Means Before, During, and After Data Breach.
Measured from 1 = strongly disagree to 7 = strongly agree.
Time Period Analysis (Without Trust as Mediator).
For the second test of the conceptual model with trust as the mediating variable, we analyzed the relationships specified in the causal model in Figure 3. The overall structural model shows a good fit [χ2 = 66.2 (

Figure 3. Structural model with trust as mediating variable*.
Structural Model Results (With Trust as Mediator).
Next, the paths for the model were tested for time differences using multi-group analysis. The results comparing the model (unconstrained) across the two time periods show that there is no statistical difference (χ2 = 32.88,
Indirect Effects Mediated by Trust.

Final conceptual model.
Conclusion and Implications
Consumer data privacy has recently become more salient, especially in the aftermath of the massive data breach at Facebook. Our study is the first to address the "privacy paradox" among users by examining whether their online behavior (protection, disclosure, and message valence) changed over time due to Facebook's data breach. We examine this relationship across three periods—one year before the data breach (wave 1), during (wave 2), and a year and a half after the data breach (wave 3)—to make a temporal comparison. While consumers want more control over their personal data, they do not necessarily scale back their online time, especially on social media, as digital media is such an integral part of their daily lives. Our results are consistent with other research showing that users are willing to provide personal information in exchange for the ability to connect socially (Okazaki et al., 2009).
Our study found that the structural paths of our model have not changed over the three time periods, suggesting that Facebook's data breach scandal has not changed users' pattern of behavior in terms of protection behavior, self-disclosure, and message valence. Perceived risks directly affect protection behavior, self-disclosure, and message valence. Perceived benefits directly affect protection behavior and self-disclosure. Trust mediates between perceived benefits and both protection behavior and message valence. Overall, our study found that perceived benefits outweigh perceived risks in determining consumers' engagement in protection behavior, self-disclosure, and message valence. This is consistent with prior research showing that perceived benefits reduce privacy concerns (Youn, 2009). However, the ANOVA results show that the data breach did raise users' concern about the benefits of posting online, increase their likelihood of engaging in protection behavior, and decrease their likelihood of self-disclosure. Our study has found that Facebook users do balance perceived risks (particularly social and psychological) against social benefits when posting online.
There are a few implications from the results of this study. Companies such as Facebook are under a lot of pressure to secure and protect user data. They need to, whether through legal or regulatory means, do a better job of convincing users that their personal information is secure and being used in a judicious and ethical way. Our study shows that if users lack confidence and trust in Facebook, they may limit their activities and, at worst, abandon Facebook completely. On the other hand, firms such as Facebook need to balance their business models (ad revenue) against this external privacy demand. After its data breach, Facebook made many changes to its business model, including granting more privacy control to users and limiting third-party advertisers' access to information. However, this has a huge impact on both its top- and bottom-line results. Advertisers now have a harder time using user data to target their audience at a fine-grained individual level and instead have to do so at a more aggregated level. More firms are taking advantage of Facebook's data breach to argue for more consumer choice and more transparency in the way firms handle user data, and some competitors are updating their own privacy policies in ways that could seriously undercut how Facebook makes money. For example, Apple plans to update its privacy policy to require app developers to get users' permission to collect data used for targeted advertising and to allow users to opt out of this type of tracking (Hartmans, 2021; Leskin, 2021). This could mean an extensive cut to Facebook's advertising revenue and its dominance in the social media advertising space.
The principle behind such regulations is that consumers have rights over their personal information and over how it is transferred and protected. However, these regulations are aimed at those who collect the information, not at those who disclose it. Hence, motivating consumers to protect themselves is necessary. For example, social media networks could develop algorithms that detect risks in consumers' posts and notify them to protect themselves. This self-regulation practice would reduce the need for further government regulation, which helps lower compliance costs, and could position companies as pro-consumer market leaders.
Finally, privacy advocates and government agencies will also have an important role to play. They have to come up with a sensible set of laws and regulations that keep all stakeholders in mind. For example, California passed the California Consumer Privacy Act (CCPA), which took effect in 2020 and allows any California consumer to see all the information a company has saved on them, together with a full list of all the third parties that data is shared with (Korolov, 2019). The CCPA and the European Union's General Data Protection Regulation (GDPR) share similarities as well as differences; for example, the CCPA gives consumers more access to their data.
Limitations and Future Research
Even though our research is the first to look at changes in perception and behavior before, during and after Facebook’s data breach, and it offers valuable insights for researchers, policy makers, and practitioners, it has limitations that may offer opportunities for future research. While we were able to show the structural invariance of our conceptual model, we did not measure trust prior to the data breach and could only test the mediating effect of trust during and after the data breach. This limits our study’s ability to have a benchmark to test the temporal validity of the full model. While our conceptual model is based on PMT, we focused mainly on the risk appraisal and benefits to determine self-disclosure, message valence, and protection behavior. Other researchers may want to include coping appraisal (e.g., self-efficacy) in the future. In addition to PMT, future research may also want to use other social exchange theories to drive the understanding of disclosure and protection behavior. Future research may also want to look at other socio-psychological traits that are important in explaining online behavior such as personality, group dynamics and network analysis. Finally, future research may look at other moderators and/or mediators that may enhance or mitigate the relationships; for example, cross-cultural effects.
