Electronic Theses and Dissertations



Document Type


Degree Name

Doctor of Philosophy


Business Administration

Committee Chair

Sandra Richardson

Committee Member

Judith Simon

Committee Member

Michelle Carter

Committee Member

Brian Janz


Computer crime increases in frequency and cost each year. Of all computer crimes, data breaches are the costliest to organizations. In addition to the harm data breaches cause to organizations, these breaches often involve the exposure of individuals' personal data, placing the affected individuals at greater risk of computer crimes such as credit card fraud, tax fraud, and identity theft. Despite the breadth and severity of consequences for individuals, existing IS literature lacks coverage of how users respond to data breaches. Routine Activity Theory provides the study's theoretical frame. Routine Activity Theory states that crime occurs when the routine activities of a potential target place them in proximity to a motivated offender in the absence of a capable guardian. This work examines in detail the target-guardian dyad. Using semi-structured interviews, we inquire into potential antecedents to users' beliefs about external guardians, how users' beliefs about external guardians affect users' online routines, and how this process alters in the aftermath of a data breach. This study employs a qualitative case study design to explore, at an individual level, the process by which users outside organizations determine their online routines, in light of their reliance for data protection on external guardians over which they have little to no control, and how the process is affected by awareness of a data breach. The cases selected are 1) the 2017 data breach at the consumer credit agency Equifax and 2) the Facebook Cambridge Analytica data compromise that became public in 2018. Our findings show that users' individual, situational, and data characteristics affect users' external guardianship beliefs and online routines. Additionally, under certain circumstances, users can fail to identify data guardians or develop adversarial feelings towards organizations that act as data guardians through control of user data.
With some well-defined limitations, after data breaches users report changes in individual characteristics, perceptions of situational and data characteristics, and online routines. Based on these findings, we draw conclusions for future research and practice.


Data is provided by the student.

Library Comment

Dissertation or thesis originally submitted to ProQuest