Communication after a cyber-attack

Professor Paolo Antonetti and Associate Professor Ilaria Baghi have discovered that, when organisations are the victims of a cyber-attack caused by criminals, they are best off apologising and claiming to be victims. Here they explain why

 

If you are a victim, don’t be afraid to say so!

 

In today’s digital age, cyber-attacks have become an alarming and frequent reality for organisations worldwide. As companies face escalating threats from hackers and malicious actors, their communications following these breaches are crucial in shaping public perceptions and maintaining trust. 

 

In a research paper recently published in the Journal of Service Research we provide a compelling case for why claiming victimhood can be an effective response strategy after a cyber-attack. We argue that in cyber-attacks, organisations can adopt a stance of victimhood to elicit sympathy and mitigate negative responses from stakeholders.

 

The research sheds light on how this approach can help organisations manage the reputational fallout after a cyber-attack.

 

The problem with accepting responsibility

Our research started from the observation that most organisations currently respond to data breaches by apologising and accepting responsibility for the incident. This communication approach is legitimate and effective in many circumstances, but it can be problematic for cyber-attacks.

 

We have known from previous studies that admitting responsibility for negative events that are not caused internally by the organisation is not appreciated by audiences. People are suspicious of admissions of responsibility that seem unwarranted. In addition to not being persuasive, a communication that accepts responsibility may unintentionally position the organisation as liable or negligent, rather than as a victim of an external attack. 

 

Our first goal was therefore to demonstrate that accepting responsibility for a cyber-attack is often not a persuasive strategy. To achieve this goal, we compared accepting responsibility to comparable communications that were rejecting responsibility or claiming victimhood.

 

Our findings highlight several circumstances in which claiming victimhood is much more persuasive than the other two alternatives. By claiming victimhood, organisations shift the narrative, underscoring that they, too, are impacted by the malicious actions of skilled cyber-criminals. 

 

How does claiming victimhood work?

The key idea is simple: when organisations frame themselves as victims of cyber-crime, they invoke sympathy from stakeholders. People are more likely to sympathise with companies that portray themselves as wronged parties rather than those that deny or deflect blame. This emotional appeal can humanise the business, mitigating stakeholders’ responses toward the company. 

 

Essentially, this approach positions the organisation as a target of external threats beyond its control rather than as an entity responsible for negligence or incompetence. Our study emphasises that this strategy taps into a deeply ingrained social norm—people’s natural inclination to support those they perceive as victims.

 

Our results demonstrate that stakeholders are likely to be more forgiving and understanding if they believe the organisation has been unfairly targeted by malicious actors. 

 

When to claim victimhood

Not all organisations can claim victimhood and not in all circumstances. Effective victimhood claims hinge on several factors. First, organisations must provide a clear account of the harm inflicted upon them. This is essential in signalling genuine suffering and invoking sympathy.

 

Second, we found that claims of victimhood are most successful when the organisation is perceived as virtuous. Virtuous victims are more deserving of social support and public sympathy. A virtuous organisation would be one engaged in significant CSR programs, or a well-known charitable institution.

 

Third, claims of victimhood are acceptable only when there is no reasonable suspicion that the organisation is partly responsible for the cyber-attack. Organisations cannot claim victimhood if stakeholders (partly) blame them for the cyber-attack.

 

Fourth, claims of victimhood are more persuasive when the cyber-criminal is perceived as more competent. This suggests that organisations can benefit from persuading audiences of the significant technical skills of their attackers.

 

How to get it right

Claiming victimhood does not mean whining or complaining. The focus of the communication should still be about the audience and not about the organisation itself. The goal should never be to portray the organisation as suffering more than the audience but simply to remind audiences that the organisation was also negatively affected by the event.

 

Claiming victimhood should be part of an apology or a communication expressing concern. In this sense, claims of victimhood represent supplementary information to help the audience understand the event.

 

Crisis communications scholars differentiate between a primary and a secondary strategy. The primary strategy is about taking care of the stakeholders affected by the data breach, the secondary strategy should involve clarifying that the organisation was also a victim.

 

The study’s findings offer a novel framework for organisations facing cyber-attacks, encouraging a shift from traditional crisis response strategies to a more effective communication of “co-victimhood”.

 

By carefully considering their position in cyber-attack crises, organisations can mitigate reputational harm, positioning themselves as partners in resilience with their stakeholders.

 

---

 

Paolo Antonetti is Professor of Marketing at EDHEC Business School, and Ilaria Baghi is Associate Professor of Marketing at University of Modena and Reggio Emilia

 

Main image courtesy of iStockPhoto.com and Bjoern Wylezich