From breach to trust: Effective cyber crisis communications
New research suggests that claiming victimhood in the event of a cyberattack can be an effective way to mitigate reputational harm, writes Paolo Antonetti, professor of marketing at EDHEC Business School
The prevailing wisdom in public relations suggests that companies should always accept responsibility for a cyberattack. After all, organisations — particularly law firms — are entrusted with safeguarding their clients’ data and any breach is typically seen as their failure.
However, this perspective overlooks the role of criminal organisations — and the public’s increasing awareness that cybercrime results from the deliberate actions of malicious actors.
In a recent study titled ‘Responding to Cyberattacks: The Persuasiveness of Claiming Victimhood’, published in the Journal of Service Research, we demonstrate that organisations can persuasively claim victimhood after a cyberattack. Notably, these claims are often more effective than simply accepting full responsibility.
How can organisations successfully claim victimhood?
Our study identifies several key factors that contribute to effective victimhood claims:
1. Show concern and care
Claims of victimhood should be part of a message that demonstrates genuine concern and care for those affected. Claiming victimhood is not a free pass to neglect the interests of those affected. Organisations can support stakeholders effectively while also denying responsibility for the specific incident.
2. Emphasise organisational harm
A successful victimhood message highlights the harm suffered by the organisation itself. Providing vivid and specific evidence of the damage activates empathy among stakeholders, fostering greater understanding and support for the company’s position.
3. Leverage perceptions of virtue
Organisations perceived as virtuous are more likely to benefit from claims of victimhood. Virtuous victims — those engaged in significant corporate social responsibility (CSR) initiatives like offering pro bono services, or known for charitable work — are seen as more deserving of sympathy and support.
4. Avoid contradictions
Claims of victimhood should only be made when the organisation is confident that its own shortcomings did not contribute to the cyberattack. If stakeholders discover that the company’s negligence played a role in the breach, such claims will backfire and erode trust.
Broader implications
Our findings, along with related research, suggest important implications for crisis communication strategies. Modern audiences understand that organisational failures and crises often have complex, multifaceted causes. Consequently, always accepting full responsibility for every incident is unrealistic and ineffective.
In some situations, organisations can adopt more defensive responses, where responsibility is partially attributed to other actors, such as senior leaders, suppliers or — as in this case — cybercriminals.
The responsibility to care for those affected is not a responsibility to always accept blame. Organisations need to learn how to apologise and express concern without implicitly or explicitly assuming full responsibility for the incident.
Claiming victimhood does not mean whining or complaining. The goal should never be to portray the organisation as suffering more than the audience, but to remind audiences that the organisation was also negatively affected by the event. This is more effective (and reasonable) than trying to appease stakeholders by admitting responsibility for something you have not done.