Features 05.11.2024
Shifting the Blame: Should Breached Companies Play Up Their Victimhood?
Can reputation damage after a breach be mitigated with smarter crisis comms?
Security breaches can have a significant and lasting impact on the organisations that suffer them. Research shows that major incidents can sink the stock price, damage brand reputation, drive customer churn, and potentially open the door to costly class-action lawsuits. Could smarter crisis comms mitigate some of these risks?
A new report from EDHEC Business School argues that, in many situations, claiming victimhood while apologising to impacted customers can boost sympathy and “improve stakeholder responses” following an attack. That could, in turn, give organisations a helpful advantage in managing the financial and reputational fallout of breaches.
According to report co-author and EDHEC professor, Paolo Antonetti, perception matters following a breach.
“A poor response can reduce stakeholders’ trust and lead to a negative escalation that is very difficult to manage. Organisations seem to underestimate the importance of getting the immediate response right. In our research, we see that the most serious crises are those where the immediate responses were botched in some way,” he tells Assured Intelligence.
“In the cybersecurity space, quite understandably, a lot of attention focuses on the technical causes of the breach and its consequences,” Antonetti continues. “This means that perhaps organisations become less concerned with the details of their choice of words and tone in the response they issue. However, communication is extremely important to avoid a negative escalation of the crisis and to ensure that stakeholders behave responsibly in the aftermath of a negative event.”
Some companies may accept responsibility for breaches “to look cooperative”, even though doing so can increase the chances of legal action and compensation demands, Antonetti adds. This might stem from a misconception that claiming victimhood signals weakness, or from a fear that stakeholders will perceive it as a strategy to shift responsibility.
“We can imagine that organisations might not like to appear vulnerable, as they would worry that this sends a negative impression about their competence and cybersecurity infrastructure. I also believe that organisations might have somewhat confused the idea of accepting responsibility with the idea of showing concern,” says Antonetti.
“There’s an important difference between the two. Organisations should always work to help their stakeholders address the negative consequences of negative events – irrespective of who has caused them.”
To arrive at the report’s findings, Antonetti and his team conducted five studies. In each, they compared claiming victimhood as part of an apology with accepting or rejecting responsibility. In four studies, participants evaluated fictitious scenarios of a cyber attack, while in the fifth, participating executives commented on a potential attack inside their own organisation. In all studies, participants read about a cyber attack and the corporate response and evaluated the organisation based on the information provided. Each participant usually saw just one response, except in Study Five, where the surveyed executives compared the two responses directly.
“The research design allowed us to compare directly the very limited differences in wording between claiming victimhood and the other two control conditions,” says Antonetti. “We found that simply accepting responsibility is a bad idea. In most cases, people simply do not understand why an organisation is doing so, unless the organisational failure that has caused the data breach is clear. Claiming to be a victim can make sense in these situations, not as a strategy to deny responsibility, but as an alternative to having to highlight exactly what went wrong.”
However, the research outlines a vital caveat: Claiming victimhood is effective only when evidence of harm is provided and when the organisation can’t be construed as partly responsible for the attack. It also states that claiming victimhood is more effective if the ‘victim’ organisation is perceived as virtuous and the cyber criminal as very competent.
This is a point echoed by Brian Honan, owner of cybersecurity consultancy BH Consulting.
“I regularly talk about organisations being victims of crime,” he tells Assured Intelligence. “But as the research suggests, this does not mean we give organisations a ‘get out of jail free’ card from their responsibilities to have proper security in place from the beginning.”
There are two fundamental reasons why promoting victimhood in crisis comms could help a breached organisation, says Antonetti. First, stakeholders, including impacted customers, may appreciate a response that matches their own understanding of who is responsible for an incident. If a breach is attributed to a supplier’s or employee’s deliberate or negligent actions, for example, claiming victimhood is a more appropriate response than either accepting or rejecting responsibility.
Second, doing so can help people empathise with the negative impact a breach can have.
“Consider a cyber attack like the one that has affected the British Library,” says Antonetti. “Our findings clearly show that people would empathise with the impact such a disruptive event can have on employees, and this would make claiming victimhood more effective than simply accepting responsibility.”
The key to making a victimhood strategy work after a breach appears to be effectively portraying the attacker as competent and the organisation as in no way responsible. Antonetti explains that while this was not a focus of the research, it should be possible with the right messaging.
“Several studies have shown that people can differentiate between the actions of an organisation and the behaviour of employees,” he says. “So I think it might be possible to claim victimhood even if an employee has fallen for a phishing email, for example.”
However, others aren’t so sure.
“We need to stop blaming the victim for criminal/espionage activity. However, right now, I am not sure it will be effective. One major reason is that there is no generally accepted reasonable standard of cybersecurity,” Arctic Wolf CISO, Adam Marrè, tells Assured Intelligence.
“For a physical business, as long as the company has locks on the doors and maybe an alarm and cameras, no one blames it if it gets broken into. Online, however, even if companies have spent millions on a good faith effort to secure the business, as soon as they are breached, it’s their fault.”
Keeper Security CISO, James Scobey, argues that even a breach involving a malicious third-party actor requires a failure of controls to be effective – therefore implying some level of responsibility from the ‘victim’ organisation.
“Many incidents are evolving situations with key details unknown during the initial reporting period. Organisations usually have to report a breach before full attribution is available, which undermines the ability to claim victimhood early in the breach cycle,” he tells Assured Intelligence.
“This causes the ‘accepting responsibility’ approach to be the default in the early stages of incident reporting. Without a well-resourced incident response team, victim firms may never be able to do full attribution and move to the ‘claiming victimhood’ stage, which this research shows has value in terms of reputation.”
Recognising this grey area, Antonetti explains that it’s crucial to work closely with PR experts to understand the best approach to crisis comms.
“Organisations should test potential responses before engaging in a specific PR strategy,” he concludes. “Our findings show how subtle differences in the situation can cause important shifts in how audiences perceive the breach and the best response.”