The Stakeholder Attributions of Corporate Crisis Responsibility Following a Cyber Attack: An Explorative Case Study on How Stakeholders Perceive Crisis Responsibility Following a Cyber Attack and Which Response Strategies to Apply in Order to Mitigate the Impact of Such a Crisis Type

Elisabeth Ulsted Jørgensen

Student thesis: Master thesis


During the recent three decades, digital technology has been advancing at an accelerating speed creating revolutionary opportunities for societies, organizations as well as individuals. The Internet is an example of such a technological development successfully reinforcing the relations between countries, cultures and societies across the world (Taylor, 2016). However, the growing reliance on the Internet and digital networks has also increased the vulnerability of our societal structures which introduces a new type of complex and high-scale risks (Buchanan, Kelley, & Hatch, 2016). Thus, cyber incidents involving data breaches pose a greater threat towards society now than ever (ITRC, 2017). The American Identity Theft Resource Center reports of a 40 percent increase in American organizations and government institutions that experienced data breaches in 2016 compared to 2015 (ITRC, 2017). As the number of cyber attacks increases, so does the fear of falling victim to one. According to a global cyber crime survey by PwC (2016), 53% of the responding organizations perceived the risk of a cyber attack as more likely which is a 10% increase compared to 2014. Based on the news coverage of these incidents, it seems that the fear of being targeted is justified. Thus, there are several examples of data breach incidents which have turned into crisis situations causing major disruptions to business operations involving companies such as Yahoo Inc., Ashley Madison, Anthem and Sony (Albanesius, 2011). Yet, this area of research is still widely unexplored within the field of crisis management despite the intensified corporate fear of cyber threats along with the increase in cyber incidents, and the multiple examples of data breach crisis incidents involving organizations. However, one of the theories which does offer a framework for managing this specific crisis type is the situational crisis communication theory by Timothy W. Coombs (1995, 2015a; 2001). In order to mitigate the reputational damages caused by a crisis, the theory organizes a list of response strategies based on the attributed level of crisis responsibility in relations to specific crisis types (Coombs, 2015a). In relations to hacker attacks, Coombs (2015a) argues that stakeholders will most likely perceive the targeted organization as a victim with very little responsibility affecting the corporate reputation insignificantly. Nonetheless, according to an international survey by the cybersecurity FireEye (2016), 36% of the responding consumers admit to a weakening perception of organizations involved in a data breach incident. Thus, the purpose of the following study is to examine how the stakeholder attributions of an organization targeted by a cyber attack correlate with the victim crisis framework suggested by Coombs in his situational crisis communication theory. The thesis aims to dis(confirm) two hypothesis suggesting that stakeholders will attribute organizations targeted by a cyber attack with a higher internal crisis responsibility and that the victimage response strategy will prove ineffective in order to minimize the reputational effects. The cyber attack on the Sony PlayStation Network in April 2011 represents an interesting example of how a data breach can develop into an unpredictable entity with massive financial, reputational and operational consequences to the organization and its relationship with stakeholders. Thus, following the attack, the Japanese electronics corporation revealed how hackers had gained access to personal data of more than 70 million customers resulting in expenses to reach an estimated $170 million (M. Williams, 2011a). By applying the research method of archival netnography, the paper studies the online interactions amongst users on the forum of Sony’s official PlayStation blog in response to statements by Sony related to the cyber attack. The method has proven beneficial for the research question of this particular paper as it reflects a more natural and less obtrusive environment compared to the more traditional methodologies such as the interview or the questionnaire. The research findings expose significant differences in the stakeholder reactions towards Sony prior to and after April 26 2011, when Sony announced how a system outage was in fact a data breach incident implicating the personal data and possible credit card details of more than 70 million customers also referred to as the victim stakeholders. Following the data breach notification triggering a crisis situation, Sony applies the victimage strategy amongst a range of other response strategies such as the scapegoating and excusing strategy. However, the strategy proves ineffective in protecting Sony’s reputation as the mood amongst this the victim stakeholders goes from frustration over the network being inaccessible to anger and pledges of lawsuits towards Sony for failing to secure the data properly as well as notify the users about the data breach in time. The attitude amongst government officials categorized as non-victim stakeholders is similarly disapproving of the week-long delay from the recognition of a data breach until the public announcement. In conclusion, the analysis confirms hypothesis 1 as the empirical findings suggests a noteworthy discrepancy between the theoretical suggestions of Coombs situational crisis communication theory and the strong attributions of crisis responsibility towards Sony. The analysis furthermore confirms hypothesis 2 as the victimage strategy seems to be unsuccessful in building sympathy and minimizing the reputational effects of the cyber attack.

EducationsMSc in Business Administration and Organizational Communication, (Graduate Programme) Final Thesis
Publication date2018
Number of pages80
SupervisorsLasse Peter Laursen