Victimized or Culpable? Cyber Crisis Communication Done Right

Dr. Ari Achiaz, Crisis Communication Lead, Cytactic

Not all cyber crises are created equal – and neither is the blame. A cyber crisis is considered one of the most chaotic events in the life of a company. To protect the organization’s reputation, communication managers and spokespeople have to convey these dynamic and unexpected events to various stakeholders. This task raises an important dilemma: should the company play the victim card, or will it be perceived as culpable, due to passiveness or negligence?

Coombs’ seminal 2007 Situational Crisis Communication Theory (SCCT) categorizes crises into three attribution clusters:

1) The Victim Cluster comprises events with low attribution to the company, which therefore entail only a mild reputational threat.

Examples: Natural disasters, force majeure, false rumors, product tampering by external agents.

2) The Accidental Cluster covers incidents that steps taken by the company might have unintentionally caused. These incidents carry some attribution to the company and thus may pose a moderate reputational threat.

Example: Technical errors that lead to industrial accidents or product recalls.

3) The Preventable or Intentional Cluster includes accidents caused by human error, organizational misdeeds or misconduct, negligence, and the like. In these incidents the company has medium to high attribution, so they pose a severe reputational threat.

Examples: Negligence, insider threats, executive fraud, or deliberate violation of safety protocols.

So, into which cluster do cyber crises fall? Cyber incidents are mostly attacks by an external threat actor, so they may seem like Victim Cluster events. But does that mean the public will see them that way? Not necessarily. Recent studies show that many cyber incidents, such as data breaches, are actually viewed as preventable failures, placing them in the Preventable/Intentional Cluster and leading to higher reputational damage.

[Image: Cyber Crisis Victim. Credit: Yonatan Wachsmann]

Whether or not the company is perceived as the victim depends on a combination of the attack type and the threat actors involved (among other attributes, of course). The following table details our analysis of several notable attack types and threat actors according to the reputational threat they might pose to the organization:

Higher reputational attribution (Culpable)
  Attack type: Data Leakage, Triple Ransomware
  Threat actor: Former employee, Insider Threat

Lower reputational attribution (Victim)
  Attack type: DDoS, BEC, Nation-state attack, Cyber-terrorism
  Threat actor: Competitor

Data leaks and insider threats tend to trigger higher blame, as they involve failures to protect sensitive information. On the other hand, large-scale DDoS attacks or cyber-terrorism incidents are more likely to be perceived as unavoidable, meaning lower reputational damage.

A company could be forgiven for experiencing a nation-state attack, which is resource heavy, potentially devastating, hard to avoid, and arguably an act of war (or at least war-adjacent). Conversely, a company is expected to protect itself sufficiently against script kiddies or insider threats, and falling victim to them would lead the company to be considered culpable, if not outright guilty.

SCCT also argues that the organization’s response strategy must match the reputational risk. Where reputational risk and blame are low, “deny strategy” responses, such as victimage and scapegoating, are more applicable. Where reputational risk and blame are high, “rebuilding strategy” responses, such as empathy, apology, and compensation, are more likely to lead to a better outcome.

A victimage response strategy can backfire if the organization is also to blame, as seen in two real-life crises in 2018. The first is Marriott International’s data breach, which exposed the records of 339 million guests of its Starwood subsidiary (acquired in 2016). Marriott attributed some of the blame to Starwood by stating that the breach had begun in 2014, before the Starwood acquisition.

The second, even more striking example is Ticketmaster’s payment and personal information breach. Ticketmaster blatantly blamed its third-party supplier for the breach, opening its statement as follows: “On Saturday, June 23, 2018, Ticketmaster UK identified malicious software on a customer support product hosted by Inbenta Technologies, an external third-party supplier to Ticketmaster. As soon as we discovered the malicious software, we disabled the Inbenta product across all Ticketmaster websites.” It went as far as naming the compromise “the Inbenta breach.”

However, soon after, Inbenta publicly responded that Ticketmaster had deployed its product on a payment page without notifying Inbenta beforehand, that Inbenta would have advised against such use, and that Ticketmaster was the only Inbenta client affected by the breach.

In both cases, public sentiment leaned toward blaming the breached companies for poor security practices rather than viewing them as victims. Why? Because cybersecurity is now seen as a basic corporate responsibility, especially when it comes to securing client PII. If an organization fails to protect its data, the common perception is that it could have done more to prevent the attack.

[Image: Cyber Crisis War Room. Credit: Yonatan Wachsmann]

A startling counterexample is the elaborate 2016 Bangladesh Bank cyber heist, carried out by the North Korea-based APT Lazarus Group. The group attempted to steal almost $1B from the central bank of Bangladesh’s account with the Federal Reserve Bank of New York, instructing the SWIFT international payments network to make 35 transfers to accounts in the Philippines and Sri Lanka (the New York Fed thwarted 30 of the transfers, and the attackers ended up pilfering only $101m, of which $38m has since been recovered).

The heist was planned well in advance: the group broke into Bangladesh Bank’s systems to learn how transfers are made and to steal the required credentials, opened the shell bank accounts as early as a year before the heist, and took advantage of both a weekend in Bangladesh and a holiday in the Philippines to ensure no one was there to notice and foil the plot. Bangladesh was adamant in disclaiming liability, with both the bank and Finance Minister Abul Maal Abdul Muhith blaming the New York Fed.

So when can companies play the Victim?

Even though accepting some responsibility for a cyberattack has been found to yield better reputational results in various cases, this does not always hold. A recent academic study (Antonetti & Baghi, 2024) suggests that accepting blame is unsuitable in situations where the data breach is caused exclusively by others, what SCCT refers to as a “victim crisis.”

The authors argue that, in these situations, organizations can apologize while claiming victimhood. Their main result, from a theoretical model and five empirical experiments, is that an apology claiming victimhood outperforms an apology that either accepts or rejects responsibility.

However, claiming victimhood is effective only when evidence of external harm is provided and the organization cannot be construed as being even partly responsible for the attack. Furthermore, claiming victimhood is more effective if the cybercriminal is perceived as highly competent, as noted earlier.

To conclude, when crafting a cyber incident response, the organization must assess how much blame it may face, which depends on the attack type and the identity of the threat actor, in addition to the specific characteristics of the incident. Understanding whether the public will view it as a victim or as a negligent party is critical. The right messaging can mean the difference between a temporary PR challenge and a full-blown reputational crisis.
