Attribution of Responsibility during Cyber Crisis: An experimental application of the Situational Crisis Communication Theory

(1)

Attribution of Responsibility during Cyber

Crisis

An experimental application of the Situational Crisis

Communication Theory

Tsvetelina Shabanska

Final Thesis

MSc Crisis and Security Management

Dr Honorata Mazepus

(2)

Humans nowadays live online. The internet contributes to and facilitates most of our daily activities. On the one hand, this is viewed as astonishing convenience, but also as a potential danger. If before, people and nation-states had to safeguard their safety and security in purely physical terms, at present times there is a whole new cyber realm, which also needs to be protected. On the one hand, security could be viewed from the perspective of politics and economics, in terms of risks and probabilities in an objective sense. On the other, security could be seen as a social phenomenon and a feeling in a subjective manner (Bar-Tal and Jacobson 1998, 62). It is experienced and perceived by people who determine whether they feel safe or not and those people often attribute responsibility for a crisis. This touches upon the objective and subjective dimensions of security. Due to the human factor, there are many cognitive biases that could influence one’s perception of security as a whole and cybersecurity in particular. Sometimes, when systems’ security fails, a cyber crisis could occur. This type of crisis can have serious economic, political, and societal implications. Crises pose a threat to people’s core values and disrupt their sense of normality (Nillson, Alvinius and Enanader 2016, 14). Usually, it is sudden even in which crisis managers should make decisions based on a limited amount of information. When such an atrocious event takes place, people try to make sense of the situation by attributing responsibility and assess whether an organization is the one responsible for a crisis or whether the crisis was created by something in this organization's environment that they could not control. Crisis managers not only have to make important decisions with a limited amount of information, but they also have to communicate effectively with stakeholders in order to ensure them that the crisis is being managed and their organization is in control of the situation.

This study has the aim to explain whether matching a communication response to the crisis type can decrease the attribution of responsibility towards an organization experiencing a cyber crisis. In order to do so, I conducted an experiment with Dutch participants with the aim to see if the way organizations respond to different types of cyber crises influences the way people perceive these crises and how they attribute responsibility. As a main guiding theory, this study uses the Situational Crisis Communication Theory. In simple terms, this academic theory provides a framework and a guideline for crisis managers to “protect reputational assets during a crisis” (Coombs 2007, 163). At the same time, SCCT is a 1

(4)

powerful research tool for academics to study how the attribution of responsibility towards an organization could be influenced (Ma and Zhan 2016, 102). Because the research question is rather broad, the main goal of this study could be divided into two parts following the SCCT logic. First, it will be investigated if the attribution of responsibility towards an organization experiencing a cyber crisis could be grouped the same way as it is divided among the clusters in SCCT (low- limited a high). Second, whether matching a crisis response in accordance with the guidelines in SCCT lowers the attribution of responsibility towards an organization in comparison to an unmatched response.

This research touches upon the moral and societal debate of who falls responsible during a time of crisis, and its conclusion contributes to the work of many practitioners in the field of crisis management and cybersecurity. Furthermore, it provides academics and security practitioners more information about people’s perception of cyber crises and how people attribute responsibility. Thus, this study benefits not only the pool of academic knowledge, but it also provides a useful guideline for practitioners in the field of crisis communication. This can contribute to policymaking and crisis management in the Netherlands and can help experts to make better- informed decisions in times of a cyber crisis. Furthermore, in academic terms, this research will enrich the pool of knowledge in crisis management and crisis communication by putting forward an experiment, a method which is widely used in many disciplines within the social sciences, but underused in the study of technical issues which have societal implications.

This thesis research is structured as follows: the second chapter is a review of the contemporary academic literature that has focused on crisis management and crisis communication. There, the main goal is to introduce all relevant theories and concepts, including the Situational Crisis Communication Theory, crisis response strategies, crises in general, and cyber crisis in particular. Furthermore, this second chapter introduces the two hypotheses that have been tested for this study. The third chapter introduces the methods and the construction of the experiment itself. Following that, the fourth and most important chapter reports the characteristics of the sample, the results of the experiment and discusses the findings. There, I also reflect on the limitations of the experiment and possible future research that could be built upon it. The last chapter will provide concluding remarks on the study.

(5)

Chapter II: Theoretical framework

This chapter is theoretical base of the study. In it, important academic concepts are explained and related to one another. First, the terms crisis and cyber crisis are defined and related to one another. After that, the Situational Crisis Communication theory and crisis communications strategies will be discussed in depth. The chapter is divided into different sections as this helps the reader to easily navigate between them and provides a clearer structure.

What is a crisis?

When people think of a crisis, often, the first things that come to mind are sudden atrocious events like natural disasters or conflicts or some technical failures which happen suddenly, cause harm and pose a danger to many people. However, crises can come in different shapes and forms. In the contemporary crisis literature, there are three defining characteristics of a crisis- threat, uncertainty, and urgency (Boin et al. 2005, 2). Every crisis poses a threat to already established structures and normal functioning of systems or society (Boin et al. 2015, 2). For example, a technological crisis may pose a threat to the proper functioning of a particular factory or a product. Natural disasters pose a threat to the functioning of the state and its society. Economic crises threaten the functioning of the global financial markets and the world's economy. Terrorist acts and conflicts pose a threat to human lives and well-being. Crises endanger and threaten values and things people perceive as dear, important, or even life-sustaining and vital. Another reoccurring characteristic of a crisis short time for reaction, which creates a sense of urgency in a crisis situation (Boin et al. 2015, 3). It is something that needs to be dealt with immediately, and critical decisions are made in a short time frame. Uncertainty is the last defining characteristic which refers to the unknown nature of crises. There is little information on how the crisis has occurred, how it will develop, what actions should be taken in order to mitigate its impact, and are these actions the best possible measures that are employed?

In this research, I will not talk about crises in general, but organizational crises in particular. Here, the interest falls under organizations (be it public or private) and how do they deal with atrocious events and how they communicate with their stakeholders. This specific type of crisis will be defined as "an event perceived by managers and stakeholders as

(6)

highly salient, unexpected, and potentially disruptive—can threaten an organization's goals and have profound implications for its relationships with stakeholders" (Bundy et al. 2016, 1663). An organizational crisis is still considered as threatening, uncertain, and urgent, but additionally, there is an emphasis on the relationship between the organization and its stakeholders. Furthermore, these crises are behavioral and socially constructed, which means that they are subjective, and each affected party has its perceptions and beliefs of the situation (Bundy et al. 2016, 1664). Such events rarely happen in a vacuum. They could also be perceived as a social process where they influence the world around us, and thus people's perception (Nilsson, Alvinius and Enander 2016, 14). Lastly, organizational crises are perceptual (Coombs 2014, 19). That means that one event is a crisis only when its stakeholders perceive it. If there is a crisis according to the organization, but its stakeholders do not perceive this event as such, then by this definition, no crisis has occurred and visa versa.

Lastly, crises could have potentially harmful effects or consequences for the organization itself or its stakeholders (Coombs 2014, 20). These undesirable outcomes could take many forms. For example, they can be financial- loss of money either for the company or their client; loss of trust in a product, brand, employee, or reputational loss for the whole organization; down-time for services, platforms, or production lines; environmental damage; or even loss of human life and injuries.

Crisis management

Crisis management is the process in which organizations deal with crises, and its primary goal is to reduce the negative effects and consequences not only for the organization but also all of its stakeholders (Bundy et al. 2016, 1673). It involves a range of activities from prevention and preparation for a crisis through response and action all the way to revision and post-crisis learning (Coombs 2014, 21). This research will not go into all these aspects, but it will focus solely on crisis response and its perception, which is still part of crisis management. The main goal of effective crisis response is to minimize the negative impacts of a crisis. A significant body of academic literature focuses on how stakeholders perceive crisis and in what way organizations can influence these perceptions (Bundy et al. 2016, 1673). Therefore, when it is talked about crisis management in this study, it will be meant

(7)

managing the perception of the crisis in the eyes of the stakeholder and what consequences does this have for the organization which is experiencing the crisis.

What is a cyber crisis?

This research focuses not on organizational crises in general, but it digs deeper into the topic of a cyber crisis. Technology is around us, and it is an indispensable part of our daily lives. The internet allows information and ideas to flow, it connects people and organizations, and it supports the functioning of industrial systems. However, cyberspace, in its essence, is still a man-made system. Because in its nature, this system is a very complex and interconnected one, even a small disruption can have a significant impact on many of the involved parties, and it can experience crises. In practical terms, many private actors and governments talk about cyber crisis and how it can be managed. A simple search in a search engine will produce more than 21 million results in less than a second; however, in social sciences and crisis management studies, only a few scholars have touched upon what the term means.

So what exactly does cyber crisis entail, and is it distinctively different from other crises? Firstly, this crisis occurs in cyberspace. Cyberspace refers to an environment of interconnected computing devices that communicate with each other. It is composed of billions of devices and networks. "The basis for cyberspace is the Internet as a universal and publicly accessible connection and transport network, which may be supplemented and expanded through other data networks" (ENISA 2014, 28). In most developed countries, digitization and cyberspace are essential for the functioning of society and the economy. A crisis in cyberspace can lead to a chain of incidents and, ultimately, failure of, for example, gas, water, or electricity. Due to the almost complete disappearance of analog alternatives and the absence of fallback options, dependence has become so great that any damage in cyberspace can lead to socially disruptive damage (NSCS 2019).

The European Network and Information Security Agency has attempted to define a cyber crisis practically. According to ENISA, a cyber crisis may pose a threat to the functioning of an IT system, to an organization and its reputation, or vital infrastructures for the proper functioning of society and threats to national security (ENISA 2014, 28). Therefore, the threat level is so diverse that it cannot be allocated into one fixed category. Furthermore, a cyber crisis may have a spill-over effect. Something that starts as a cyber incident could easily be translated into different sectors, and the cyber crisis could have

(8)

transnational implications across countries (ENISA 2016, 22). This also influences the coordination efforts for managing such a crisis. Boeke tries to find a common definition of the term by looking at the national policies of different European countries, however, in his research, he concludes that often politics mainly determine when a cyber incident is categorized as a cyber crisis and still, more academic research should be conducted in order to achieve common definition (Boeke 2017, 451).

Despite all of described unique characteristics so far, cyber crisis still possesses all of the discussed characteristics of a normal crisis. It is still a perception, unpredictable, and almost always leads to a negative outcome (Brown and Ki 2013, 365). That means that if an individual believes that there is a cyber crisis, which means that there is one even if other organizational entities fail to see a certain situation as a crisis. Furthermore, there are instances of threat, urgency, and uncertainty when dealing with a cyber crisis.

Situational Crisis Communication Theory

In academia, it is generally accepted that the actions of organizations and their response during a crisis influence the way people perceive this organization (Cooley and Cooley 2011, 204). My research builds upon the Situational Crisis Communication Theory as designed by Coombs. Currently, SCCT is one of the most popular and tested theories in the field of crisis communication and crisis management. However, there has not been a study that tests whether this theory is applicable in cases of cyber crisis (Cooley and Cooley 2011, 205). Even though SCCT has evolved tremendously in the past 20 years, the main idea of this theory revolves around attribution of responsibility to the affected organization (Tripp 2016, 24). In simple terms, it provides a framework and a guideline for crisis managers to "protect reputational assets during a crisis" (Coombs 2007a, 163). At the same time, SCCT is a powerful research tool for academics to study "how the attribution of responsibility affects an organization's reputation" (Ma and Zhan 2016, 102). Thus, my study adds to the pool of academic knowledge and can be used as a guideline for practitioners in the field of crisis communication when they are facing a cyber crisis.

SCCT roots in the psychological Attributions theory, which in short states that regardless of how well a crisis is handled, it is still perceived as a negative event by stakeholders (Coombs 2007, 173). People try to make sense of a crisis situation situation by attributing responsibility and assess whether the organization was the one responsible for a

(9)

crisis or whether it was something in their environment that they could not control. SCCT offers a system and explanation consisted of two parts. The first one gathers information on what types of crises do generally organizations encounter, how they can be characterized and classified. The second main point of the theory tries to come up with easy to grasp communicative advice for crisis managers and a guideline on what they should say or do in order to manage the crisis and lower perception of responsibility.

Depending on the type of crisis, there are specific responses that can minimize the attribution of responsibility towards organizations. When an event happens, the message that the actors produce contributes to attributions of responsibility in stakeholders and creates feelings and perceptions of the crisis (Weiner et al. 1988, as seen in Wright 2009, 22). The more responsibility is attributed to an organization during a crisis; the more negative the impact is for this organization (Claeys, Cauberghe and Vyncke 2010, 256). This theory relies on the fact that the crisis manager will be able to assess the crisis and correctly determine how it can be classified. Then, based on their assessment, they will produce a matching communicational response, which should minimize the responsibility attributed to the or (Coombs 2007, 166). There are two intensifying factors, which can also influence the way stakeholders perceive responsibility: crisis history and the company's negative reputation. For the purpose of this study, the intensifying factors are not studied because they would only over-complicate the experiment, as they would demand more sophisticated research tools, a bigger pool of respondents, which is not feasible for the purpose of this graduation research. Also, it has been proven that the attribution construct does not change in regards to the crisis history that an organization has, thus the lack of information on this instance should not influence the experiment (Reezigt 2018, 18). Furthermore, there are certain ethics involved in the crisis management rationale. In cases of immediate danger for stakeholders, the initial communication should be focused on warning them for dangers rather than just focusing on saving the reputation of the organization (Coombs 2007, 166). This experiment will not test any situations in which stakeholders are put into danger, and it will be assumed that the basic ethics of crisis management are followed.

There are three main groupings for different crisis types in SCCT. These are Victim Cluster, Accidental Cluster, and Preventable Cluster. Each cluster has a different assumed2

(10)

level of attribute responsibility. Because the groups are different from one another, they will produce different responses among stakeholders, and they will attribute responsibility towards the organization differently (Wright 2009, 25).

The Victim Cluster relates to cases when the organization and its stakeholders are all victims of the crisis (Coombs and Holladay 2002, 179). As can be seen from Table 1. displayed below, the most common example of this cluster are natural disasters or crises that have an external trigger. The cause of the crisis comes outside of the organization, and therefore the organization could be perceived as a victim of the situation. That is why, in such cases, people tend to attribute low levels of crisis responsibility to the organization (Coombs and Holladay 2002, 179). As mentioned in the previous section, cyber crises can have different causes and can pose a threat to an array of different things. The cyber crisis belongs to the victim cluster in cases such as targeted cyber attacks by hackers towards the organization. Recent real-life examples are the ransomware attacks that were very popular around 2015 and affected many internet users around the world, including many Dutch companies (Greenberg 2018). Some of the most famous ones are Petya, NotPetya, WannaCry ransomware. What a ransomware does is that it encrypts all important files of an organization and make them inaccessible. Then the attackers demand ransom in order to decrypt them. In such cases, there is a designated attacker outside of the organization that has caused the crisis. In cyberspace, usually, these attackers are cyber criminals or state-led- cyber groups that issue attacks towards an organization. In the case of the ransomware attack NotPetya towards the company APMT in the Port of Rotterdam, the consequences were downtime for all of the company's operations, its ability to connect to the outside world, and has caused disruptions in all schedules across the harbor (Knowler 2017).

The accidental cluster relates to crises that have occurred due to the unintentional actions of the organization or somebody inside this organization (Coombs and Holladay 2002, 179). For example, by introducing a product that later needs to be recalled due to a technical error that was not discovered at the time of its release (Coombs 2007, 170 and 179). This cluster has limited attributions of responsibility towards the organization (Coombs 2007, 179). A somewhat recent example in the cyber domain is the Medtronic cardiac Devices that were recalled in 2018, due to concerns about unexplored cyber vulnerabilities (McGee 2018). In this case, at the time of the release of the technology, the company was not aware of the potential danger that their device might have on medical patients.

(11)

Table 1. Crisis Clusters and Examples of crises

Crisis Clusters

Victim Accidental Preventable

● Natural disasters ● Rumors

● Attack towards the organization ● Hacking ● Unforeseen technical error accidents ● Product recall ● Unintentional human error accidents ● Intentional negligence that leads to an accident ● Organizational

misdeeds

Source: Adapted from Coombs 2014 p. 180

The third designated cluster is the preventable one, and it relates to cases in which the organization has caused a crisis by "knowingly putting stakeholders at risk" by violating law or regulation, or by human error that could have been prevented (Coombs and Holladay 2002, 179). Here SCCT determines that the attributions of crisis responsibility are the highest. The case of the preventable cluster that could lead to a cyber accident is a knowing violation of a law that has led to a crisis. For example, if higher management in a European company knowingly violates GDPR, and this leads to the compromised data of customers and other stakeholders. Another real-life example is the Dutch company DigiNotar that was responsible for issuing digital certificates in the Netherlands. After it has become known to the company that their operations have been compromised and their certificates flawed, they have tried to knowingly neglect the advice by their consultancy firm to cease any future activity. Some of their clients have been numerous institutions within the Dutch government, who have provided services to people living in the country (van der Meulen 2013, 48). This crisis has resulted in the Dutch government taking over the operations of the company in order to ensure that the crisis could be appropriately handled without any security concerns of the Dutch state or its citizens (van der Meulen 2013, 46).

(12)

H1. The type of cluster that a cyber crisis belongs (victim, accidental, preventable) has an influence of the attributed responsibility towards the organization (low, medium, high).

● The Victim Cluster crisis is associated with a low attribution of responsibility. ● The Accidental Cluster crisis is associated with a limited/ medium attribution of

responsibility.

● The Preventable Cluster crisis is associated with a high attribution of responsibility.

Crisis response strategies

The other central point of SCCT focuses on the response type that an organization has. The theory argues that "communication affects the attribution of responsibility during a crisis" (Coombs 2007, 171). It is generally viewed that using a correct communication strategy could minimize the negative perceptions and has a positive effect on the attribution of responsibility (Cooley and Cooley 2011, 205). SCCT provides a framework and guidelines for communicative advice for crisis managers and what they should say or do in order to manage the crisis and lower perception of responsibility. There are several strategies that an organization could apply as an answer to a crisis. As could be seen from the table above, they have been divided into their corresponding crisis clusters. However, this is only a small part of the communications strategies that an organization may have. For this study, only primary communication strategies would be considered and are presented in the graph. This is because it would be rather hard to conduct an experiment over time with the same participants and expect them to memorize a hypothetical crisis so that one can check the secondary crisis strategies.

The first general type of primary response that is considered here is the deny strategy. Deny strategies often used in response to the victim cluster when the organization is a victim of false rumors. With this response the organization denies that a crisis has taken place (deny) (Coombs 2007, 170). Another popular response that an organization belonging to this cluster could use is victamage. With the victimage the organization portrays itself as a victim of the crisis, the same as their stakeholders and therefore and tried to build sympathy. This keeps the attributions of responsibility towards the organization low. However this strategy can backfire and stakeholders and non-stakeholders can take such communication response as an attempt of the organization to distract the public from the crisis (Coombs 2014, 177).

(13)

Second, the organization can respond using a diminish strategy: an excuse to stakeholders by claiming that there no intent of harm was ever-present and the crisis has spiraled out of control; or they can justify their acts and minimize perceived damage (Cooley and Cooley 2011, 205; Coombs 2007, 170). Here, they can either say that a crisis is not as severe as it appears in order to minimize the responsibility of an organization (Claeys, Cauberghe and Vyncke 2010, 257).

The last employed type of communication strategy used is the deal response: the organization addresses stakeholders, express concern about the victims, apologizes or directly compensates them by offering monetary compensation (to victims) — however, this way, the organization ultimately admits responsibility for the crisis. As the responsibility for the crisis increases, then organizations have to respond proportionally. That means that the stronger stakeholders perceive an organization is responsible for a crisis; the more organization's response should be in accepting this responsibility. If the organization solely finds an excuse or justification for the crisis and does not proceed to repair the damage, this can anger victims and non victims even in cases of an unforeseen accidents (Coombs 2014, 177). If the organization chooses to issue an apology and compensate the victims, this increases the expense for the organization and should be done only in cases when intentional actions of the organization or somebody within has led to the crisis (Intentional/ Preventable Cluster). As with every theory, also this one has certain limitations that should be taken into account. Not always organizations could deliver the matched response that is advised by SCCT. For example, the financial capabilities of an organization could influence the way that an organization can respond to a crisis (Tripp 2016, 30). For example, an organization might want to compensate its victims but do not have enough finances to do so. Alternatively, the organization could recognize the crisis and still choose not to apologize (Tripp 2016, 31). Furthermore, there might be cases where the organization may choose not to react to the crisis at all and does not issue any communication response (Claeys, Cauberghe and Vyncke 2010, 261).

(14)

Cluster Attributions of responsibility Trigger Communication Response Response Group

Victim Low Outside of organization Victimage/ Deny Victamage/Deny

Accidental Medium/Limited Unintentional inside of organization Excuse or Justification of actions Deal Preventable High Intentional inside of organization Apology and compensation Deal Adapted from Coombs 2007 p. 168 and Coombs 2014 p.177

The second hypothesis is derived from the theory discussed so far:

H2. Matching a communicational response to a crisis type will lower the attribution of responsibility towards an organization experiencing a cyber crisis.

Other Studies using SCCT

Many studies have applied this theory to check whether the framework works. Most of them have either been experimental or case studies. Since the theory in its essence is empirically based (Coombs 2007, 163), it could be considered that it is best to also apply it in empirical research, such as this one. Nonetheless, the pool of academic knowledge that already exists gives valuable insights into the theory. For example, according to the experimental study of Claeys, Cauberghe, and Vyncke, the third cluster type- preventable crises - have the most negative effects on organizational reputation, and the best response strategy for it is the rebuilt one. However, the same study has concluded that matching the crisis response to the crisis type does not affect the way people will perceive this crisis and how much responsibility they will attribute to the organization (Claeys, Cauberghe and Vyncke 2010, 261). This goes against the central claim of the SCCT theory and also against H2 of this research. Therefore and is something that should be investigated further.

Cooley and Cooley used a case study to assess how the SCCT is used during the bankruptcy crisis in General Motors by observing their official corporate communication. They focus on the crisis communication techniques used by the management in different stages of the crisis (Cooley and Cooley 2011, 210). However, what they fail to do is to assess

(15)

the effectiveness of the communication efforts taken as perceived from the perspective of the stakeholders. Tripp has applied the SCCT to the case study to The Church of Jesus Christ of Latter-day Saints Handbook Policy Change. She has observed the responses based on the media framing in social media outlets (Tripp 2016, 4). Despite the abundant scholarship on this theory that has analyzed responsibility before, during, or after a crisis, there still has not been a study that has put the SCCT to the test of a cyber crisis. There have been studies that focus on natural disasters and voting behaviors, but it would be compelling to find out whether there is a difference with other types of crises, which is exactly the aim of the presented study.

(16)

Chapter III: Methodology

This explanatory research was carried out with the help of an experimental research technique. Crises do not happen in a controlled environment, and it is not possible to wait for a cyber crisis to strike and then conduct data. Therefore, through the experimental method, a crisis was simulated. In the last few years, there has been an increase in experimental methods in political and social sciences (Druckman et al. 2011, 3). The idea is not original in a sense, because as I mentioned in the previous chapter, other studies have used experiments in order to simulate crises and have applied the SCCT framework. In the study, the main goal is to explore the extent to which attribution of responsibility during a cyber crisis could be mitigated by using the communication strategy as designed in the SCCT. To be more specific, this study applies the survey experiment technique. Survey experiments are an appropriate option when a study aims to obtain opinions or perceptions of participants. Since, in this study, the main goal is to capture attributions of responsibility, which vary from one person to another, the survey experiment proves to be a useful research method for the study. Furthermore, survey experiments are a combination of the causal power of experiments with the generalizability quality for population-based samples from surveys (Mullinix et al. 2015, 109). However, it should be noted that the respondents do start attributing responsibility only during the experiment (Mullinix et al. 2015, 109). They carry the effects of previous experiences, knowledge on the topic of cybersecurity, and maybe even of record of crises which have happened before their eyes.

This type of experiment allows researchers to combine experimental methods in which treatment conditions are randomly assigned and offer manageable quantitative data and the opportunity to use the sample for generalizing this data into representative groups (Krupnikov and Findley 2015, 1). The central research question for this study, as shown in the introduction is:

RQ: To what extent the communication strategy per crisis cluster as designed Situational Crisis Communication Theory’ can alter the attribution of responsibility towards an organization experiencing a cyber crisis?

Because this research question is still very broad, therefore several constraints are taken into account. First and foremost, the experiment will be checking the attribution of responsibility

(17)

towards an organization in the Netherlands with participants living in the Netherlands. Second, two central dimensions will be checked: whether the attribution of responsibility for a cyber crisis could be grouped the same way as it is divided among the clusters in SCCT (low- limited a high) and whether matching a crisis response in accordance to the guidelines in SCCT lowers the perceived responsibility towards an organization. Therefore these two could be put as sub-questions that ultimately answer the main guiding question.

Sub-Question 1:_{Can the attribution of responsibility for cyber crises be grouped the same} way as it is divided among the clusters in SCCT?

● The victim cluster crisis is associated with a low attribution of responsibility. ● The accidental cluster crisis is associated with a limited/ medium attribution of

responsibility.

● The intentional cluster crisis is associated with a high attribution of responsibility.

Based on the review of the theory in the previous section, the first hypothesis that is tested is: H1. The type of cluster that a cyber crisis belongs (victim, accidental, preventable) has an influence of the attributed responsibility towards the organization (low, medium, high).

Sub-Question 2: _{Does matching the communication response to cyber crisis types lead to a} lower attribution of responsibility?

Based on the sub-question and the review of the theory in the previous section, the second hypothesis that is tested is:

H2. Matching a communicational response to a crisis type will lower the attribution of responsibility towards an organization experiencing a cyber crisis.

Table 3. Hierarchical Structure of the Research Research Question

Sub-Question 1 Sub-Question 2

H1 H2

(18)

cluster and makes a comparison across clusters:

● Victim ● Accidental ● Intentional

crisis cluster lowers the attribution of responsibility. Makes comparison within clusters.

The table above- Table 3 shows the hierarchical structure and how the different elements that are studied relate to each other. The first hypothesis derives from the assumption in SCCT that states that there is a difference in the attribution of responsibility per the crisis cluster. These three statements will be tested in the following setting: the respondent is introduced to a description of a cyber crisis and then immediately after they fill in a survey that measures the attribution of responsibility towards the organization. Each respondent is randomly assigned to a different crisis cluster. After they fill in that first questionnaire, they see a randomly assigned communicational response by the organization. This response is either a matched per the SCCT guidelines or unmatched. Following that, the subjects are given the same questionnaire in which they fill in how they attribute the responsibility for the organization after they have read the communication response. It is rather interesting to see how individuals attribute responsibility in something related to the internet domain because usually its governance very often involves “governments, the private sector and civil society” (van Eeten and Mueller 2012, 2). Below there is another diagram (Diagram 1) that shows the basic structure of the survey experiment and the level that each hypothesis is tested.

(19)

This study collected a sample of 242 participants. They are all residents in the Netherlands (both Dutch and international), and the survey experiment aimed to see how the participants attributed responsibility whenever they are faced with a cyber organizational crisis. The experiment was limited only to one country because people around the world understand and deal with crises differently from one another. According to Rippl, people’s way of reasoning is very dependent on their social structures and cultural values (Rippl 2002, 147). Therefore by limiting the sample to this one country, I assumed that even with a completely random sample, there could be some level of general and shared crisis perception. Furthermore, the Netherlands could be associated with “a sophisticated and mature legal and policy framework for cybersecurity” (The Software Alliance 2019), and cybersecurity is rather well developed in both the private and the public sectors. Furthermore, the experimental design included a manipulation of two factors: the crisis type (the clusters mentioned- H1) and the response (matched/unmatched - H2). These two levels could be seen and easily distinguished from the graph above. It is important to highlight once again that each respondent was assigned randomly to only one Crisis Cluster and only one Communication response.

(20)

The survey experiment was carried out with the help of the software platform Qualtrics. This particular platform was chosen to collect the data because it provides a randomizer function, and it offered diverse distribution channels. It allowed participants to fill in the survey from both their computer and mobile devices, and also it allowed me to export the gathered data easier to other statistical software. Survey experiments are arguably more externally valid than laboratory ones because the experiment is carried out in a familiar environment for the participant’s setting (opposed to a laboratory one). Thus this can make the participant’s answers closer to real-world situations and more easily generalizable (Krupnikov and Findley 2015, 6). However, on the other hand, this cannot guarantee that the respondent is focused while filling in the survey and because they might be exposed to different distractions. Furthermore, the experiment was carried out online instead of in-person or in a laboratory environment. It is easier to recruit participants for computer-based survey experiments because they have the comfort of filling in the survey from their homes. This also can decrease the costs of carrying out the study, and it is possible to reach many more people who represent diverse population groups (Krupnikov and Findley 2015, 6). Nonetheless, a negative consequence is that it is impossible to prove how relevant are those population groups for the experimental study. My research aimed to see the perceptions of people living in the Netherlands, but at the same time, it cannot be proven whether all respondents indeed live in the country.

The data collection process took about three weeks from 4 December 2019 till 22 December 2019. I have used two main distribution channels simultaneously: social media and platforms for survey exchange. The social media one was used via Facebook and LinkedIn as I have reached out to my connections and different Dutch study groups. The survey exchange platforms were: SurveyCircle and SurverySwap. The survey exchange platforms proved to be quite useful because they also allowed me to connect with other researchers across Dutch universities and exchange best practices and advice about conducting experiments. A disadvantage that should be pointed out, however, is that even though the sample is considered random, there is a degree of bias. All of the subjects were connected directly or indirectly to me as the researcher and my social networks. Furthermore, the experiment was conducted in English, even though the primary spoken language in the Netherlands is Dutch. However, this is a conscious choice, because any incorrect translation had the risk to change the meaning of information presented in the experiment.

(21)

Furthermore, there were several incentives in order to stimulate higher participation in the study. Two of them were codes/links for survey platforms. They are designed in such a way that in order to receive respondents to your research, you have to fill in other people’s experiments or surveys. You can only fill in given research only once. This has attracted around 60 different respondents to my research, but it has taken me around 17 hours of being a respondent in other people’s studies. The second incentive to increase participation was the inclusion of a small lottery for the chance to a 10 EUR voucher for a popular Dutch website that sells different types of goods. Participation in the lottery was completely voluntarily, and the enrollment for it was carried out on a different platform (not Qualtrics). This strategy has also proven to be ineffective for increasing participation rates because only 44 respondents have enrolled in the lottery. Overall, when looking at the pros and cons, the use of incentives was not necessary in order to attract more participants. Not only was it resource consuming (time and monetary resources) for the researcher, but it also did not attract the expected amount of respondents. Also, it could be argued that including any incentives may influence the bias in the data, and participants take part in the study due to the perks that they might get rather than the study itself. However, this is not the case here, because not every participant had a clear benefit for taking part in this study.

The Experiment

First, the participants were introduced to a welcome screen, which explained the goal of the study, its duration, information about participant’s anonymity, how their data will be processed and information about taking part in a lottery with the chance to win a small prize. All participants needed to give their consent for taking part of study by indicating whether they wish to participate or not. A total of 12 participants have chosen not to take part in the experiment. After the participant has consented to take part in the experiment, the next screen provides them with the explanation that the following experiment will introduce them to a hypothetical scenario regarding a type of a cyber crisis that has affected the Netherlands, after which they are asked a number of questions regarding the scenario they have just read. The full consent form and explanation of the experiment is available in more detail in Appendix I.

(22)

After that the participant is randomly assigned to one of the three crisis clusters and is introduced to an information about randomly assigned (hypothetical) cyber crisis. Each of the respondents has seen one of the following 3 situations.

Victim Cluster

According to a confirmed source, there has been a cyber crisis in the Netherlands and the Dutch Telecom Organization has been affected. The cause of the crisis is a hacker’s attack by a criminal group on one of the organization’s most popular products. This has affected the internet access in the country and the functioning of many businesses for 4 hours. This crisis could not be foreseen nor prevented. The crisis has led to financial losses for the organization in the size of 10 million EUR. The consequences for clients of the telecom-- the majority of residents of the Netherlands-- are still unknown.

Accidental Cluster

According to a confirmed source, there has been a cyber crisis in the Netherlands and the Dutch Telecom Organization has been affected. The cause of the crisis is a management decision which unintentionally has led technical flaw in one of the organization’s most popular products available for purchase. This has affected the internet access in the country and the functioning of many businesses for 4 hours. The crisis could not be foreseen nor prevented at the time of the launch of the product. The crisis has led to financial losses for the organization in the size of 10 million EUR. The consequences for clients of the telecom-- the majority of residents of the Netherlands-- are still unknown.

Intentional Cluster

According to a confirmed source, there has been a cyber crisis in the Netherlands and the Dutch Telecom Organization has been affected. The cause of the crisis is one of the high- level managers in the company who has intentionally neglected the concerns of his employees and has allowed the release of a new potentially dangerous product. This crisis could have been foreseen and prevented. This has affected the internet access in the country and the functioning of many businesses for 4 hours. The crisis has led to financial losses for the organization in the size of 10 million EUR. The consequences for clients of the telecom-- the majority of residents of the Netherlands-- are still unknown.

As it can be noticed, these three situations are written the same way. They all use the same structure, and only the two instances have been changed across the texts: the CAUSE and

(23)

whether the crisis could have been FORESEEN. Across the different clusters, the same organization has been affected by a cyber crisis- the Dutch Telecom Organization (fictional organization). In all cases, the cyber crisis has affected the internet access in the country and the functioning of many businesses for 4 hours. Furthermore, the company has suffered financial loss in the size of 10 million EUR, and it is still unknown what the risks are for clients of the telecom. Here, the information does not state directly that the participants are affected by this crisis. However, it is hinted to the reader that there might be a certain degree of danger for the majority of residents in the Netherlands. Furthermore, the accidental and intentional cluster both have similar crisis introduced: a management decision has led to a flawed product or potentially dangerous product. However, here the cause of the crisis is different. In the accidental cluster, the focus is on a technical flaw, which could not have been foreseen nor prevented, and it is explicitly stated it is unintentional. On the other hand, in the intentional cluster, it is said that the manager in the company has intentionally neglected the concerns of his/her employees.

After filling in the first questionnaire, each participant of the survey was introduced to a communication response by the organization. This response was either matched or unmatched. All of the matched responses are unique per crisis cluster, and they are following the SCCT’s response guidelines. However, the unmatched response was the same across all cases, and it employed denial strategy.

Unmatched Response

The Dutch Telecom apologizes for any inconvenience that their customers might have experienced and they are in the process of managing the crisis. The organization has stated that they regret to hear circulation of false information and they are denying that such an event has taken place. They are in the process of investigating any claims of a _{CAUSE OF} CRISIS_{. Currently all of their systems are running again.}

Cause of crisis: hack, flawed product (2)

The Denial strategy is not a bad communication response per se because there could be cases in which it is more beneficial to use this type of strategy. The denial strategy states that there is no crisis. Even though it is very often used in crisis response, denial is also assessed as the least effective communication strategy (Kim, Avery and Lariscy 2009, 448). However, this

(24)

could be more nuanced. Rather than dismissing this strategy, crisis managers can apply it in cases when the organization is perceived as trustworthy, and the present crisis could not be a real crisis (van der Meer 2014, 539). For the purpose of this study and the cyber crises types presented, the denial strategy was the least appropriate one; that is why it is used for all unmatched responses.

Matched Response Victim cluster:

The Dutch Telecom apologizes for any inconvenience that their customers might have experienced and they are in the process of managing the crisis. The organization has stated that they are a victim of the attack the same way as many of their clients. Currently all of their systems are running again.

Accidental cluster:

The Dutch Telecom apologizes for any inconvenience that their customers might have experienced and they are in the process of managing the crisis. The organization has stated that they are recalling the faulty product from the market and any affected customers are encouraged to reach out to them. Currently all of their systems are running again.

Preventable cluster:

The organization has responded and is in the process of managing the crisis. The Dutch Telecom is apologizing to all affected users that are currently experiencing problems with their new product and will issue monetary compensation for the affected customers in the next following weeks. Currently all their systems are running again.

The victim cluster uses the victimage strategy as a communicative response. The organization presents itself as a victim of the situation and tries to build sympathy for the organization (Coombs 2014, 177). The accidental cluster uses the diminish strategy as a communication response. Here the participant is already aware that the crisis has happened unintentionally, but the company also chooses to recall any faulty product from the market. Because this cluster has a medium attribution of responsibility, the company is transparent in their follow up actions and is open to contact with affected stakeholders. The preventable cluster uses a compensation (rebuild) strategy as their communication response. There the company not only apologizes to all of the affected users but also offers them monetary compensation. The SCCT guideline advises that this type of communicational response should be used in cases

(25)

when the crisis is intentional (Coombs 2007, 172). By using this response, the organization ultimately admits responsibility for the crisis. After the participants were introduced to the organizational response, they had to fill in a second questionnaire that tried to capture their attribution of responsibility towards the organization.

Finally, the participants were introduced to two attention checks. The attention check is included to check whether the participants have understood the necessary elements from the presented information and if they are paying attention to the text (Oppenheimer, Meyvis and Davidenko 2009, 867). Not only that but also these checks can increase the statistical value of an experiment (Oppenheimer, Meyvis and Davidenko 2009, 869). However, participants who failed the attention checks were not excluded from the sample because this could harm the external validity of the experiment (Oppenheimer, Meyvis and Davidenko 2009, 871). The first question is a multiple-choice, reading- comprehension, and it asks which was the main organization in the cyber crisis (The Dutch Telecom Organization). The second question is a statement to which the participants should indicate the extent to which they agree. However, they have to choose the option (Somewhat Agree) regardless of their personal beliefs. The detailed questions could be found in Appendix I.

Lastly, the participants were asked to fill-in four demographics questions, which were optional. They were asked about their gender, age, nationality, and employment status. The detailed questions could be found in Appendix I. The initial claim in this research is that the sample collected is more than a simple convenience sample. However, it can be used as a representative sample of Dutch society. Therefore, in order to make such a claim, it is necessary to check which demographics the sample pool reflects (Mutz and Pemantle 2015, 198).

Scale Measurement

Participant’s attribution of responsibility was captured by using a 7 item Liker-scale. There are 8 statements on a Likert-type scale, and they are identical for all clusters and all conditions. Those are (not shown in this order):

1. The organization is responsible for the cyber crisis. 2. I do NOT trust this organization.

3. The organization is to blame for the crisis.

(26)

5. This crisis could have been foreseen.

6. This organization should NOT be held accountable for the cyber crisis. 7. The organization is NOT at fault for this crisis.

8. The company in the scenario cared about the clients that were affected.

The last 3 statements have positive wording. That is why they were re-coded before any statistical analysis and measuring the reliability of the scale. After the reliability analysis was conducted, it became obvious that the last item (“ _{The company in the scenario cared about} the clients that were affected_{”) often had a negative inter-item correlation with the other} questions. In order to ensure that the scale had high internal and external reliability the last item was removed. Also the wording of the statements is short in order to ensure that it will be easily understood by the participants. Furthermore, there are no open- ended questions, because this makes the processing of the data harder. The Likert scale had 7 dimensions ranging from Completely Disagree to Completely Agree. These options are introduced in the direction demonstrated below. This has the goal of avoiding any confusion in the respondents and mistakes during the analysis.

1. Completely Disagree 2. Somewhat Disagree 3. Disagree

4. Neither Agree or Disagree 5. Agree

6. Somewhat Agree 7. Completely Agree

These items make up a scale which measures the attribution of responsibility towards the considered organization. The scale has the value of [1.00 - 7.00] and is constructed by assessing the mean values for all of the statements. If the scale has a score from 1.00 to 3.99, that means no attribution of responsibility towards the organization was indicated. Scores ranging from 4.00 to 7.00 show level of attribution of responsibility towards the organization. These values are not absolute, but relative to each other and the scale score should be discussed only in relation to the other scores of the same scale.

Each responded was introduced to one cyber crisis scenario, after which they had to fill in the survey that captured their perception of the crisis. After that, they were introduced

(27)

to a communication response by the organization, and they had to fill the same questionnaire capturing their perception of responsibility. Finally, the participants were introduced to one attention question and one reading comprehension question, after which they voluntarily could fill in demographic questions. The whole survey experiment took between 3-8 minutes for each participant. The questionnaire was comprised of a Likert-type scale of 7 statements, which aimed to measure the attribution of responsibility. No participants were excluded from the study or the sample for any reason. All participants took part in the study voluntarily.

(28)

Chapter III: Analysis, Results and Discussion Demographics and Sample

This study has recorded 242 complete responses. In this sample 35.5% of all participants were male (N=86), 59.9% female (N=145), 0.8% other (N=2) and 3.7% prefer not to say (N=8). Furthermore, 44.2% (N=107) of the sample were Dutch and 55.8% (N=135) international. The median age of the participants was 23 years, and most of the participants are in the age category of 20-29 years old (76.4%) . Because the study also required informed consent by the participants, the minimum required age to take part in the experiment was 18 years. Furthermore, 62.8% of the sample were still students (including working students), 34.7% were working either part-time or full time, 0.8% were volunteers and 1.7% were unemployed.

Each responded was introduced to one cyber crisis scenario, after which they had to fill in the survey that captured their perception of the crisis. After that, they were introduced to a communication response by the organization, and they had to fill the same questionnaire capturing their perception of responsibility. Finally, the participants were introduced to one attention question and one reading comprehension question, after which they voluntarily could fill in demographic questions. The whole survey experiment took between 3-8 minutes for each participant. The questionnaire was comprised of 7- point Likert scale of 7 statements, which aimed to measure the attribution of responsibility. No participants were excluded from the study or the sample for any reason. All participants took part of the study voluntarily.

Table 4. Cronbach’s Alpha values per Cluster measuring the reliability of the 7-point Likert scale

Cluster Cronbach’s 𝞪 - Perception before Organizational

Response

Cronbach’s 𝞪 -Perception after Organizational Response

Victim- Matched .802 .856

(29)

Accidental- Matched .858 .893

Accidental- Unmatched .839 .786

Preventable- Matched .859 .807

Preventable- Unmatched .834 .744

The scale that I construed had the goal to measure attribution of responsibility towards an organization. Because the scale has not been applied to any previous study, I had to measure its reliability by conducting Cronbach’s 𝞪 statistical analysis (Sarstedt and Mooi 2019, 280). The Cronbach’s 𝞪 results summarized in the table above show high internal consistency between the items for the created scale. A separate analysis was conducted for each scale individually in order to ensure that in all cases, the 7 point- Likert-scale is a reliable source with high reliability of the questionnaire instrument and internal consistency between the variables. Cronbach’s Alpha is a value between 0 and 1.00. 0 indicates that the items are not measuring the same thing, and 1.00 indicates perfect reliability and consistency between the items (Sarstedt and Mooi 2019, 280). Usually, in social sciences, it is considered that a value greater than 0.7 is sufficient. As it was mentioned in the previous chapter, the scale was comprised of 7 items that aimed to measure crisis responsibility attributed to an organization. Combining several items excludes the possibility of random- measurement error and could provide a higher degree of reliability, accuracy, and validity (Adeniran 2019, 2). Furthermore, it is essential to point out that during the experiment, the original scale consisted of 8 items. However, one of them was subsequently removed because it was not internally consistent with all other values. Also, I have carried out Crobach’s 𝞪 analysis for all groups separately, because I wanted to ensure that the scale is reliable in all cases of the experiment.

There is little available information about the content of questionnaires that other scholars have used. That makes replication of their experiments extremely difficult, and often there is no discussion on the reliability of their scales. Based on the values for internal and external coherence in my experiment, I would suggest that future scholars can apply similar or even the same questionnaire for measuring perception about attribution of responsibility in (cyber) crises.

Attention checks are a standard tool in social sciences. Their main goal is to assess the robustness of an experiment and the validity and generalizability of the data (Aronow, Baron

(30)

and Pinson 2016, 1). In this experiment, I have applied to post-treatment manipulation checks. The reading comprehension check has a success rate of 95.9% (N=232), which means that the majority of participants have comprehended that the involved organization in the cyber crisis is The Dutch Telecom Organization. On the other hand, the other attention check, where the participants needed to select a certain answer (Somewhat Agree) to a given statement has a much lower success rate of only 55.8% (N=135). This translates that nearly half of the participants were not paying attention to the instructions above the question, which might also mean that they have filled in the experiment with a degree of distraction. Having attention checks after the participants have been introduced to the treatment (post-treatment) brings a certain bias to the experiment. What is also quite perplexing is that almost half of the individuals who have passed the first manipulation check have failed the second one. Nonetheless, even the participants who have failed the attention check question(s) were not excluded from the sample because one post hoc measurement does not determine how the treatment has influenced the participants. However, it is important to report on that bias (Aronow, Baron and Pinson 2019, 8).

The first part of this research focused on investigating whether the attribution of responsibility for cyber crises allows the same grouping and division per cluster as devised in the SCCT? The first hypothesis stated that the attribution of responsibility towards an organization experiencing a cyber crisis per crisis cluster is the same as the one devised in the leading theory. Therefore the experiment had the goal to prove that a cyber crisis belonging to the victim cluster can be associated with a low attribution of responsibility. A cyber crisis which is a part of the accidental cluster has a medium (or limited attribution of responsibility). Lastly, a cyber crisis belonging to the preventable cluster has a high attribution of responsibility. In order to check if this is the case, I made comparisons between the attributions of responsibility that the participants had allocated after they were presented with the cyber crisis. In order to do that, I compared the means allocated to each cluster. We can see that if we compare the perception as per the scale that we have, there is a difference within the means for each cluster. It increases — keeping in mind that the scale that we have goes from 1 to 7. 1.00, meaning no attribution of responsibility and 7.00 meaning a high degree of responsibility attributed to the organization.

The descriptive statistics associated with the attribution of responsibility across the three clusters are reported in the table below. It can be seen that the victim cluster was

(31)

associated with the smallest mean level of attribution of responsibility (M= 4.05), and the preventable cluster was associated with the highest level of responsibility attribution (M= 5.32). In order to test the hypothesis that the type of cluster that a cyber crisis belongs (victim, accidental, preventable) influences the attributed responsibility towards the organization (low, medium, high), a between-groups ANOVA was performed. Prior to the ANOVA, the homogeneity of variances was tested and satisfied based on Leven’s F test, and no equal variances are assumed (p>0.01, p=.893).

The independent between-groups ANOVA was carried out in order to compare the attributions of responsibility in- between the three different crisis clusters. There was a statistically significant effect on the attribution of responsibility at the p<.05 level across crisis clusters [F(2, 239)= 32.93, p= .001]. As can be seen from the table below, the significance level in the One-Way ANOVA test is .000, but it has been rounded up to .001, which is below the threshold of 0.05. This means that the difference between the means for the three crisis clusters is statistically significant. Thus the null hypothesis of no difference between the means is rejected. To evaluate the differences between means further, the ANOVA was followed up by a Fisher’s LSD post hoc tests. All three: differences between the Victim Cluster and the Accidental cluster is statistically significant(p= .001). The difference between Victim Cluster and Intentional Cluster (p= .001) is also statistically significant, and the difference between Accidental and Preventable are statistically significant (p= .002). This also confirms the central claim in SCCT, which states that the crisis cluster does influence the attribution of responsibility of an affected organization.

Table 5. Descriptives for Means across the 3 clusters.

Descriptives for Means across Clusters

N Mean Std. Deviation Victim Cluster 74 4.0463 1.02119 Accidental Cluster 85 4.8437 0.98818 Preventable Cluster 83 5.315 0.94728 Total 242 4.7615 1.10747

(32)

Table 6. ANOVA report measuring the difference between means across the 3 crisis cluster: victim, accidental and preventable.

ANOVA- Attribution of Responsibility per Crisis Cluster

Sum of Squares df Mean Square F Sig.

Between Groups 63.848 2 31.924 32.925 .000

Within Groups 231.734 239 0.97

Total 295.583 241

The second part of this research aims at testing the hypothesis that matching a communicational response to a crisis type will lower the attribution of responsibility towards an organization experiencing a cyber crisis. In the experiment that was tested by comparing if there is any difference across the attributions of responsibility before and after the subjects have been introduced to the communication response by the organization. This is done by comparing the means of the difference between the first and the second questionnaire for each respondent. Here the comparison is made within the clusters, not between them. For example, for the Victim Cluster, the comparison that is made between the Matched and Unmatched communication responses only within the Victim Cluster. There, it was tested if there is any difference between the attribution of responsibility that the participants in these groups attribute to the organization. There are several analytical options to conduct this analysis. However, because here we have two observations and two- attributions of responsibility: before the communication response and after the communication response for each case, it makes the most sense to compare the change of the attribution of responsibility for each participant. Therefore, I have computed a new variable, which assesses the difference between the first and the second responsibility attribution that the participants have made. After that, a One-Way ANOVA analysis was conducted in order to compare the attributions of responsibility between the group that had the matched communication response and the other group which had the unmatched communication response. Because there are only two groups to compare, it is also possible to use a t- test for the analysis as it

(33)

would produce the same results. Those t-test were also conducted, but not reported in the paper, because it is rather more difficult to explain their results. Before reporting the ANOVA results, the summarised descriptives of each group could be seen in the table below. Under the Mean section, a negative value indicates that the attribution of responsibility has increased after the participants from this group have been introduced to the communication response by the organization. A positive value indicates that the attribution of responsibility has decreased, and the participants have reduced the responsibility attributed to the organization after they have seen the communication response.

For example, for the Victim cluster, it can be noticed that after seeing the communication response, the participants have attributed a higher responsibility for the crisis to the organization regardless of whether they have been introduced to a matched (M= -0.02) or unmatched response (M=-0.38). Looking only at the means gives no information, whether pairing a crisis with a matched communication response decreases the responsibility that people attribute for a cyber crisis.

Table 7. Descreptives for the difference between the Match/Unmatched groups for every Crisis Cluster by assessing the difference between the Pre and Post- communication response.

Descriptives for the difference between Pre and Post Communication Response

N Mean Std. Deviation Std. Error Victim Cluster Unmatched 37 -0.3822 0.80956 0.13309 Matched 37 -0.0154 0.46265 0.07606 Total 74 -0.1988 0.68034 0.07909 Accidental Cluster Unmatched 42 -0.1939 0.67878 0.10474 Matched 43 0.1196 0.49578 0.07561 Total 85 -0.0353 0.61045 0.06621 Preventable Unmatched 40 0.0964 0.77668 0.1228 Matched 43 0.0764 0.40448 0.06168

Attribution of Responsibility during Cyber Crisis: An experimental application of the Situational Crisis Communication Theory