Effective Crisis Response Communication and Data Breaches: a comparative analysis of corporate reputational crises


Academic year: 2021


Full text

(1)

1

Michael Schonheit s2135485

Master’s Thesis 02/10/2020

Effective Crisis Response Communication and Data Breaches: a comparative analysis of corporate reputational crises

Master’s Thesis Crisis and Security Management


1 Introduction

2 Literature Review
2.1 Placing data breaches within the cybersecurity discourse (p. 6)
2.2 Paradigm Shift: From Prevention to Mitigation (p. 10)
2.3 Data breach by Hacking: A Taxonomy of Risk Categories (p. 12)
2.4 Economic and reputational Impact on organizations (p. 15)
2.5 Theoretical and empirical communication models for data breaches (p. 16)

3 Theoretical Framework
3.1 Organizational Crises: An introduction to framing and perceived responsibility (p. 21)
3.2 Attribution Theory and SCCT (p. 23)
3.3 Crisis Types and Communication Response Strategies (p. 24)
3.4 Intensifying Factors: Crisis Severity, Crisis History, Relationship Performance (p. 25)
3.5 Communication Response Strategies (p. 27)
3.6 SCCT Recommendations and Data Breaches (p. 30)
3.7 SCCT and PR Data Breaches by Hacking (p. 32)

4 Methodology
4.1 Operationalizing SCCT in the Context of Data Breaches (p. 35)
4.2 Stock Analysis and News Tracking: Assessing cases on varying degrees of reputation recovery (p. 36)
4.3 Refining the Case Selection Framework and the Analysis Process (p. 40)
4.4 Intra-periodic Analysis and Inter-periodic Analysis (p. 43)

5 Analysis
5.1 Narrowing the Scope: Building the Comparative Case Study (p. 44)
5.2 Statistical Recovery: Stock and Revenue Analysis (p. 49)
5.3 News Media Tracking and Reputation Index Scores (p. 58)

6 Discussion
6.1 Intra-periodic Analysis: Assessing Organizational Responses (p. 72)
6.2 Inter-periodic analysis: Verifying the Initial Propositions (p. 74)

7 Conclusions (p. 77)

8 Appendix (p. 79)

9 Bibliography (p. 79)


With the emergence of the digital economy, cybersecurity has rapidly become a critical factor for organizations to thrive and maintain their core business activities. As business information and communication systems rely increasingly on digital technology, organizations have the imperative to protect them, and the data they contain, against an ever-evolving landscape of cyber threats. While providing organizations with undeniable development opportunities, the unremitting trend of digitalization has concomitantly brought new risks to their survival. In tackling this so-called “dark side of digitalization”, the paramount objective of cybersecurity revolves around preserving the availability, integrity and confidentiality of online data (MERGroup, 2020). As early as 2015, IBM CEO Ginni Rometty emphatically asserted that data “is the world’s new natural resource”, consequently making cybercrime “by definition, the greatest threat to any industry” (Morgan, 2017). With the current volume of online data over 50 times larger than it was at the time, drastically increasing the magnitude of the cyber-attack surface, this statement now feels quite prophetic (ITRC, 2020; Morris, 2020).

While cyber threats at large encompass any “malicious act that seeks to damage data, steal data, or disrupt digital life”, with a 4300 percent increase in online data creation from 2019, online data breaches represent one of the most recurrent and damaging cyber incidents for organizations worldwide. Risk Based Security’s year-end report (2020) estimates that in 2019 alone a total of 15.1 billion records were reportedly exposed to unauthorized use of confidential information. This figure represents an all-time high, an increase of 284% compared to 2018, confirming a constant trend throughout the last decade (Sobers, 2020; Winder, 2019; Lavelle, 2020). Although information breaches in the physical world well preceded the current wave of digitalization, online data breaches nowadays are stealing the show. Strikingly, compared to their “physical” counterpart, online data breaches are highly dependent on factors endogenous to organizations, including inconsistent data retention and handling policies, internal misuse, system vulnerabilities and human error. Nevertheless, for the exposed records to be leveraged into identity theft or fraudulent abuse of confidential information, data breaches still depend on the illegitimate doings of external actors proactively exploiting unauthorized access to this data. As reported by Goddijn & Kouns (2020), “Hacking, defined as unauthorized intrusion into systems, has been the top breach type by number of incidents for every year of the past decade except for 2010”. In order to depict this pattern and narrow the scope of this research, we adopt Martin’s (2019) definition of data breach, as it well captures an element of intentionality: “A data breach occurs when there is an unauthorized entry point into a corporation’s database that allows cyber hackers to access customer information”.
Cyber-dependent methods for gaining unauthorized access to organizations’ restricted information include, but are not limited to: malware, phishing emails, DDoS attacks, backdoor exploitation, and Trojan horses. Looking at the statistics for these attack vectors, combined with data exposed through unintentional leakages, data breaches impose on organizations worldwide unparalleled monetary costs (MERGroup, 2020; Arghire, 2020).

In particular, the gap between the economic damages of online breaches and the security capabilities organizations have to counter this phenomenon seems to be widening. In fact, despite the steady rise in organizations’ awareness and security investments to defend against cyber incidents, the measures implemented have so far had limited effect in containing their impact. While the total cybersecurity expenditure of organizations worldwide has risen from approximately 113 billion dollars in 2015 to 173 billion in 2020, in the same timeframe the costs of data breaches and cybercrime at large have doubled, reaching an astonishing total of 6 trillion dollars (Columbus, 2020). This notable disproportion can be accounted for by delving into the types of damages that businesses are confronted with. Direct costs affecting organizations suffering a data breach include: business disruption and recovery, forensic investigations, legal proceedings, regulatory fines, credit monitoring for customers, and crisis management advisory. However, these constitute just the tip of the iceberg. In the aftermath of a data breach, organizations are often confronted with reputational damage and loss of consumer trust, which represent much more impactful consequences with the potential to turn the cyber incident into a corporate reputational crisis (Kim et al., 2017; Wang et al., 2017). These indirect costs usually affect businesses in the long run, protracting damages over time and representing the greatest challenge of all for organizations undergoing a data breach.

The distinction between direct and indirect business damages produced by a data breach is particularly relevant for defining the room left to organizations to effectively reduce the impact of a data breach. While we discussed that, for the most part, cyber incidents cannot be entirely prevented by establishing all-encompassing cybersecurity measures, reputational damages are largely connected to the public perception of an organization undergoing a cyber crisis, and can thus be mitigated by handling the incident response phase with effective crisis communication strategies (Kim et al., 2017; Wang et al., 2017). This reasoning is one of the core foundations of crisis management as a field. Because of the uncertainty surrounding the traits of a crisis, these events cannot be entirely anticipated ex ante, and adopting an exclusively preventive approach has proved to be widely inefficient. Rather, by emphasizing the larger impact of the indirect reputational costs produced by data breaches, this research focuses on mitigation strategies that can be applied to reduce the impact of such events on organizations. In particular, as will be discussed in the next section, dedicated to the theoretical foundations of this research, damages to a company’s reputation, and its image in general, are strictly connected to the public perception of that organization and the crisis it navigates through.


The present research aims, in fact, at studying crisis response communication strategies that organizations can employ to effectively reduce reputational damages and loss of consumer trust. As Harrison (2007) observed: “A fundamental principle in the field of crisis management is that there are vital and strategic communication methods that help deal with events that can negatively influence an organization” (41). By investigating this matter, the goal of this study is to derive, from the analysis of concrete cases of corporate reputational crises in the aftermath of data breaches, an assessment of how organizations can mitigate reputational damages through crisis response communication strategies. In doing so, this research will compare cases of corporate data breaches that vary in their degree of financial and reputational recovery from the crisis. Extrapolating communication strategies from this comparative analysis, this study aims at verifying their impact on the organizations’ recovery trends, as well as checking their validity within the body of theory on the matter. Furthermore, as discussed more in depth in the upcoming sections, the vast majority of academic works that study data breaches focus on the legal and technological aspects of the phenomenon, leaving the intersection with response communication strategies as an under-researched domain. In turn, from the crisis communication academic stream, as stressed by Kim et al. (2017), “there is lack of scholarly research about data breaches in public relations and other communications-related journals”. In general, many authors have contended that the field of cyber crisis management remains vastly overlooked (Hawkins, 2017; Kim et al., 2017).

This is not to say that, within the field of crisis communications at large, the effectiveness of best practices adopted in the response phase is not already a controversial matter. While several contributions have discussed communication tactics that can help contain reputational damages during a corporate crisis, only a few studies have concretely tested their effectiveness (Sandman, 2006; Coombs, 2007a; Coombs, 2010; Robertson, 2012; Avery & Park, 2014; Park, 2017; Laufer et al., 2018). As early as 2007, Coombs affirmed the need to shift attention towards validating and applying those theoretical formulations that guide crisis communication managers in their tasks. Given the severe impact that reputational crises can have on society as a whole, Coombs asserts that field operators “need recommendations that are based on scientifically tested evidence rather than speculation” (2007, p. 7). The speculative stance of most of these unverified conjectures is evident from the work of Avery & Park (2014). The authors discuss the fact that the field of crisis communication has been widely driven by the notion of self-efficacy as a predictor for behavioral responses to a crisis. Introducing the concept of crisis efficacy, Avery and Park contended the need to study the impact of communication strategies with the audience as the primary target, instead of reflecting the validity of such interventions merely towards the organization itself (2007). This contention stresses the need to test communication strategies for their effectiveness in relation to the perception of the selected audience. In this regard, this research sets up the study of corporate crisis communication by analyzing the effect of response strategies in relation to the target audience of consumers affected by the event. As, in the words of Timothy Coombs, crisis management is “a nexus of praxis where theory and application must intersect”, it seems logical to assume the marginal attention given to verifying the best ways to communicate during a crisis as the research problem of this study (2010, p. 22). As “theories and principles should help to improve crisis management rather than being academic exercises”, this research aims at contributing to verifying why and how some organizations communicate more effectively during a crisis (Coombs & Holladay, 2010, p. 21).

This paper aims at contributing to the study of this phenomenon by posing the following research question: “Why do some organizations maintain their reputation with their consumers in the aftermath of a data breach, while others fail to do so?”

2 Literature Review

2.1 Placing data breaches within the cybersecurity discourse

The following chapter of this research is dedicated to identifying prominent themes emerging from the literature on data breaches, and to exploring their intersection with crisis communication as the academic vacuum that this study aims at bridging. Before delving into the state of the art by examining relevant academic sources, we need to define what a data breach means from a cybersecurity perspective. The initial definition of a data breach as an “unauthorized entry point into a corporation’s database that allows cyber hackers to access customer information” is certainly instrumental for discussing these events from a corporate communication standpoint, but lacks a clear placement within the cyber world (Martin, 2019). Are data breaches in and of themselves a specific category of cybercrime? This brief excursion will try to contextualize and answer this question, with the intent of delineating more accurately the object of inquiry of this study by shedding light on the technical contours of data breaches. In the introductory section we looked at the growing occurrence of cyber data breaches, and the impactful consequences they pose, directly or indirectly, for organizations.

When it comes to appreciating the scale of an adverse phenomenon, be it the infant mortality rate in the sub-Saharan region or the recent spread of COVID-19, nothing portrays the gravity of the situation more effectively than its incidence rate in a reference time period. A Clark School study of the University of Maryland conducted by Michel Cukier in 2007 was one of the first to quantify the number of cyberattacks that hit network-facing computers on a daily basis. By monitoring their attack surface, the researchers concluded that the tested computers were hit by a cyberattack on average every 39 seconds. This figure, later increased to approximately 1 attack every 20 seconds, not unlike statistics on epidemics or socio-economic disasters, can lead to misinterpretation when taken out of context (Deloitte, 2016). In fact, not all cyberattacks carried out by hackers are successful. To be sure, only a residual minority of attempted hacks manage to reach the desired goal. In this regard, cyber risk management brings forward a critical differentiation between cyber events and cyber incidents. The first group generally refers to any “change in the normal behavior of a given system, process, environment or workflow” (Miller, 2019). Events have the potential to affect risk levels but do not necessarily bring negative consequences for the organization, an instance that needs to be verified by recording and analyzing the event. A suspicious email, a software download, and any unmapped activity are, therefore, cybersecurity events. Among these changes, those that compromise the integrity, confidentiality or availability of information assets are defined as cybersecurity incidents (Danielson, 2017).

The eventual compromise of the well-known CIA triad (confidentiality, integrity, availability) of company data stands, in information security, as the line of demarcation between simple events and impactful incidents (Marden, 2018; Rouse, 2020). That same suspicious email containing a malicious payload, or that software download being in fact drive-by malware unintentionally installed on the system, turn those events into cybersecurity incidents (Huq, 2015). In other words, as summarily stated by Jason Miller in an article published in 2019: “All incidents are events, but not all events are incidents”. The distinction between incidents and events is a fundamental step in information security management. By collecting alerts and correlating events generated by software and network hardware, security teams complement the monitoring activity performed by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) by reviewing log data and identifying security risks. This process, which can optimally be executed through Security Information and Event Management (SIEM) technology, allows security teams to filter out false positives (simply put, events that do not qualify as incidents) and redundant data, and to focus monitoring and remediation tasks on high-priority issues. As reported by Leal (2019), ISO 27001, the leading standard for information security management, clearly outlines the importance of discerning between these phenomena, which “can have a significant impact on the effort, and costs, of security management”.

As the main objective of cyber event examination remains the detection and management of potential incidents, the problem is not simply one of finding the most efficient allocation of security resources. Rather, security teams monitor changes in an organization’s environment to prevent adverse phenomena from escalating further and damaging company assets, a task which, as anticipated in the introduction, can prove extremely arduous (Lopes et al., 2019). Among the different types of cyber incidents that threaten organizations, data breaches stand out for being considerably hard to detect, especially in a timely manner. In dealing with security breaches, the time of the response is a crucial element, as “the longer it (the response) takes, the more likely an attacker is to find and exfiltrate the organization's information” (Chickowski, 2013). There are several factors that hinder the identification of alerts generated by an ongoing data breach. Firstly, from a structural perspective, after the access event there is a limited amount of observable traces left by attackers until the stolen data emerges elsewhere. This limitation relates to the methodological nature of data breaches and will be discussed in detail in the upcoming section. Other factors are instead contingent on the specific cyber maturity of a given organization, including poorly implemented automated solutions for event monitoring such as SIEM, and inefficient coordination among different security and operations team members (Lopes et al., 2019; Marden, 2018; Verizon, 2020).

While these challenges affect security response capabilities in the real world, they also influence the theoretical placement of data breaches at the intersection between events and incidents. Given the scarcity of events relatable to data breaches, even the ones that do not actually lead to the compromise of information assets are often regarded as security incidents. In fact, retracing the definition of cyber incidents put forward by CERT in 2001, this includes “attempts to gain unauthorized access” (Pham, 2001). In a similar fashion, SANS guidelines reported in the publication “Information Security Reading Room” originally inscribed “attempts to harm” as cyber incidents (2001, p. 8). This reasoning, although stemming from the difficulty in discerning impactful events related to security breaches, has the indirect consequence of blurring the boundaries between events and incidents. In fact, more recent publications do not endorse this approach. Miller (2019) reinforces the difference between attempted breaches and actual breaches, claiming that:

“If you count breach attempts as incidents, you may have more incidents than what actually occurred. This mistake creates white noise and alarm fatigue. It also makes the collected incident data less valuable.”

To avoid incurring similar repercussions, we consider as a subset of cyber incidents only those data breaches that have de facto procured unauthorized access to an organization’s systems. This choice is coherent with the Data Breach Investigations Report published by Verizon (2020), which clearly conceptualizes a data breach as “An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party”. Looking back at the statistics on cyberattacks (events) presented at the beginning, we have now reduced the scope of this research to those that compromise the CIA of information assets (incidents) through unauthorized access (data breaches). Although the total count (previously attested at 1 every 20 seconds) is bound to drop significantly, it is very hard to come up with a precise estimate. In addition to the problem of detection discussed earlier, even successful data breaches often remain underreported (ITRC, 2020). Among others, Campana (2009), who analyzed information security risk patterns among different industry sectors, asserted that only around 1 in 100 data breaches is reported to the public. More importantly for the purpose of this research, even fewer data breaches, even if successful and properly reported, eventually turn into corporate reputational crises for the victim organization. Borrowing the definition of reputational crisis put forward by Zyglidopoulos and Phillips (1999), this happens when data breaches turn into “widely publicized, highly-negative events that lead important stakeholders to reevaluate their impressions” of an organization (3). Figure 1.1 outlines the conceptualization of the object of inquiry of this research, which aims at studying data breaches by interpreting these phenomena as root causes of corporate reputational crises, hereinafter referred to as “PR Data Breaches”.


2.2 Paradigm Shift: From Prevention to Mitigation

Despite the contextualization carried out in the previous section, in the introduction we emphasized how cybercriminals typically find themselves ahead of the security curve. No matter how systematically and consistently organizations commit to their avoidance, data breaches are bound to happen. As stated by Todd Feinman, CEO of Identity Finder, “Organizations in all industries must stop working under the assumption of “if,” and instead, build strategies around “when” a data breach will occur” (2015). This highlights the need to abandon a purely preventive approach and complement it with mitigative measures. Prevention in itself is at times the most effective mitigative measure: to avoid contaminating public reserves of fresh water, an oil company does not build its pipelines on top of a river spring. However, as in the case of unforeseeable natural disasters such as Hurricane Katrina, which exposed the failures of the system of pumps and canals designed to protect the city of New Orleans, preventive measures are far less effective. When prevention is unattainable or too costly, the imperative is to accept the risks and mitigate the consequences (Comfort et al., 2010; Wisner et al., 2012; Sen and Borle, 2015).

In the cyber world, and specifically when dealing with data breaches, where both the probability and the impact of adverse events are high, it is important to complement protection with detection and recovery measures. This mixed approach, embodied in the National Institute of Standards and Technology (NIST) framework, is the fundamental pillar of cyber risk management, which constitutes the academic landscape for this research (Deloitte, 2016; Krumay et al., 2018). However, this transition from prevention to mitigation does not only exist as a problem for security teams out there in the real world, but is widely reflected in the academic field (Sen and Borle, 2015). It was anticipated in the introduction how the majority of contributions addressing data breaches tend to focus on the technical analysis of their execution and the relevant existing legislative context. This largely follows the traits of popular wisdom, much as it would in the physical world. After a crime is committed, the first questions generally posed revolve around the characteristics of the illegal act performed and the legal consequences pending on the perpetrator.

However, contextualized in the cyber world, these themes are still part of an agenda that largely prioritizes a preventive approach. Studying the attack sequence of a data breach by hacking has the ultimate goal of exposing eventual vulnerabilities and improving organizations’ resilience against future events. Similarly, the system of liabilities imposed in a given legal system has the underlying intent of deterring offenders and simultaneously encouraging organizations to invest in their information security systems to prevent unintended disclosures of information. Although tackling the issue from two diametrically opposed standpoints, studies that address these dimensions reiterate the same conceptual stance, by setting as their overarching goal the avoidance of data breaches entirely. With this, we do not mean to undervalue the relevance of contributions which aim at delving into the technological and legislative aspects of data breaches, which in fact will be discussed in the upcoming sections. The added value of these contributions, in fact, is to sustain a comprehensive understanding of the phenomenon, and as such is particularly valuable for investigating the subject. However, as argued by Kim et al. (2017), there is a substantial lack of scholarly research that deals with data breaches from a cyber crisis management standpoint, and particularly in terms of crisis communication.

By looking at the landscape of academic sources on the matter, however, it is possible to differentiate among some thematic branches that communication-related publications have previously dealt with. These streams are categorized as follows and will be covered in corresponding sub-chapters of this literature review. First, several authors have dealt with issues connected to the definition of the phenomenon and key terminology, a line of thought that was partly covered in the previous section and that will be addressed in the upcoming section dedicated to a taxonomy of data breaches as well as to their technological aspects. A second theme, which appears to be the dominant subject matter, relates to the impact of data breaches on organizations, both from an economic and a reputational perspective. Thirdly, and arguably closer to the intent of this research, several authors have dealt with the analysis of public announcements and reports in the aftermath of data breaches, which constitute rare examples of empirical research on the subject. The division between first-hand observations and theoretical contributions is a key juncture in relation to studies that deal with communication response strategies at large. The difference lies in the fact that, while the majority of studies aim at creating communication models that can orient organizational responses to data breaches, applying theoretical assumptions to the general context of data breaches, a few of them have gone as far as to test these projections on concrete cases of security breaches, validating or disproving such contentions. Within this third category, departing from the topic of data breaches specifically, several contributions which tested the efficacy of crisis communication responses to different types of reputational crises are consulted to strengthen the academic relevance of this research. In fact, the analysis of the aforementioned groups of academic sources will illustrate that the intersection between data breaches and crisis communication is one that emerges, reciprocally, from both sides of this academic spectrum. This is to say that, while data breach research has overlooked crisis communication strategies as a domain of interest, academic works stemming from the field of crisis communication have rarely contemplated data breaches as types of reputational crises for their investigations.

2.3 Data breach by hacking: a taxonomy of risk categories

It is not surprising that, given the novelty of the phenomenon, an extensive body of literature is centered around analyzing cyber data breaches from a taxonomic perspective (Kim et al., 2017; Khan et al., 2019). This chapter reflects this academic stream, attempting to classify data breaches from a risk management perspective. Risk and crisis management in the cyber world share the same locus and a tight relation. For instance, in addition to offering a model that combines prevention and mitigation, the NIST framework includes response measures within the mitigation cycle. It follows that within the cyber environment the risk and crisis management dimensions can be de facto reconciled. This is exemplified by the practices of professional service multinationals such as Deloitte or PwC, whose cyber crisis and cyber risk management programs include both risk mitigation and crisis response products in their pipelines (Goldberg et al., 2012; Deloitte, 2016; Baskerville et al., 2014). What derives from this reasoning is that, to compose a taxonomy of data breaches, it is instrumental to categorize them within the risk management discourse at large. Following this leitmotif, the work by Khan et al. (2019) offers a classification of data breaches based on three risk categories: data breach causes, data breach locus, and data breach impact. These categories are the result of an extensive review performed by the authors and coincide with the most recurrent threads emerging from works that deal with defining data breaches as a phenomenon. The so-called locus, as theorized by Wall and Hayes (2000), brings forward a key distinction between physical and logical data breaches, with the latter category being the one under investigation. Logical data breaches as a class encompass any undue access to sensitive data perpetrated by technological means, including anything from the exploitation of vulnerable network infrastructure that leads to man-in-the-middle attacks, to the use of malicious software spreading viruses within the system (Culnan et al., 2008; Ryan et al., 2012; Huq, 2015; Modi et al., 2013). It is by looking at the data breach causes category that we can discern further among data breaches perpetrated in a digital environment. This risk category brings forward, fundamentally, a differentiation between intentionally and unintentionally produced data breaches, which, for a large part, can be referred to as data leakages (Khan, 2019). Examples of data leakages are normally attributed to disclosures of information “caused by individuals or processes not acting with malicious intent” (Elifoglu et al., 2018, p. 65). Within this class, we find logical data breaches that see the participation of external actors only as accessory agents, such as in the case of the unintended disclosure of confidential data online or the use of unauthorized or flawed software by the victim party, as indicated by several authors (Johnson, 2008; Modi et al., 2013; Culnan et al., 2008). Procedural errors can therefore affect the security posture of organizations, creating the opportunity for third parties to leverage access to exposed information assets, an instance that according to Bennett et al. (2010) accounts for 43% of data breaches overall. However, interestingly enough, the vast majority of sources consulted recognize hacking as the main driver for data breaches, as depicted by the trend shown in Figure 1.2 (Verizon, 2020; Huq, 2015).

Figure 1.2 (figure not reproduced). Source: Verizon 2020

It is precisely this sub-category of data breaches performed by hacking that, looking at the landscape of current corporate crises in terms of rate of occurrence and economic impact, represents the biggest threat to multinational corporations (Hawkins, 2017; Kim et al. 2017; Ganev, 2018; Zhou, 2020).

If hacking by definition pertains to the logical locus dimension, there is a variety of interpretations as to whether it always represents an intentional cause for a data breach. For instance, Khan et al. (2019) inscribe the exploitation of vulnerabilities (such as unpatched software or the use of weak passwords) within the spectrum of unintentional breaches, because they originate from conditions internal to the organization that pre-exist the attack. On the other hand, Verizon, in a report published in 2020, extends the definition of hacking to obtaining access through stolen credentials (including weak passwords) and leveraging loopholes in security systems. While data breaches carried out using backdoors and Command and Control techniques are almost universally linked to hacking, there is little agreement in the literature on whether simple actions such as accessing a website with exposed credentials fall in this category or should instead be merely considered (unintentional) leakages.

However, by looking at the attack sequence of concrete cases of cyber data breaches, such as the ones that hit Capital One or the Australian National University, it is possible to draw a baseline definition of what is meant by a data breach by hacking. The reports relative to each incident used the MITRE ATT&CK framework to map the tactics utilized in the attack sequences (Borkar and Goel, 2019). Comparing the results, it is evident that hackers can adopt a large variety of techniques to achieve the same goal. Fundamentally, despite contextual differences, the two cases shared two important tactical traits: both breaches started by gaining access to an entry point (Initial Access in MITRE ATT&CK) and at a later stage extracted confidential information assets from the organization’s systems (Exfiltration in MITRE ATT&CK) (Borkar and Goel, 2019). Notably, according to the MITRE ATT&CK platform, the Initial Access tactic can be executed by applying different techniques. Among these, the most common are spear-phishing, theft of credentials of existing accounts, or drive-by compromise (attack.mitre.org, 2019). However, as exemplified by the cases analyzed, this tactic also includes the exploitation of glitches or weaknesses in online-facing applications and websites to bypass security controls, de facto expanding the definition of hacking. In this light, we can resolve the disparity of interpretations that emerged in the body of literature and consider as data breaches by hacking those that feature any cyber tactic aimed at accessing and subsequently extracting confidential information assets, regardless of the degree of contextual advantage eventually enjoyed by the hackers. Finally, we have retraced the academic fil rouge surrounding risk management theory in the context of data breaches, addressing two out of the three risk categories identified: data breach locus and data breach cause.
After having mapped data breaches by hacking as logical and intentional risks, in the next section we will address the third risk category identified, data breach impact, a controversial and topical theme in the debate on security breaches.

The third risk category put forward by Khan (2019) is data breach impact, which, as argued by Sen and Borle (2015), is the most conspicuously debated theme among scholars that deal with this matter. The definition extrapolated from the work of Huang et al. (2008) refers to data breach impact as the “adverse effect a data breach incident may have on an organization.” Khan et al. (2019), proceeding in their literature review, subdivide this last risk category into breaches that affect the different dimensions of the CIA triad: confidentiality, availability, and integrity of information. The working definition of data breach that we previously derived from Verizon’s 2020 investigative report, which referred to breaches as “the confirmed disclosure of sensitive data to an unauthorized party”, clearly refers, at a minimum, to incidents that impair the confidentiality of sensitive data. This is because the large majority of data breaches by hacking have the aim of obtaining access to protected information and exfiltrating data from secured systems, effectively affecting the confidentiality of such assets. To be precise, although the availability and integrity of data are at stake in specific, less common, types of data breaches, these can additionally be impaired as indirect consequences of confidentiality-aimed incidents. Cyber-attacks such as DDoS and ransomware are specifically designed to prevent users from accessing organizations’ resources for a certain period of time, and thus are clear examples of availability breaches (Dutta et al. 2013; Kruse et al. 2017). Similarly, data-wiper malware or the misappropriation of intellectual property normally lead to integrity-related breaches by modifying or even deleting information assets (Biener et al. 2015; Modi et al. 2013).

However, during a data breach aimed at accessing or stealing restricted information, such as in the case of theft of medical records from a healthcare provider’s systems, the improperly accessed dataset can eventually be rendered unavailable or erased as a result of the cyber penetration. In fact, the level of impact suffered by victim organizations does not necessarily depend on the CIA infringement produced, but rather on the damage procured by the incident (Cavusoglu et al. 2014; Klebnikov, 2019). For this reason, in place of a CIA triad-based classification of data breach impact, it is instrumental to analyse this risk category from the perspective of the quantifiable damages that breaches impose on organizations. In other words, how, and how much, do data breaches affect subject organizations? A closer look at previous works that dealt with the issue of measuring the impact of data breaches on organizations reveals that the costs faced by a breached corporation assume a bi-dimensional shape: economic and reputational damages (Sinanaj and Zafar, 2016). The first category comprises sanctions imposed by regulatory authorities and the legal fees of eventual proceedings, together with the financial impact registered on the markets in terms of stock valuation and revenue stream. The second, instead, relates to future consumer behaviour towards the organization, potentially affected by image deterioration due to the scandal produced by the incident. In regard to both categories, however, there is an apparent academic divide on the extent to which data breaches produce harmful consequences for victim organizations. Among others, scholars such as Garg et al. (2003), Goldberg (2013), Cavusoglu
et al. (2014), Rosati et al. (2019), and Gwebu et al. (2018), who have studied the financial impact of data breaches, argue that data breaches create visibly negative stock market reactions in the aftermath of the announcement of the incident to the public. On the other side of the fence, however, Campbell et al. (2003), Kannan et al. (2007), Chemi (2014), Sinanaj and Zafar (2016), Klebnikov (2019), and Foltyn (2019) have extensively criticized the assumption that data breaches critically hamper the financial stability of the corporations involved. Among them, Klebnikov (2019) and Foltyn (2019) go as far as to claim that not only do shareholders not react negatively to the news of a data breach, but organizations that are subject to a breach perform better in terms of stock valuation 6 months after the breach.

This divergence can be largely associated with the typology of the studies conducted, which, although largely sharing an event study methodology, differ in practice in terms of the period analysed in the aftermath of the breach, the statistical methods utilized, and the research goal that drives each study. Ultimately, by reviewing these works, two main common threads can be identified. First and foremost, the sources reviewed unanimously contend that to accurately capture the impact of data breaches, one should consider precisely those factors that characterize the incidents: the number and nature of the records disclosed, the history and size of the organization, the period of time considered, and the type of breach executed. Secondly, precisely due to the heterogeneity in the approaches and case selection criteria adopted, from an empirical standpoint the original question over the damaging stance of data breaches on organizations is still missing an all-encompassing answer. An important takeaway is that to find such an answer, the contextual characteristics of the event, such as the size of the organizations or the period of time considered, should be isolated and controlled as independent variables.

2.5 Theoretical and empirical communication models for data breaches

As set out in paragraph 2.2, within the literature on data breaches there is a peripheral research stream that deals with crisis communication. This cluster can be subdivided into scholars that focus on the theoretical premises for communicating adequately with the public when navigating a cyber-induced crisis, and those who aim at testing the validity of these projections by examining concrete cases. Standing out from the ranks of the theorists, Wang and Park (2017) created a public communication model to guide organizations in cyber crisis management. This model is built at a juncture between crisis communication strategies, such as SCCT by Timothy Coombs, and cyber incident handling guidelines as established by the National Institute of Standards and Technology (NIST). The framework proposed by the authors contends that several factors can highly influence the efficacy of the corporate communication response: a timely disclosure of the incident, selecting
communication strategies on the basis of the perceived responsibility of the organization, using expressions of regret for the incident, and the added value of cyber workforce training towards obtaining a multi-disciplinary skillset that includes crisis communication know-how (Wang and Park, 2017; Jenkins et al. 2014). These elements, which in Wang and Park’s work are posed as units of a comprehensive theoretical apparatus, are contemplated in other studies, such as the ones by Brown (2016), Bachura et al. (2017), Gwebu et al. (2018), and Jenkins et al. (2014), where they are uniformly inserted within wider response strategies for handling data breaches.

Strikingly enough, these same indications feature in studies that do not specifically deal with data breaches, such as the ones by Seeger (2006), Sandman (2006) and Heath (2007), where these elements are discussed in terms of crisis communication best practices at large. This convergence shows that, regardless of the type of spark that ignites the crisis, these guidelines remain valid across the board. In addition to those previously mentioned, Seeger (2006) and Heath (2007) suggest that honesty and empathy in communicating during a crisis are key components of an effective response, as much as promoting notions of self-efficacy and the inclusion of the public in the recovery process. Sandman (2006) instead offers a critique of these two works, and while endorsing most of the above contentions, the author addresses some points of disagreement, contaminating an otherwise perfectly balanced theoretical positioning. Sandman (2006) in fact criticizes the assertion by Seeger (2006) and Heath (2007) that organizations should communicate with the public by “coordinating and collaborating with credible sources” to deliver a uniform message. Sandman (2006) argues that expressing a single voice is unattainable in the real world, simply because the parties involved naturally tend, to some extent, to disagree with one another. In these instances, rounding off the different opinions to convey a single message would hardly be beneficial, because this line of communication would fall short of representing the heterogeneity of interpretations, de facto impairing the honesty and openness of the crisis response. In other words, Sandman (2006) exposes a trade-off between these two best practices by asserting that in the real world things look different. This is a pivotal recognition because it shows how remaining on the theoretical side of the spectrum, even by elaborating previous academic works and popular wisdom, leads to discordant and unverified projections.

As addressed at the beginning, there is an even smaller group of scholars who have concretely tested the validity of these norms by analyzing practical cases of crisis communication. In this academic stream, we find the works by Suhonen (2019), Xu et al. (2008), Kim et al. (2017), Wang (2018), and Ganev (2018). However, while in the case of Ganev (2018) and Kim et al. (2017) the authors have structured their research by adopting a comparative approach among similar cases, a method that provides a systematic assessment of the response strategies utilized across the board, in the remaining ones the focus was limited to just one data breach case. In fact, Xu et al. (2008) analyzed the crisis communication response
adopted by TJX, Suhonen (2019) focused her efforts on the Facebook breach that occurred in 2018, and Wang (2018) studied the infamous Equifax crisis response case. As a matter of fact, these single-case studies share a rather superficial analysis of the effectiveness of the communication strategies used, and instead tend to capture the overall performance of the organization through the crisis.

On the other hand, both Ganev (2018) and Kim et al. (2017) have argued that withholding information from the public or disclosing it at a later stage produces harsher consequences for organizations, but between these two studies only the one by Kim et al. (2017) has actually applied theories extrapolated from the field of crisis communication (SCCT) to verify their validity. In assessing the response strategies utilized by a set of 5 organizations hit by a data breach, Kim et al. (2017) arrive at a number of conclusions. Importantly, the authors contend that while the organizations “used a full range of response strategies including denial, ingratiation, and regret, news media outlets assessed that the breached firms chose more advocate strategies such as scapegoat or excuse.” (p. 12) This shows that there is a fundamental discrepancy between the communication strategies utilized by companies going through a data breach reputational crisis and the ones reported in the media. In light of this fact, the authors normatively suggest that those organizations should balance their response strategies with the crisis frame adopted by news outlets, as these do play a role in influencing the overall outcome of the crisis communication. Importantly, this research aims at contributing to verifying this contention within the scope of the analysis.

Secondly, the authors observed some notable patterns concerning the type of responses utilized. While in the two data breaches with fewer records disclosed (Neiman Marcus and Michaels) the organizations adopted a defensive posture and employed deny strategies to invalidate the claims, in the two largest data breaches there is no mention of the use of more accommodative strategies such as regret and apology (Kim et al. 2017). Interestingly, these findings are not consistent with most crisis communication theories and empirical research, which would assume that more severe crises would be treated with more accommodating measures, and argue that the use of a deny posture should be limited exclusively to cases of unfounded rumors or isolated accusations (Coombs, 2007b). These peculiarities might signify that cyber crisis communication as a sub-domain somewhat departs from the field of crisis communication in terms of best practices and modus operandi. However, given the scarcity of studies that empirically evaluate communication strategies in data breaches, this hypothesis lacks a definitive answer, just as much as the generalizability of the findings discussed by Kim et al. (2017) cannot be corroborated by similar evidentiary works. Nevertheless, this uniqueness paves the way for the present study to address this vacuum and focus on empirical cases of data breaches to assess the communication response strategy utilized, promoting a better understanding of this academic sphere. Overall, the relevance of the study by Kim et al. (2017) is cast in the positive correlation found between the
foundational elements of Situational Crisis Communication Theory (SCCT), which will be at the heart of the upcoming theoretical framework chapter, and the reputational crises caused by a data breach. The study by Kim et al. (2017) ultimately proves (under due limitations) that an effective communication response is highly dependent on the level of controllability of the crisis at hand. In other words, among the data breach cases analyzed, the ones that imposed the most damaging consequences for the organization were those where the media frame attributed the most responsibility for the event to the organization.

As was the case for works that tackled crisis communication from a theoretical standpoint, there are a number of studies that, although not focusing on data breach-related crises, have addressed the effectiveness of crisis communication response strategies from an empirical standpoint. In this research stream, we find the works by Park (2016), Robertson (2012), and Reed (2014). In introducing the relevance of his work, Robertson (2012) puts forward a reasoning that lies at the very heart of the present research and that was briefly contemplated in the introduction. The author, in fact, poses the problem of verifying long-standing projections that have influenced the work of crisis communicators for decades but have rarely been tested academically. Robertson (2012), in particular, focuses his work on the “public relation maxim” that the proactive and timely release of information by organizations impacted by a crisis should reduce the reputational damages. To verify this hypothesis the author analysed news stories of 9 reputational crises during the 6 months following the events, to observe the volume and tone of media attention towards the crisis in relation to when damaging information was released. The fluctuation of the organizations’ stock value was also observed to provide an additional assessment of the public reaction to the disclosure of information. Furthermore, the author surveyed over 150 expert journalists to corroborate the results of the study, which indicated that “the consequence of withholding information will be more media coverage, keeping negative information longer in play and raising the odds of reputational damage”. As with the study of Kim et al. (2017), the present research will contribute to verifying the contention that a timely disclosure can influence the effect of the response.

The findings of this research are in line with what was discussed above about crisis communication during data breaches, both in terms of communicating transparently with the public and of doing so in a timely manner. Differently from what emerged from the study of Kim et al. (2017), in the case of the study by Robertson (2012) we find that best practices from the general field of crisis communication and those specific to cyber crisis communication are aligned. This coherence is additionally verified by the works of Park (2016) and Reed (2014). The first study focuses on base response strategies, which are the first information released by the organization during a crisis, and found that showing regret and apology produces more positive effects for a company’s reputation than
not responding to it or reiterating an organization’s good deeds prior to the event (reinforcing strategies). Reed (2014), on the other hand, argues that defensive strategies could, in some instances, further intensify the reputational damages suffered by the organizations, and that, in most cases, accommodative strategies produce more advantageous effects for companies navigating a reputational crisis. In both cases, the crisis typology was not considered a determinant factor, but in spite of this, these findings do not particularly collide with what is discussed by research focusing specifically on data breach crisis communication.

To conclude, a limited number of studies have addressed the issue of how to communicate effectively during a data breach, both from an empirical and a theoretical standpoint. However, given the scarcity and specificity of each of these works, their value, for the most part, remains intrinsic, leaving the question of how to communicate efficiently during a cyber-induced reputational crisis open. By taking into account studies that dealt with crisis communication best practices at large, we were able to insert the distinctiveness of data breach communication precepts within the wider context of crisis communication. These preliminary insights from the literature indicate that these two dimensions share some common traits but may well differ in others. The current impossibility of retracing a definitive picture of the intersection between crisis communication best practices and those emerging from the corresponding cyber sub-domain at a minimum reinforces the need for this research to proceed towards gathering first-hand observations from reputational crises ignited by data breaches, to assess what strategies are to be considered most effective in these instances.

3 Theoretical Framework

3.1 Organizational Crises: An introduction to framing and perceived responsibility

The aim of this chapter is to outline the framework of theoretical contributions that will guide the analysis of this research. Before delving into the body of crisis communication theory, it is instrumental to introduce the concept of organizational crisis, starting from a key differentiation. Crises that affect organizations can be divided into two main typologies: operational crises and reputational crises. The first refers to adverse events that affect a company’s business flow, compromising its “ability to generate revenue” (Institute for PR, 2016). Most often this category of crises bears hazardous consequences for stakeholders, exposing them to direct risks and endangering their safety. Due to the disruptive nature of these incidents, while the main parties at stake are the stakeholders involved,
the primary objective for organizations faced with operational crises is to restore the functioning of their core activities to minimize downtime and monetary losses. An incident in a chemical processing factory can, in fact, lead to the compromise of the production operations as well as put at stake the safety of the surrounding community, in case noxious substances are accidentally dispersed in the environment. Given their strong physical characterization, it is not surprising that operational crises have historically been at the top of the crisis management agenda (Carroll, 2003; Coombs, 2007a). On the other hand, reputational crises typically do not produce impactful effects on stakeholders’ safety, and the victim subject is represented by the organization itself. These crises, as the name itself suggests, threaten the good name of the organization as well as the esteem held by the public and stakeholders towards that same organization. Needless to say, operational crises could negatively impact an organization’s image, as much as reputational crises could escalate to the point of impacting the standard business functioning of the subject entity, or in certain instances, its very existence (Carroll, 2016). However, this distinction is fundamental for the purpose of this research, as it sheds light on the significant role played by public perceptions in regard to the crisis, whether operational or reputational in nature. In fact, regardless of the typology of a crisis, the framing of a crisis widely affects its impact, the response to the event, and ultimately the outcome of such response.

To highlight this pattern, it is instrumental to introduce the concepts of scandals and accidents as set out by the body of corporate crisis management. The first generally spark from “some action that creates public outrage because it is considered illegal or immoral” (Carroll, 2016, p. 244). Whether the conduct is, in fact, illegal or immoral is of relative significance, because in a scandal there is always an underlying factor of perceived intentionality. On the other hand, accidents are generally unexpected events that lie outside of the control capabilities of the subjects that cause or endure them. Both scandals and accidents are effectively sources of trust violations towards stakeholders, consumers, and the public at large. The difference lies in the perceived responsibility that interest groups attribute to the affected organizations. Scandals are defined as integrity-based violations. This presupposes an attribution of immoral conduct to the agent responsible for a scandal, a consideration strongly connected to the deliberate nature of the choice that leads to such behavior in the first place. Cases of corporate fraud are instances that reflect illegal conduct, while a discriminatory statement linked to a company executive represents an example of unethical behavior. Yet, in both instances, the premeditation that sustained the action will likely be met by public outrage, because the event agents will be held responsible for their course of action (Carroll, 2016). Differently from scandals, accidents do not assume the same degree of responsibility ex ante. At most, accidents can eventually be defined as competency-based violations, in case the event originates from an erroneous task execution by an organization’s responsible staff member. However, even in these cases accidents are rarely attributed the same level of responsibility generated by scandals.

Fundamentally, this paradigm remains true regardless of the typology of the crisis at hand, whether operational or purely reputational. In corporate-fraud-based scandals like the one that affected Enron in 2001, we witnessed enormous backlashes of an operational nature, while in the case of the discriminatory statements made by Barilla’s majority stakeholder Guido Barilla the reactionary damages remained within the reputational dimension. Barilla has since invested in significant egalitarian campaigns that produced significant effects in restoring the company’s reputation, while Enron declared bankruptcy a few months after the scandal erupted (Toms, 2019; Segal, 2020). As the Enron case generated much more impactful consequences than the Barilla one and proved to be much harder to manage, the reasons are to be found in the different degree of public attention generated and the number of stakeholders involved, rather than in the crisis typology. Differently from the Enron scandal, a limited number of stakeholders came to know about Guido Barilla’s comments on the radio, while others simply were not concerned with the issue (Toms, 2019; Segal, 2020). Ultimately, as argued by Carroll (2016), “the greater the number of stakeholders that become offended and outraged, the more threatening the crisis is to the organization’s reputation” (p. 243). As said, this largely depends on how the crisis is framed to the public, a reasoning that stands valid for accidents as well. The case of an incident at a chemical facility can become a more or less serious crisis depending on the way the story is told. Ranging from purely adventitious frames, such as a pipe failure caused by rising natural gas pressure, to purely competency-based violations, such as management negligence towards safety measures, that same event can be attributed to different causes, with varying levels of crisis responsibility.
Across the typologies of corporate crises, the impact and the response to the event are ultimately dependent on the way crises are framed.

3.2 Attribution Theory and SCCT

The variability in the narrative of the events shown in regard to scandals and accidents emphasizes how the crisis responsibility associated with an organization depends on the traits of the crisis as much as on the way these traits are represented and perceived. As argued by Heath and Millar (2004), crises have both a factual and a perceived dimension. Among the many authors who have addressed this dualism, Benoit (1997), who initiated the image restoration discourse, went as far as to claim that the perceived dimension of a crisis is more important than the reality from which it draws. This reasoning, together with the consequent significance of framing addressed before, further emphasizes the relevance of crisis communication within the wider scheme of crisis management as a field. This perceptive dissonance from the actual development of a crisis strongly influences the outcome of the crisis, and organizations should pursue effective communication with the general public to control the narrative and minimize
reputational damages. But how do organizations ensure effective crisis communication? Whether an organization has responded efficiently to a crisis, and specifically by employing crisis communication strategies, is inherently hard to verify given the number of concurrent factors that can influence such a process. The difficulty emerges from the contextual characteristics that constitute a crisis in the first place and that make it unique. For instance, the type and number of stakeholders involved, the proportions of the crisis, the consumers’ reaction to the event, and the organizational framework of the company at hand are all elements that could influence the strategy and thus the success of response communications at large.

This reasoning is at the basis of Timothy Coombs’ Situational Crisis Communication Theory, henceforth referred to as SCCT, a foundational contribution that represents one of the main theoretical references in the field of Crisis Communication (Coombs, 2004; 2007a; 2007b; 2010; 2013). Coombs’ theory, stemming from the larger domain of Attribution theory, affirms that “Attributions of crisis responsibility have a significant effect on how people perceive the reputation of an organization in crisis and their affective and behavioral responses to that organization following a crisis” (Coombs and Holladay, 2010, p. 38). Introducing the notion of “attributed responsibility”, Coombs (2010) stresses a link between the inherent features of a crisis and the most compatible type of response for such an event. The most significant contribution brought by SCCT to the field of crisis communication is the provision of a comprehensive and systematic framework to reconcile response strategies with the situational elements of a crisis. Following this theoretical formulation, the author initially discerns between crisis types and intensifying factors to assess the degree of crisis responsibility that the stakeholders will attribute to the organization navigating the event.

3.3 Crisis Types and Communication Response Strategies

First, SCCT postulates a typology of crises based on incremental organizational responsibility: victim crisis, accidental crisis and preventable crisis, and then associates to each category a predetermined communication response strategy cluster. These strategy clusters (Deny, Diminish, Rebuilding, Reinforcing) can be effective as standalone methods or in conjunction with others (Coombs, 2007, 2013; Amaresan, 2019). Crisis types, within the SCCT discourse, correspond to the framing of the event rather than the nature of the crisis itself (differently from the operational and reputational categories previously addressed). Frames can be classified into communication frames, or the way information is presented by communicators, and frames in thought, the cognitive structures applied by the recipients to interpret the messages. Exploiting the so-called framing effect, communicators can influence the way the audience elaborates the information and subsequently shape its judgement. Therefore, according to SCCT, a crisis type is constructed by assembling the most prominent factors that constitute the narrative of the
events as reported by media and communication channels and does not constitute a preliminary fixed category (Coombs,2004;2007;2007b;2010;2013). These types of crisis are built on different degrees or attributed responsibility and correspond to minimal crisis responsibility (victim crisis), low crisis responsibility (accidental crisis), high crisis responsibility (preventable crisis). The underlying rationale for such a scale lies in the identification of an inverse relation between responsibility and reputation, a pattern that retraces the distinction between scandals and accidents. The more an organization is perceived to be accountable for a crisis, the more its reputation will suffer from the crisis. Within the victim crisis type, SCCT includes situations believed to be entirely outside of the control capabilities of the organization, which is de facto included among the affected parties. Victim crises include natural disasters, circulation of false information about the organization’s conduct, workplace violence by an employee, and product tampering by external parties. In this type of crisis, the dominant frame exempts the organization from having a role in the causal process that leads to the event, consequently imposing a mild reputational threat.

In accidental crises, the organization had a role in the development of the crisis, but its course of action lacked any intentionality and it had limited control over the event (Coombs, 2004; Coombs & Holladay, 2010). This category can somewhat blur the line of demarcation between scandals and accidents: in addition to technical errors leading to failures or to products being recalled from the market, it includes allegations of ethical misconduct on the part of the organization. What differentiates this crisis type from actual scandals is that the organizational misconduct remains a potential but unverified instance. In an accidental crisis, there is a low attribution of crisis responsibility to the organization, and the crisis poses a moderate reputational threat. Lastly, preventable crises (otherwise referred to as intentional) represent situations where high crisis responsibility is attributed to the organization, generating severe reputational threats (Coombs & Holladay, 2010). The crisis is perceived as purposively caused by the organization as a result of deliberate conduct. More accurately, the organization is held directly accountable for the development of the crisis because, although it possessed the ability to avoid the event, it failed to do so. This typology consists of crises that draw both from integrity-based trust violations (scandals), such as organizational misdeeds including legal infringements by management or stakeholders, and from competency-based trust violations (accidents), in the form of human errors knowingly causing incidents or harmful products to be recalled (Coombs, 2004; 2007a; 2007b; 2010; 2013). Human errors are inscribed within this category because, unlike technological failures, they are generally believed to be preventable, a distinction which is particularly relevant for the purpose of this study (Morris, Moore, & Sim, 1999).

3.4 Intensifying Factors: Crisis Severity, Crisis History, Relationship History

Although posed as the central cornerstone of SCCT, crisis responsibility is not the only factor that can influence the threatening stance of a crisis, and therefore the corrective measures needed to rectify it. In fact, Coombs and Holladay (2010) introduced two further variables into the framework which, in the authors’ own words, can be regarded as “intensifying factors”: crisis severity and performance history. Crisis severity refers to the scale of a crisis’s impact, whether its adverse consequences are environmental, financial or human in nature, regardless of the organization’s position towards the event. The damage produced by a crisis can in fact significantly alter the responsibility attributed by the public, irrespective of the nature of the actions carried out by the organization. Contrary to expectations, as revealed by a subsequent study conducted by Park & Len Rios in 2010, the relation between crisis severity and reputational threat, although usually found to be positive, is not necessarily so. Rather, the type of “injured party” plays a significant role: when serious damage affects exclusively the organization, it can potentially spark feelings of compassion in the audience (Coombs, 1998), whereas when it is consumers who are hurt, the severity of the crisis tends to generate more harmful consequences for the organization’s reputation (Lee, 2005). This being said, while partially correlated with the type of party affected by the crisis, crisis severity should be regarded as a fundamental modifying factor for the perceived responsibility of an organization, and consequently for the reputational threat hanging over it (Coombs, 2002; 2004; 2007a; 2007b; 2013; Coombs & Holladay, 2010).

Performance history follows a similar pattern. This second intensifying factor is the sum of two intertwined but independent variables: crisis history and relationship history. Crisis history refers to previous cases of a similar nature that involved the same organization in the past. A record of previous crises can considerably change the level of attributed responsibility because it establishes a pattern of misconduct and raises suspicions of recidivism (Coombs, 2002, 2004, 2007; Coombs & Holladay, 2010). Although crisis history was regarded as an intensifying factor by several studies focused on SCCT, Timothy Coombs in 2002 published a study that specifically tested the multiplying effect that a negative track record of crises has on the degree of responsibility attributed to an organization during such events. The author found that, regardless of the type of reputational crisis at hand, this intensifying factor significantly increased the attributed responsibility across victim, accidental and preventable crises.

To understand this phenomenon, it is useful to complement the definition of crisis responsibility that we introduced in chapter 3.2 by looking at three “causal dimensions” (Coombs, 2004, p. 267) that
