Evidence shows that, in the aftermath of cyberattacks, organizations usually accept responsibility for having failed to protect stakeholders’ data more effectively. While this strategy is reasonable in many circumstances, research suggests that it would be unsuitable in situations where the data breach is caused exclusively by criminal actors, what scholars refer to as a “victim crisis.” We argue that, in this type of situations, organizations can apologize while claiming victimhood. We present a model of moderated mediation explaining the persuasiveness of this strategy as a response to cyberattacks. In five experiments, we show that an apology claiming victimhood outperforms an apology accepting or rejecting responsibility. However, claiming victimhood is effective only when evidence of harm is provided and when the organization cannot be construed as being partly responsible for the attack. Furthermore, claiming victimhood is more effective if the focal organization is perceived as virtuous and the cybercriminal as very competent. The study contributes to the literature on service failure and recovery by offering the first account of how claims of victimhood can be deployed effectively. Furthermore, the study raises important managerial implications by proposing a novel communication strategy that can be deployed in the aftermath of cyberattacks.
AgrafiotisIoannisNurseJason R. C.GoldsmithMichaelCreeseSadieUptonDavid (2018), “A Taxonomy of Cyber-Harms: Defining the Impacts of Cyber-Attacks and Understanding How They Propagate,” Journal of Cybersecurity, 4 (1), 1-15.
2.
AllardThomasDunnLea H.WhiteKatherine (2020), “Negative Reviews, Positive Impact: Consumer Empathetic Responding to Unfair Word of Mouth,” Journal of Marketing, 84 (4), 86-108.
3.
AntonettiPaoloMaklanStan (2016), “An Extended Model of Moral Outrage at Corporate Social Irresponsibility,” Journal of Business Ethics, 135 (3), 429-444.
4.
AntonettiPaoloBaghiIlaria (2021), “When Blame-Giving Crisis Communications Are Persuasive: A Dual-Influence Model and Its Boundary Conditions,” Journal of Business Ethics, 172 (2), 59-78.
5.
BatsonC. DanielO’QuinKarenFultzJimVanderplasMaryIsenAlice M. (1983), “Influence of Self-Reported Distress and Empathy on Egoistic versus Altruistic Motivation to Help,” Journal of Personality and Social Psychology, 45 (3), 706-18.
6.
BiragliaAlessandroFuchsChristophMairaElisaPuntoniStefano (2023), “When and Why Consumers React Negatively to Brand Acquisitions: A Values Authenticity Account,” Journal of Marketing, 87 (4), 601-17.
7.
Boeken Jasmijn (2024). From Compliance to Security, Responsibility beyond Law. Computer Law & Security Review, 52, 105926.
8.
BoltonLisa E.MattilaAnna S. (2015), “How Does Corporate Social Responsibility Affect Consumer Response to Service Failure in Buyer–Seller Relationships?,” Journal of Retailing, 91 (1), 140-53.
9.
BundyJonathanPfarrerMichael D. (2015), “A Burden of Responsibility: The Role of Social Approval at the Onset of a Crisis,” Academy of Management Review, 40 (3), 345-69.
10.
BundyJonathanPfarrerMichael D.ShortCole E.Timothy CoombsW. (2017), “Crises and Crisis Management: Integration, Interpretation, and Research Development,” Journal of Management, 43 (6), 1661-92.
11.
ChenYanZahediFatemeh M. (2016), “Individuals’ Internet Security Perceptions and Behaviors,” MIS Quarterly, 40 (1), 205-22.
12.
CoombsW. Timothy (2007), “Attribution Theory as a Guide for Post-crisis Communication Research,” Public Relations Review, 33 (2), 135-9.
Eichensehr KristenE. (2020). The Law and Politics of Cyberattack Attribution. UCLA Law Review, 520, 520–98.
16.
FaulFranzErdfelderEdgarLangAlbert G.BuchnerAlex (2007), “G* Power 3: A Flexible Statistical Power Analysis Program for the Social, Behavioral, and Biomedical Sciences,” Behavior Research Methods, 39 (2), 175-91.
17.
FournierSusanAlvarezClaudio (2012), “Brands as Relationship Partners: Warmth, Competence, and In-Between,” Journal of Consumer Psychology, 22 (2), 177-85.
18.
FriestadMarianWrightPeter (1994), “The Persuasion Knowledge Model: How People Cope with Persuasion Attempts,” Journal of Consumer Research, 21 (1), 1-31.
19.
GangloffK. AshleyConnellyBrian L.ShookChristopher L. (2016), “Of Scapegoats and Signals: Investor Reactions to CEO Succession in the Aftermath of Wrongdoing,” Journal of Management, 42 (6), 1614-34.
20.
GijsenbergMaarten J.Van HeerdeHarlad J.VerhoefPeter C. (2015), “Losses Loom Longer Than Gains: Modeling the Impact of Service Crises on Perceived Service Quality over Time,” Journal of Marketing Research, 52 (5), 642-56.
21.
GoetzJenniferDacherKeltnerSimon-ThomasEmilina (2010), “Compassion: an Evolutionary Analysis and Empirical Review,” Psychological Bulletin, 136 (3), 351-63.
22.
GoodeSigiHoehleHartmutVenkateshViswanathBrownSusan A. (2017), “User Compensation as a Data Breach Recovery Action,” MIS Quarterly, 41 (3), 703-34.
23.
GrasoMayaReynoldsTaniaGroverSteven L. (2020), “Allegations of Mistreatment in an Era of Harm Avoidance: Taboos, Challenges, and Implications for Management,” Academy of Management Perspectives, 34 (1), 1-27.
24.
GrayHeather M.GrayKurtWegnerDaniel M. (2007), “Dimensions of Mind Perception,” Science, 315 (5812), 619-32.
25.
GrayKurtWegnerDaniel M. (2011), “To Escape Blame, Don’t Be a Hero—Be a Victim,” Journal of Experimental Social Psychology, 47 (2), 516-19.
26.
GrégoireYanyMattilaAnna S. (2021), “Service Failure and Recovery at the Crossroads: Recommendations to Revitalize the Field and its Influence,” Journal of Service Research, 24 (3), 323-8.
27.
GüntürkünPascalHaumannTillMikolonSven (2020), “Disentangling the Differential Roles of Warmth and Competence Judgments in Customer-Service Provider Relationships,” Journal of Service Research, 23 (4), 476-503.
28.
HassonUriSimmonsJoseph P.TodorovAlexander (2005), “Believe it or Not: On the Possibility of Suspending Belief,” Psychological science, 16 (7), 566-71.
29.
HayesAndrew F. (2017). Introduction to Mediation, Moderation, and Conditional Process Analysis: A Regression-Based Approach, 2nd ed. New York: Guilford publications.
30.
HerselMatt C.GangloffK. AsheleyShropshireChristine (2023), “Mixed Messages: Crisis Communication–Dismissal (In)Coherence and Shareholder Trust Following Misconduct,” Academy of Management Journal, 66 (2), 638-66.
InbarYoelPizarroDavid A.CushmanFiery (2012), “Benefiting from Misfortune: When Harmless Actions Are Judged to Be Morally Blameworthy,” Personality and Social Psychology Bulletin, 38 (1), 52-62.
33.
KampfZohar (2009), “Public (Non-) Apologies: The Discourse of Minimizing Responsibility,” Journal of Pragmatics, 41 (11), 2257-70.
34.
KervynNicolasFiskeSusan T.MaloneChris (2022), “Social Perception of Brands: Warmth and Competence Define Images of Both Brands and Social Groups,” Consumer Psychology Review, 5 (1), 51-68.
35.
KervynNicolasBergsiekerHilary B.FiskeSusan T. (2012), “The Innuendo Effect: Hearing the Positive but Inferring the Negative,” Journal of Experimental Social Psychology, 48 (1), 77-85.
36.
KhamitovMansurGrégoireYanySuriAnshu (2020), “A Systematic Review of Brand Transgression, Service Failure Recovery and Product-Harm Crisis: Integration and Guiding Insights,” Journal of the Academy of Marketing Science, 48 (3), 519-42.
KuipersSannekeSchonheitMichael (2022), “Data Breaches and Effective Crisis Communication: A Comparative Analysis of Corporate Reputational Crises,” Corporate Reputation Review, 25 (3), 176-97.
39.
KwokLinchiLeeJungwooHanSpring H. (2022), “Crisis Communication on Social Media: What Types of COVID-19 Messages Get the Attention?,” Cornell Hospitality Quarterly, 63 (4), 528-43.
40.
MalhotraArvindMalhotraClaudia Kubowicz (2011), “Evaluating Customer Information Breaches as Service Failures: An Event Study Approach,” Journal of Service Research, 14 (1), 44-59.
41.
MasuchKristinGreveMaikeTrangSimon (2021), “What to Do after a Data Breach? Examining Apology and Compensation as Response Strategies for Health Service Providers,” Electronic Markets, 31 (3), 829-48.
42.
MiedemaTheresa E. (2018), “Consumer Protection in Cyber Space and the Ethics of Stewardship,” Journal of Consumer Policy, 41 (1), 55-75.
OkEkinQianYiStrejcekBrendanAquinoKarl (2021), “Signaling Virtuous Victimhood as Indicators of Dark Triad Personalities,” Journal of Personality and Social Psychology, 120 (6), 1634-62.
45.
RaiTage. S.Diermeier Daniel (2015). Corporations are Cyborgs: Organizations Elicit Anger but Not Sympathy When They Can Think but Cannot Feel. Organizational Behavior and Human Decision Processes, 126, 18–26.
46.
RaithelSashaHockStefan J. (2021), “The Crisis-Response Match: An Empirical Investigation,” Strategic Management Journal, 42 (1), 170-84.
47.
RasoulianShahinGrégoireYanyLegouxRenauldSénécalSylvain (2017), “Service Crisis Recovery and Firm Performance: Insights from Information Breach Announcements,” Journal of the Academy of Marketing Science, 45 (6), 789-806.
48.
RasoulianShahinGrégoireYanyLegouxRenauldSénécalSylvain (2023), “The Effects of Service Crises and Recovery Resources on Market Reactions: An Event Study Analysis on Data Breach Announcements,” Journal of Service Research, 26 (1), 44-63.
49.
SenRaviBorleSharad (2015), “Estimating the Contextual Risk of Data Breach: An Empirical Approach,” Journal of Management Information Systems, 32 (2), 314-41.
50.
Van VaerenberghYvesVargaDorottyaDe KeyserArneOrsingherChiara (2019), “The Service Recovery Journey: Conceptualization, Integration, and Directions for Future Research,” Journal of Service Research, 22 (2), 103-19.
51.
VenkatramanSrinvasanAloysiusJohn A.DavisFred D. (2006), “Multiple Prospect Framing and Decision Behavior: The Mediational Roles of Perceived Riskiness and Perceived Ambiguity,” Organizational Behavior and Human Decision Processes, 101 (1), 59-73.
52.
XuHaiyueBoltonLisa E.WinterichKaren P. (2021), “How Do Consumers React to Company Moral Transgressions? The Role of Power Distance Belief and Empathy for Victims,” Journal of Consumer Research, 48 (1), 77-101.
53.
YangLinyan W.AggarwalPankaj (2019), “No Small Matter: How Company Size Affects Consumer Expectations and Evaluations,” Journal of Consumer Research, 45 (6), 1369-84.
Supplementary Material
Please find the following supplemental material available below.
For Open Access articles published under a Creative Commons License, all supplemental material carries the same license as the article it is associated with.
For non-Open Access articles published, all supplemental material carries a non-exclusive license, and permission requests for re-use of supplemental material or any part of supplemental material shall be sent directly to the copyright owner as specified in the copyright notice associated with the article.
