Responding to Cyberattacks: The Persuasiveness of Claiming Victimhood

Evidence shows that, in the aftermath of cyberattacks, organizations usually accept responsibility for having failed to protect stakeholders’ data more effectively. While this strategy is reasonable in many circumstances, research suggests that it would be unsuitable in situations where the data bre...

Full description

Saved in:
Bibliographic Details
Published in:Journal of service research : JSR 2024-09
Main Authors: Antonetti, Paolo, Baghi, Ilaria
Format: Article
Language:English
Citations: Items that this one cites
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Evidence shows that, in the aftermath of cyberattacks, organizations usually accept responsibility for having failed to protect stakeholders’ data more effectively. While this strategy is reasonable in many circumstances, research suggests that it would be unsuitable in situations where the data breach is caused exclusively by criminal actors, what scholars refer to as a “victim crisis.” We argue that, in this type of situations, organizations can apologize while claiming victimhood. We present a model of moderated mediation explaining the persuasiveness of this strategy as a response to cyberattacks. In five experiments, we show that an apology claiming victimhood outperforms an apology accepting or rejecting responsibility. However, claiming victimhood is effective only when evidence of harm is provided and when the organization cannot be construed as being partly responsible for the attack. Furthermore, claiming victimhood is more effective if the focal organization is perceived as virtuous and the cybercriminal as very competent. The study contributes to the literature on service failure and recovery by offering the first account of how claims of victimhood can be deployed effectively. Furthermore, the study raises important managerial implications by proposing a novel communication strategy that can be deployed in the aftermath of cyberattacks.
ISSN:1094-6705
1552-7379
DOI:10.1177/10946705241271337