Effective Crisis Response Communication and Data Breaches: a Comparative Analysis of Corporate Reputational Crises

Effective Crisis Response Communication and Data Breaches: a Comparative Analysis of Corporate Reputational Crises

Michael Schonheit s2135485 Master’s Thesis 02/10/2020 Effective Crisis Response Communication and Data Breaches: a comparative analysis of corporate reputational crises Master’s Thesis Crisis and Security Management Table of Contents 1 1 Introduction 2 Literature Review 2.1 Placing data breaches within the cybersecurity discourse 6 2.2 Paradigm Shift: From Prevention to Mitigation 10 2.3 Data breach by Hacking: A Taxonomy of Risk Categories 12 2.4 Economic and reputational Impact on organizations 15 2.5 Theoretical and empirical communication models for data breaches 16 3 Theoretical Framework 3.1 Organizational Crises: An introduction to framing and perceived responsibility 21 3.2 Attribution Theory and SCCT 23 3.3 Crisis Types and Communication Response Strategies 24 3.4 Intensifying Factors: Crisis Severity, Crisis History, Relationship Performance 25 3.5 Communication Response Strategies 27 3.6 SCCT Recommendations and Data Breaches 30 3.7 SCCT and PR Data Breaches by Hacking 32 4 Methodology 4.1 Operationalizing SCCT in the Context of Data Breaches 35 4.2 Stock Analysis and News Tracking: Assessing cases on varying degrees of reputation recovery 36 4.3 Refining the Case Selection Framework and the Analysis Process 40 4.4 Intra-periodic Analysis and Inter-periodic Analysis 43 5 Analysis 5.1 Narrowing the Scope: Building the Comparative Case Study 44 5.2 Statistical Recovery: Stock and Revenue Analysis 49 5.3 News Media Tracking and Reputation Index Scores 58 6 Discussion 6.1 Intra-periodic Analysis: Assessing Organizational Responses 72 6.2 Inter-periodic analysis: Verifying the Initial Propositions 74 7 Conclusions 77 8 Appendix 79 9 Bibliography 79 1. Introduction 2 With the emergence of the digital economy cybersecurity has rapidly become a critical aspect for organizations to thrive and maintain their core business activities. As business information and communication systems are increasingly reliant on digital technology, organizations have the imperative to protect them, and the data contained therein, against an ever-evolving landscape of cyber threats. While providing organizations with undeniable development opportunities, the unremitting trend of digitalization has concomitantly brought upon new risks for their survival. In tackling this so called “dark side of digitalization”, the paramount objective of cybersecurity revolves around preserving the availability, integrity and confidentiality of online data (MERGroup,2020). As early as 2015, IMB CEO Ginni Rometti emphatically asserted that data is the “is the world’s new natural resource” consequently making cybercrime “by definition, the greatest threat to any industry” (Morgan, 2017). With the current volume of online data over 50 larger than it was at the time, drastically increasing the magnitude of the cyber-attack surface, this statement feels now quite prophetic. (ITRC 2020;Morris,2020) While cyber threats at large encompass any “malicious act that seeks to damage data, steal data, or disrupt digital life”, with a 4300 percent increase in online data creation from 2019, online data breaches represent one of the most recurrent and damaging cyber incidents for organizations worldwide. The Risk Based Security’s year-end report (2020) estimates that in 2019 alone total of 15.1 billion records have reportedly been exposed to unauthorized use of confidential information. This statistic feature represents an all-time high, increasing by 284% compared to 2018, and confirming a constant trend throughout the last decade. (Sobers,2020;Winder,2019;Lavelle,2020). Although information breaches in the physical world well preceded the current wave of digitalization, online data breaches nowadays are stealing the show. Strikingly enough, compared to their “physical” counterpart, online data breaches are highly dependent on factors endogenous to organizations, including inconsistent data retention and handling policies, internal misuse, system vulnerabilities and human errors. Nevertheless, for the exposed records to be leveraged into identity theft or fraudulent abuse of confidential information, data breaches still depend on the illegitimate doings of external actors proactively exploiting unauthorized access to this data. As reported by Goddijn & Kouns (2020), “Hacking, defined as unauthorized intrusion into systems, has been the top breach type by number of incidents for every year of the past decade except for 2010”. In order to depict this pattern and narrow the scope of this research, we assume Martin’s (2019) definition of data breach, as it well depicts an element of intentionality: “A data breach occurs when there is an unauthorized entry point into a corporation’s database that allows cyber hackers to access customer information”. Cyber dependent methods for gaining unauthorized access to organizations restricted information include but are not limited to: malwares, phishing emails, DDoS attacks, backdoor exploitations, and Trojan horses. Looking into the statistics for these attack vectors, combined with data exposed through unintentional leakages, data 3 breaches impose on organizations worldwide unparalleled monetary costs (MERGroup,2020;Arghire,2020). In particular the gap between economic damages of online breaches and security capabilities of organizations to contrast this phenomenon seems to be widening. In fact, despite the steady rise in organizations awareness and security investments to defend against cyber incidents, the measures implemented have so far had limited effect in containing their impact. While total cyber security expenditures of organizations worldwide have rose from approximately 113 billion of dollars in 2015 to 173 billions in 2020, in the same timeframe the costs of data breaches and cybercrime at large have doubled, reaching an astonishing total of 6 trillion dollars (Columbus,2020). This notable disproportion can be accounted for by delving into the types of damages that businesses are confronted with. Direct costs affecting organizations suffering a data breach include: business disruption and recovery, forensic investigations, legal proceedings, regulatory fines, credit monitoring for customers, crisis management advisory. However, these constitute just the tip of iceberg. In the aftermath of a data breach organizations are often confronted with business reputational damages and loss of consumer trust, which represent much more impactful consequences with the potential to turn the cyber incident into a corporate reputational crisis (Kim et al. 2017; Wang et al. 2017). These indirect costs usually affect businesses in the long run, protracting damages in time and representing the greatest challenge of all for organizations undergoing a data breach. The distinction between direct and indirect business damages produced by a data breach, is particularly relevant for defining the range left to organizations for effectively reduce the impact of a data breach. While we discussed that, for the large part cyber incidents cannot be entirely prevented by establishing all-encompassing cybersecurity measures, reputational damages are largely connected to the public perception of an organization undergoing a cyber crisis, and thus can be mitigated by handling the incident response phase with effective crisis communication strategies (Kim et al. 2017; Wang et al. 2017). This reasoning is one of the core foundations of crisis management as a field. Because of the uncertainty surrounding the traits of a crisis, these events cannot be entirely anticipated ex ante and adopting an exclusively preventive approach has proved to be widely inefficient. Rather, by emphasizing the larger impact of indirect reputational costs produced by data breaches, this research focuses on mitigation strategies that can be applied to reduce the impact of such events on organizations. In particular, as it will be discussed in the next section dedicated to the theoretical foundations of this research, damages to a company reputation, and its image in general, are strictly connected to the public perception of such organization and the crisis it navigates through. 4 The present research aims, in fact at studying crisis response communication strategies that organizations can employ to effectively reduce reputational damages and loss of consumer trust. As Harrison (2007) observed: “A fundamental principle in the field of crisis management is that there are vital and strategic communication methods that help deal with events that can negatively influence an organization” (41). By investigating this matter, the goal of this study is to derive from the analysis of concrete cases of corporate reputational crises in aftermath of data breaches, an assessment of how organizations can mitigate reputational damages through crisis response communication strategies. In doing so, this research will compare cases of corporate data breaches that vary on the degree of financial and reputational recovery from the crisis. Extrapolating communication strategies from this comparative analysis, this study aims at verifying their impact on the organizations’ recovery trends, as well as to check their validity within the body of theory on the matter. Furthermore, as discussed more in depth in the upcoming sections of this research, the vast majority of academic works that study data breaches focus more on the legal and technological aspects of the phenomenon, leaving the intersection with response communication strategies as under-researched domain. In turn, from the crisis communication

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    92 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us