My first foray into studying information security crises from a communication perspective was a case study of Sony Pictures Entertainment’s 2014 mega breach. Go big or go home?
Eventually, I looped the OPM breach as well and I’ve gone through maybe 3 or 4 different methods in tackling the breaches. After actual years of edits, (with decent dormancy, and split attention) I finally have a version that I’m ready to put out for publishing. That doesn’t mean it will actually be published academically, of course. I want to share some of my findings and the process by which I reached them in a less formal setting. In this post, I’m going to focus on Sony, not OPM. I’ll be talking about that in several other posts that I have cooking.
I was in my first year of graduate school when this was all going down and I watched it with the low-level horror you have when watching people doubling-down on bad decisions. I just watched the crisis escalate and wondered what, if anything, crisis communication theories had to say about that escalation. So I began looking into it.The question I was trying to answer with this research, generally, was “why did it get so bad?” Or crazy, or dumpster fire-like, or whatever term you want to use.
How did I answer that question?
I collected documents to analyze:public statements from Sony, news articles about the breach, and the lawsuit on behalf of current and former employees. I knew interviews would be practically impossible to arrange. In my initial reading of documents I found patterns that almost perfectly aligned with SCCT. Depending on how deep you want to dive into it, you might find some...varied evaluations of SCCT. It is a foundational theory of crisis communication and, because of that, I kind of wanted to avoid it in my research. However, my approach to research requires that I follow that data wherever it takes me. In this case, it was right into the warm, welcoming arms of SCCT.
That initial analysis revealed communication from Sony that almost perfectly fit within SCCT response strategies (see the right side of the table).
Source: Claeys, Cauberghe & Vyncke (2010) adapted from: Coombs (2007), p. 168 and 170.
The interesting findings
The Sony case was big and complex. I’m going to try and focus my attention here. I’m not going to dive into all of my findings, just the most interesting and best supported ones. The two response strategies that I saw in the data that drove me to SCCT were: attacking the accuser and excusing. I also saw evidence of scapegoating, compensation, and corrective action.
Sony as a victim
When an organization is pushing the narrative that it’s the victim of a crisis, it will attack other entities that accuse it of responsibility by contradicting those claims, or the accuser’s credibility, or a combination of the two. This was easy to see in the Sony case. The two key examples of this response strategy were seen against President Obama and the media reporting on the incident. The “attack the accuser” case against President Obama could not be characterized as an attack based on really any other measurement scheme but the CEO of Sony, Michael Lynton, did attempt to characterize the accusation from President Obama that Sony was mishandling the situation as misinformed:
"I don't know exactly whether he understands the sequence of events that led up to the movie not being shown in the movie theaters. Therefore I would disagree with the notion that it was a mistake."
The second instance was a cease and desist letter sent to a number of reporters and news agencies who had been reporting on the incident. The first time I heard about this was through Brian Krebs’ twitter and story. While the letter focused on the possession of the materials, Brian Krebs and others saw the letter as an attempt to stifle reporting. The subtext of the letter was that Sony wanted reporters to “cease publishing detailed stories about the company’s recent hacking” as well as “delete any company data collected in the process of reporting on the breach.” Regardless of text or subtext, this letter made it clear that Sony was attempting to control the narrative in what ways it could.
The hack as unpreventable
The next theme that drove me toward SCCT was Sony characterizing the crisis as unavoidable and entirely out of its control. Sony highlighted the “unprecedented nature” of the hack, asserting via a statement from Kevin Mandia that “the malware was undetectable by industry standard antivirus software and was damaging and unique.” This falls under the excuse response strategy in SCCT which is associated with a moderate level of responsibility, as opposed to the low responsibility associated with the attack the accuser strategy.
Rejecting Sony's narratives
This is a good opportunity to discuss the failure of SCCT in protecting Sony’ reputation. SCCT strategies can only protect a reputation if the narratives are believed and accepted by the public. If the public rejects the narratives, it can actually increase the reputational threat of a crisis. When an organization’s framing is contradicted, when people don’t buy the story Sony is selling, the organization is seen as out of touch, ill-informed, unresponsive, any host of bad qualities for an organization in crisis. The crisis begins spinning out of control, from a PR and reputational perspective, when an organization’s frames of the situation are rejected.
The major player in this rejection is the news media. They are the driving factor behind whether or not the public accepts or rejects organizations’ frames based on whether and how the media promotes an organization's’ narratives. In this case, the media promoted frames that directly contradicted Sony's, frames that placed more responsibility on Sony than they were willing to accept. This battle over responsibility is shared by many of the information security crises I've looked at. The public doesn't understand these crises well enough to attribute responsibility on their own and rely on the media to guide them. Additionally, companies are still new to communicating about these incidents and aren't using frames believable or acceptable to the media or the public.
This attribution and framing problem for information security crises is a big deal from a theoretical perspective but it also has major practical implications. I think I've gone on long enough for one post so I'll delve into those implications next week.