Shaken to the core: trust trajectories in the aftermaths of adverse cyber events

Adverse cyber events, like death and taxes, have become inevitable. They are an increasingly common feature of organisational life. Their aftermaths are a critical and under-examined context and dynamic space within which to examine trust. In this paper, we address this deficit.

Drawing on pertinent theory and reports of empirical studies, we outline the basis of two alternative subsequent trajectories, drawing out the relationships between trust, vulnerability and emotion, both positive and negative, in the aftermath of an adverse cyber event.

We combine stage theory and social information processing theories to delineate the dynamics of trust processes and their multilevel trajectories during adverse cyber event aftermaths. We consider two response trajectories to chart the way vulnerability arises at different levels within these social systems to create self-reinforcing trust and distrust spirals. These ripple out to impact multiple levels of the organisation by either amplifying or relieving vulnerability.

The way adverse cyber events aftermaths are managed has immediate and long-term consequences for organisational stakeholders. Actions impact resilience and the ability to preserve the social fabric of the organisations. Subsequent trajectories can be “negative” or “positive”. The “negative” trajectory is characterised by efforts to identify and punish the employee whose actions facilitated the adverse events, i.e. the “who”. Public scapegoating might follow thereby amplifying perceived vulnerability and reducing trust across the board. By contrast, the “positive” trajectory relieves perceived vulnerability by focusing on, and correcting, situational causatives. Here, the focus is on the “what” and “why” of the event.

We raise the importance of responding in a constructive way to adverse cyber events.

The aftermaths of cyber attacks in organisations are a critical, neglected context. We explore the interplay between trust and vulnerability and its implications for management “best practice”.