Beyond Damage Control: The Science Behind Apologies

This shift in mindset – from defending organizational pride to rebuilding stakeholder trust – can help guide more effective incident response.


When your organization suffers a cybersecurity incident, your first instinct might be to minimize the impact, shift blame, or stay quiet. After all, admitting fault can feel like painting a target on your back for regulators, plaintiffs' attorneys, and competitors. However, recent research on the psychology of apologies suggests this defensive stance may do more harm than good, and any experienced corporate communications team that measures the impact of its company's incident response can tell you the same thing.


In a fascinating Hidden Brain episode, psychologist Tyler Okimoto reveals how our instinct to avoid apologizing often backfires, while thoughtful apologies can help repair damaged relationships and rebuild trust. His findings on why apologies succeed or fail, and how to craft them effectively, offer valuable lessons for security leaders and communications professionals navigating an incident. Let's explore how understanding the psychology of "I'm sorry" can help your organization maintain stakeholder trust even during security incidents.

Understanding Resistance to Apologizing

In a previous Discernible blog post, Dennis Fisher spoke with Michelle Finneran Dennedy, former Chief Privacy Officer for Cisco and McAfee (now Chief Data Strategy Officer at Abaxx Technologies), Nick Selby, former Chief Security Officer at Paxos and former Director of Cyber Intelligence and Investigations at the NYPD (now EVP at Evertas), and Discernible CEO Melanie Ensign about some of the primary obstacles organizations face when considering apologizing. Their insights align with psychological research on why both individuals and organizations struggle with genuine apologies.


Research shows that our reluctance to apologize stems from deep psychological needs. When we refuse to apologize, we get a short-term boost to our self-esteem and sense of control. For organizations, this often manifests as defensive statements like, "No sensitive data was accessed" or "Our security practices exceed industry standards." Ironically, a strong organizational identity as a security leader can make it even harder to acknowledge vulnerabilities – after all, how could a company that prioritizes security let this happen?


But this protective instinct often backfires. Just as BP's CEO Tony Hayward damaged public trust by saying, "I want my life back," during the Deepwater Horizon crisis, executives who treat stakeholder concerns as an attack on the reputation they want to protect often make the situation worse and undermine their own credibility. When organizations try to minimize incidents or fumble their response, they risk being perceived as uncaring, untrustworthy, and incompetent.

Crafting Effective Apologies

Okimoto's research also reveals several elements of effective apologies that business leaders and communicators should consider:

  • Timing Matters: While an immediate response is important, rushing to apologize before understanding the situation can seem insincere. Instead, acknowledge the incident promptly while explaining that your investigation is ongoing. If you need time to investigate, be transparent about why, and about how and where you will share updates once they are available. Also, consider whether there is anything affected people can do in the meantime to reduce their risk. Action absorbs anxiety, so if you don't yet have all the information people need, give them a productive outlet to work through the uncertainty.

  • Focus on the Future: Emphasize concrete steps you’re taking to support affected parties. Research shows that apologies that focus on future commitments are more effective than those dwelling on past explanations. Your organization’s technical credibility makes promises about future improvements believable rather than empty words. Think of it like a doctor explaining a treatment plan - you're more likely to trust their recommendations when they first demonstrate a deep technical understanding of your condition. Similarly, when an organization shows they thoroughly understand the technical aspects of a security incident, their commitment to prevent future incidents carries more weight. The research on forward-looking apologies becomes especially powerful when paired with technical substance. 

  • Show Genuine Remorse: Expressions of authentic concern for affected parties are also crucial for credibility. This means moving beyond formulaic statements to demonstrate a genuine understanding of the incident's impact on stakeholders regardless of fault or root cause.

  • Remember Different Audiences: Different stakeholders – customers, employees, regulators – may need a different type of response. What reassures customers might not address employee concerns, and vice versa. While messages should be tailored to each audience's needs and concerns, they must all align with a single source of truth managed through centralized incident communications. This coordination ensures no stakeholder group receives conflicting information that could damage credibility or create confusion.

The Bigger Picture

Security incidents often symbolize larger concerns about data privacy and corporate responsibility. Organizations must recognize this broader context while managing their response and remember that stakeholders may see the incident as part of a systemic problem rather than an isolated event. This "appraisal gap" between how organizations and stakeholders view incidents can complicate your response, because stakeholders often want assurance about broader commitments to privacy and security in addition to technical details and specific mitigations. An organization's preexisting reputation acts as a lens through which stakeholders interpret both the incident and the response. Companies with strong track records of transparency and responsible practices typically face less skepticism about their commitments to improve, while those with previous issues may need to work harder to demonstrate credibility and rebuild trust. This is one reason we advocate strongly for proactive security communication programs that can withstand the public scrutiny of an incident. Effective incident response communications are an ongoing program, built with the knowledge that there is always another incident around the corner.

Making Apologies Work

The most important insight from Okimoto's research might be that effective apologies are not about soliciting forgiveness or even protecting your reputation. Instead, they are the beginning of a process to rebuild trust and demonstrate ongoing improvement. In the context of a security incident, this means:

  • Starting communication early while being clear about what is known and unknown

  • Making specific, measurable commitments for improvements

  • Following through with transparent implementation of those improvements

  • Maintaining ongoing communication as new information emerges

  • Demonstrating changed behavior through improved security practices

Leaders worried about the business impact of security incidents should approach apologies as relationship repair tools rather than only as a reputation management exercise. This shift in mindset—from defending organizational pride to rebuilding stakeholder trust—can help guide a more effective incident response. It’s not a solo journey, though; coaching cross-functional teams to operate this way—from legal to PR to the C-suite—is one of the most challenging aspects of security communication and a core reason why Discernible exists.  

Looking Forward

As security threats and privacy concerns continue to grow, incidents are unfortunately inevitable. What distinguishes organizations is not whether they experience incidents but how they respond when incidents occur. Understanding the psychology of apologies can help business leaders navigate these challenging situations more effectively. Organizations can maintain stakeholder trust in the face of security challenges by acknowledging incidents appropriately, communicating transparently, and focusing on the well-being of their most valuable relationships. The key is remembering that an apology is not a sign of weakness or an admission of complete failure. Instead, it's an opportunity to demonstrate organizational values, rebuild relationships, and emerge stronger through improved security practices. Mastering the art of apologies is now an essential skill for security leadership.


Read our customer case study, “Collaborating to Design a Holistic Incident Response Communications Plan.”

For more information on Discernible’s incident readiness and response programs, contact us here.
