All Cases For
Organizational Change 5th Edition by Gene Deszca, Cynthia Ingols, Evelina Atanassova, Tupper F.
Cawsey
Chapter 2-11
Held Hostage in the 21st Century:
Cybersecurity, Ransomware, and Crisis Management (A) and (B)
Teaching Note
Executives across industries increasingly have a particular risk to manage: cybersecurity. 1 This case
set addresses cybersecurity through the lens of one manager‟s experience, paying particular attention to
how she communicates with a broad array of stakeholders about the incident and company response. The
case serves the educational interests of those aiming to train managers in areas such as crisis
communication, risk management, and voicing values in matters of organizational decision-making.
Case Synopsis
Anni Anderson is the founder and CEO of Selah, a software and application company that aims to
support users with everyday communication (similar to a company like Duolingo, for instance). Selah is a
relatively young start-up that saw explosive customer-acquisition growth during the COVID-19
pandemic. Much to Anderson‟s disappointment, Selah experiences a ransomware attack on the eve of
closing its largest ever round of funding from venture capitalists. As Anderson surveys her executive team
in an emergency meeting, it becomes clear that the ransomware attack jeopardizes Selah‟s standing not
only among users but also among investors. Additionally, Anderson must communicate with Selah‟s staff
and board of directors, not to mention regulators, industry partners, and the media. In the A case,
Anderson‟s challenge is to organize and communicate her company‟s response vis-à-vis the cyberattack.
In the B case, we read a synopsis of effective responses that have actually been deployed in such
situations.
Intended Use
This case is intended for use at the MBA and executive-education levels in courses on topics such as
communication, information technology (IT), risk management, public relations, leadership, and ethics.
The approach to teaching embedded in the case is based on the Giving Voice to Values (GVV)
curriculum. This case is part of the GVV collection.2
Learning Objectives
1 This material is part of the Giving Voice to Values (GVV) curriculum. The Yale School of Management was the founding partner, along with the
Aspen Institute, which also served as the incubator for GVV. From 2009 to 2015, GVV was hosted and supported by Babson College. The case is
fictional: Anni Anderson and Selah represent composites of real-world experiences.
2 Giving voice to values. IBIS Initiatives, Darden School of Business. Retrieved April 26, 2022, from
https://www.darden.virginia.edu/ibis/initiatives/gvv
, This case is designed to help students practice the following:
devising a strategic approach toward crisis communications in relation to multiple stakeholders--
both internal and external to the organization--with varying interests,
crafting specific messaging that targets audiences to take desired actions,
planning for risk mitigation and response, amounting to a Mini handbook on cybersecurity risk
management, and
reflecting on the broader implications and complexities involved in cybersecurity risk and
organizational leadership.
References and Background Reading
Brown, S. (2022, January 19). How to respond to a ransomware attack: Advice from a federal
agent. MIT Sloan. Retrieved April 27, 2022, from https://mitsloan.mit.edu/ideas-made-to-
matter/how-to-respond-to-a-ransomware-attack-advice-a-federal-agent
McMillan, R., De Avila, J., & Bunge, J. (2021, June 2). NYC‟s subway operator and Martha‟s
Vineyard Ferry latest to report cyberattacks. Wall Street Journal. Retrieved April 27, 2022, from
https://www.wsj.com/articles/ransomware-scourge-continues-as-essential-services-are-hit-
11622672685
The 2021 geography of cryptocurrency report: Analysis of geographic trends in cryptocurrency
adoption and usage. (October 2021). Chainalysis.
Information risk insights study 2020: A clearer vision for assessing the risk of cyber incidents.
(2020). Cyentia Institute, and Advisen. Retrieved April 27, 2022, from
https://www.cyentia.com/wp-content/uploads/IRIS2020_cyentia.pdf
Poulsen, K., McMillan, R., & Evans, M. (2021, September 30). A hospital hit by hackers, a baby
in distress: The case of the first alleged ransomware death. Wall Street Journal. Retrieved April
27, 2022, from https://www.wsj.com/articles/ransomware-hackers-hospital-first-alleged-death-
11633008116
Nakashina, E., & Lerman, R. (2021, September 21). FBI held back ransomware decryption key
from businesses to run operation targeting hackers. Washington Post. Retrieved March 3, 2022,
from https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-
key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html
McMillan, R., Volz, D., & Hobbs, T. D. (2021, March 11). Beyond colonial pipeline, ransomware
cyberattacks are a growing threat. Wall Street Journal. Retrieved April 27, 2022, from
https://www.wsj.com/articles/colonial-pipeline-hack-shows-ransomware-emergence-as-
industrial-scale-threat-11620749675
Schifrin, N. (2021, October 15). International community joins forces as ransomware attacks
create major disruptions. PBS NewsHour. Retrieved April 27, 2022, from
https://www.pbs.org/newshour/show/international-community-joins-forces-as-ransomware-
attacks-create-major-disruptions
Lyngaas, S. (2020, March 16). Why the Norsk hydro attack is a “blueprint” for disruptive hacking
operations. CyberScoop. Retrieved April 27, 2022, from https://www.cyberscoop.com/norsk-
hydro-lockergoga-ransomware/
, Pearlson, K., Sposito, S., Arbisman, M., & Schwartz, J. A. (2021, September 30). How Yahoo
built a culture of cybersecurity. Harvard Business Review. Retrieved April 27, 2022, from
https://hbr.org/2021/09/how-yahoo-built-a-culture-of-cybersecurity
Rosenbaum, E. (2021, August 10). Main street overconfidence: America‟s small businesses aren‟t
worried about hacking. CNBC. Retrieved April 27, 2022, from
https://www.cnbc.com/2021/08/10/main-street-overconfidence-small-businesses-dont-worry-
about-hacking.html
Stackpole, B. (2022, March 15). How to build a culture of cybersecurity. Ideas Made to Matter,
MIT Sloan School of Management. Retrieved April 27, 2022, from
https://mitsloan.mit.edu/ideas-made-to-matter/how-to-build-a-culture-
cybersecurity?utm_source=thinkingforward&utm_medium=email&utm_id=cyberculture
The inside story of how Sony handled the biggest hack in history. Inc.Com, Associated Press.
Retrieved March 6, 2022, from https://www.inc.com/associated-press/sony-ceo-call-to-google-
got-interview-out.html
Treasury rakes robust actions to counter ransomware. (2021, September 21). US Department of
the Treasury Press Release. Retrieved April 27, 2022, from https://home.treasury.gov/news/press-
releases/jy0364
Yuan, E. S. (2020, April 1). A message to our users. Zoom Blog (blog). Retrieved April 27, 2022,
from https://blog.zoom.us/a-message-to-our-users/
Research Methodology
Though the protagonist and company in this case are fictional, they are representative of real-world
experiences. To avoid identification while simultaneously ensuring authenticity, this case is a composite
of several real-life situations, including, but not limited to, the following:
Colonial Pipeline Co. (2021)
JBS S.A. (2021)
Kaseya (2021)
New York Metropolitan Transportation Authority (2021)
Norsk Hydro ASA (2019)
Sony Pictures Entertainment Inc. (2014)
T-Mobile US, Inc. (2021)
United Health Services Hospitals Inc. (2020)
University of California, San Francisco (2020)
Zoom Video Communications, Inc. (2020)
Information about these organizations and their respective cybersecurity experiences is available in
the public record.
Teaching Plan
Preparation
, 1. Read or review an overview of the philosophy and assumptions of GVV. Ideally, students
should be grounded in the GVV process of analyzing situations and articulating how they
would voice solutions. To achieve this goal, the instructor should assign preparatory reading:
either “Ways of Thinking about Our Values in the Workplace” (UVA-OB-1126) or “Giving
Voice to Values: Brief Introduction” (UVA-OB-1203).3 Some faculty may also find it useful to
have students read “Starting Assumptions for Giving Voice to Values” (UVA-OB-1108).4 If
they wish to go deeper, faculty may assign “Scripts and Skills: Readings” (UVA-OB-1120).5
These documents can be found at Darden Business Publishing‟s online storefront; they are free
of charge.6
2. Students should read “Held Hostage in the 21st Century: Cybersecurity, Ransomware, and
Crisis Management (A)” (UVA-OB-1392) in advance of the class session.7
In-class activity
1. Reintroduce GVV
To start the class discussion, the instructor should remind students that the GVV curriculum makes
several assumptions:
Students will encounter conflicts in values among their peers, their customers, stakeholders,
and the norms of their environments, whether in the public or private sector.
The best way to deal with these conflicts in values is to be clear about one‟s own values,
and to know that one has the confidence and skills necessary to effectively voice and enact
those values.
Research suggests that thinking through the issues prior to encountering a difficult situation
and practicing what one will say are critical steps in preparing to give voice to one‟s values.
2. Students may work in teams--in advance of the class or during class--to address the GVV
discussion questions:
a. What values are involved in the situation? What is the values-based position that you, the
protagonist, want to take?
The instructor can introduce the problem by saying the following:
Imagine you are Anderson. You have both professional and personal values involved in this
situation. Professionally, as founder and CEO of Selah, you take seriously the value of
stewardship--safeguarding, promoting, and acting on behalf of the organization‟s interests.
Relatedly, as a steward of Selah, you want to demonstrate and reinforce the company‟s
three compass values: care, courage, and collaboration. Meanwhile, on a personal level,
your single-biggest pressure point is the value of integrity. Integrity in this situation for you
looks like honesty, following your convictions, and doing what you think is right rather
than what might appear to be easiest.
If Anderson wants to demonstrate these values in responding to the crisis, what might she
say and do?
b. What are your objectives?
3 Gentile, M.C. (2010). Ways of thinking about our values in the workplace (UVA-OB-1126). Darden Business Publishing; Gentile, M.C. (2010). Giving voice
to values: Brief introduction (UVA-OB-1203). Darden Business Publishing.
4 Gentile, M.C. (2010). Starting assumptions for giving voice to values (UVA-OB-1108). Darden Business Publishing.
5 Gentile, M.C. (2010). Scripts and skills: Readings (UVA-OB-1120). Darden Business Publishing.
6 Giving voice to values. Darden Business Publishing. Retrieved April 26, 2022, from http://store.darden.virginia.edu/giving-voice-to-values
7 Feehan, R., & Gentile, M.C. (2022). Held hostage in the 21st century: Cubersecurity, ransomware, and crisis management (A) (UVA-OB-1392). Darden
Business Publishing.
