You are forgetting the implications of tort law.
Even if a physical attack is very unlikely, the costs of the lawsuits which would occurs afterwards would make proceeding a rather risky thing either way.
Don't believe me? The lawsuit against the theater which didn't prevent the Aurora theater shooting continues: http://deadline.com/2014/08/ci...
I was thinking about this the other day. I tend to wonder if it would make sense to completely immunize companies from lawsuits over failure to provide adequate steps to prevent a terrorist and state-sponsored attacks as long as they comply with any direct government instructions and regulations. Victims of these attacks would be compensated by the government, which would be responsible for providing security.
The alternative is nonsense like this.
Companies should only be required to provide security to the extent that it is required by law. By all means pass laws like "you must have a state-certified security guard for every 300 people present on your property" or something like that, and then big venues would have to comply.
If Canada dropped 100 paratroopers on a hockey game and they proceeded to shoot up the place, would it make sense to hold the stadium responsible for failing to repel the attack? I don't see how terrorist attacks are any different, or how having warning makes a difference either. That just allows any nation to basically shut down operations in any other nation by making an idle threat. If the US threatened to bomb the next Olympics and did so, would it make sense to make any store in Rio de Janeiro liable if they stayed open?
If North Korea wants to threaten moviegoers they can publicize their threats themselves, and receive international condemnation in the process. If they just make semi-anonymous threats to the studio the studio should be under no obligation to publicize them, and face no liability if they choose to not do so. Moviegoers could then decide whether to stay away from the movies or not. This would actually deter attacks since the warning would probably have move of the desired effect than an actual bombing, but being forced to publicize the warning since nobody else would do it for them would hurt them. If they just sent a private warning that nobody heard and then bombed a theater, it would completely enrage the public and could very well lead to war.
If the original hack was state-sponsored (which I'm not convinced is the case, but I don't have access to the data), it will be interest to see what the response is. I saw some calling for a response of hacking the computers that were used in the attack, which would be completely pointless. First, being military in nature they're going to be very difficult to target at all, and they're almost certainly going to be backed up with the important stuff off-grid. Besides, the US has had no issues with mounting offensive cyber-war in the past, so to whatever extent that they can penetrate KP systems they're probably already doing it. KP is already under just about every sanction imaginable.
It seems like the only avenues of escalation would be along the lines of:
1. Ask China nicely to punish them.
2. Try to force China to punish them (likely via economic measures).
3. Ask the world (including China) to cooperate in some kind of firewall for nations that don't take hacking seriously. I could see this being some kind of treaty - signatories would grant/receive unfettered access to each other's networks. Non-signatures would be firewalled off (maybe force everything through an http+smtp proxy or the like). This would make network access a little more like other forms of border control.
4. Ask the UN's blessing on some kind of military action. (This obviously requires Chinese cooperation, but might be a way for them to save face - they would not actively support punishing North Korea, but they would not vote against it and would merely uphold their international duties in abiding by the decision.)
5. Take unilateral military action, such as a naval blockade. This might also be a way to allow the Chinese to save face - they could publicly decry the action but privately give pre-assurance to the US that they would not challenge the blockade. A naval blockade without private assurance from major powers that they would not run the blockade would be a diplomatic nightmare. The US probably has the power to enforce it at least for the short term, but a war with China isn't something that anybody actually wants, and it would be a very possible outcome if the Chinese challenged the blockade and were fired upon. Plus, sinking merchant ships isn't as fashionable today as it used to be.
I don't really see any other options open to the US that are likely to have any meaningful effect on North Korea, or a deterrent effect on anybody else. Option #3 above is more of a long-term solution that could be pursued independently of responding to this attack, but certainly playing the victim card could help make it happen. It actually could work as a deterrent as well as a preventative measure. You could block any VPN or encrypted traffic over the firewall (maybe with the exception of sanctioned news sites and such to allow access to dissidents), which basically makes it very difficult for companies to do business with those countries. I do recognize that getting repressive countries onto the internet has global security benefits as well, so this isn't an obviously-great solution.