Reflections on information security from a social science perspective

There are countless reasons people write. There are maybe even more reasons people don’t. Twitter is chock full of writers’ woes about the difficulty of writing when they want to, especially when they need to. I want to explore some of the reasons I haven’t written for...

My last post was a case study of A.P. Møller-Maersk's communication is response to the NotPetya incident that took some of the company's global systems offline in June 2017 and the narratives carried by the news media in covering the incident. In this post, I want to w...

A.P. Møller-Maersk's Chariman Jim Hagemann Snabe said on a panel at the World Economic Forum in January 2018 that "we were basically average when it comes to cybersecurity, like many companies, and this was a wake up call" he also said "we chose a very open dialogue ar...

One aspect of breach response and communication that's fascinated me has been the gravitational field incidents can have. Especially with the major incidents, organizations that weren't involved, or only involved very distantly, forced to respond to the incident. 

This...

There have been enough large-scale data breaches in the news that people now have expectations for how companies respond. There's a script. This script doesn't necessarily leads to successful responses. It just means that people expect companies to communicate in certa...

Speaking the same language as your audience is important. In most cases you're already speaking the literal, high-level language of your audience but it's a lot more nuanced than that. Language at a lower level is one thing that trips people up on the way to understand...

There are a lot of ways to think about audiences of information security messages. Your relationship to your audience influences how you communicate with them. Why are they listening to you? Are you part of an internal team - are you communicating with your coworkers -...

Last post, I went over two methods for understanding or segmenting your audience. The first was based on the influence you have over your audience - why are they listening to you in the first place?

• Affinity

• Required to listen

  • Structural reasons

  • ...

I've mentioned a caveat in a few of my previous posts and talks that "it depends on your audience." Now I want to dive into that caveat a little and talk about the audiences for infosec communication. How does your audience change your communication? 

When you're planni...

There are a few more things you might want to consider when you're using benefit framing for infosec. These are slightly more advanced considerations but they're at least worth having on your mind.

"Topping out"

This is the idea that certain people won't respond to your...