So, what are we talking about here?
My background is in crisis communication and I wanted to start off by explaining how I see the overlap between information security and crisis communication. Most scholars see crises as cycles, there is debate about how many stages there are and what they should be called but the cyclical approach is widely accepted. The simplest one is three stages: pre-crisis, crisis, and post-crisis. The CDC, however, has their Crisis and Emergency Risk Communication (CERC) program that takes a more complex approach with five stages:
There are a lot of places to get more information about how crisis communication works (some of them are referenced below). What I want to focus on is the fact that these cycles assert that crisis communication should be an ongoing process. At a bare minimum, there should be some planning going on when the crisis hasn’t hit yet. Every organization needs to think about what crises they might end up facing and how it’s going to respond. While the “when, not if” idea of data breaches has been spreading, organizations still don’t seem prepared to talk about them.
My initial research into data breach crises indicated that companies were responding to data breaches in a similar way to other, more traditional crises. Their responses fit well within a prominent theory of crisis communication: the Situational Crisis Communication Theory (SCCT). SCCT is based on attribution of responsibility. Depending on how much responsibility can be placed on your organization, you use different response strategies.
Source: Claeys, Cauberghe & Vyncke (2010) adapted from: Coombs (2007), p. 168 and 170.
However, a lot of data breach response goes dramatically awry. The first cases I looked at were Sony and the OPM which both meet that description. There are many reasons breach response can go awry but one specific to the crisis communication aspect of it is the fact that data breaches don’t behave like other crises in a lot of ways. Details that organizations typically rely on for responding to traditional crises aren’t as reliable for a data breach. Answers to the five Ws and one H (who, what, where, when, why, how) aren’t clear cut.
Based on these early findings, I've been exploring the ways in which infosec crises are unique and how crisis communication theories like SCCT can be adapted. Future posts are going to get into this with more detail. This is the starting position for the rest of this blog. Crisis communication principles generally, and SCCT specifically.
Claeys, A. S., Cauberghe, V., & Vyncke, P. (2010). Restoring reputations in times of crisis: An experimental study of the Situational Crisis Communication Theory and the moderating effects of locus of control. Public Relations Review, 36(3), 256-262.
Coombs, W. T. (2007). Protecting organization reputations during a crisis: The development and application of situational crisis communication theory. Corporate reputation review, 10(3), 163-176.
Crisis & Emergency Risk Communication resources from the CDC