There are a lot of projects that I want to do, a lot of questions I want to explore. Unfortunately, I don't have the time and resources to conduct some of this work. I wanted to share some of my larger project ideas to maybe start conversations about how this work can get done or inspire other people to ask similar questions.
Ransomware case study/studies
I'd like to do an exploratory case study (ideally multiple case studies) of the communication surrounding ransomware incidents. Some questions I would look to answer: How does the media report on these types of incidents? How do the affected companies communicate with customers, employees, the public, etc.? How do those audiences react to these messages?
Typology of infosec incidents
I want to try to categorize information security incidents in some meaningful way that reflects the different communication needs of the various incidents. Crisis communication has the Situational Crisis Communication Theory, which sorts crises based on attribution of responsibility. I've talked about how this categorization doesn't fit many infosec incidents, so I'd like to develop a categorization that does.
Barriers to security
I've mentioned this a few times in blogs and talks - we need to know for sure what is holding people back from being more secure. Why don't organizations invest more resources? Why don't people use 2FA? I'd like to put together a survey, or maybe some focus groups, to better understand the real barriers and constraints people perceive when making decisions about security. We can't design reliable communication programs until we have this data. I'd like this to be a scalable, adaptable program that can be used for a variety of audiences.
The gravitational force of infosec crises
This is a weirder one, but it totally fascinates me. I've noticed that with recent major incidents, tangentially connected entities are getting pulled into the s*** storm. The gravitational pull of the Equifax breach was truly impressive. I want to understand this phenomenon a little better. How does an organization respond when it's not actually their crisis? Related to this is how organizations handle a crisis that impacts them but was caused by a third party. If you contract with a company that was breached, what do you say?
Attribution is a sticky concept in infosec. Responsibility is hard to pin down, but the public has certain expectations when we talk about incidents like data breaches. Crisis communication best practices also rely heavily on attribution of responsibility. How can communication better reflect the reality of attribution in infosec?
Responses to infosec communication
How do the recipients of breach notifications and other forms of infosec communication perceive these messages? I have a lot of opinions about breach notification and incident response communication, but in order to improve it, we need to know what the audience thinks about the communication they currently receive. We can also learn what they need from that communication through surveys and focus groups.