I'd like to do an exploratory case study (multiple case studies ideally) of communication surrounding ransomware incidents. Some questions I would look to answer: How does the media report on these types of incidents? How do companies affected by them communicate to customers, employees, the public, etc? How do those audiences react to these messages?

I want to try to categorize information security incidents in some meaningful way that reflects the different communication needs of the various incidents. Crisis communication has the Situational Crisis Communication Theory which sorts crises based on attribution of responsibility. I've talked about how this categorization doesn't fit many infosec incidents so I'd like to develop a categorization that does.

I've mentioned this a few times in blogs and talks - we need to know for sure what is holding people back from being more secure. Why don't organizations invest more resources, why don't people use 2FA, etc. I'd like to put together a survey, or maybe some focus groups, to better understand the real barriers and constraints people perceive when making decisions about security. We can't design reliable communication programs until we have this data. I'd like this to be a scalable/adaptable program that can be used for a variety of audiences.

This is a weirder one but it totally fascinates me. I've noticed with recent major incidents tangentially connected entities are getting pulled into the s*** storm. The gravitational pull of the Equifax breach was truly impressive. I want to understand this phenomena a little better. How does an organization respond when it's not actually their crisis? Related to this is how organizations handle a crisis that impacts them but was caused by a third-party. If you contract with a company that was breached, what do you say?

Attribution is a sticky concept in infosec. Responsibility is hard to pin down but the public has certain expectations when we talk about incidents like data breaches. Crisis communication best practices also rely heavily on attribution of responsibility. How can communication better reflect the reality of attribution in infosec?

How do the recipients of breach notifications and other forms of infosec communication perceive these messages? I have a lot of opinions about breach notification and incident response communication but in order to improve the communication, we need to know what the audience thinks about the current communication. We can also learn what they need from communication through surveys and focus groups.