We Should Talk About This: Data Security as an Issue for Communication Research

BSidesDC 2016

Presented by: Claire Tills
Date: Sunday October 23, 2016
Time: 09:00 - 09:50
Location: Grand South
Track: Track 1

Data security is a very hot topic but, as is frequently the case, getting clear and accurate information about a hot topic can be hard. We have seen time and again, organizations totally fail to communicate effectively about data security crises. These failures can be traced most reliably to the fact that the role of a PR practitioner is to be the expert in the client's business and, in most cases, this does not include expertise in data security or data breach response. This lack of knowledge complicates successful response (and leads to some aggressive face-palming by those in the know). My intention, and a very few others in my field, is to better understand data security crises from a perspective that will help communication professionals better prepare for and respond to such crises. To do this, scholars are looking at several theories and areas of scholarship for guidance. Some scholarship in risk and crisis communication sees the two as complementary components of effective response. Crisis and Emergency Risk Communication (CERC from now own) has become a leading approach to both scholarship and practice Â<8a>Â<97>Â<96> adopted and promoted by the CDC Â<8a>Â<97>Â<96> to integrate risk and crisis communication approaches to improve preparedness and resilience. This integration seems to make sense for data security issues as well. According to CERC, communication has different goals depending on the stage of risk or crisis. As the risk progresses and becomes a crisis, communication transitions from a focus on preparedness to uncertainty reduction and self-efficacy. Once the crisis has been resolved, communication focuses on the new understanding of risk gleaned from the crisis and new preparedness measures taken. The overarching goal throughout this entire process is to give the public a more accurate understanding of the risk and direct their decision making towards ideal protective action. While this may sound sensible in theory, it becomes extremely complicated in practice. Communicators have to have a rational understanding of the risk themselves, they have to know what the protective action is, and what barriers the public might have to taking those actions. These are difficult things to know and I hope that my research will make some of it more general knowledge, at least for crisis communicators. There are people who have this information and people in charge of communicating it to the public and they are frequently siloed from each other by organizational structure, or culture, or just time limitations during a crisis. Â<8a>Â<97>¢ What is a "rational understanding of risk" in these cases? o How scared should people be? Â<8a>Â<97>¢ What are some protective actions to be taken before and during such a crisis? Â<8a>Â<97>¢ What barriers are there against people taking these protective actions? These questions represent the future of research in this area as I see it. I started my program of research by looking at how data breaches have been communicated about to get a baseline, if you will, from which to improve. In looking at communication about recent data breaches, one theory stood out based on its ability to explain what was going on in the data Â<8a>Â<97>Â<96> Situational Crisis Communication Theory. At a high level, SCCT asserts that crisis response strategies should be based on attribution of responsibility. In some crises, responsibility is fairly cut-and-dried but I saw in multiple cases that responsibility for a data breach is hard to pin down. The organization and public disagree on where responsibility sits and that creates conflict. If the organization responds as if they were the victim, the public isn't likely to get the apology they expect based on their attribution of responsibility on the organization, leading to outrage. This cycle of mismatched crisis response leading to outrage (and sometimes lawsuits) reaffirmed my belief that those in charge of communicating about these crises don't understand them well enough to do so effectively, driving me toward the questions above. I want to learn what experts know about data security risks, what the public thinks about them, and how communicators can bridge any gaps.

Claire Tills

Claire is a doctoral fellow at the University of Maryland studying Public Relations with a focus on data security issues. Before starting graduate school, she worked in technology PR with W2 Communications. She has had work presented at the International Communication Association Annual Conference and the National Communication Association Conference. Her current research focuses on examining communication during data breach crises in order to explore applicability of existing crisis communication theories.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats