
BSides DC 2016 - We Should Talk About This: Data Security as an Issue for Communication Research

BSides DC · 2016 · 43:13 · 76 views · Published 2016-11
Category: Policy
Style: Talk
About this talk
Data security is a very hot topic but, as is frequently the case, getting clear and accurate information about a hot topic can be hard. We have seen time and again organizations totally fail to communicate effectively about data security crises. This talk will present some theories of risk and crisis communication and how they interact with data security issues, and how scholarship has explored data security and privacy concerns.

Claire Tills (Doctoral Fellow at University of Maryland)

Claire is a doctoral fellow at the University of Maryland studying Public Relations with a focus on data security issues. Before starting graduate school, she worked in technology PR with W2 Communications. She has had work presented at the International Communication Association Annual Conference and the National Communication Association Conference. Her current research focuses on examining communication during data breach crises in order to explore the applicability of existing crisis communication theories.

Thanks to our video sponsors: Antietam Technologies http://antietamtechnologies.com, ClearedJobs.Net http://www.clearedjobs.net, CyberSecJobs.Com http://www.cybersecjobs.com
Transcript [en]

The BSides DC 2016 videos are brought to you by ClearedJobs.Net and CyberSecJobs.com, tools for your next career move, and Antietam Technologies, focusing on advanced cyber detection, analysis, and mitigation. Okay, good morning. If you are here for 21st Century War Stories, I am not Ben. There was a change in the program about a week ago, and so today I'm going to be presenting the talk titled, We Should Talk About This, Communication Research Perspectives on Information Security. So just to get that out there, my talk, like I said, is going to be focusing on a communication research perspective on InfoSec issues, primarily data breaches. My name is Claire. I am a doctoral student in Public Relations at the University

of Maryland. So I ask for a charitable ear when I talk about some of the more technical aspects. I'm doing my best. But if you have a correction, question, anything, please don't hesitate to raise your hand and we can have it be more of a discussion than me talking up here for 50 minutes, because 50 minutes is a really long time. So I began my studies in 2014 with a focus on crisis communication generally. Because I started in 2014, the majority of crises I was reading about were data breaches. 2014 has been called the year of the data breach, and I saw data breach response floundering from a communication perspective. And I thought, I can fix that. Two years later, and I'm still trying to tease apart the

complexities that are data breaches and how organizations might respond to one. In my defense, I'm also a full-time graduate student, so hopefully I can get a little more progress done once I start writing my diss. Still, examining data breach response from a communication perspective is important and breach response needs to be done better for the sake of organizations' reputations, individual sense of well-being, and everyone's sanity. So to many from the C-suite down to the consumer, data breaches are both an unknown commodity and a regular occurrence. I can talk to almost anyone and find out that their personal information has been breached some way or another, but they have no idea what that actually means. This strange duality of breaches is something that's really

stumped me in pursuing my research and something that I just have to circle back to once I get a better handle on things that are happening now. So first I want to start by walking through the process of my research so far. I want to discuss some of these well-established crisis comm theories, how they relate to data breach response now, and how I see them informing future more successful breach response. So if we take a look at some of these

news headlines recently, you can see that breach response is not going well. There are lawsuits coming out, there are congressional hearings, pretty much everyone is agreeing that data breach response, the communication organizations are putting out after a data breach, sucks. And so we're going to start off by looking at the landscape of the breach response and some of the stumbling blocks there specific to communication. So a data breach is a crisis. It's a significant threat to operations that can have negative consequences if not handled properly, which is the definition of a crisis. And the first stumbling block that we see in this handling properly aspect is that most organizations don't have a crisis communication plan at all, let alone one specific to a data breach. And

without a plan, everything is done by the seat of their pants and things are being made up as the situation progresses, which is not ideal in any crisis, particularly a data breach. The second stumbling block is this knowledge gap in most communicators or spokespeople for an organization. PR professionals, their job is to be an expert in their client's business. Typically, that business is not information security. So the PR Pro doesn't have the necessary knowledge to talk about a data breach well. And this leads into the next issue. When responding to a data breach, departments and organizations that may have never worked together before have to play nice. They have to collaborate, they have to share knowledge. And that is especially difficult when you're going from deeply

technical information to the public. There's this translation process that is not easy to do and so far is being done very poorly. Finally, all of this has to be done under the regulation of unfamiliar and extremely confusing laws. Data breach disclosure laws are a mess and any time an organization's information is breached they have to follow these regulations that pretty much no one understands. So, this doesn't look good. What do we do now? What I did was I turned to my trusty theories. I am a scholar and I find comfort in theoretical approaches. What does research say we should do to respond to these crises? So at this point, I'm gonna present two major theories of crisis communication, the crisis and emergency

risk communication model and the situational crisis communication theory, CERC and SCCT respectively.

So I looked at CERC because it integrates risk and crisis approaches. So it offers specific guidelines on how to communicate about preparing for a crisis. Nothing's gone wrong yet, but you want to tell the public about particular risks that they might face. And then it also gives specific guidelines on how to communicate once a crisis is happening. And it takes this cyclical approach. There are five stages of this cycle and each stage has various communication guidelines and they're good, they're specific. They say exactly what sort of messaging you should be releasing at given times. That's partially because this was developed by the CDC in conjunction with several different researchers in response to threats of bioterrorism. So it was originally inspired by the

anthrax attacks and has been developing ever since. And because of that, the government likes specific guidelines, they like cycles, they like stages, and that's where we get CERC.

And so CERC asserts that you have to be talking about the risks all of the time. You don't want to just wait until a crisis happens and then start talking about risk. are talking to the public about the chances of a crisis happening, what they can do now to prevent a crisis from happening, or what they can do now to reduce the damages of it happening down the line. And that's what you do in this first pre-crisis stage. Once there's a triggering event, there's a terrorist attack, a data breach, a natural disaster, the priority of your communication becomes reducing fear and uncertainty by telling people what to do to protect themselves. Shelter in place, evacuate,

board up your windows, get in your tub, whatever that messaging is to keep people safe. That's the priority. Another thing you might need to do is tell people whether they are actually at risk. Here's how you know if your data was part of the system that was breached. And if it wasn't, don't worry. If it was, here's what you can do to protect yourself. Once the crisis has been resolved, you get into the evaluation stage. You talk about lessons learned and this is also, according to the model, the time when the media and the public start critiquing response. So CERC is an excellent approach, but there are a few problems when trying to apply CERC to data breaches. Does anybody have any guesses as to what a problem might

be?

The public turns off and they don't want to hear about it, so the public isn't really engaging with this cycle. Any other guesses? The ones that I see are problems of timing. So CERC is based on the assumption that crises have these compressed time frames. So there's a triggering event and things kind of zoom in and everything goes very compressed. You have immediate actions to take. Everything's happening very quickly. Usually you think about a crisis happening over days or weeks, whereas we look at data breaches and that's not the case. It's difficult to determine the beginning or end of a breach and it's especially difficult to communicate those beginnings and ends to the public. And the critiques from the public and the media begin almost immediately.

They don't have any more patience. They're tired of hearing about these breaches and excuses from organizations. So CERC is a great approach, but it's not quite in the place where it can be applied to data breach communication yet. Another problem I see is public understanding of the risk. What's the likelihood that someone is going to be impacted by a data breach? How frightened should they be of being a victim of a data breach? And most importantly, what can they actually do to reduce their risk or prepare for a breach? Eventually, I'd like to answer all of those questions and have a campaign that publicly informs everyone to the answers of those questions, but we have to work with the information that the public has now because

these breaches are happening and companies are a mess when they're responding. So after all of this I started to realize that there might be another approach. We might need to take this from a different direction. So rather than looking at a theory and trying to use it to develop recommendations, maybe I should go at it from the other direction. I looked at communication from organizations responding to breaches to try and see if any existing theories describe what's happening in the data. And so the way I did this was I collected any sort of communication about a breach from a couple of organizations. I looked at press releases, public statements, media articles, lawsuits especially, all of these different forms of communications and I

just read all of them. And I collected information and sorted it based on themes. And we'll see some of the quotes that I've collected as what we call exemplars. And so what's this, this is called discourse analysis. So we're looking at communication to draw conclusions. We're looking at all of this messaging to figure out, okay, what is the organization saying, how can it be kind of lumped into themes, and how can you make conclusions from that? And from that, I was surprised to find that the data I was looking at almost perfectly illustrated another major theory in crisis communication, SCCT,

Situational Crisis Communication Theory. It's by Tim Coombs and it's based on the attribution of responsibility. So who's at fault for the crisis? Depending on that responsibility, there's sort of a formula or script to follow for your response. Crises are grouped into three clusters: victim, accident, and preventable. In the victim cluster, I like that they're called clusters because that kind of really illustrates what's going on. You have gotten yourself into a cluster. And so, thank you. In the victim cluster, the organization has low responsibility for the crisis. And so this is where there's a malevolent attack against the organization, a natural disaster. There wasn't really anything the organization could do to prevent this crisis from happening. Accidental, they've got a little bit more responsibility, but not

quite as much as preventable. And so under the preventable cluster, these crises are,

sorry, brain fart. These are human errors or organizational misdeeds. So either the organization or someone representing the organization takes an action that causes harm. And

When you've decided which cluster your crisis falls under, SCCT offers you several different response strategies you can use. But what's a problem we might see here? Where does a data breach fall in these clusters?

Usually preventable. And that's why I kind of stayed away from SCCT, because when I looked at the communication, most of these organizations are not acting as if they have responsibilities here. Most of them are operating under the victim cluster. And so we'll look at these response styles now. So first, in the victim cluster, you have the deny grouping. You want to deny that the crisis happened because you were the victim. You want to show strength. You want to just move on from whatever has happened. You might focus blame on an external entity, really focusing on the fact that the organization had no responsibility whatsoever, and that's within the deny. So you have attack the accuser, create a scapegoat, or deny that anything has happened.

In the diminish approach, which is associated with accidental crises, you want to focus on an inability to control the event that led to the crisis or try to minimize the perception of damage. So, you know, the crisis really wasn't that bad. It was just an accident. We're not at fault. We couldn't help it. And then finally, with preventable, you're trying to rebuild your reputation because you were responsible for the crisis. The organization apologizes, it provides compensation, and it takes corrective action. So not only did my data show SCCT in spades, it also showed a major limitation of this theory and the reason that many scholars have started to move away from SCCT. What happens when the

public and the media and experts attribute responsibility to the organization, but the organization doesn't want any of it? They are a victim and they operate under these response strategies. What happens then? And what happens then is not good. So a foundation of crisis communication and SCCT is the idea of framing and it helps me explain why data breach responses fail. So according to framing theory, reality is created by one entity, an organization, a person, what have you, using language to convince others to adopt their way of understanding a particular situation. So one of the first ways that this was brought into crisis communication was when the word terrorism is used in association with particular events. That really changes the way the public perceives it.

So using framing to frame something as terrorism can really change response. This theory is particularly important for SCCT because an organization can only really use it well if everyone agrees on a single characterization of the crisis. If there is an agreement, the response strategies won't work and we'll take a look at how far they cannot work.

Exactly.

Exactly. And that's sort of why I wanted to move away from SCCT, but I looked at the data and the data's like, no, as an organization we are communicating based on these clusters, we're using these response strategies and we're not learning from our mistakes. So in the cases we see here, the media, the public, they never adopted the organization's victim frame of the crisis. They weren't buying it. They almost immediately and vehemently rejected these frames. They said, you are not a victim. The public whose information you lost, they're the victims and you need to behave accordingly.

So what I saw was a lot of communication that fits within the deny and diminish response strategies. Both organizations refused any sort of responsibility. And so there's some quotes up here, but I have them down here, so I'll read them. Nothing in this letter should be construed as the OPM or the US government accepting liability for any of the matters covered by this letter or for any other purpose. And this was one of the first pieces of communication that came out was, we're not at fault, you cannot attribute liability to us because we said so. Occasionally, organizations deny anything has happened at all. This usually isn't done when they actually have the full information. It's based on a lack of information. They haven't figured

out the full extent of the breach. Neither OPM nor US-CERT have identified any loss of personally identifiable information for any users of OPM's internal or external systems. Six months later they released that that's wrong to the tune of about tens of millions of people's PII. So usually it's not malicious. They're not trying to pretend nothing happened, it's because they just don't know that anything has happened. And that's one of the biggest issues with data breaches: we can't figure things out quickly enough to inform the public well. Most commonly, the organizations are trying to diminish the crisis, diminish their responsibility for the fallout. And they do this by framing the breach as unavoidable, not because the organization didn't do enough to secure

their systems, but because, and this is a quote, the attack was unprecedented in nature. The malware was undetectable by industry standard antivirus software and was damaging and unique. And in fact, the scope of this attack differs from any we have responded to in the past. And these are from Sony and the Office of Personnel Management respectively. They might have helped save the organization's reputation if they hadn't been almost immediately challenged by the media, security experts, and the public in general. So again, the media, led by a lot of these security experts, people who know what they're talking about, are contesting these frames that the organization is trying to use and pretty much demolishing their data breach

response and showing them that the way they're trying to handle these, the frames that they're using, aren't acceptable. We see some instances of compensation they offer of identity or credit monitoring for a year has practically become cliche. You know, okay, well, I shopped at Target, now I've got free credit monitoring, does that actually help me at all? And even people who don't know for sure are like, I don't think that helps me even a little bit. It's meant to make me feel better, and it doesn't work. So their compensation is usually pretty

lackluster. The biggest missing factor though is an apology. Ponemon's study in 2014 found that 43% of consumers who ended their relationship with an organization after a breach might have reconsidered if they had received a sincere and personal apology. So we take a look at the University of Maryland, and so I'm a student of the University of Maryland, I went there for my undergraduate, so I was part of the data breach in 2013. My data was lost and I received all of their breach response, which kind of started me on this path. And they started off by apologizing. The first message they sent to their public was an apology. They said we need to do better and we are going to do better. And if we compare the cases

we see Sony and Office of Personnel Management have both been sued. And it's understandable that an organization wouldn't want to take full responsibility for something. Legally, that is insane. There's no way an organization's legal team would let them apologize for a data breach. But we see with University of Maryland, they apologized, they said they were going to do better, and they ended up looking a lot better than a lot of other organizations who experienced breaches. There are definitely other things to consider when comparing these cases. It's not a one-to-one, if you apologize, you won't get sued and everyone will love you, but seeing the rage targeted at Sony and Office of Personnel Management in their lawsuits, a lack of apology might be something to think

about. So maybe if they had just apologized, given a little bit to these victims, things might have gotten a little bit better. Beyond the lack of apology, a major critique of this breach response in both cases has to do with timeliness and completeness of information. And I touched on this a little bit. And this is where data breaches kind of refuse to fit within crisis communication principles. Good crisis communication should be both timely and accurate. Those two characteristics can be mutually exclusive for data breaches. It takes more time than people are willing to tolerate to come up with the correct information, the full extent of the breach. Like I said, OPM went in six months from nothing is wrong to holy shit.

And that's not something that people have toleration for. And it went in steps. Yeah. Not this big, not this big, not this big.

Exactly. They're trying to cover their ass. They're trying to cover themselves because they knew from the start how bad it was and they didn't want to tell us. But then other people started finding out and they had to come clean. And that's the perception that people are getting. And so I'm trying to figure out how to reconcile this. A data breach is a crisis and we have to use crisis communication to respond. But data breaches don't let you do that. They don't let you follow good practices for crisis communication. So the public doesn't understand or have patience for the timeline an organization needs to figure out their breaches. The OPM have not disclosed in a timely or adequate manner the facts surrounding how the breach happened. SPE,

so Sony Pictures Entertainment, delayed confirming the data breach and left its employees in the dark about the scope of the breach and how they and their families were impacted, all of those things. So I have quotes for days talking about how poorly the data breach response was particular to getting the correct information out in a timely manner. And that's something that I am working most to figure out is how can we communicate effectively? How can we tell them we're trying to figure this out but we don't have information for you in a way that they're actually going to tolerate and isn't going to escalate things. An escalation is really something we're seeing a lot. People

whose information has been breached react emotionally, and these emotional responses keep being escalated by the organizations. The organizations are being seen as cold, they're covering themselves, they're only concerned about their own intellectual property and not the safety of the people that they have harmed. And so we see one of these quotes from the lawsuit against Office of Personnel Management. It was the beginning of this terrible, awful experience that would stretch on forever and ever. And that's this idea that once your personal information has been breached, you are vulnerable forever. There's nothing to be done about it. And organizations aren't taking the gravity of that when they're doing this response, at least the two that I've looked at so far. So when I first started researching breach response,

I didn't want to look at SCCT because I felt it takes too simplistic an approach to the attribution of responsibility. However, I had to follow the data, and current examples show that SCCT is what's being used. And I don't know if the organization is intentionally using SCCT, if they have crisis communicators who come in to help and that's what they know, so they go with that thinking, okay, well this is what we do for any other terrorist attack, any other crisis. We use SCCT, let's do it here. And they are finding, okay, that was a terrible idea.

I use these extreme cases, which obviously they are, they're kind of the worst case scenario you can find, to illustrate my argument that the current approach to data breach response doesn't work, and to start kind of helping me figure out what will. Is there a way we can tailor these crisis clusters to fit better into a data breach? And my future research is hopefully going to address that. Hopefully I can also get other scholars to help me out because at this point it's just me as far as I know. So if you have any advice or help.

That's excellent. And so that's something that I would want to test is, is there a benefit to having sort of negotiations almost, or having someone from the public in the room? I think that's something that activism research talks about a lot. And we see in some of these breach response catastrophes that advocacy and activism are engaged. So these two were mostly with internal publics. Employees of the organization were the primary victims and those employees start advocating for themselves and start going against the organization. So perhaps setting up a program or a system where they're allowed in sort of behind the scenes to see that process and better understand. That might be a great way of taking it. And so I am pursuing this by starting looking at

public perception. What does the public know? What do they need to know? What is their level of fear? What should their level of fear be? So I wanna start with the public, get an idea of what they know, what their response is like, and then talk to experts. See where the gap is between the public and the reality of the situation. And then finally, I need to go and develop a program, a plan, a training, a program, a model, what have you, to tell communicators, the people who are facing the public, translating from the experts to the public, tell them what the public needs and then how to actually translate that. My background is in

technology PR and luckily I didn't work with any consumer-based organization so I didn't actually have to do a lot of that translation, but it is a field of communication all in and of itself. How do you talk to the public who knows nothing about these deeply technical issues? So I have to bring that component in. And then finally, what are these protective actions? What can people do to avoid the risk before it happens or respond to the risk once the crisis has erupted? So we know that the credit and identity monitoring isn't sufficient, but is there anything they can do? Because efficacy, this idea that in response to fear, you have high fear and you don't know what to do, you freeze. Where if you have low fear,

you don't know what to do, you just disconnect. You don't care, and that's where we are right now. People don't know whether or not they should fear data breaches and they don't feel that there's anything they can do to avoid them, so they just kind of throw up their hands and, like, okay, well, I guess I'll get a new credit card every six months because I've been breached by something or other. My fingerprints are out there. Oh, well, hopefully nobody pretends that I'm dead. And so trying to figure out what can actually be done is a very important step that isn't there. And I'm struggling to kind of put my brain around it. And so at this point, I'd like to open it up to you guys. Get recommendations, get

questions, anything like that.

Yeah, I think that would be a useful component of data breach response legislation because right now it's, you have to notify people that there's been a breach within 24 hours. Within 24 hours of what? So yeah, I think increased punishment is something that would make the public feel better.

And I think also what we want to do is think about also the public perception. So if the public knows that there is a monetary attachment to handling these things wrong, they'll pay more attention. They'll know, okay, this is a serious issue. And if it is screwed up, I should be aware of what's going on. Any other ideas for protective action or things that people can do?

Yeah, and so that's where I would like to get back to CERC. So the cyclical approach of even when you haven't been breached, you're talking about data breach. You're talking about, okay, what do you do once it happens? And...

Exactly. That's what... Having a publicly facing plan of when, they wouldn't say when we discover the breach, but the subtext is when we discover this breach, this is what we're going to do. We are going to compensate in these ways and we will take responsibility. And another thing that I'm seeing is people asking, why are you keeping this stuff? In University of Maryland, it was social security numbers, personal information for people who graduated in 1982 I think. And so in 2013 they're like, why do you still have my social security number on file? And so I think part of it is justifying well why an organization needs to keep the information or creating policies so they're not

keeping information they don't need to have. And I think that's where organizations are floundering a lot, because they're like, it's my data. I want to keep it. I have to have all of it all of the time. I might need it later. And they're hoarding this data. And then they get breached, and people are like, I have not been a part of this organization for decades. You should not have my information. How are you legally allowed to still screw up my life this badly? So I think having a posture of either getting rid of information on a certain basis, having some policy that's publicly facing so people know, you know, if I get into this

organization, if I shop at this store, if I do this, if I do that, they will have my data for X number of years or for this long. Or knowing, you know, after you're done with this organization within three months your data will be cleared. That will create a level of trust. And then also, if you can't get rid of the data, if you need to keep it as an organization, telling the people why, like, okay, we need this information to better serve you, and justifying that and articulating it clearly, I think can kind of help reduce that rage once things hit.

I don't have the tech background to know how to do that, but I do have the communication background to know that the organization can frame that issue in a way that convinces people. So they can say, it's on this backup, there's like, if we were to routinely clear these backups every five years, it would increase your fee for interacting with this organization X amount. And it would probably be a hefty number. And so it's that sort of, speaking to the public in terms they understand. So either you're saying we have to use this information, we have to keep this information to help you make your experience better, or we can't get rid of this information because it's just too expensive. You might get

a little bit of pushback, but you're showing this level of transparency that builds trust with the public and kind of protects you when things start to go wrong over in the back. Two point one about opinion purpose.

Exactly, and that's what I've been kind of struggling with is public information campaigns about data security are not in existence right now, and they should be. They should be around. We need to tell them what's going on so they can better react to these and know what's going on. Yeah.

Yeah, and that's absolutely.

Yeah, I got a new card from my bank at one point and I never figured out which organization was breached. I was like, okay, I have a new card and it tells me, oh, well, somewhere you recently shopped was breached so we sent you a new card. And I'm like, who? I follow the news and I can't figure it out. So is this a secret breach? And so this public information is sort of the pie in the sky that I want. I want these wide reaching public information campaigns that say, this is why you need to care about your personal information and this is why you need to be a little bit scared of a data breach. And you know, there are horror stories, people who have been reported

dead because their identity was stolen, people who have other people go to the hospital using their information and so their insurance gets charged. And there are these horror stories, but they're such a small portion of the population compared to the number of people whose personal information is out there. Most people never actually get impacted other than, oh, well, now I have to memorize a new credit card number. That's the only thing.

Exactly. And so what I kind of want is to empower the communication person in the room, the PR professional to say, here is research, here are numbers, here's things backed up by reality that say, you're going to be screwed if you do this. And so taking a theoretical, a research-based approach to communication has become more of a value for especially the government departments like DHS, DOD, they work through the University of Maryland and other universities to develop training programs, to develop guidelines based on research. And hopefully that will then trickle down to these organizations and kind of see the value of the person who does communication in the room saying, okay, well I have, here's a 20 page document written about how badly

Sony messed up and why communication was one of the big reasons. And what it costs. And I think tied back to what you were saying, the idea of having fines associated and liability of even if you don't get sued, you have to be accountable for this. I think that is a really important step to this.

Yeah, and we see a lot of times with, especially information security, people catch them more than a lot of other things that get covered up because there are ways for security professionals to find things out and to leak it. A lot of times people are hearing about breaches from the media, from security professionals, before they hear from the organization itself. And so I do agree that the cover up isn't as likely here, but I think incentives are not a bad way to go, carrot and stick at the same time. So there are fines associated with screwing up, but there are also incentives for having a data breach response plan that involves communication. I think that's a big step that isn't difficult to do. But does anyone know

if their organization has a crisis communication plan? Any? Yes, I know my organization does not. Does not, yes. So most organizations don't have one for responding to an active shooter, let alone a data breach. And we've seen today that even having one for a typical crisis isn't necessarily sufficient for a data breach. And I think a data breach response plan needs to have components of technology and communication to really be effective. So I think I'm getting up on my time, so we'll take a couple more.

One time in the last year. Yeah.

I ask that question at a lot of the conferences that I present at or talks I do. Communication people because they're, like I said, I'm one of the few people who's actually studying data breaches from a communication perspective. There was one person in North Carolina and I think she gave up. So I have to kind of convince them, like, this is worthwhile, here's why I'm doing it. I'm like, okay, tell me if your data has been breached. Okay, tell me what that means. Crickets. So thank you guys so much for your time and attention. My email address is up here. If you would like to reach out, I'll also be hanging around for a little

bit. But yeah, thank you guys so much.
