A framework for effective corporate communication after cyber security incidents

Abstract: A major cyber security incident can represent a cyber crisis for an organisation, in particular because of the associated risk of substantial reputational damage. As the likelihood of falling victim to a cyberattack has increased over time, so too has the need to understand exactly what is effective corporate communication after an attack, and how best to engage the concerns of customers, partners and other stakeholders. This research seeks to tackle this problem through a critical, multi-faceted investigation into the efficacy of crisis communication and public relations following a data breach. It does so by drawing on academic literature, obtained through a systematic literature review, and real-world case studies. Qualitative data analysis is used to interpret and structure the results, allowing for the development of a new, comprehensive framework for corporate communication to support companies in their preparation for and response to such events. The validity of this framework is demonstrated by its evaluation through interviews with senior industry professionals, as well as a critical assessment against relevant practice and research. The framework is further refined based on these evaluations, and an updated version defined. This research represents the first grounded, comprehensive and evaluated proposal for characterising effective corporate communication after cyber security incidents.
