tl;dr: This paper by academics from the University of Warwick and the University of Kent, UK, lays out a framework for how organizations should communicate after a security incident.
Richard Knight, Research Student, University of Warwick, UK
Jason R.C. Nurse, Associate Professor, University of Kent, UK. twitter, linkedin
Computers & Security, Volume 99, December 2020.
A major cyber security incident can represent a cyber crisis for an organisation, in particular because of the associated risk of substantial reputational damage. As the likelihood of falling victim to a cyberattack has increased over time, so too has the need to understand exactly what is effective corporate communication after an attack, and how best to engage the concerns of customers, partners and other stakeholders.
This research seeks to tackle this problem through a critical, multi-faceted investigation into the efficacy of crisis communication and public relations following a data breach. It does so by drawing on academic literature, obtained through a systematic literature review, and real-world case studies. Qualitative data analysis is used to interpret and structure the results, allowing for the development of a new, comprehensive framework for corporate communication to support companies in their preparation and response to such events.
The validity of this framework is demonstrated by its evaluation through interviews with senior industry professionals, as well as a critical assessment against relevant practice and research. The framework is further refined based on these evaluations, and an updated version defined. This research represents the first grounded, comprehensive and evaluated proposal for characterising effective corporate communication after cyber security incidents.
Before the Crisis
Fig. 3. Framework: before cyber crisis.
Fig. 4. Framework: cyber crisis response (focusing on decision contexts).
Establish What to Disclose
Fig. 5. Framework: cyber crisis response (focusing on how to frame the data breach message).
Fig. 6. Framework for effective corporate communication after cyber security incidents.