Featured article
A Framework for Effective Corporate Communication after Cyber Security Incidents
Richard Knight and Jason R.C. Nurse
Published in the Computers & Security Journal, 2020, Elsevier.
A major cyber security incident can represent a cyber crisis for an organisation, in particular because of the associated risk of substantial reputational damage. As the likelihood of falling victim to a cyberattack has increased over time, so too has the need to understand exactly what is effective corporate communication after an attack, and how best to engage the concerns of customers, partners and other stakeholders. This research seeks to tackle this problem through a critical, multi-faceted investigation into the efficacy of crisis communication and public relations following a data breach. It does so by drawing on academic literature, obtained through a systematic literature review, and real-world case studies. Qualitative data analysis is used to interpret and structure the results, allowing for the development of a new, comprehensive framework for corporate communication to support companies in their preparation and response to such events. The validity of this framework is demonstrated by its evaluation through interviews with senior industry professionals, as well as a critical assessment against relevant practice and research. The framework is further refined based on these evaluations, and an updated version defined. This research represents the first grounded, comprehensive and evaluated proposal for characterising effective corporate communication after cyber security incidents.
Related news/media:
Apr.2021 --- University of Maryland College of Information Studies talk, "Communicating Effectively after Cybersecurity Incidents and Breaches" [link][video]
Feb.2021 --- Best Poster Paper Award at the The Network and Distributed System Security Symposium (NDSS) 2021, for "A Framework for Effective Corporate Communication after Cyber Security Incidents". [poster][NDSS]
Feb.2021 --- Featured in Naked Security "What should you say if you have a data breach? Catch up with Jason Nurse": [link]
Jan.2021 --- Headline talk for SASIG PR Academy "Effective corporate communications and public relations in response to a data breach" [link]- Nov.2020 --- Discussing my research at the Sophos Evolve Cybersecurity Summit: "How to Protect Your Company Brand if a Breach Occurs". [link]
- Oct.2020 --- My research is featured in Infosecurity Magazine: "Interview with Jason Nurse about the Corporate Comms Framework". [link]
- Sep.2020 --- My research is featured in The Register: "Wondering how to tell the world you've been hacked? Here's a handy guide from infosec academics". [link]