A framework for effective corporate communication after cyber security incidents
Richard Knight, Jason R. C. Nurse

TL;DR
This paper develops and validates a comprehensive framework for effective corporate communication following cybersecurity incidents, based on literature review, case studies, and industry expert feedback.
Contribution
It introduces the first grounded, comprehensive, and evaluated framework for post-incident corporate communication in cybersecurity contexts.
Findings
The framework effectively guides communication strategies after cyber incidents.
Industry professionals find the framework practical and applicable.
The framework is refined through expert feedback and critical assessment.
Abstract
A major cyber security incident can represent a cyber crisis for an organisation, in particular because of the associated risk of substantial reputational damage. As the likelihood of falling victim to a cyberattack has increased over time, so too has the need to understand exactly what is effective corporate communication after an attack, and how best to engage the concerns of customers, partners and other stakeholders. This research seeks to tackle this problem through a critical, multi-faceted investigation into the efficacy of crisis communication and public relations following a data breach. It does so by drawing on academic literature, obtained through a systematic literature review, and real-world case studies. Qualitative data analysis is used to interpret and structure the results, allowing for the development of a new, comprehensive framework for corporate communication to…
