Abstract
In a psychosocial approach to cybersecurity, we cannot neglect the role played by communication, since it is key to any security strategy and, generally speaking, fundamental in any environment where human beings interact. In this chapter, we discuss the importance of both internal communication, in order to disseminate content related to cybersecurity, and crisis communication management, when crisis events such as data breaches occur. Firstly, communication supports the building of a Cybersecurity Culture through the sharing of common values and beliefs among workers. For this goal, it is important to use clear and understandable communication, since it cannot be assumed that all employees know technical language. Moreover, for effective communication, cognitive and emotional aspects have to be taken into consideration. For example, since communication about risks can evoke adverse effects, messages need to balance positive and negative elements so that people feel able to handle threats; otherwise the real risk is the adoption of careless or passive behaviour. Finally, an effective communication strategy for managing crisis events is essential to preserve a company’s reputation. In an always-on world the topic of reputation is vital for everyone, individuals and organizations, since it is more and more dependent on people’s interactions in the digital world. Data breaches can produce serious impacts on future business: by compromising the relationship with their stakeholders, organizations put at risk the opportunities for new trade, and therefore they should pay great attention to customer data protection.
Notes
- 1.
See the research carried out by Opinium and commissioned by Trend Micro (2019). The online survey involved 1,125 IT decision-makers responsible for cybersecurity across the UK, US, Germany, Spain, Italy, Sweden, Finland, France, Netherlands, Poland, Belgium and Czech Republic. https://newsroom.trendmicro.com/press-release/commercial/trend-micro-finds-one-third-cybersecurity-staff-feel-isolated-business.
- 2.
- 3.
Consider, for example, the Facebook-Cambridge Analytica scandal in early 2018. It was revealed that the personal data of about 87 million Facebook users’ profiles were harvested by Cambridge Analytica and improperly used for political goals, without the consent of those involved.
- 4.
- 5.
The Labelling Theory (e.g. Becker 1973) is a sociological approach developed in the 1960s in order to understand deviant behaviour. Among the factors influencing criminal behaviour is the way in which people are labelled. This theory is associated with the concept of the self-fulfilling prophecy (Rosenthal and Jacobson): negatively labelled individuals are more likely to develop negative behaviour. Even though this theory has received several criticisms, it is nevertheless interesting to observe how the repetitive use of negative (and also positive) terms can affect individual self-identity.
- 6.
See, for example, the C-Suite 2018, the Annual Survey of Global Business Executives, conducted by the Global Business Policy Council in partnership with ATKearney. This report is based on results from a survey comprising four sections. The first asks executives to assess the likelihood of a variety of discrete potential global developments. The second focuses on the external environment (e.g. economic, political, social) affecting businesses. The third concentrates on business operations, that is, a firm’s internal processes, people, and systems. In the fourth section a topical issue is chosen; for this report the section is based on cybersecurity strategy, since this topic has consistently ranked as a top challenge among executives in past iterations of this survey. On this specific issue, the study finds that cybersecurity tops the list of challenges for business operations. https://www.kearney.com/web/global-business-policy-council/article?/a/2018-views-from-the-c-suite.
- 7.
The Reputation Leaders study by Reputation Institute (2019) is based on the participation of 179 Global Communication executives. Cyber-attacks and data privacy are the second top Macro-Trends. Among others we can find fake news, female empowerment, CEO activism, and so on.
- 8.
- 9.
According to GDPR, personal data refers to any information that relates to an identified or identifiable, living individual, for example: name, address and phone number, location, health records, income, banking information, cultural preferences, and more. https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-sme-obligations_en.pdf.
- 10.
- 11.
- 12.
A global company specialized in reputation measurement and management. Its model for measuring a company’s reputation (RepTrack Model) is a standardized, internationally recognised framework.
- 13.
Hackers justified their actions on the grounds that Ashley Madison lied to users and didn’t protect their data properly.
- 14.
- 15.
References
Ablon, L., Heaton, P., Lavery, D., et al.: Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information. The RAND Corporation, Santa Monica, CA (2016)
Bada, M., Sasse, A.: Cyber Security Awareness Campaigns: Why Do They Fail to Change Behaviour? Global Cyber Security Capacity Centre. University of Oxford, Oxford, UK (2014)
Becker, H.S.: Outsiders: Studies in the Sociology of Deviance. The Free Press, New York (1973)
Coombs, W.T.: Protecting organization reputations during a crisis: the development and application of situational crisis communication theory. Corp. Reput. Rev. 10(3), 163–176 (2007)
Coombs, W.T., Holladay, S.J.: The Handbook of Crisis Communication, Wiley-Blackwell, John Wiley & Sons, Ltd, Publication (2010)
Corradini, I., Nardelli, E.: La reputazione aziendale. Aspetti sociali, di misurazione e di gestione, Franco Angeli (2015)
Corradini, I., Nardelli, E.: Is data protection a relevant indicator for measuring corporate reputation? Submitted to: 6th International Conference on Human Factors in Cybersecurity, AHFE, San Diego, California, USA, 16–20 July 2020
Chun, R.: Corporate reputation: meaning and measurement. Int. J. Manag. Rev. 7(2), 91–109 (2005)
Dawson, J., Thomson, R.: The future cybersecurity workforce: going beyond technical skills for successful cyber performance. Front. Psychol. 9, 744 (2018)
Deloitte Report: Global survey on reputation risk (2014). https://www2.deloitte.com/content/dam/Deloitte/pl/Documents/Reports/pl_Reputation_Risk_survey_EN.pdf
European Commission: New report shows digital skills are required in all types of jobs. (2017). https://ec.europa.eu/digital-single-market/en/news/new-report-shows-digital-skills-are-required-all-types-jobs
European Commission: The GDPR: new opportunities, new obligations. What every business needs to know about the EU’s General Data Protection Regulation (2018). https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-sme-obligations_en.pdf
Feldman, P.M., Bahamonde, R.A., Bellido, I.V.: A new approach for measuring corporate reputation. RAE Revista de Administracao de Empresas 54(1), 53–66 (2014)
Fink, S.: Crisis Management: Planning for the Inevitable. AMACOM, New York (1986)
Fombrun, C.: Reputation: Realizing Value from the Corporate Image. Harvard Business School Press, Boston, MA (1996)
Fombrun, C.J., van Riel, C.B.M.: The reputational landscape. Corp. Reput. Rev. 1(1/2), 6–13 (1997)
Garcia-Marques, T., Mackie, D.M.: The feeling of familiarity as a regulator of persuasive processing. Soc. Cogn. 18, 9–34 (2001)
Haney, J.M., Lutters, W.G.: Skills and characteristics of successful cybersecurity advocates. In: Third Workshop on Security Information Workers (2017)
Infanti, J., Sixsmith, J., Barry, M.M., Núñez-Córdoba, J., Oroviogoicoechea-Ortega, C., Guillén-Grima, F.: A Literature Review on Effective Risk Communication for the Prevention and Control of Communicable Diseases in Europe. Stockholm, ECDC (2013)
Johansen, W., Aggerholm, H.K., Frandsen, F.: Entering new territory: a study of internal crisis management and crisis communication in organizations. Public Relat. Rev. 38(2), 270–279 (2012)
Jøsang, A.: Trust and reputation systems. In: Foundations Security Analysis Design IV, FOSAD 2006/2007-Tutorial Lectures, (Bertinoro, Italy), Springer LNCS 4677 (2007)
Lundgren, R.E., McMakin, A.H.: Risk Communication: A Handbook for Communicating Environmental, Safety, and Health Risks. Wiley, Hoboken, NJ (2013)
McDonald, N.: Organizational resilience and industrial risk. In: Hollnagel, E., Woods, D.D., Leveson, N. (eds) Resilience Engineering, Concepts and Precepts, pp. 155–180. Ashgate Publishing Limited, Hampshire (2006). ISBN 0-7546-4641-6
Pearson, C. M., Mitroff, I.I.: From crisis prone to crisis prepared: a framework for crisis management. Acad. Manag. Rev. 7(1), 48–59 (1993)
Ponemon Institute: Cost of a data breach study: global overview (2018). https://www.ibm.com/downloads/cas/861MNWN2
Reich, Z., Bentman, M., Jackman, O.: A crisis communication guide for public organisations. In: Vos, M., Lund, R., Reich, Z., Harro-Loit, H. (eds) Developing a Crisis Communication Scorecard. Outcomes of an International Research Project 2008–2011, Jyväskylä Studies in Humanities 152, pp. 265–324. Jyväskylä University Press, Jyväskylä (2011)
Reputation Institute: Global RepTrack 100. The World’s Most Reputable Companies (2012)
Reputation Institute: What’s on the mind of the CCO when it comes to corporate brand reputation? Reputation Leaders study 2018 (February, 2019)
Reuters: Ashley Madison parent in 11.2 million settlement over data breach (2015). https://www.reuters.com/article/us-ashleymadison-settlement-idUSKBN19Z2F0. Accessed 14 July 2017
Ruiter, R.A.C., Kok, G., Verplanken, B., Brug, J.: Evoked fear and effect of appeals on attitudes to performing breast self-examination: an information-processing perspective. Health Educ. Res. 16, 307–319 (2001)
Ruiter, R.A., Kessels, L.T., Peters, G.J.Y., Kok, G.: Sixty years of fear appeal research: current state of the evidence. Int. J. Psychol. 49, 63–70 (2014)
Seeger, M.W., Sellnow, T.L., Ulmer, R.R.: Communication and Organizational Crisis. Quorum Press, Westport, CT (2003)
Soroka, S.N.: Good news and bad news: asymmetric responses to economic information. J. Polit. 68(2), 372–385 (2006)
Tannenbaum, M.B., Hepler, J., Zimmerman, R.S., Saul, L., Jacobs, S., Wilson, K., Albarracín, D.: Appealing to fear: a meta-analysis of fear appeal effectiveness and theories. Psychol. Bull. 141(6), 1178–1204 (2015)
van der Meer, T.G.L.A., Verhoeven, J.W.M.: Emotional crisis communication. Public Relat Rev. 40, 526–536 (2014)
Walsh, F.: Strengthening Family Resilience. Guilford Press, New York (1998)
Winkielman, P., Schwarz, N., Fazendeiro, T.A., Reber, R.: The hedonic marking of processing fluency: implications for evaluative judgment. In: Musch, J., Klauer, K.C. (eds.) The Psychology of Evaluation: Affective Processes in Cognition and Emotion, pp. 189–217. Lawrence Erlbaum, Mahwah, NJ (2003)
Xu, X., Alexander Jr., R.L., Simpson, S.A., Goates, S., Nonnemaker, J.M., Davis, K.C., McAfee, T.: A cost-effectiveness analysis of the first federally funded antismoking campaign. Am. J. Prev. Med. 48, 318–325 (2015)
Zamoum, K., Gorpe, T.S.: Crisis management: a historical and conceptual approach for a better understanding of today’s crises (2018) (intechopen.com)
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Corradini, I. (2020). Communication is Not an Option. In: Building a Cybersecurity Culture in Organizations. Studies in Systems, Decision and Control, vol 284. Springer, Cham. https://doi.org/10.1007/978-3-030-43999-6_5
DOI: https://doi.org/10.1007/978-3-030-43999-6_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-43998-9
Online ISBN: 978-3-030-43999-6
eBook Packages: Engineering, Engineering (R0)