DOCSLIB.ORG

Effective Crisis Response Communication and Data Breaches: a Comparative Analysis of Corporate Reputational Crises

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Michael Schonheit s2135485 Master’s Thesis 02/10/2020 Effective Crisis Response Communication and Data Breaches: a comparative analysis of corporate reputational crises Master’s Thesis Crisis and Security Management Table of Contents 1 1 Introduction 2 Literature Review 2.1 Placing data breaches within the cybersecurity discourse 6 2.2 Paradigm Shift: From Prevention to Mitigation 10 2.3 Data breach by Hacking: A Taxonomy of Risk Categories 12 2.4 Economic and reputational Impact on organizations 15 2.5 Theoretical and empirical communication models for data breaches 16 3 Theoretical Framework 3.1 Organizational Crises: An introduction to framing and perceived responsibility 21 3.2 Attribution Theory and SCCT 23 3.3 Crisis Types and Communication Response Strategies 24 3.4 Intensifying Factors: Crisis Severity, Crisis History, Relationship Performance 25 3.5 Communication Response Strategies 27 3.6 SCCT Recommendations and Data Breaches 30 3.7 SCCT and PR Data Breaches by Hacking 32 4 Methodology 4.1 Operationalizing SCCT in the Context of Data Breaches 35 4.2 Stock Analysis and News Tracking: Assessing cases on varying degrees of reputation recovery 36 4.3 Refining the Case Selection Framework and the Analysis Process 40 4.4 Intra-periodic Analysis and Inter-periodic Analysis 43 5 Analysis 5.1 Narrowing the Scope: Building the Comparative Case Study 44 5.2 Statistical Recovery: Stock and Revenue Analysis 49 5.3 News Media Tracking and Reputation Index Scores 58 6 Discussion 6.1 Intra-periodic Analysis: Assessing Organizational Responses 72 6.2 Inter-periodic analysis: Verifying the Initial Propositions 74 7 Conclusions 77 8 Appendix 79 9 Bibliography 79 1. Introduction 2 With the emergence of the digital economy cybersecurity has rapidly become a critical aspect for organizations to thrive and maintain their core business activities. As business information and communication systems are increasingly reliant on digital technology, organizations have the imperative to protect them, and the data contained therein, against an ever-evolving landscape of cyber threats. While providing organizations with undeniable development opportunities, the unremitting trend of digitalization has concomitantly brought upon new risks for their survival. In tackling this so called “dark side of digitalization”, the paramount objective of cybersecurity revolves around preserving the availability, integrity and confidentiality of online data (MERGroup,2020). As early as 2015, IMB CEO Ginni Rometti emphatically asserted that data is the “is the world’s new natural resource” consequently making cybercrime “by definition, the greatest threat to any industry” (Morgan, 2017). With the current volume of online data over 50 larger than it was at the time, drastically increasing the magnitude of the cyber-attack surface, this statement feels now quite prophetic. (ITRC 2020;Morris,2020) While cyber threats at large encompass any “malicious act that seeks to damage data, steal data, or disrupt digital life”, with a 4300 percent increase in online data creation from 2019, online data breaches represent one of the most recurrent and damaging cyber incidents for organizations worldwide. The Risk Based Security’s year-end report (2020) estimates that in 2019 alone total of 15.1 billion records have reportedly been exposed to unauthorized use of confidential information. This statistic feature represents an all-time high, increasing by 284% compared to 2018, and confirming a constant trend throughout the last decade. (Sobers,2020;Winder,2019;Lavelle,2020). Although information breaches in the physical world well preceded the current wave of digitalization, online data breaches nowadays are stealing the show. Strikingly enough, compared to their “physical” counterpart, online data breaches are highly dependent on factors endogenous to organizations, including inconsistent data retention and handling policies, internal misuse, system vulnerabilities and human errors. Nevertheless, for the exposed records to be leveraged into identity theft or fraudulent abuse of confidential information, data breaches still depend on the illegitimate doings of external actors proactively exploiting unauthorized access to this data. As reported by Goddijn & Kouns (2020), “Hacking, defined as unauthorized intrusion into systems, has been the top breach type by number of incidents for every year of the past decade except for 2010”. In order to depict this pattern and narrow the scope of this research, we assume Martin’s (2019) definition of data breach, as it well depicts an element of intentionality: “A data breach occurs when there is an unauthorized entry point into a corporation’s database that allows cyber hackers to access customer information”. Cyber dependent methods for gaining unauthorized access to organizations restricted information include but are not limited to: malwares, phishing emails, DDoS attacks, backdoor exploitations, and Trojan horses. Looking into the statistics for these attack vectors, combined with data exposed through unintentional leakages, data 3 breaches impose on organizations worldwide unparalleled monetary costs (MERGroup,2020;Arghire,2020). In particular the gap between economic damages of online breaches and security capabilities of organizations to contrast this phenomenon seems to be widening. In fact, despite the steady rise in organizations awareness and security investments to defend against cyber incidents, the measures implemented have so far had limited effect in containing their impact. While total cyber security expenditures of organizations worldwide have rose from approximately 113 billion of dollars in 2015 to 173 billions in 2020, in the same timeframe the costs of data breaches and cybercrime at large have doubled, reaching an astonishing total of 6 trillion dollars (Columbus,2020). This notable disproportion can be accounted for by delving into the types of damages that businesses are confronted with. Direct costs affecting organizations suffering a data breach include: business disruption and recovery, forensic investigations, legal proceedings, regulatory fines, credit monitoring for customers, crisis management advisory. However, these constitute just the tip of iceberg. In the aftermath of a data breach organizations are often confronted with business reputational damages and loss of consumer trust, which represent much more impactful consequences with the potential to turn the cyber incident into a corporate reputational crisis (Kim et al. 2017; Wang et al. 2017). These indirect costs usually affect businesses in the long run, protracting damages in time and representing the greatest challenge of all for organizations undergoing a data breach. The distinction between direct and indirect business damages produced by a data breach, is particularly relevant for defining the range left to organizations for effectively reduce the impact of a data breach. While we discussed that, for the large part cyber incidents cannot be entirely prevented by establishing all-encompassing cybersecurity measures, reputational damages are largely connected to the public perception of an organization undergoing a cyber crisis, and thus can be mitigated by handling the incident response phase with effective crisis communication strategies (Kim et al. 2017; Wang et al. 2017). This reasoning is one of the core foundations of crisis management as a field. Because of the uncertainty surrounding the traits of a crisis, these events cannot be entirely anticipated ex ante and adopting an exclusively preventive approach has proved to be widely inefficient. Rather, by emphasizing the larger impact of indirect reputational costs produced by data breaches, this research focuses on mitigation strategies that can be applied to reduce the impact of such events on organizations. In particular, as it will be discussed in the next section dedicated to the theoretical foundations of this research, damages to a company reputation, and its image in general, are strictly connected to the public perception of such organization and the crisis it navigates through. 4 The present research aims, in fact at studying crisis response communication strategies that organizations can employ to effectively reduce reputational damages and loss of consumer trust. As Harrison (2007) observed: “A fundamental principle in the field of crisis management is that there are vital and strategic communication methods that help deal with events that can negatively influence an organization” (41). By investigating this matter, the goal of this study is to derive from the analysis of concrete cases of corporate reputational crises in aftermath of data breaches, an assessment of how organizations can mitigate reputational damages through crisis response communication strategies. In doing so, this research will compare cases of corporate data breaches that vary on the degree of financial and reputational recovery from the crisis. Extrapolating communication strategies from this comparative analysis, this study aims at verifying their impact on the organizations’ recovery trends, as well as to check their validity within the body of theory on the matter. Furthermore, as discussed more in depth in the upcoming sections of this research, the vast majority of academic works that study data breaches focus more on the legal and technological aspects of the phenomenon, leaving the intersection with response communication strategies as under-researched domain. In turn, from the crisis communication
Recommended publications
  • UNITED STATES DISTRICT COURT NORTHERN DISTRICT of GEORGIA ATLANTA DIVISION in Re

    UNITED STATES DISTRICT COURT NORTHERN DISTRICT of GEORGIA ATLANTA DIVISION in Re

    Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 1 of 7 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF GEORGIA ATLANTA DIVISION MDL Docket No. 2800 In re: Equifax Inc. Customer No. 1:17-md-2800-TWT Data Security Breach Litigation CONSUMER ACTIONS Chief Judge Thomas W. Thrash, Jr. PLAINTIFFS’ MOTION TO DIRECT NOTICE OF PROPOSED SETTLEMENT TO THE CLASS Plaintiffs move for entry of an order directing notice of the proposed class action settlement the parties to this action have reached and scheduling a hearing to approve final approval of the settlement. Plaintiffs are simultaneously filing a supporting memorandum of law and its accompanying exhibits, which include the Settlement Agreement. For the reasons set forth in that memorandum, Plaintiffs respectfully request grant the Court enter the proposed order that is attached as an exhibit to this motion. The proposed order has been approved by both Plaintiffs and Defendants. For ease of reference, the capitalized terms in this motion and the accompanying memorandum have the meaning set forth in the Settlement Agreement. Case 1:17-md-02800-TWT Document 739 Filed 07/22/19 Page 2 of 7 Respectfully submitted this 22nd day of July, 2019. /s/ Kenneth S. Canfield Kenneth S. Canfield Ga Bar No. 107744 DOFFERMYRE SHIELDS CANFIELD & KNOWLES, LLC 1355 Peachtree Street, N.E. Suite 1725 Atlanta, Georgia 30309 Tel. 404.881.8900 [email protected] /s/ Amy E. Keller Amy E. Keller DICELLO LEVITT GUTZLER LLC Ten North Dearborn Street Eleventh Floor Chicago, Illinois 60602 Tel. 312.214.7900 [email protected] /s/ Norman E.
  • Big Opportunities in Small Transactions

    Big Opportunities in Small Transactions

    June 27, 2005 • Issue 05:06:02 Inside This Issue: Big Opportunities News Industry Update .....................................12 in Small Transactions Federal Reserve Shutters Check Shops ......22 2005 Calendar of Events ........................ 36 ow many zeros are these transactions to add to their Consumer Data at Its Most Vulnerable? ..... 59 there in a trillion? If income potential. the answer doesn't Features spring immediately to Since then, micropayments have Surcharging Hits Mexico H mind, it's fine; all you really need to moved beyond the limits of use for By John McGill, Contributor, know is that a trillion is a really online purchases like music down- ATMmarketplace.com .......................... 31 big number. loads, making significant inroads NAOPP Board Addresses into the physical POS. The solutions Rumors and 2005 Agenda It's also roughly the total value of also offer sophisticated features for By NAOPP Board of Directors .............. 52 consumer transactions of less than merchants and consumers. Creating Web Site Content ..................... 56 $5 at the point of sale. In 2003, this number was $1.32 trillion, The companies we spoke with this Views according to the latest data from time present a range of micropay- Discover Spin-off Prompts industry research firm, MasterCard ment solutions that integrate with Speculation About First Data International-owned TowerGroup. the existing systems of credit card By Patti Murphy .................................. 26 companies, banks, processors and It's Déjà Vu All Over Again A lot of people in financial servi- acquirers. Their solutions aggregate By Ken Musante ..............................29 ces would like a piece of that pie, tiny transactions for cost efficiency, The Bundled Solution Approach and they've been working to find let consumers pay as they go or offer to Selling, Part II ways to tap into this vast cash subscription options.
  • A PRACTICAL METHOD of IDENTIFYING CYBERATTACKS February 2018 INDEX

    A PRACTICAL METHOD of IDENTIFYING CYBERATTACKS February 2018 INDEX

    In Collaboration With A PRACTICAL METHOD OF IDENTIFYING CYBERATTACKS February 2018 INDEX TOPICS EXECUTIVE SUMMARY 4 OVERVIEW 5 THE RESPONSES TO A GROWING THREAT 7 DIFFERENT TYPES OF PERPETRATORS 10 THE SCOURGE OF CYBERCRIME 11 THE EVOLUTION OF CYBERWARFARE 12 CYBERACTIVISM: ACTIVE AS EVER 13 THE ATTRIBUTION PROBLEM 14 TRACKING THE ORIGINS OF CYBERATTACKS 17 CONCLUSION 20 APPENDIX: TIMELINE OF CYBERSECURITY 21 INCIDENTS 2 A Practical Method of Identifying Cyberattacks EXECUTIVE OVERVIEW SUMMARY The frequency and scope of cyberattacks Cyberattacks carried out by a range of entities are continue to grow, and yet despite the seriousness a growing threat to the security of governments of the problem, it remains extremely difficult to and their citizens. There are three main sources differentiate between the various sources of an of attacks; activists, criminals and governments, attack. This paper aims to shed light on the main and - based on the evidence - it is sometimes types of cyberattacks and provides examples hard to differentiate them. Indeed, they may of each. In particular, a high level framework sometimes work together when their interests for investigation is presented, aimed at helping are aligned. The increasing frequency and severity analysts in gaining a better understanding of the of the attacks makes it more important than ever origins of threats, the motive of the attacker, the to understand the source. Knowing who planned technical origin of the attack, the information an attack might make it easier to capture the contained in the coding of the malware and culprits or frame an appropriate response. the attacker’s modus operandi.
  • The Future of the Internet (For PDF)

    The Future of the Internet (For PDF)

    TODAYS PREDICTIONS FOR TOMORROWS INTERNET JOSH PYORRE (SECURITY RESEARCHER) ▸ Cisco Umbrella ▸ NASA ▸ Mandiant THE WORLD IS A MAGICAL PLACE THE INTERNET IN THE 70’S THE INTERNET IN THE 70’S SMALL MAPPING OF ASN’S TO THEIR IPS TO GET A SENSE OF SCALE INTERNET SIZES TODAY INTERNET SIZES TODAY POODLE OCTOBER 14, 2014 BUG IN SSL VERSION 3.0 MITM 256 SSL 3.0 REQUESTS < 1 BYTE ENCRYPTED DATA HEARTBLEED APRIL 7, 2014 BUG IN OPENSSL BUFFER OVER-READ CLIENTS AND SERVERS POST DATA IN USER REQUESTS SESSION COOKIES/PASSWORDS PRIVATE KEYS YAHOO, IMGUR, STACK OVERFLOW, DUCKDUCKGO, PINTREST, REDDIT, AKAMAI, GITHUB, AMAZON WEB SERVICES, INTERNET ARCHIVE, SOUNDCLOUD, TUMBLR, STRIPE, ARS TECHNICA, SPARKFUN, PREZI, SOURCEFORGE, BITBUCKET, FREENODE, WIKIPEDIA, WUNDERLIST, LASTPASS AND A LOT MORE REVERSE HEARTBLEED AFFECTS MILLIONS OF APPS CAN READ CLIENT MEMORY HP SERVER APPS, FILEMAKER, LIBREOFFICE, LOGMEIN, MCAFEE, MSSQL, ORACLE PRODUCTS, PRIMAVERA, WINSCP, VMWARE PRODUCTS, DEBIAN, REDHAT, LINUX MINT, UBUNTU, CENTOS, ORACLE LINUX, AMAZON LINUX, ANDROID, AIRPORT BASE STATIONS, CISCO IOS, JUNIPER FIRMWARE, IPCOP, PFSENSE, DD-WRT ROUTER FIRMWARE, WESTERN DIGITAL DRIVE FIRMWARE… AND A LOT MORE SHELLSHOCK SEPT 14, 2014 BASH IS USED IN INTERNET-FACING SERVICES CGI WEB SERVERS OPENSSH SERVERS DHCP CLIENTS BASH IS USED IN INTERNET-FACING SERVICES PROCESSES REQUESTS ATTACKER CAN SEND EXTRA DATA SECURE HASHING ALGORITHM 3B260F397C573ED923919A968A59AC6B2E13B52D = I HOPE THIS PRESENTATION ISN'T BORING SHA-1 ▸ Dates back to 1995 ▸ Known to be vulnerable to theoretical
  • Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution?

    Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution?

    Delft University of Technology Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution? Bisogni, F. DOI 10.5325/jinfopoli.6.2016.0154 Publication date 2016 Document Version Final published version Published in Journal of Information Policy Citation (APA) Bisogni, F. (2016). Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution? Journal of Information Policy, 6, 154-205. https://doi.org/10.5325/jinfopoli.6.2016.0154 Important note To cite this publication, please use the final published version (if applicable). Please check the document version above. Copyright Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons. Takedown policy Please contact us and provide details if you believe this document breaches copyrights. We will remove access to the work immediately and investigate your claim. This work is downloaded from Delft University of Technology. For technical reasons the number of authors shown on this cover page is limited to a maximum of 10. Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution? Author(s): Fabio Bisogni Source: Journal of Information Policy , 2016, Vol. 6 (2016), pp. 154-205 Published by: Penn State University Press Stable URL: https://www.jstor.org/stable/10.5325/jinfopoli.6.2016.0154 JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range of content in a trusted digital archive.
  • Informed Trading and Cybersecurity Breaches

    Informed Trading and Cybersecurity Breaches

    Columbia Law School Scholarship Archive Faculty Scholarship Faculty Publications 2019 Informed Trading and Cybersecurity Breaches Joshua Mitts Columbia Law School, [email protected] Eric L. Talley Columbia Law School, [email protected] Follow this and additional works at: https://scholarship.law.columbia.edu/faculty_scholarship Part of the Business Organizations Law Commons, Information Security Commons, Internet Law Commons, Privacy Law Commons, Science and Technology Law Commons, and the Securities Law Commons Recommended Citation Joshua Mitts & Eric L. Talley, Informed Trading and Cybersecurity Breaches, 9 HARV. BUS. L. REV. 1 (2019). Available at: https://scholarship.law.columbia.edu/faculty_scholarship/2084 This Article is brought to you for free and open access by the Faculty Publications at Scholarship Archive. It has been accepted for inclusion in Faculty Scholarship by an authorized administrator of Scholarship Archive. For more information, please contact [email protected]. \\jciprod01\productn\H\HLB\9-1\HLB103.txt unknown Seq: 1 5-NOV-19 9:40 INFORMED TRADING AND CYBERSECURITY BREACHES* JOSHUA MITTS† ERIC TALLEY‡ Cybersecurity has become a significant concern in corporate and commer- cial settings, and for good reason: a threatened or realized cybersecurity breach can materially affect firm value for capital investors. This paper explores whether market arbitrageurs appear systematically to exploit advance knowl- edge of such vulnerabilities. We make use of a novel data set tracking cyber- security breach announcements among public companies to study trading patterns in the derivatives market preceding the announcement of a breach. Us- ing a matched sample of unaffected control firms, we find significant trading abnormalities for hacked targets, measured in terms of both open interest and volume.
  • Software Bug Bounties and Legal Risks to Security Researchers Robin Hamper

    Software Bug Bounties and Legal Risks to Security Researchers Robin Hamper

    Software bug bounties and legal risks to security researchers Robin Hamper (Student #: 3191917) A thesis in fulfilment of the requirements for the degree of Masters of Law by Research Page 2 of 178 Rob Hamper. Faculty of Law. Masters by Research Thesis. COPYRIGHT STATEMENT ‘I hereby grant the University of New South Wales or its agents a non-exclusive licence to archive and to make available (including to members of the public) my thesis or dissertation in whole or part in the University libraries in all forms of media, now or here after known. I acknowledge that I retain all intellectual property rights which subsist in my thesis or dissertation, such as copyright and patent rights, subject to applicable law. I also retain the right to use all or part of my thesis or dissertation in future works (such as articles or books).’ ‘For any substantial portions of copyright material used in this thesis, written permission for use has been obtained, or the copyright material is removed from the final public version of the thesis.’ Signed ……………………………………………........................... Date …………………………………………….............................. AUTHENTICITY STATEMENT ‘I certify that the Library deposit digital copy is a direct equivalent of the final officially approved version of my thesis.’ Signed ……………………………………………........................... Date …………………………………………….............................. Thesis/Dissertation Sheet Surname/Family Name : Hamper Given Name/s : Robin Abbreviation for degree as give in the University calendar : Masters of Laws by Research Faculty : Law School : Thesis Title : Software bug bounties and the legal risks to security researchers Abstract 350 words maximum: (PLEASE TYPE) This thesis examines some of the contractual legal risks to which security researchers are exposed in disclosing software vulnerabilities, under coordinated disclosure programs (“bug bounty programs”), to vendors and other bug bounty program operators.
  • A Survey of Consumer Protections Throughout North Carolina's Identity Theft Protection Act

    A Survey of Consumer Protections Throughout North Carolina's Identity Theft Protection Act

    Campbell Law Review Volume 42 Issue 1 Winter 2020 Article 7 2020 Protecting Personal Data: A Survey of Consumer Protections Throughout North Carolina's Identity Theft Protection Act James H. Ferguson III Follow this and additional works at: https://scholarship.law.campbell.edu/clr Recommended Citation James H. Ferguson III, Protecting Personal Data: A Survey of Consumer Protections Throughout North Carolina's Identity Theft Protection Act, 42 CAMPBELL L. REV. 191 (2020). This Comment is brought to you for free and open access by Scholarly Repository @ Campbell University School of Law. It has been accepted for inclusion in Campbell Law Review by an authorized editor of Scholarly Repository @ Campbell University School of Law. Ferguson: Protecting Personal Data: A Survey of Consumer Protections Throug Protecting Personal Data: A Survey of Consumer Protections Throughout North Carolina's Identity Theft Protection Act ABSTRACT "Data is the pollutionproblem of the information age, andprotecting privacy is the environmental challenge."' You trade it every day. In a technologically-evolved world, our per- sonal data has become a form of currency in the digitalmarketplace. Who is responsiblefor protecting that data? What happens when it is compro- mised? This Comment conducts a descriptive assessment of North Caro- lina's data breach notification law, exploring the legislative history of the Identity Theft Protection Act and comparing the consumer protections found therein to those offered in other states' statutory schemes. Addition- ally, this Comment evaluates the extent to which a statutorily requiredrea- sonable security standard comports with consumer protections, and their competitive interplay with businesses' economic interests. A B STRAC T ...........................................................................................19 1 IN TRO DU CTION ....................................................................................192 I.
  • Examining How System Administrators Manage Software Updates

    Examining How System Administrators Manage Software Updates

    Keepers of the Machines: Examining How System Administrators Manage Software Updates Frank Li Lisa Rogers Arunesh Mathur University of California, Berkeley University of Maryland Princeton University [email protected] [email protected] [email protected] Nathan Malkin Marshini Chetty University of California, Berkeley Princeton University [email protected] [email protected] ABSTRACT While prior studies have investigated how end users deal with soft- Keeping machines updated is crucial for maintaining system secu- ware updates [18,19,22,30 –32,35,40,45,46,49,50], there has been rity. While recent studies have investigated the software updating less attention on system administrators, whose technical sophisti- practices of end users, system administrators have received less at- cation and unique responsibilities distinguish them from end users. tention. Yet, system administrators manage numerous machines for Industry reports and guides on administrator patching exist (e.g., their organizations, and security lapses at these hosts can lead to Sysadmin 101 [41]), but these lack peer-review and transparent rig- damaging attacks. To improve security at scale, we therefore also orous methods. Prior academic work on system administrators is need to understand how this specific population behaves and how to often dated and focuses on aspects of administrator operations other help administrators keep machines up-to-date. than updating (e.g., on general tools used [11]) or specific technical (rather than user) updating aspects. Given the critical role that sys- In this paper, we study how system administrators manage software tem administrators play in protecting an organization’s machines, updates. We surveyed 102 administrators and interviewed 17 in- it behooves us to better understand how they manage updates and depth to understand their processes and how their methods impact identify avenues for improved update processes.
  • Information Provided by DHS Regarding Russian Scanning Was Incorrect Date: Wednesday, September 27, 2017 12:49:59 PM

    Information Provided by DHS Regarding Russian Scanning Was Incorrect Date: Wednesday, September 27, 2017 12:49:59 PM

    From: (b) (6) To: (b) (6) Subject: FW: Information Provided by DHS Regarding Russian Scanning was Incorrect Date: Wednesday, September 27, 2017 12:49:59 PM From: Secretary of State, Press Sent: Wednesday, September 27, 2017 2:58:05 PM To: Secretary of State, Press Subject: Information Provided by DHS Regarding Russian Scanning was Incorrect AP17:073 FOR IMMEDIATE RELEASE September 27, 2017 CONTACT: Jesse Melgar or Sam Mahood (916) 653-6575 Information Provided by DHS Regarding Russian Scanning was Incorrect SACRAMENTO – California Secretary of State Alex Padilla issued the following statement. “Last Friday, my office was notified by the U.S. Department of Homeland Security (DHS) that Russian cyber actors 'scanned' California’s Internet-facing systems in 2016, including Secretary of State websites. Following our request for further information, it became clear that DHS’ conclusions were wrong.” “DHS confirmed that Russian scanning activity had actually occurred on the California Department of Technology statewide network, not any Secretary of State website. Based on this additional information, California voters can further rest assured that the California Secretary of State elections infrastructure and websites were not hacked or breached by Russian cyber actors.” “Our notification from DHS last Friday was not only a year late, it also turned out to be bad information. To make matters worse, the Associated Press similarly reported that DHS has reversed itself and 'now says Russia didn’t target Wisconsin’s voter registration system,' which is contrary to previous briefings.” epic.org EPIC-17-03-31-DHS-FOIA-20180416-Production-1 000001 NPPD 000650 “The work of our intelligence agencies is critical in defending against cyber threats.
  • A Framework for Effective Corporate Communication After Cyber Security Incidents

    A Framework for Effective Corporate Communication After Cyber Security Incidents

    Oct-2020: This paper has been accepted for publication in Computers & Security Journal A Framework for Effective Corporate Communication after Cyber Security Incidents Richard Knight a and Jason R. C. Nurse b a WMG, University of Warwick, UK b School of Computing, University of Kent, UK Corresponding author: Jason R.C. Nurse, [email protected] Highlights • We develop a framework for corporate communications in the event of a cyber incident • Best practices for effective data breach announcement decisions identified • The framework is grounded in a systematic review and real-world case studies • Interviews with senior industry professionals allow framework evaluation and refinement • The framework can complement security incident response and management in businesses Abstract A major cyber security incident can represent a cyber crisis for an organisation, in particular because of the associated risk of substantial reputational damage. As the likelihood of falling victim to a cyberattack has increased over time, so too has the need to understand exactly what is effective corporate communication after an attack, and how best to engage the concerns of customers, partners and other stakeholders. This research seeks to tackle this problem through a critical, multi-faceted investigation into the efficacy of crisis communication and public relations following a data breach. It does so by drawing on academic literature, obtained through a systematic literature review, and real-world case studies. Qualitative data analysis is used to interpret and structure the results, allowing for the development of a new, comprehensive framework for corporate communication to support companies in their preparation and response to such events.
  • Software Security Building Security In

    Software Security Building Security In

    Software Security Building Security in CMSC330 Spring 2021 1 Security breaches • TJX (2007) - 94 million records* • Adobe (2013) - 150 million records, 38 million users • eBay (2014) - 145 million records • Equifax (2017) – 148 millions consumers • Yahoo (2013) – 3 Billion user accounts • Twitter (2018) – 330 million users • First American Financial Corp (2019) – 885 million users • Anthem (2014) - Records oF 80 million customers • Target (2013) - 110 million records • Heartland (2008) - 160 million records *containing SSNs, credit card nums, other private info https://www.oneid.com/7-biggest-security-breaches-of-the-past-decade-2/ 2 2017 Equifax Data Breach • 148 million consumers’ personal information stolen • They collect every details of your personal life • Your SSN, Credit Card Numbers, Late Payments… • You did not sign up for it • You cannot ask them to stop collecting your data • You have to pay to credit freeze/unfreeze 3 Vulnerabilities: Security-relevant Defects • The causes of security breaches are varied, but many of them owe to a defect (or bug) or design flaw in a targeted computer system's software. • Software defect (bug) or design flaw can be exploited to affect an undesired behavior 4 Defects and Vulnerabilities • The use of software is growing • So: more Bugs and Flaws • SoFtware is large (lines oF code) • Boeing 787: 14 million • Chevy volt: 10 million • Google: 2 billion • Windows: 50 million • Mac OS: 80 million • F35 fighter Jet: 24 million 5 Quiz 1 Program testing can show that a program has no bugs. A. True B. False 6 Quiz 1 Program testing can show that a program has no bugs.