DeepSec Talk 2022: Anticipating Damage Control: Communicating About Cybersecurity Within And Outside Organizations – Prof. Matthieu J. Guitton

Although cybersecurity aims at protecting individuals and organizations from the threats emerging from the massive use of and dependency upon digitalized spaces, the efforts of cybersecurity experts unfortunately do not always succeed in doing so. Therefore, integrated cybersecurity strategies of large organizations should minimally include a plan for damage control.

Damage control strategies are typically handled by public relations experts and tend to follow a classical narrative, combining a mix of both apologizing and reassuring discourses. However, in an age of communication technologies, efficient narrative strategies have to be multi-layered. Indeed, while damage control is typically conceptualized as taking place after the occurrence of a damage causing event, it should also include an anticipatory component, both dealing with communication planning and pre-event communication. Furthermore, a damage control narrative can not exclusively focus on a general public relations discourse, but should also include reflexive components, i.e. narrative elements targeted at organization members themselves on the one hand, and addressing the cybersecurity strategy itself on the other hand.

This presentation will explore this specific aspect of damage control specifically addressing communication related to cybersecurity measures and strategies. We will first identify which components of the cybersecurity policy, measures, and training of the organization workforce can be the target of communication. We will then explore how communicating about these aspects can be done within the organization. Finally, we will discuss how communicating about these elements can be done outside of the organizations specific context and network, before and after the occurrence of damaging events, and how such communication may not only contribute to the degree of security of the assets of the organization, but also to its overall reputation and branding.

We asked Matthieu J. Guitton a few more questions about his talk.

Please tell us the top 5 facts about your talk.

1. Integrated cybersecurity strategies of large organizations should minimally include a plan for damage control.
2. In an age of communication technologies, efficient narrative strategies have to be multi-layered.
3. Damage control strategies should include an anticipatory component, both dealing with communication planning and pre-event communication.
4. Damage control narrative can not exclusively focus on general public relations discourse, but should also include reflexive components, i.e. narrative elements targeted at organization members themselves on the one hand, and addressing the cybersecurity strategy itself on the other hand.
5. Several components of the cybersecurity policy, measures, and training of the organization workforce can be the target of communication.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Most cybersecurity efforts of governmental and corporate organisations are put into reinforcing the systems. Yet, damages resulting from cybersecurity attacks are twofold: direct, immediate damages related to the loss of data, and indirect, delayed damage to the organization’s reputation. Unfortunately, this second category of damage is typically not being addressed. Therefore I wanted to develop this talk.

Why do you think this is an important topic?

As demonstrated by numerous actual cases of cybersecurity attacks, damage control is critical for any organization. All the benefits of cybersecurity efforts for a company’s reputation could be ruined in a few instants by poor communication. Thus, including a communication plan on damage control into any long-term cybersecurity strategy is critical.

Is there something you want everybody to know – some good advice for our readers maybe?

Cybersecurity experts need to work with communication specialists to optimize the damage control strategy of their organization. Communication on cybersecurity itself – particularly on what are the cybersecurity measures and trainings provided in the organization – has to be part of any long-term integrated damage control plan.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

With the increase of the dependency upon technology and digitalized spaces, cyber-attacks are going to be more and more prominent in the future. As cyber-attacks are going to be more and more complex and difficult to counter, developing communicational counter-measures to do damage control will be more and more critical. Fields such as social engineering might provide interesting solutions to help further such post-attack defense strategies.

Matthieu J. Guitton is Full Professor at the Faculty of Medicine and Full Professor at the Graduate School of International Studies at Université Laval (Quebec City, QC, Canada), Fellow of the Royal Anthropological Institute, and Senior Researcher/Group Leader at the CERVO Brain Research Center (Quebec City, QC, Canada). He is Editor-in-Chief of the Computers in Human Behavior family of journals, which includes Computers in Human Behavior (the world leading journal in the field of cyberpsychology), and Computers in Human Behavior Reports, and serves on several other editorial boards, such as Acta Psychologica (where he acts as the Psychology and Technology Section Editor) and Current Opinion in Behavioral Sciences. A graduate from the University of Rouen and Université Pierre et Marie Curie – Paris VI, he obtained his PhD from the University of Montpellier (France) and was a Koshland Scholar/Postdoctoral Fellow of Excellence at the Weizmann Institute of Science (Israel). He has published over 120 research papers, book chapters, or editorials on subjects ranging from neuropharmacology and health sciences to cyberpsychology, cyberbehavior, or security issues. Some of his recent works have appeared in journals such as Computers in Human Behavior, the International Journal of Intelligence and CounterIntelligence, or the International Journal of Intelligence, Security, and Public Affairs. He has been invited speaker or guest lecturer at many universities across the world, such as the Embry-Riddle Aeronautical University (USA), the Russian Academy of Science, or the Renmin University of China.