Every day, our society becomes more dependent on the Internet and virtual connections – everything from daily financial transactions, records management and retention and business operations to social media and national security. Ever-present cyber threats directly impact how we safeguard important and sensitive information. The growing number of attacks targeted at individuals and organizations affects every aspect of our lives. “In general, organizations recognize that they are very, very vulnerable, and they don’t actually have enough resources to get the job done properly,” says chairman and founder of the Ponemon Institute, Larry Ponemon, showing an increased need for support.
U.S. federal, state and local government agencies play an important role in preventing and countering these threats and building a network of information assurance, security and resilience. Concurrently, urgent (crisis) and emergent (risk) communications play a crucial role toward ensuring that organizations are ready to rapidly and accurately assess and respond to a spectrum of cyber threats and to partner with other organizations to respond, recover and build resilience during and after times of crisis. Given these realities, Booz Allen Hamilton has developed the Dynamic Communications Model (DCM) based on our 4PMR methodology, which embeds cyber urgent and emergent communications within a broader dynamic defense approach to cyber security. The DCM model tackles urgent and emergent communication from varying perspectives (e.g., individual and organizational) and at varying levels (e.g., social, behavioral and cognitive).
The Need for Urgent and Emergent Communications as Part of a Dynamic Defense
The scope and speed at which the cyber landscape is changing calls for a dynamic and proactive approach to cyber preparedness, response and communications. While intrusion detection systems and perimeter-based security are important, they fail to detect and protect against new malware signatures and stealthy and persistent adversaries. In addition, no organization can claim immunity to these and other emerging cyber threats. Recognizing this trend, Booz Allen has developed a methodology that offers a dynamic defense to cyber security – proactively and head-on. The methodology consists of four key areas: threat intelligence, incident response, preemptive response and integrated remediation. The key to driving a secure posture is to implement an urgent and emergent communications strategy to more effectively anticipate, prepare and practice for the defensive (threats) and offensive (opportunities) nature of cyber preparedness.
As part of a dynamic defense, proactive communications provide critical, timely information about threats and their impacts on an organization. From the information gained, threat intelligence can offer situational awareness on the operational impacts embedded throughout every programmatic, technical and operational function. In the event an indicator evolves into an actual threat, urgent communication occurs simultaneously as part of the incident response process, implementing best practices of urgent communications and taking into account the psychology of human response, behavior and perception.
Last, as the crisis is mitigated and data collection informs response and reaction assessments, post-event, emergent communication ensures the organization remains agile in the event of any future threats or attacks, and in the development of appropriate strategies for integrated remediation – the commitment to longer-term investments and remediation efforts across policy, people, management, operations and technology solutions.
Dynamic Communications Modeling
Cyber events, whether a potential threat or an actual attack, represent a unique class of risk situations in that they challenge traditional approaches to urgent and emergent communications. Given the volatile and unpredictable nature of cyber threats, dynamic defense provides a stable yet flexible framework to engage, support and build the communications capabilities needed. This methodology serves as a framework for improving current approaches to urgent and emergent communication during all phases of a cyber attack, successfully engaging the groups and sub-groups that would be affected most. Dynamic defense further provides a platform for examining the interactive effects of risk perceptions (e.g., public) with the actual communications response before, during and after an attack. What emerges is increased situational awareness and a common operating picture that reflects the demands of the crisis as it unfolds, media coverage intensifies and public trust and reaction fluctuates depending on how effectively (or poorly) the organization responds.
A persistent concern with many of the existing communication models is that they implicitly assume that public trust only involves delivering the right information in the right format and through the right channels to motivate individuals to adopt recommended cyber-precautionary and mitigation behaviors. For example, in an initial response, actions are aimed at providing the public with accurate information and improving their understanding of the risks. However, this ignores the issue of value judgments and different ways people may receive, process and make actual risk decisions. Even if the public understands the risks and accepts evidence about cyber threats, they typically value a “precautionary principle” approach to making decisions about such threats. Given the small probability of side effects or impacts on any one individual, traditional messaging will not always be persuasive enough to motivate and sustain action.
Integral to the Dynamic Communications Model (DCM) is our 4PMR enterprise methodology. It is comprised of the core competencies and skills cyber personnel need to effectively learn and use in their communications response. The “4Ps” – people, processes, partners and platforms – are the foundation of an effective urgent and emergent communications strategic plan. Focusing on having the right people will ensure that there is a multidisciplinary team in place that is prepared to advise and implement comprehensive strategies, messages and tactics. The most effective way to manage cyber-specific hot-button issues is to identify clear communications processes for crisis planning, preparedness, response and recovery. While working through the process with the designated team, always remember that integral to communications success is keeping your partners engaged and informed of the chain of events. This ensures continual and consistent coordination with key stakeholders and other federal partners. As the last component, platforms are the communication vehicles (e.g., print, broadcast, electronic) that your multidisciplinary team will use to effectively disseminate messaging.
With the foundations of the “4Ps”in place, the team can then focus on the “4Ms” – comprised of an organization’s spokesperson or messenger(s); the messages and how the messengers will address background information, threats and challenges specific to an incident; the media; and the markets. The person who delivers the message and the message itself can either bring resolution or add to the complexity to the crisis. The role of media and markets in reaching audience segments that are impacted can potentially influence outcomes. Leveraging an optimal mix of communication channels – such as websites and e-alerts – before, during and after a crisis will ensure you are driving consistent communications to all personnel.
Last, the remaining section, the “4Rs” – readiness, response, recovery and resilience – is our phased methodology to dynamic communications. Readiness aims at anticipating, preparing and practicing for a range of cyber threats and opportunities. Response focuses on activating and deploying the entire 4M enterprise for communicating effectively – internally and externally – before, during and after crises. Recovery and resilience round out the approach. Once through the crisis, it is important for an organization to continue to provide services and support, return to normal business operations and implement recovery/resilience communications derived from lessons learned and new best practices for improving future cyber communications.
The DCM offers three major benefits. First, it incorporates a values-based approach for how decisions are made as a cyber event or attack unfolds, and how information is processed by individuals or groups as the organization reacts to events with high levels of uncertainty and ambiguity. An important element to any response is dispelling the notion that a refusal to take cyber threat prevention and mitigation actions is a reflection of not understanding the risks or simply a lack of trust in the information or its source. Responses also need to consider the “adaptation” approach, which suggests that messaging needs to consider other factors that can lead to intended (and unintended) outcomes. For example, other psychological variables that may influence risk reduction decisions and actions during and after a cyber attack include regret, threat perception and anticipated consequences, divergent values and post-attack regret for decisions not made and actions not taken.
Second, DCM assesses cyber attacks from a dynamic perspective as an event unfolds. Within the first few minutes and hours of a cyber attack, when risk perceptions and behaviors are in constant flux, people may change their perspectives in real time. Therefore, the decision to act quickly to mitigate impacts is not a one-time decision. In fact, there may be multiple opportunities for reassessing and modifying decisions based on new and emerging information about the attack – such as changing news coverage and social media activity – that can shape and reinforce perceptions and opinions.
Finally, the model represents a more continuous, circular dynamic rather than a discrete and linear categorization, which does not consider changing circumstances within and outside the attack sphere. The model includes a “continuous dimension” (e.g., minute-to-minute continuous process improvement), which suggests the continuous need to improve readiness and focuses on the relationship between the intensity of a crisis and the characteristics of the communications response. The model helps our clients rapidly and accurately assess the crisis intensity level of incidents, and the corresponding communication response, from “minimally intense” to “highly intense.”
As society becomes more dependent on the Internet and virtual connections to manage financials, business operations and even social media, it is important for organizations to be able to safeguard sensitive, digital information. To help prevent cyber attacks, organization leaders need reliable tools (models) that can help them develop and implement appropriate, proactive communication strategies throughout the lifecycle of a cyber threat or crisis. These tools should be dynamic and based on industry best practices, as well as on lessons learned from an individual organization’s previous incident experiences. Senior management should also ensure that staff has been properly trained to respond to, and minimize, any potential damage that could result from an urgent or emergent cyber threat.
Organizations need to recognize how urgent and emergent communications play a crucial role in ensuring that they are ready to rapidly and accurately assess and respond to a spectrum of cyber threats, and acknowledge the need for partnering with other organizations to respond, recover, and build resilience during and after times of crisis.
About the Author:
Dr. Timothy Tinker is an Independent Consultant with BMO Partners. He can be reached at firstname.lastname@example.org.