Monday, March 20, 2017

The "Five Stages" of being breached
Doing data breach investigations in the commercial sector introduces you to many new people.  One of the nice things that people have said to me is "Great to meet you, but I hope to never see you again".  A few people that have been through a data breach will have a quiet chuckle to themselves and know what this means, but for the fortunate others it means "thanks for helping when we were having a bad time, and we hope to never have to use your services again because it would mean we are going through another data breach".  In the early days I found it hard to understand why some of my customers were less than happy to work with us, and some were even angry with me.  I'm thinking "WTF??? I'm the one trying to help you".  Others have said "If we let you in, how do we know you are not going to steal all of our information", and again I'm feeling like they see me as the bad guy.  I tend to take things a bit personally; I'm an only child, so yeah, "It is all about ME ;-)".

Trouble is that most of the people going through a breach situation are totally unprepared, and experiencing a data breach starts their thoughts spiralling into all sorts of conspiracy theories: thoughts about how everyone has let them down, denying that they had an issue because it was a mistake and "could not possibly be us", and many others.  After a while you start to realise that there is a pattern, and one day, looking over my partner's shoulder at home, I saw what she was reading and had an epiphany as I recognised the behaviours, but it was from a social sciences model and nothing to do with technology.  My partner is an almost full-time university lecturer, former perennial part-time student, and part-time counsellor.  In one of her main fields of study I saw the Five Stages of Grief model being discussed and immediately recognised a few of the stages.  To provide context for what I'm talking about, the stages of grief in the model are:
  1. Denial;
  2. Anger;
  3. Bargaining;
  4. Depression; and 
  5. Acceptance. 
The Denial and Anger stages were the first trigger 😁 as I had seen so much of this.  But I started to recognise that during investigations customers showed some, or all, of these traits as we worked our way through the incident (i.e. kicking out bad guys, reporting on what had happened, and advising how to stop it from happening again).

A few examples of the phases that I saw are:

Denial
"It could not possibly be us, we don't store that data"
"We have the lock in the browser so all of our transactions are secure"
"I rang my IT guy and he/she said we are secure"
"Why would anyone want to hack into us in [insert-tiny-location-here] from [insert-known-hive-of-hackers-country-here] and ruin my business"
"How would a hacker find us on the Internet"
There are a few pearls in the list above, but these are often the things that Incident Responders have to deal with from our customers.  Don't forget that often (2/3 of cases typically) a third party discovers the breach and the victim is informed without coming to the discovery themselves.

Anger (limited number for the PG audience)
"Why are you trying to ruin my business"
Being treated poorly, e.g. working in a hot room without air-conditioning when the temperature is over 40C outside.
"Why do things like this happen to me?"
Angry stream-of-consciousness emails from the customer early in the morning (e.g. 2:30AM) that lack rational reasoning.

Bargaining
I suspect that many of these are internalised and few are shared with the IR team.  My partner described this as the "if only" phase.
"If we made the changes that you are talking about will all of this go away?"
"Can I pay a fine so I can get back to my normal business?"
"Can I install a firewall to fix all these problems?"

Depression
In my opinion this can show up as a lack of communication with the investigator, as the customer has withdrawn to deal with their situation.  It's OK; they are coming to terms with the new normal and the fact that they have really had a data breach and now need to improve their security.

Acceptance
"What do we need to do to ensure this cannot happen again"
My partner also pointed out that in her experience, and that of most in the counselling field, the grief process is not linear (1-2-3-4-5): people vacillate between different phases and often go back and forth for a period of time.  Thankfully dealing with a computer security incident is not as difficult as dealing with interpersonal grief, so the process does not last as long as when dealing with personal loss, but don't be surprised when/if people go backwards.  It does happen, and the better prepared we are, the better we can deal with other people's emotions.

This got me thinking that one of the things we are not trained for as incident responders is dealing with the customers in this situation.  As a counsellor, my partner worked part time for a few years to complete a Masters Degree (another one) to learn how to deal with people going through this cycle.  As IR professionals dealing with many people going through the breach grief cycle, we get no such training and have to work out for ourselves how to deal with customers going through it.

I have lived and worked in Australia for quite a lot of my life, and we have recently passed mandatory data breach disclosure legislation as part of our existing Privacy Act.  Whilst it is not yet required for Australian businesses to disclose a data breach, it is coming within 12 months of the passing of the amendment to the Act.  Reflecting on the countries in which I have worked in the last decade, I can see a pattern: those that do not have mandatory breach disclosure legislation more often have business leaders who are incredulous that a data breach could affect them, versus other regions (e.g. USA, Japan, Europe).  Perhaps it is a matter of awareness of the potential for data breaches?

Please note that the intent of this blog is not to trivialise grief, or the feelings of loss that people have to deal with in their personal lives, merely the observation that IR people can possibly learn from research into grief.  Even knowing that this may be what the customer is experiencing can help the responder deal with them more effectively.  At the end of the day it's not all about the number of records stolen, or the value of sensitive data that has been compromised; it is about how the people feel about it, and I think a small amount of grief is natural in that circumstance.  Understanding the victim's perspective definitely helps us to be empathetic with their position, and therefore we are better placed to help them make the right decisions on what may be one of the toughest days of their professional life.
