Risk Communications: An Introduction
Risk makes individuals, groups, and markets behave in certain ways. Our success as security and privacy professionals depends on our ability to help non-experts make risk-related choices. The study of risk communications examines the processes that determine how our communication with these stakeholders enhances or degrades their decision-making ability.
Dr. Baruch Fischhoff, the Howard Heinz University Professor at the Institute for Politics and Strategy and the Department of Engineering & Public Policy at Carnegie Mellon University, has studied risk communications for decades and authored some of the most significant research and theory in this area. I discovered his work years ago and had the pleasure of participating in a workshop with him a few years ago at UC-Berkeley to investigate the current state of risk communications in the technology sector.
In my experience, a risk communications framework is more appropriate for security and privacy issues instead of crisis communications work, which is primarily reactive by design. As I’ve written before, incentivizing crisis communications over crisis prevention communications is a recipe for disaster. It’s why I founded Discernible in the first place, to give security and privacy organizations a communications partner that was equally invested in preventing crises.
Even when counseling clients through incident response, our north star isn’t to defend mistakes or put lipstick on a pig. Our goal is always to inform people about the benefits, risks, and other costs of their decisions, so they can make sound choices. Every stakeholder benefits from helpful, empowering, and productive communications. Risk communications addresses their fear head on, strengthening relationships and helping people move forward.
For example, let’s look at how Fischhoff's 4 steps for effective risk communications can help organizations work through incident response communications. Fischoff outlined these steps in his 2012 overview of communication sciences presented to the National Academy of Sciences. I’ve added my own commentary and context regarding incident response.
1. Identify the science most relevant to the decisions people face
First, we need to define who the “people” are in our situation. It could be customers, regulators, employees, other third party security teams, law enforcement, investors, etc. Typically, it’s a combination of overlapping stakeholders who consume information differently in various contexts.
Informed choices usually require knowledge about multiple sciences. In most security or privacy incidents, the decisions facing our stakeholders might include aspects relevant to psychology, sociology, and economics.
Why does this matter? Because one of the most important responsibilities of a professional communicator is identifying the specific facts that people need to know among the myriad of facts that would be nice to know. That analysis depends on the decisions we need to inform. We have to put ourselves in the position of our stakeholders and ask:
“When deciding what to do, how much difference would it make to learn X, Y, or Z?”
Our messages should begin with the most valuable information first and then continue as long as the benefits of learning more outweigh its costs i.e. recipients reach their absorptive capacity and don’t retain the most valuable information. You can also consider linking to additional information for those that are interested.
Remember the facts that matter to security and privacy professionals may not matter to other stakeholders. However, we cannot disregard these professionals in our communications strategy either because of the influence they have over other stakeholders.
As Fischhoff put it:
“No layperson could understand all of the relevant sciences to any depth. Indeed, neither could any scientist. Nor need they have such vast knowledge. Rather, people need to know the facts that are “material” to their choices (to use the legal term). That knowledge might include just summary estimates of expected outcomes (e.g., monetary costs, health risks). Or, it might require enough knowledge about the underlying science to understand why the experts make those estimates. Knowing the gist of that science could not only increase trust in those claims, but also allow members of the public to follow future developments, see why experts disagree, and have a warranted feeling of self-efficacy, from learning—and being trusted to learn—about the topic.”
2. Determine what people already know
Following a security or privacy incident, your stakeholders will think, feel, and believe a number of different things based on what they already know (or think they do). How much do they know about your organization’s security and privacy capabilities and investments? This is my plug for proactive risk communications that distribute knowledge to your stakeholders in advance of an incident. 😉
Be careful to avoid using full disclosure as a way of burying inconvenient facts within irrelevant ones. When your audience is forced to read between the lines of expert statements, they can’t make full use of the knowledge you’re giving them. Nor can they fairly evaluate our performance as experts – if you ever hope to receive the benefit of the doubt in the wake of an incident, you need proactive risk communications to educate stakeholders before that information becomes critical in their decisions regarding an incident.
3. Design communication to fill the critical gaps
More than a century of social, behavioral, and decision science research has revealed many principles that can be used in designing effective risk communications.
According to Fischhoff, “a comprehensive approach to communication would consider not only principles of judgment and choice, but also behavioral principles identified in studies of emotion, which find that feelings can both aid communication, by orienting recipients toward message content, and undermine it, as when anger increases optimism—and diminishes the perceived value of additional learning. A comprehensive approach would also consider the influences of social processes and culture on which information sources people trust and consult.”
Security and privacy communications must factor in how stakeholders make decisions about the related risks. For example, fear may draw more initial attention to a message, but it also impedes judgment and sound decision-making; so informing without amplifying fear is important for risk communicators.
4. Evaluate adequacy and repeat as necessary
Poor communications cause immediate damage if they keep people from using available security or privacy knowledge. They cause lasting damage if they erode trust between organizations and their stakeholders. This happens when stakeholders see organizations as insensitive to their needs and security/privacy professionals treat our stakeholders as incapable of grasping seemingly basic facts.
Fischhoff provides a simple task analysis to test the adequacy of our communications. A communication is adequate if it: 1) contains the information that recipients need, 2) in places they can access, and 3) in a form they understand.
Because each of these elements can be measured, it’s possible to measure general performance of our communications. However, these are outputs, not outcomes and to truly measure our effectiveness, we need to measure the impact of our communications, such as changes in organizational reputation, trust, and stakeholder behavior.