Measuring Communication Effectiveness in Security and Privacy

Research, Analysis, and Evaluation

Copyright Melanie Ensign

One of the most well-known communication models is the one developed by political scientist and communication theorist Harold Lasswell in 1948. It’s been adapted many times over the years due to its easy-to-understand description of communication:

Who ➡️ Says what ➡️ To whom ➡️ With what effect?

Communication is critical to every aspect of security and privacy operations. While major incidents steal the headlines and public attention, the reality is that everything within the purview of security and privacy benefits from improved communications. Without effective communication, incident response is sluggish and chaotic, policies aren’t followed or enforced, business leaders make uninformed decrees, audits drown team morale, and confusion among external stakeholders breeds mistrust and resentment. 

If there was ever a time for security and privacy leaders to upgrade their communication skills and those of their team, this is it! 

Folding communication theory and practice into a security or privacy organization is a natural part of earning trust, credibility, and influence. However, it’s not always obvious how to build this capability without a formal communications mandate or experienced staff. 

Fortunately, the Institute for Public Relations (IPR) offers a useful guide for quantifying the impact of communications using research, analysis, and evaluation. Initially intended as a resource for chief communication officers, the guide is applicable to anyone who seeks to improve communications within their function, measure its impact, and articulate that value to leadership. 

The non-linear process of communication, as defined by IPR, includes five core components: 1) landscape analysis, 2) setting objectives, 3) developing strategy, 4) tactical creation and activation, and 5) evaluation and continuous improvement. 

Our team at Discernible is often called in to rescue security and privacy communication initiatives that stall and burn out before advancing beyond tactical creation and activation. It’s easy to get excited about specific program elements or new assets. It’s also easy to measure outputs. You can simply count how many times you distributed a communication asset such as an email, presentation, newsletter, blog post, or quarterly business review (QBR) report.

However, without conducting research to first understand the environment, to define and prioritize objectives based on those findings, or to develop appropriate messaging for various stakeholders, programs born solely from tactical creation and activation can easily end up as an expensive shot in the dark. Additionally, communication programs that lack evaluation rob your team of the ability to accurately capture and articulate value beyond output volume.

Image Credit: Institute for Public Relations

Outputs, Outtakes, and Outcomes -- why does it matter what we measure? 

When measuring the effectiveness of communication activities, it’s imperative that we use valid metrics—meaning they actually measure what they’re supposed to. Metrics like click-through or open rate can’t measure the persuasiveness of a message or its effect on perception, credibility, and trust.

Your overall communication objectives — outputs, outtakes, or outcomes — dictate what we need to measure in order to evaluate the effectiveness of our efforts. 

  • Output: the number of communication artifacts produced and/or distributed. It’s a measure of what the organization does rather than its impact. 

  • Outtakes: measurement and analysis of how stakeholders received your communication such as awareness, recall, understanding, and retention.

  • Outcomes: the effect, consequence, or impact of communication activities, ultimately representing the perspective of stakeholders with a quantifiable change in attitude or behavior.

This comparison from IPR’s report further illustrates the difference between how outputs, outtakes, and outcomes can be measured in the field of public relations. 

Image Credit: Institute for Public Relations

Below, I’ve made a simple adaptation to show how this same framework can be applied to communication initiatives for security or privacy. Remember, we can’t just claim that our activities lead to trust or reputation benefits; we must measure those benefits in order to prove them. In certain cases, I recommend working with business partners that already measure these types of outcomes for the company at large (e.g., marketing, customer research, PR) and asking how your efforts might be included in their ongoing research and evaluation measurements.

Image Credit: Discernible Inc

Whether your team needs to communicate about a new security training program, data protection regulation, or emerging incident, don’t miss your opportunity to research, measure, and evaluate the effectiveness of your communication investments. 

I highly recommend reviewing the entire IPR guide for more insights on how to measure communication effectiveness, and adapting these principles to meet the communication needs of your security and privacy organizations.
