As an incident response (IR) professional, investigating data breaches has introduced me to many new people, but it's never under the best circumstances.
I've had more than one client say, "It's been great to meet you, but I hope to never see you again,” which in the world of IR means: “Thanks for helping us when we were having a bad time, but we hope to never have to use your services again because it means we are going through another data breach.”
In the early days of my career, I found it hard to understand why some of my customers seemed less than happy to work with me and some were even angry, when I was trying so hard to help them. I've also encountered mistrust as though the customer is thinking, "If we let you in, how do we know you are not going to steal all of our information?" — which also made me feel like the bad guy.
What I wasn't always considering and what I understand better now is that most people going through a breach situation are totally unprepared for what is likely a catastrophic event in their lives. I've witnessed people in this situation start spiraling into all sorts of conspiracy theories or feelings that everyone has let them down or even denying that they have an issue — insisting it's been a mistake and "could not possibly be us" and similar expressions.
After a while you begin to realize there is a pattern. One day when looking over my partner's shoulder at home, I saw what she was reading and had an epiphany. I realized that the behaviors I recognized are from a social sciences model that has nothing to do with technology. One of the fields my partner studies involves the Five Stages of Grief — a paradigm that I immediately recognized as similar to what my customers seemed to be going through. The Five Stages of Grief were hypothesized and made famous by Dr. Elizabeth Kubler Ross in her book, “On Death and Dying.” These stages are:
The denial and anger stages were what triggered me initially because I had recognized these emotions in so many of my customers. I realized that during investigations, customers showed some or all of the traits typically associated with these stages as we worked our way through an incident, which usually entails kicking out bad guys, reporting on what had happened and advising the customer on how to stop it from happening again.
The following are some reactions I've gotten from customers that represent patterns of behavior similar to the stages of grief.
Denial: Data breach victims experiencing the denial stage will say things such as:
● "It could not possibly be us, we don't store that data"
● "We have the lock in the browser so all of our transactions are secure"
● "I rang my IT guy and he/she said we are secure"
● "Why would anyone want to hack into us in [insert tiny location] from [insert known hive of hackers' country] and ruin my business?”
● "How could a hacker find us on the Internet?"
These sorts of statements are what IR professionals often must deal with from our customers. It's also important to remember that in many cases, typically, two-thirds of them, a third party discovers the breach and the victim is informed without ever coming to the discovery themselves — adding to their frustration.
Anger: Although limited in how explicit I should be with quotes from the anger stage, you'll hear statements such as:
● "Why are they trying to ruin my business?"
● "Why do things like this happen to me?"
Anger can also take the form of “stream of consciousness” emails from customers that don't always make sense — sometimes arriving at 2:30 A.M.
Bargaining: Although I suspect that many of the thoughts around this stage are internalized, customers sometimes share them with the IR team. My partner, who is a counselor, described this as the "if only” phase:
● "If we made the changes that you are talking about, will all of this go away?"
● "Can I pay a fine so I can get back to my normal business?"
● "Can I install a firewall to fix all these problems?"
Depression: This stage may stem from a lack of communication with the investigator, causing the customer to withdraw and try to deal with the situation on their own. This stage can also signal that the customer is coming to terms with the “new normal” and the fact that they have really had a data breach and now need to improve their security.
Acceptance: The most common expression you hear from customers in this stage is, "What do we need to do to ensure this cannot happen again?"
Not a Linear Process
My partner also pointed out that in her experience, and that of most in the counseling field, the grief process is not necessarily linear — people don't go in an orderly fashion from one stage to the next. Actually, people vacillate between different stages, often going back and forth for a period of time. Fortunately, dealing with a computer security incident is not as difficult as dealing with interpersonal grief, so the process usually doesn't last as long. However, don't be surprised if people go backwards and move from one stage to an earlier one. This can happen and the better prepared you are for it, the better equipped you'll be to deal with your customer's emotions effectively.
Unfortunately, as IR professionals, we aren't trained to deal with customers who may be going through the stages of grief resulting from a breach. While therapists and counselors are well trained in how to deal with people going through the grief cycle, in IR there is no comparable training — we have to work out how to deal with customers going through this cycle ourselves.
In Australia, where I live and work, we have recently passed mandatory data breach disclosure legislation as part of our existing Privacy Act. Although it is not yet required that Australian businesses disclose a data breach, it will be within 12 months of the passing of the amendment to the Privacy Act. Over the last decade, I've worked in a number of different countries and have noticed another pattern: countries that don't have mandatory breach disclosure legislation are more likely to have business leaders who have difficulty accepting the fact that a breach has happened to them.
However, in regions such as the U.S, Japan and Europe, where such legislation exists, there seems to be more awareness that a data breach can occur.
How IR is Enhanced by Understanding the Five Stages
The intention of this article is not to trivialize grief or the feelings of loss that people have to deal with in their personal lives, rather, it's to make the observation that IR professionals could learn something by researching the grieving process.
Even knowing that this may be what your customers are experiencing can help you deal with them more effectively. Because at the end of the day it's not just about the number of records stolen, or the value of sensitive data that has been compromised, it is also about how your customer feels about it — a certain amount of grief is natural. Understanding the victim's perspective can help IR investigators be more empathetic with their customers and therefore, better prepared to help them make the right decisions in what may be one of the toughest days in their professional lives.