As an incident response (IR) professional, investigating data breaches has introduced me to many new people, but it is never under the best circumstances. I’ve had more than one client say, “It’s been great to meet you, but I hope to never see you again,” which in the world of IR means, “Thanks for helping us when we were having a bad time, but we hope to never have to use your services again because it means we are going through another data breach.”
In the early days of my career, it was difficult to understand why some of my customers were unhappy and sometimes angry to work with me, when I was trying so hard to help them. I have also encountered mistrust as though the customer is thinking, "If we let you in, how do we know you are not going to steal all of our information?" which made me feel like the bad guy.
What I wasn’t always considering is that most people going through a breach situation are totally unprepared for what is likely a catastrophic event in their lives. I’ve witnessed people in this situation start spiralling into all sorts of conspiracy theories or feelings that everyone has let them down or even denying that they have an issue – insisting it’s been a mistake and "could not possibly be us" and similar expressions.
After a while you begin to realise there is a pattern. One day when looking over my partner’s shoulder at home, I saw what she was reading and had an epiphany. I realised that the behaviours I recognised are from a social sciences model that has nothing to do with technology. One of the fields my partner studies involves the Five Stages of Grief – a paradigm that I immediately recognised as similar to what my customers seemed to be going through. The Five Stages of Grief were hypothesised and made famous by Dr. Elisabeth Kübler-Ross in her book, “On Death and Dying.” These stages are:
- Denial
- Anger
- Bargaining
- Depression
- Acceptance
How IR Customers Express These Stages
The denial and anger stages were what triggered me initially because I had recognised these emotions in so many of my customers. I realised that, during investigations, customers showed some or all of the traits typically associated with these stages as we worked our way through an incident.
The following are some reactions I’ve received from customers that represent patterns of behaviour similar to the stages of grief.
Denial: Data breach victims experiencing the denial stage will say things such as:
- "It could not possibly be us, we don't store that data"
- "We have the lock in the browser so all of our transactions are secure"
- "I rang my IT guy and he/she said we are secure"
- "Why would anyone want to hack into us in [insert tiny location] from [insert known hive of hackers’ country] and ruin my business?"
- "How could a hacker find us on the Internet?"
These sorts of statements are what IR professionals often must deal with from our customers. It is also important to remember that in many cases (typically, two-thirds of them) a third party discovers the breach and the victim is informed without ever having discovered it themselves – adding to their frustration.
Anger: Although limited in how explicit I can be with quotes from the anger stage, you’ll hear statements such as:
- "Why are they trying to ruin my business?"
- "Why do things like this happen to me?"
Anger can also take the form of “stream of consciousness” emails from customers that don’t always make sense – sometimes arriving at 2:30 A.M.
Bargaining: My partner, who is a counsellor, described this as the "if only" phase. Although many of the thoughts around this stage are internalised, customers sometimes share them with the IR team:
- "If we made the changes that you are talking about will all of this go away?"
- "Can I pay a fine so I can get back to my normal business?"
- "Can I install a firewall to fix all these problems?"
Depression: This stage may stem from a lack of communication with the investigator, causing the customer to withdraw and try to deal with the situation on their own. This stage can also signal that the customer is coming to terms with the “new normal” and the fact that they have really had a data breach and now need to improve their security.
Acceptance: The most common expression you hear from customers in this stage is, "What do we need to do to ensure this cannot happen again?"
Not a Linear Process
My partner also pointed out that, in her experience, the grief process is not necessarily linear. Actually, people move between different stages, often going back and forth for a period. Fortunately, dealing with a computer security incident is not as difficult as dealing with grief, so the process usually doesn’t last as long. However, don’t be surprised if your customers move from one stage to an earlier one. This does happen, and the better prepared you are for it, the better equipped you’ll be to deal with your customer’s emotions effectively.
Unfortunately, as IR professionals, we aren’t trained to deal with customers who may be going through the stages of grief resulting from a breach. While therapists and counsellors are well trained in how to deal with people going through the grief cycle, in IR there is no comparable training – we have to work out how to deal with customers going through this cycle ourselves.
In Australia, where I live and work, we have recently passed mandatory data breach disclosure legislation as part of our existing Privacy Act. Although it is not yet required that Australian businesses disclose a data breach, it will be within 12 months of the passing of the amendment to the Privacy Act.
Over the last decade, I’ve worked in a number of different countries and have noticed another pattern: countries that don’t have mandatory breach disclosure legislation are more likely to have business leaders who have difficulty accepting the fact that a breach has happened to them. However, in regions such as the U.S., Japan and Europe, where such legislation exists, there seems to be more awareness that a data breach can occur.
How IR is Enhanced by Understanding the Five Stages
I want to note that the intention of this discussion is not to trivialise grief or the feelings of loss that people have to deal with in their personal lives. Rather, it is to observe that IR professionals could learn something by researching the grieving process. Even knowing that this may be what your customers are experiencing can help you deal with them more effectively.
Because at the end of the day it's not just about the number of records stolen, or the value of sensitive data that has been compromised, it is also about how your customer feels about it – a certain amount of grief is natural. Understanding the victim’s perspective can help IR investigators be more empathetic with their customers and therefore, better prepared to help them make the right decisions in what may be one of the toughest days in their professional lives.
CrowdStrike Services provides a wide range of offerings that can help your organisation improve security to better avoid a breach, or expertly deal with a breach that has already occurred.