Information Security Failures and Brand Impacts

Although I joined LinkedIn some time ago, I do not often check my account there. On a recent login, I noticed that Jeff Lowder — a Director of Information Security and Risk Management at the Walt Disney Internet Group — asked a great question. He gave me permission to post it here:

As opposed to the “Fear, Uncertainty, and Doubt” (FUD) approach, how should potential impact to an organization’s brand factor into information security risk analysis?

It is quite common to hear people talk about somehow factoring potential damage to an organization’s brand into the equation when thinking about information security risks, but it seems to me that the brand impact issue is much more complicated than usually assumed. Not all impacts to the brand are equal. Furthermore, depending on the organization and the type of risk there may not actually be a measurable impact to the brand. Can anyone recommend a good approach for taking “brand impact,” within information security risk analysis, to the next level?

Please note: I am not necessarily taking about trying to quantify the impact of damage to the brand, though that could certainly be one possible approach. Rather, I’m wondering if there is some sort of framework that can be adapted to individual organizations.

What I really enjoyed about this question is that on the surface it appears to be an information security question, but in fact it’s not.

To me, it really asks: How are brands damaged? And, how can we understand information security failures to fit into a paradigm about how brands are damaged since information security failures are only one way for brands to be diminished?

The question asks for a framework; I began to sketch one. I soon realized that a full article on how brands are damaged would clearly be beyond the scope of this post: it would take a book.

So I offer my thoughts on the matter without much more than that. It’s meant to be a starter and subject to change, not the final word. Here are a few points of interest.

Relativity: A brand represents value, the values of the company and its core competency. The closer (or more relative) the event is to that core competency, the worse the damage. Example: Choicepoint [Note: this particular link is to a paper I wrote on data breaches.]

Brevity or Longevity: Brand damage may happen suddenly or over time. While the sudden events are well documented, the long term damage is also a factor. An case of long term brand decline would be a clothing company that cannot reinvent itself and it’s styles fall out of favor. Example: LaCoste (although it ultimately came back into style).

Proximity: Whether B2B or B2C, the closer the direct effect of the event is to those effect by it the worse it is. Will I even be aware of it? We tend to care less about something the less it seems to directly effect us. The converse is also true. Example: Taco Bell E. coli.

Extremity: How significant or dangerous is the event? Will it kill me? Example: Tylenol Crisis of 1982.

Frequency: How often does something detrimental happen? Examples: Incidences at Six Flags Great Adventure.

Duration: How long does the incident occur? Example: JetBlue 11-hour delay.

Scope: How far reaching (or large) is the event? Example: TJX.

It seems to me that these categories can also be applied to analyzing about how an information security event may damage a company’s brand. So, this is somewhat of a framework but incomplete.

Post a Comment

Your email is never published nor shared. Required fields are marked *