In the first installment of this three-part series, we talk with Kelley Misata, Ph.D. candidate at Purdue University Center for Education and Research in Information Assurance and Security (CERIAS), on the topics of privacy and risk management communication.

Question: Hello Kelley, and thank you so much for participating in this interview on privacy and risk communication. Can you let us know a little bit about how you decided to enter the Ph.D. program at Purdue CERIAS with a focus on privacy and risk communication?

Answer: Fate has a funny way of putting things in your path you never expected. While attending a dinner event at RSA in 2011, I had the pleasure of meeting Dr. Gene Spafford (Spaf). Throughout the year, we kept in touch, then he asked if I would come speak at Purdue about my entry into cybersecurity, privacy and risk communication. So while there in February 2012, I met with Spaf and Dr. Marcus Rogers. Both mentioned to me this exciting interdisciplinary Ph.D. program in information security and said that I should consider applying. At the time I laughed and said, “Yeah, right, why would this program want someone with an MBA in marketing who hasn’t been in academia in over 15 years?”

After some careful thought about opportunities life puts in front of us just when we need them most, I applied and determined at that point I fulfilled the opportunity. Much to my surprise, I received an email from Spaf a few months later saying, “Welcome to the program!” I was floored and took some time to really consider what this would mean for me, for my daughters (putting up with me) and my path in this field. September 2012, I started, and I haven’t looked back — it has been an incredible (difficult, humbling, wonderful) journey so far.

Question: You’re finishing up the program in just over a year. Can you talk a little bit about the research you’re doing for your dissertation and the impact on privacy and risk communication?

Answer: Yes! I’m very excited about this research as it allows me to explore all the new things I’ve learned in the program while utilizing my over 17 years of communications, marketing and strategy skills.

When I started the program, I had it in my mind that I would focus my research on victims, like I was, of online abuse — stalking, harassment, domestic violence, etc. — and finding ways to help them. I realized through my coursework and other conversations that one of the important missing links in helping victims of abuse and technology is the crisis organizations.

Therefore, my research is focusing on the technology protocols, policies and education programming that crisis organizations have in place to keep their ecosystems safe from intrusion, eavesdropping and attack.

The hypothesis is that many of these organizations are struggling to keep pace with the technologies, legal complexities and human dynamics regarding information security. Ideally, through this research, potentially life-threatening gaps in security and privacy will be identified in order to provide recommendations on next-step realistic protocols.

The ultimate “so what” in all of this is that if we can help the organizations that are so passionate about helping victims of domestic violence, abuse, stalking and harassment understand security better from the inside, then, maybe, they will be able to transfer that knowledge and support to their clients.

Coming full circle, I came to realize in my own situation that you can’t control the bad guys, but we can help the people who are there helping the victims and the survivors.

Hear more from Kelley Misata in this exclusive podcast interview

Question: I’ve heard you speak about how there is an intersection between crisis communications, privacy and risk communication and infosec/cybsec comms that you identified when you were Director of Outreach and Communications for the Tor Project. Can you talk a little bit about that? And how has your thinking evolved during your graduate studies?

Answer: Again, it sort of goes back to that comment earlier about fate: You really never know what life will throw your way. In June 2013, I was working at Tor as Director of Communications when the news about Edward Snowden broke. As many people saw, one of the first photos of him was of him sitting with a laptop prominently displaying a Tor sticker on it. Wow! How do we deal with this?

As conversations sparked and the flood of requests from the press came into Tor, I quickly realized: We are in a great spot here. Instead of going on the defensive, finally the world is talking about privacy, anonymity, big data and what all this technology is doing for us, both good and bad. This was a door to having educational, important conversations that may not happen again for a long time, so we better be ready to step in.

Fortunately, through my graduate studies and my years in marketing and communications, you learn some methods to assess a crisis situation where even though things can look bleak you find a way to trudge through it. What I’m discovering in a lot of my work (now post-Tor; I left in September 2014) and my research is that all of these topics — privacy, anonymity, big data, surveillance — are all very scary. I feel it is part of my place in this world (in this field) to help people to not be scared but to be informed so that they can make the best decisions for themselves.

Don’t miss part two of this interview, where Kelley discusses how reframing what we think we know can help us change the privacy conversation.
