Developing Privacy Incident Responses to Combat Information Warfare




incident response, privacy, information warfare, disinformation


Violations of privacy harm real people, and as nation-state actors grow their information warfare capabilities, civilians suffer these harms as part of coordinated and targeted actions on objectives. When privacy harms manifest, they allow threat actors to injure data subjects by weaponizing their information to harm individuals, communities, and societies. These attacks injure civilians as the confidence of legitimate authorities, institutions, and defences is eroded, and consequences may impact national security. Distinct from cybersecurity, privacy depends upon confidentiality, integrity, and availability but encompasses a unique set of concerns. Whereas security incident response has an established practice and research history, approaches to privacy incident response, such as unauthorized disclosure, are not well researched or documented in academic literature in the unique context of privacy. By mapping privacy harm to techniques and tactics, a cohesive framework emerges to distinguish tailored mitigation strategies for each. This paper proposes a conceptual model and classification framework for privacy-related harms, tactics, techniques, and mitigation strategies to address sophisticated privacy threat actors. Using this model and framework, contingency planners can develop privacy incident response strategies to defend against the privacy harms of information warfare.

Author Biographies

Sean McElroy, Dakota State University, Madison, USA

Sean McElroy has built financial services products throughout his 20-year career. He serves as the CSO of Lumin Digital, a digital banking fintech. Previously, he co-founded Alkami Technology. Sean is a Ph.D. student in Dakota State University’s Cyber Defense program and earned a Masters of Science in Information Security Engineering from the SANS Technology Institute.

Lisa McKee, Dakota State University, Madison, USA

Dr. Lisa McKee, a highly regarded security and privacy expert, has 20 years of industry experience, and a regular featured speaker at conferences and events globally including RSAC. Her Ph.D. is in Cyber Defense and dissertation in Privacy from Dakota State University where she shares her passion for privacy and security as an associate professor.