June 18, 2015 By Diana Kelley

In the first installment of this three-part series, we talk with Kelley Misata, Ph.D. candidate at Purdue University Center for Education and Research in Information Assurance and Security (CERIAS), on the topics of privacy and risk management communication.

Question: Hello Kelley, and thank you so much for participating in this interview on privacy and risk communication. Can you let us know a little bit about how you decided to enter the Ph.D. program at Purdue CERIAS with a focus on privacy and risk communication?

Answer: Fate has a funny way of putting things in your path you never expected. While attending a dinner event at RSA in 2011, I had the pleasure of meeting Dr. Gene Spafford (Spaf). Throughout the year, we kept in touch, then he asked if I would come speak at Purdue about my entry into cybersecurity, privacy and risk communication. So while there in February 2012, I met with Spaf and Dr. Marcus Rogers. Both mentioned to me this exciting interdisciplinary Ph.D. program in information security and said that I should consider applying. At the time I laughed and said, “Yeah, right, why would this program want someone with an MBA in marketing who hasn’t been in academia in over 15 years?”

After some careful thought about opportunities life puts in front of us just when we need them most, I applied and determined at that point I fulfilled the opportunity. Much to my surprise, I received an email from Spaf a few months later saying, “Welcome to the program!” I was floored and took some time to really consider what this would mean for me, for my daughters (putting up with me) and my path in this field. September 2012, I started, and I haven’t looked back — it has been an incredible (difficult, humbling, wonderful) journey so far.

Question: You’re finishing up the program in just over a year. Can you talk a little bit about the research you’re doing for your dissertation and the impact on privacy and risk communication?

Answer: Yes! I’m very excited about this research as it allows me to explore all the new things I’ve learned in the program while utilizing my over 17 years of communications, marketing and strategy skills.

When I started the program, I had it in my mind that I would focus my research on victims, like I was, of online abuse — stalking, harassment, domestic violence, etc. — and finding ways to help them. I realized through my coursework and other conversations that one of the important missing links in helping victims of abuse and technology is the crisis organizations.

Therefore, my research is focusing on the technology protocols, policies and education programming that crisis organizations have in place to keep their ecosystems safe from intrusion, eavesdropping and attack.

The hypothesis is that many of these organizations are struggling to keep pace with the technologies, legal complexities and human dynamics regarding information security. Ideally, through this research, potentially life-threatening gaps in security and privacy will be identified in order to provide recommendations on next-step realistic protocols.

The ultimate “so what” in all of this is that if we can help the organizations that are so passionate about helping victims of domestic violence, abuse, stalking and harassment understand security better from the inside, then, maybe, they will be able to transfer that knowledge and support to their clients.

Coming full circle, I came to realize in my own situation that you can’t control the bad guys, but we can help the people who are there helping the victims and the survivors.


Question: I’ve heard you speak about how there is an intersection between crisis communications, privacy and risk communication and infosec/cybsec comms that you identified when you were Director of Outreach and Communications for the Tor Project. Can you talk a little bit about that? And how has your thinking evolved during your graduate studies?

Answer: Again, it sort of goes back to that comment earlier about fate: You really never know what life will throw your way. In June 2013, I was working at Tor as Director of Communications when the news about Edward Snowden broke. As many people saw, one of the first photos of him was of him sitting with a laptop prominently displaying a Tor sticker on it. Wow! How do we deal with this?

As conversations sparked and the flood of requests from the press came into Tor, I quickly realized: We are in a great spot here. Instead of going on the defensive, finally the world is talking about privacy, anonymity, big data and what all this technology is doing for us, both good and bad. This was a door to having educational, important conversations that may not happen again for a long time, so we better be ready to step in.

Fortunately, through my graduate studies and my years in marketing and communications, you learn some methods to assess a crisis situation where even though things can look bleak you find a way to trudge through it. What I’m discovering in a lot of my work (now post-Tor; I left in September 2014) and my research is that all of these topics — privacy, anonymity, big data, surveillance — are all very scary. I feel it is part of my place in this world (in this field) to help people to not be scared but to be informed so that they can make the best decisions for themselves.

Don’t miss part two of this interview, where Kelley discusses how reframing what we think we know can help us change the privacy conversation.
