Design preview · adopts the Kaharagian design system
An official training service of the State of the Kaharagians
Royal Army CollegeRoyal Army CollegeRoyal Kaharagian ArmyThe College of the Army
CIS 310 Cyber Incident Response and Continuity
Lesson 8 of 10CIS 310

Crisis Communication, Notification, and Coordination

Lesson Overview

A cyber incident is not only a technical problem to be solved; it is an event that other people need to know about, that may oblige the Principality to tell those affected, and that often requires coordinating several parties at once. The team can contain and recover an incident flawlessly and still fail badly if it communicates poorly: leaving its own command uninformed, failing to tell the nationals whose data was exposed, contradicting itself in public, or coordinating in chaos with the partners and authorities a serious incident involves. This lesson is about the human and external side of incident response: communicating clearly during a crisis, notifying those who must be told, and coordinating the people, internal and external, whose involvement an incident requires. It complements the technical response of the earlier lessons with the equally essential discipline of handling the people and the message, which a serious incident makes as important as the fix.

Two ideas govern the lesson. The first is that in a crisis, communication must be deliberate, because poor communication causes its own harm. Under the pressure of an incident, communication left to chance goes wrong, the wrong people are told or not told, the message is confused or contradictory, panic spreads or complacency reigns, and these failures compound the incident with a second, self-inflicted crisis of confusion and lost trust. So communication in an incident is planned and controlled as deliberately as the technical response: who is told what, when, by whom, through what channel, decided and managed rather than left to whoever speaks first. The second is that the Principality owes honesty to those affected, especially the nationals whose data it holds in trust, so notification, telling people their data or service was affected, is a duty, not an inconvenience to be avoided, and is done honestly and in good time. Together, deliberate crisis communication and honest notification protect what an incident most threatens after the systems themselves: the trust of the people and partners the Principality depends on.

This is the knowledge layer; the practice of crisis communication and coordination is led by those responsible, with the most serious decisions resting with command. It rests on recognised crisis-communication and breach-notification practice and the Principality's duties to its nationals, and is defensive and lawful. Read this to understand the discipline; the practice is led under command.

By the end you will be able to explain why crisis communication must be deliberate, communicate clearly and consistently during an incident, notify those who must be told honestly and in good time, coordinate the internal and external parties an incident involves, and understand the disclosure duty to nationals and the limits of the responder's role.

Key Terms

  • Crisis communication: the deliberate, controlled communication conducted during an incident, internally and externally, to inform without causing further harm.
  • Notification: the telling of those affected by an incident, especially the people whose data or service was compromised, that it occurred.
  • Disclosure duty: the obligation to inform those affected, and where required the proper authorities, of an incident, honestly and in good time.
  • Internal communication: keeping the force's own command and members informed during an incident, so the response is directed and not blind.
  • External communication: communication with parties outside the force, affected nationals, partners, providers, authorities, the public.
  • Coordination: the orderly involvement of the several parties an incident requires, so they work together rather than at cross-purposes.
  • Single voice: the discipline of speaking with one consistent message, through designated communicators, rather than many contradictory ones.
  • Holding line: an honest, agreed initial message that can be given while facts are still being established, without speculation.
  • Need-to-know in a crisis: telling each party what they need, balancing honesty and timeliness against not spreading sensitive incident detail unnecessarily.
  • Command decision: the most serious communication and disclosure decisions, which rest with command, not the technical responder alone.

Why crisis communication must be deliberate

It is tempting, in the heat of an incident, to treat communication as secondary to the technical fix, something to be dealt with later or left to whoever happens to speak. This is a serious mistake, because poor communication during an incident causes real harm of its own, independent of the technical damage. Communication left to chance goes wrong in predictable ways: the force's own command is left uninformed and cannot direct the response or make the decisions only it can; the people affected are not told, or told too late, and are harmed and angered by the silence; the message to the outside is confused or contradictory, as several people say different things, which spreads alarm and destroys confidence; rumour and speculation fill the vacuum that controlled communication should have occupied. These are not minor inconveniences but a second crisis, of confusion, panic, and lost trust, layered on the first, and entirely self-inflicted.

The harm of poor crisis communication is, above all, to trust, which is exactly what a digital Principality can least afford to lose. The Principality depends on the trust of its nationals, who entrust it their data and rely on its services, and of its partners; an incident already threatens that trust by showing the systems can be harmed, and poor communication, silence, evasion, contradiction, confirms the worst of it, suggesting a state that cannot be honest or competent in a crisis. Good communication, by contrast, can actually protect trust through an incident: a Principality that communicates honestly, clearly, and consistently, telling people what they need to know in good time and managing the message competently, demonstrates exactly the honesty and competence that sustain trust even when systems have failed. So how an incident is communicated shapes whether it costs the Principality its people's trust or, handled well, even reinforces it.

This is why crisis communication is deliberate and controlled, planned and managed as carefully as the technical response. It is decided, not left to chance: who is told what, when, by whom, and through what channel, are determined by those leading the response and, for the serious decisions, by command, so that the right parties are informed appropriately and the message is consistent. The discipline is to treat communication as a core part of the response, with its own plan and its own designated communicators, rather than an afterthought left to improvisation, because the difference between deliberate and chance communication in a crisis is the difference between protecting trust and destroying it. The rest of the lesson is the practical content of that deliberate communication: keeping the right people informed, telling those who must be told, and coordinating the parties involved.

Communicating clearly during an incident

Communicating well during an incident divides into the internal and the external, and both follow the discipline of clarity, consistency, and control. Internal communication keeps the force's own command and members informed, and it is the foundation, because a response whose command is uninformed is a response that cannot be directed or have its key decisions made. The team keeps command informed with timely, honest, accurate briefings, what is known, what is being done, what decisions are needed, so that command can direct the response and make the decisions, especially the serious communication and disclosure decisions, that rest with it. The timeline and the facts of the incident (Lessons 02 and 07) feed these briefings, so command is informed from evidence, not rumour. Good internal communication is what lets a response be commanded rather than merely happening.

External communication, to nationals, partners, providers, authorities, and the public, is where the discipline of the single voice matters most. The cardinal rule is that the force speaks with one consistent message, through designated communicators, not with many voices saying different things, because contradictory messages from different people in a crisis spread confusion and destroy confidence, suggesting a force that does not know what is happening. So external communication is channelled through those designated to give it, who speak the agreed, consistent message, while others refrain from speaking publicly about the incident; this is not secrecy but coherence, ensuring that what is said is accurate, consistent, and authorised. Where the facts are still being established and there is pressure to say something, a holding line, an honest, agreed initial message that acknowledges the situation without speculating beyond what is known, lets the force communicate responsibly while it learns more, rather than either staying silent (which breeds rumour) or speculating (which spreads error).

Through both internal and external communication runs the discipline of honesty without speculation: saying what is known, honestly, and not asserting what is not yet established, because a crisis tempts both the evasion that destroys trust and the speculation that spreads error, and the discipline is to avoid both, communicating the established facts honestly and being honest, too, about what is not yet known. A message that is honest, clear, consistent, and within what is actually known, builds confidence even in a crisis; one that is evasive, confused, contradictory, or speculative, compounds the crisis. The member who communicates by these disciplines, command kept informed, external message single and consistent, honesty without speculation, handles the communication of an incident in a way that protects rather than squanders the Principality's trust.

   CRISIS COMMUNICATION  (deliberate, not left to chance)

   INTERNAL        keep COMMAND informed: timely, honest, accurate briefings
                   (what's known / being done / decisions needed) from the
                   evidence -> the response can be DIRECTED and decisions made

   EXTERNAL        the SINGLE VOICE: one consistent message through DESIGNATED
                   communicators (not many contradictory ones, which destroy
                   confidence). A HOLDING LINE while facts are established:
                   honest, no speculation.

   THROUGHOUT      HONESTY WITHOUT SPECULATION: say what's known, admit what
                   isn't; avoid both evasion (destroys trust) and speculation
                   (spreads error)

   The harm of poor crisis comms is to TRUST, which a digital state can least
   afford to lose. Good comms can PROTECT trust through an incident.

Notification: the duty to tell those affected

A particular and weighty form of external communication is notification: telling those affected by an incident, especially the nationals whose data was exposed, that it occurred. The governing principle is that notification is a duty, not an inconvenience to be avoided: when an incident affects people, their data exposed, their service disrupted, those people have a legitimate claim to be told, both because it is honest, the data protection lesson's custodianship of their privacy demands honesty when that privacy is breached, and because being told lets them protect themselves, change a password, watch for misuse, take precautions. A Principality that hides an incident affecting its nationals, hoping it goes unnoticed, betrays the trust the data-protection duty placed in it, and compounds the breach with a deception; one that tells them honestly and in good time honours that duty even in failure.

Notification is done honestly and in good time, which resists two temptations. The temptation to delay, to put off telling people while hoping the situation improves or resolves itself, harms the affected, who need to know in time to protect themselves, and worsens the trust damage when the delay is later discovered; so notification is made in good time, as soon as the affected can usefully be told, not deferred indefinitely. The temptation to minimise or evade, to tell people as little as possible or to obscure what happened, likewise betrays the honesty the duty requires and is usually exposed eventually, deepening the breach of trust; so notification is honest about what occurred and what it means for the affected, within what is properly known. Honest, timely notification is harder in the moment than silence or evasion, but it is what the duty to the affected requires and what, in the end, best protects the Principality's trustworthiness.

Crucially, notification and disclosure decisions rest with command and the proper authorities, not the technical responder alone. Whether, when, and how to notify affected nationals, and whether an incident must be disclosed to any proper authority, are serious decisions with legal, ethical, and reputational dimensions, and they belong to those responsible for such decisions, command and those it designates, not to the responder in the middle of the technical work. The responder's part is to provide command the accurate facts on which to base these decisions (the evidence and scope of Lessons 02 and 07), to understand that the duty to notify exists so they support rather than resist it, and to carry out the communication as directed, not to make the disclosure decision themselves. The member supports honest, timely notification by giving command the truth to decide on and executing the decision, while recognising that the decision itself is command's, which keeps the weighty disclosure judgement where it belongs.

Coordination, and the limits of the responder's role

A serious incident often involves several parties at once, and coordination, their orderly involvement so they work together rather than at cross-purposes, is the third strand of this lesson. An incident may involve the force's own response team and command; partners whose systems connect to the force's; providers of cloud or other services that are affected or whose help is needed; affected nationals; and, for serious incidents, authorities who must be informed or whose help is sought. Coordinating these, ensuring each is involved appropriately, kept appropriately informed, and working with rather than against the others, is necessary because an incident handled by several parties pulling in different directions is handled badly, with gaps, duplication, and contradiction. The coordination is led by those responsible, who ensure the parties are brought together, given what they need to play their part, and kept aligned, which connects to the interoperability and external-coordination themes of the wider courses.

Coordination follows the disciplines already drawn: a single, consistent picture shared among the coordinating parties so they act on the same understanding; need-to-know in a crisis, telling each party what they need to play their part, balancing the honesty and timeliness owed against not spreading sensitive incident detail more widely than necessary; and clear ownership, so it is known who is leading and who is doing what, rather than several parties each assuming another has it. For a small force, the coordination may be modest in scale but the principles hold: bring in the parties an incident needs, keep them aligned on one picture, tell each what they need, and lead it clearly, so the several hands work as one.

Finally, the limits of the responder's role must be clear, because crisis communication and coordination involve decisions above the technical responder. The most serious decisions, what to disclose, when and how to notify, what to say publicly, how to engage authorities, are command decisions, resting with those responsible, not with the responder in the technical work; the responder supports these by providing accurate facts and executing the decisions, not by making them. And the whole effort is, in keeping with the course, defensive and honest in purpose: communication and coordination to inform, protect, and recover, conducted with honesty toward those affected, never to deceive, evade responsibility, or mislead. The member who communicates and coordinates within their role, supporting command's decisions with the truth and executing them clearly, and who upholds the honesty owed to the affected, handles the human side of an incident in the way that protects the Principality's trust, which is what crisis communication, notification, and coordination are for.

In Practice: Handling the People and the Message

A member of the Royal Kaharagian Army in a serious incident sees that containing and recovering it technically is only half the task, and that the other half, handling the people and the message, can make or break how the Principality comes through. A team that treats communication as an afterthought leaves command uninformed, tells the affected nationals nothing or too late, contradicts itself in public, and coordinates in chaos, compounding the incident with a self-inflicted crisis of confusion and lost trust. The disciplined member handles the human side deliberately.

Internally, they keep command informed with timely, honest, accurate briefings drawn from the evidence and timeline, what is known, what is being done, what decisions command must make, so the response is directed and the serious decisions can be taken by those they belong to. Externally, they observe the single voice: the force speaks one consistent message through designated communicators, not many contradictory ones, with an honest holding line while the facts are still being established, and honesty without speculation throughout. On notification, they understand that telling the affected nationals is a duty, not an inconvenience, honoring the custodianship of their privacy and letting them protect themselves, so they support honest, timely notification, giving command the accurate facts to decide on, because the disclosure decision rests with command, not with them.

They coordinate the parties the incident involves, the response team, command, affected nationals, any partners, providers, and authorities, keeping them aligned on one shared picture, telling each what they need to know to play their part, and ensuring clear ownership so the several hands work as one rather than at cross-purposes. And they hold the limits of their role: the weighty decisions, what to disclose, when to notify, what to say publicly, are command's, which they support with the truth and execute clearly, not make themselves, and the whole effort is honest and defensive in purpose. Because the member handled the people and the message as deliberately as the technical fix, the Principality comes through the incident with its trust protected, even reinforced, by demonstrated honesty and competence, rather than squandered in silence and confusion. That handling of the human and external side is what crisis communication, notification, and coordination contribute to responding to an incident well.

Check Your Understanding

  1. Explain why crisis communication must be deliberate, the harms poor communication causes (uninformed command, untold affected, contradictory message, rumour), and why the chief harm is to trust, which good communication can actually protect through an incident.
  2. Describe communicating well during an incident: internal communication keeping command informed, external communication's single voice through designated communicators (and the holding line), and honesty without speculation throughout.
  3. Explain why notification of those affected (especially nationals whose data was exposed) is a duty done honestly and in good time, why disclosure decisions rest with command not the responder, and the coordination of the parties an incident involves.

Reflection (write a short paragraph): This lesson argues that a team can contain and recover an incident flawlessly and still fail badly by communicating poorly, and that the chief casualty of poor crisis communication is trust, which a digital state can least afford to lose. Why is it tempting, in the technical heat of an incident, to treat communication as secondary, and what does that neglect cost? Then consider the duty to notify affected nationals honestly and in good time: why are silence, delay, and minimisation so tempting, and why do they ultimately betray the trust and deepen the damage more than honest disclosure would?

Summary

  • A cyber incident is also a human and external event: containing and recovering it technically is only half the task, and poor communication causes real harm of its own, uninformed command, untold or angered affected people, a contradictory public message, rumour filling the vacuum, a self-inflicted second crisis. The chief casualty is trust, which a digital Principality can least afford to lose and which good communication can protect through an incident. So crisis communication is deliberate and controlled, not left to chance.
  • Communicate well: internal communication keeps command informed (timely, honest, accurate briefings from the evidence, so the response is directed and decisions made); external communication observes the single voice (one consistent message through designated communicators, with an honest holding line while facts are established); and throughout, honesty without speculation (say what is known, admit what is not, avoid evasion and speculation alike).
  • Notification of those affected, especially nationals whose data was exposed, is a duty, not an inconvenience, done honestly and in good time (resisting delay and minimisation), honouring the custodianship of their privacy and letting them protect themselves. Disclosure decisions rest with command and proper authorities, not the responder, who provides the accurate facts and executes the decision.
  • Coordinate the several parties an incident involves (response team, command, nationals, partners, providers, authorities) on one shared picture, telling each what they need to know, with clear ownership, so they work as one. The most serious decisions are command decisions; the whole effort is honest and defensive in purpose.
  • This is the knowledge layer; crisis communication and coordination are led by those responsible, with the serious decisions resting with command. The lesson complements the technical response of Lessons 02 to 05, draws its facts from the evidence of Lesson 07, honours the data-protection duty of CIS 220, and uses the disciplined-communication and coordination themes of SIG 220 and SIG 410. Everything here is defensive and lawful.

Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia

Lesson 8 · Knowledge Check

Question 1 of 3

What is the chief casualty of poor communication in an incident?