Abstract
Cybersecurity breach communication is often assessed as disclosure, yet disclosure does not necessarily give stakeholders resources to act. This article develops jargon debt as the communicative burden created when technical precision, legal caution, and reputational self-protection are not translated into stakeholder-usable pathways. Using an incident-first, corpus-assisted analysis of 207 public texts linked to 120 cybersecurity incidents, the study compares SEC filings, customer notices, public statements, and breach-registry records through human-coded debt, actionability, translation mechanisms, incident-matched contrasts, cluster-robust models, close readings, and a refined proxy for protective-action infrastructure. Results show that genre matters more than surface simplicity: customer notices provide the strongest action infrastructure, registry records create visibility with minimal guidance, and remedy verification plus audience segmentation convert technical and legal detail into practical affordances. The article contributes to business, technical, information-systems, and corporate communication by theorizing disclosure as stakeholder-action translation. It offers a practical audit for breach-writing teams across genres.
Keywords
Introduction
Cybersecurity breach communication is no longer a specialist after-action notice issued only by security professionals. It is a recurring form of written and electronic business communication through which organizations address investors, customers, publics, regulators, journalists, and employees after information-system failure becomes organizational news. The organizations in this corpus include publicly traded firms, financial and health-related organizations, professional-service providers, technology firms, restaurants, retailers, and nonprofits. Their breach texts appear in regulatory filing systems, attorney-general portals, corporate websites, investor-relations pages, and public registries. The same incident can therefore become several kinds of business communication at once.
The empirical problem is not that public breach documents are available, but that they circulate as different kinds of organizational texts. A filing, a notice, a statement, and a registry record do not simply repeat the same incident; they assign the incident different audiences, obligations, and action possibilities. The unit of theoretical interest is therefore the incident-level relation among genres rather than any single repository or database.
Cybersecurity breaches sit at the intersection of information systems, corporate accountability, investor relations, customer protection, public trust, and organizational legitimacy (Suchman, 1995). When a breach becomes public, an organization is not simply reporting that a technical event has occurred. It is attempting to coordinate action across stakeholder groups that require different kinds of language. Investors need materiality and risk information; customers need to know whether they are affected and what they should do; publics and journalists need a credible account of what is known, what remains under investigation, and how the organization is responding. These tasks make breach communication a useful case for business communication theory because technical, legal, managerial, and corporate communication obligations converge in a single event.
This study asks how cybersecurity disclosure becomes, or fails to become, stakeholder-actionable communication. The distinction is important. A text can be timely, formally accurate, legally cautious, and still leave readers without enough infrastructure to act. To keep this claim observable rather than inferential, the analysis includes refined Protective Action Enablement (PAE), a non-circular textual proxy that measures direct action infrastructure: contact channels, protective action pathways, support or remedy markers, deadlines or enrollment windows, and audience-specific directions. General source links, registry landing pages, SEC archive links, and bare organizational homepages are excluded from PAE unless they provide direct protective-action access.
Recent business communication research has already established cybersecurity breach communication as an organizational communication problem. Kim and Lee (2021) examine official breach statements in the United States and South Korea, while Naidoo et al. (2026) analyze press releases acknowledging cyber breaches and identify response clusters through which organizations reveal attacks to external stakeholders. Marsen and Biddle (2025) move the discussion toward linguistic understandability by studying how non-experts interpret figurative and literal cybersecurity language. This article extends that line of IJBC research by shifting from response posture or lexical comprehensibility to the textual conditions that make breach communication actionable across genres.
The question aligns with the central domains of business communication: business composition and technical writing, information-systems communication, management communication, and organizational and corporate communication. Breach texts are technical writing because they translate specialized information about attacks, systems, credentials, and personal data. They are information-systems communication because the incident originates in digital infrastructure and becomes public through organizational texts. They are management communication because legal, security, investor-relations, and communication teams must coordinate a coherent public account. They are organizational and corporate communication because the organization must sustain trust and legitimacy while enabling stakeholder action.
The study develops and tests the construct of jargon debt to explain why formal disclosure can fail to become stakeholder-actionable communication. Jargon debt refers to the cumulative communicative burden created when technical precision, legal caution, and reputational self-protection are not translated into stakeholder-usable language. The mechanism is a repayment chain: an information-systems event enters a genre obligation; debt-bearing details are either translated through mechanisms or remain burdensome; translation becomes observable as action infrastructure; and action infrastructure creates a stakeholder-action affordance.
The study uses an incident-first, corpus-assisted multi-genre design to analyze 207 public breach texts associated with 120 cybersecurity incidents. The corpus includes investor-facing SEC filings, customer-facing breach notices, public statements or updates, and public breach registry records. It combines human coding, incident-matched comparisons, cluster-robust models, rhetorical close readings, refined PAE validation, and sensitivity checks that preserve the registry boundary. Rather than treating existing records as an undifferentiated database, the design treats public organizational texts as naturally occurring business communication through which breach events are translated for different audiences.
The contribution is not the narrow observation that organizations use complicated words after a breach. The contribution is a theory of stakeholder-action translation in which business communicators must decide how technical, legal, and reputational pressures are converted into usable pathways. The paper therefore speaks directly to IJBC’s interests in written and electronic communication, technical and business writing, information systems communication, management communication, and organizational and corporate communication.
Literature Review
Cybersecurity Breach Communication as Business Crisis Communication
For the purposes of this study, the central distinction is between reputational restoration and action support. A firm may use corrective action, reassurance, and expressions of concern to reduce blame or maintain trust, yet affected customers may still lack the information needed to change credentials, monitor accounts, contact support, or understand whether a risk is immediate or speculative. Crisis communication therefore provides the relational vocabulary for breach communication, but business and technical communication provide the task vocabulary needed to examine how texts become usable.
Cybersecurity breach communication differs from many crisis contexts because the event is often initially invisible to external stakeholders. Organizations may discover, investigate, contain, and assess a breach before customers, investors, or the broader public know that it occurred. This temporal asymmetry gives organizations some time to prepare messages, but it also creates communicative and ethical tension. Organizations may know enough to recognize risk but not enough to specify all consequences. They must decide how much certainty to communicate while preserving investigative flexibility, legal defensibility, and reputational stability.
Crisis communication theory provides important starting points for this problem. Image repair theory explains how organizations defend, excuse, correct, or apologize after reputation-threatening events (Benoit, 1997). Situational crisis communication theory explains how response strategy should vary with stakeholder attributions of responsibility (Coombs, 2007). Broader crisis communication scholarship emphasizes that crises involve uncertainty, legitimacy, and multiple publics (Marsen, 2020; Sellnow & Seeger, 2013). Yet cyber breaches add a distinctive technical layer. Stakeholders may not know what a credential, endpoint, vendor-hosted database, ransomware intrusion, or exfiltration event means for them. A response can therefore be reputationally appropriate and still practically incomplete.
Prior business communication scholarship has treated cyber breach communication primarily as a crisis response problem. Kim and Lee (2021) compare official organizational statements following breaches and identify differences in apology, concern, compensation, assurance, and representation between the United States and South Korea. Naidoo et al. (2026) extend this line by studying press releases that reveal cyber breaches and by identifying response clusters that organizations use to acknowledge, assure, restore confidence, and rebuild loyalty. These studies show that breach communication involves reputation repair and relational maintenance, not merely technical reporting.
The present study builds on this work but shifts the analytic question. Response strategy and stakeholder actionability are related but not identical. A text can express concern and assurance while remaining vague about affected data, stakeholder risk, or next steps. A filing can be legally sufficient yet practically thin. A press statement can display organizational competence while leaving customers unsure whether they need to change passwords, monitor accounts, or wait for further notice. The present study therefore asks not only what posture organizations take but also how texts allocate technical, legal, and reputational meaning across stakeholder tasks.
Business and Technical Communication Under Legal Constraint
Legal constraint changes the work of technical communication. In a classroom or user manual, the writer can usually foreground user needs without the same level of market, litigation, and investigative risk. In breach communication, however, the writer must often keep uncertainty visible. That does not remove the obligation to guide action; it makes the obligation harder. The practical question becomes how to tell stakeholders what is not yet known while still telling them what they can do. The framework developed here treats that problem as a defining feature of business and technical communication under institutional constraint.
This approach also avoids an overly mechanical plain-language standard. Plain language is valuable, but a breach text can be plain and still unhelpful if it lacks data specificity, consequence mapping, or next-step sequencing. Conversely, a text can include technical terms and still be usable when those terms are defined, contextualized, and connected to stakeholder tasks. Actionability therefore complements readability. It asks not only whether the text is easy to read, but whether the text gives readers the resources needed to act.
Cybersecurity breaches require expert-to-non-expert translation. Terms such as ransomware, exfiltration, credential stuffing, unauthorized access, encryption, malicious actor, and data environment may be familiar to security specialists but opaque to investors, customers, employees, and journalists. Business and technical communication research has long emphasized that specialized knowledge must be adapted to audience needs, contexts of use, and action tasks rather than merely simplified. The disappearance of business communication from some professional communication programs, noted by Dubinsky and Getchell (2021), makes this boundary especially important: breach communication is both business communication and technical communication, because it must translate technical expertise into organizational action.
Marsen and Biddle (2025) are especially important here because they demonstrate that even literal cybersecurity wording may not eliminate non-expert misunderstanding. Their findings caution against assuming that audience understanding follows automatically from replacing metaphors with literal language. The present study does not replicate their audience-comprehension design. Instead, it asks what textual conditions make actionability more or less available in real organizational breach communication. In doing so, it treats actionability as a property of texts and genres, not as a direct measure of audience cognition.
Recent research on workplace jargon also supports this move. Bullock and Bisbey (2025) show that jargon can reduce processing fluency, self-efficacy, and information seeking and sharing. The present study extends that insight from workplace messages to public breach communication. However, it avoids treating every specialized term as an error. In breach communication, some technical detail is necessary because stakeholders need to know which systems, data types, credentials, or vulnerabilities are involved. The problem is not technical language by itself but technical language that has not been translated into consequences and tasks.
The distinction between readability and actionability is equally important. Readability scores measure surface features such as sentence length or word difficulty, but stakeholders need more than easy prose. They need an account of event scope, affected assets, risk consequences, recommended actions, organizational remedies, and follow-up pathways. Smeuninx et al. (2020) show that corporate reporting can remain difficult even when it is intended for broad audiences; the present study adds that even texts that appear concise may fail if they do not connect information to stakeholder tasks.
Corporate Disclosure, Investor Communication, and the Materiality Frame
Materiality is not simply a legal threshold; it is also a communicative frame. It organizes a breach as a possible event of financial, operational, or market significance. That frame is essential for investor communication but incomplete for many other audiences. Customers usually do not approach a breach notice by asking whether the incident is material to the firm’s financial performance. They ask whether their data were involved, whether identity theft or account compromise is plausible, and what protective steps are available. The same event therefore has different communicative stakes depending on genre.
Corporate disclosure research treats reporting genres as more than containers of facts; they enact relationships among organizations, markets, regulators, and publics. Cybersecurity filings belong to that same family of corporate communication, but they also connect corporate disclosure to information systems and risk communication. They are therefore useful for examining how organizations translate digital incidents into public accounts of materiality, responsibility, remedy, and legitimacy.
Investor-facing breach communication is shaped by a disclosure logic that differs from customer guidance. The SEC adopted rules in 2023 requiring registrants to disclose material cybersecurity incidents under Item 1.05 of Form 8-K and to describe material aspects of an incident’s nature, scope, timing, and material or reasonably likely material impact. In 2024, the SEC clarified that voluntary or immaterial cybersecurity incident disclosures should generally be filed under other items, such as Item 8.01, to avoid investor confusion (Securities and Exchange Commission, 2023, 2024). These rules make cybersecurity incidents a structured corporate disclosure practice, not merely an operational security issue.
Business communication scholarship has long treated investor communication and corporate reporting as business communication genres rather than neutral information containers. Bruce (2014) examines corporate disclosure communication as a site where organizations enact criticality. Cheng and Ho (2017) study financial analyst reports as corpus-based business texts shaped by semantic fields and metaphors. Laskin (2018) shows that annual reports use narrative strategies that vary by organizational performance. J. Thomas (1997) demonstrates that annual reports construct meaning in the marketplace. These studies show that disclosure documents are communicative genres with rhetorical purposes, not simply containers of information.
The present study extends this line into cybersecurity disclosure. A Form 8-K may be highly appropriate as investor communication and still be low in customer actionability. That is not a defect of the filing; it is a genre difference. Investor-facing texts are organized around materiality, risk, and market information. Customer-facing texts are organized around affected data, personal risk, and next steps. Public statements are organized around confidence, control, and legitimacy. Treating these genres as if they had the same communicative purpose would flatten the most important business communication problem in the corpus.
The corpus is therefore not treated as a set of interchangeable documents. It is organized by incident and by genre. The same breach can be examined as market disclosure, customer notification, public reputation repair, and public visibility infrastructure. This incident-first design allows the study to ask how organizations re-author the same event for different audiences.
Cybersecurity Disclosure, Data Breach Communication, and Protective Action
Information-systems and cybersecurity disclosure research also extends the present argument beyond investor materiality and SEC filings. Gao et al. (2020) show that public companies’ cybersecurity risk disclosures vary in content, location, and linguistic features, demonstrating that cybersecurity disclosure is itself a communication practice rather than a neutral compliance container. Amani et al. (2025) review cybersecurity risks and incidents disclosure as an expanding interdisciplinary literature concerned with disclosure determinants, informativeness, content quality, theoretical perspectives, methods, outlets, and data sources. That literature is important for this article because it treats cybersecurity disclosure as a distributed communication problem and shows why disclosure quality cannot be reduced to the fact that a public record exists.
Data breach communication research makes the same point from the perspective of affected stakeholders. L. Thomas et al. (2022) argue that breach communications may be one of the few windows through which external stakeholders can understand the incident, the organization’s response, and the practices used to protect data. This work connects breach notices to accountability, trust, responsible portrayal of the breach, and explanation of risks and actions. The present article brings those concerns into business communication by asking which genre features convert cyber incident disclosure into stakeholder-usable action infrastructure.
This broader literature also clarifies the actionability claim. The Federal Trade Commission (n.d.) advises breached organizations to develop communication plans for affected audiences and not withhold key details that could help consumers protect themselves. In that sense, actionability is not an optional stylistic preference. It is a communication condition under which disclosure can support harm reduction, accountability, and informed stakeholder response. The present study therefore treats actionability as an underexamined dimension of cybersecurity disclosure rather than as a replacement for legal compliance or investor materiality. More specifically, the gap is not simply whether cyber incidents are disclosed, but whether disclosure quality is operationalized as direct protective-action infrastructure across the genres through which organizations address investors, customers, publics, and regulators.
Genre Repertoires and Multi-Audience Translation
The concept of multi-audience translation helps explain why a one-message strategy is insufficient. The organization may desire consistency across texts, but consistency does not mean sameness. Investors, customers, publics, regulators, and journalists require different levels of detail, certainty, and guidance. Translation is the work of preserving coherence across the communication ecology while adapting each genre to its audience task. The study’s genre categories are therefore not merely descriptive labels; they represent distinct communicative obligations.
The registry category is the most delicate boundary because it is public but not expressive in the same way as a press release or FAQ. This article deliberately treats registry records as public visibility infrastructure. They are useful for documenting that a breach entered public record, and they can support accountability by making notices searchable. But they do not ordinarily perform the rhetorical work of explaining consequences or sequencing actions. Treating them separately protects the paper from overclaiming and strengthens the genre analysis; it also prevents a searchable record from being misclassified as stakeholder guidance.
Genre theory offers a way to understand why the same breach appears differently across organizational texts. Swales (1990) and Bhatia (1993) define professional genres through recurrent communicative purposes and conventions. Yates and Orlikowski (1992) and Orlikowski and Yates (1994) show that organizations maintain genre repertoires that structure communication practices. A breach is therefore not communicated through one text but through a repertoire: filings, notices, press statements, FAQs, blogs, and registry records.
The public statement or press release is especially hybrid. Press-release research shows that such texts often combine informative and promotional functions (Catenaccio, 2008; Maat, 2007). In breach communication, this hybridity intensifies. A public statement may explain the incident, reassure stakeholders, signal competence, provide a timeline, and protect reputation. That hybrid status makes public statements valuable but also risky: they can support action when they include practical information, or they can substitute confidence language for guidance.
Public breach registry records require a separate genre boundary. They are publicly accessible and incident-linked, but they are not press releases and should not be evaluated as if they were full customer notices. Regulatory portals such as those maintained by the California Department of Justice create searchable public records of breach notices (California Department of Justice, Office of the Attorney General, n.d.). Their function is public traceability and visibility. Treating them as public statements would inflate or distort claims about public-facing communication. The study therefore names them public visibility records and analyzes them separately.
This study treats breach communication as multi-genre translation. Translation is not mere simplification. It is the work of adapting technical, legal, and reputational information to audience tasks. In investor filings, translation means connecting the incident to material risk without overstatement. In customer notices, it means connecting affected data to personal consequences and protective steps. In public statements, it means connecting organizational response to credibility and practical guidance. In registry records, it means making the incident visible as a public record while recognizing that visibility alone is not guidance.
Corpus-Assisted Business Communication and Qualitative Boundary Work
Corpus-assisted methods are increasingly visible in business communication research. Cheng and Ho (2017) analyze financial analyst reports through semantic fields and metaphors. Gillings (2025) uses corpus-assisted discourse analysis to study corporate wrongdoing in the Boeing 737 Max crisis. Tao and Ryan (2025) examine fashion firms’ webpage sustainability discourse through a corpus linguistic design. Smith and Batchelor (2025) argue that business-related corpora require qualitative decisions about language-domain operationalization and corpus balance. Carradini et al. (2025) similarly emphasize that qualitative methods remain central to business communication because they reveal meaning, context, and interpretive structure that cannot be captured by counts alone.
The present study follows that standard by making the incident, not the isolated text, the primary sampling logic. It also distinguishes between public statements or updates and public registry records rather than treating all public documents as the same genre. That boundary work is essential because the corpus is intended to represent organizational communication tasks, not merely the availability of public records.
The study also combines quantitative and qualitative methods because actionability is partly measurable and partly rhetorical. JDI, SAI, and TMC scores allow comparison across genres. Incident-matched contrasts show how the same event changes across texts. Cluster-robust models show associations between textual features and actionability. Close readings show how those patterns are built in language. The method is therefore corpus-assisted rather than corpus-determined.
Conceptual Framework and Research Questions
Jargon Debt and Stakeholder Actionability
The debt metaphor is useful because it captures accumulation, translation, and repayment. A technical term by itself may impose little burden. A legal hedge may be necessary. A cautious timeline may be responsible. But when these elements accumulate without translation, stakeholders inherit a communicative burden. Translation mechanisms repay that burden by converting specialized, cautious, or reputationally framed information into usable knowledge. The framework specifies the mechanism as a chain: technical incident and uncertainty, genre obligation and audience task, debt-bearing detail, translation mechanisms, action infrastructure, and stakeholder-action affordance.
This framing also clarifies why JDI and SAI can move together in some models. JDI measures debt-bearing detail, not only opaque vocabulary. Texts that provide more incident-specific detail may score higher on JDI because they include technical and legal specificity, but those same texts may also provide stronger action resources. The theoretical issue is not whether jargon is good or bad in isolation. It is whether the organization has translated the burden created by specialized and cautious information into a set of contacts, deadlines, remedies, steps, and audience-specific paths.
Jargon debt is the accumulated communicative burden that arises when technical precision, legal caution, and reputational self-protection are not translated into stakeholder-usable language. The construct has six recurring dimensions: technical opacity, legalistic hedging, agency ambiguity, temporal vagueness, impact underspecification, and remedy underspecification. These dimensions can appear separately, but they become consequential when they accumulate without repayment.
Stakeholder actionability refers to the extent to which a text allows an intended stakeholder to identify what happened, whether and how they are affected, what risks follow, what the organization has done or will do, and what action should be taken next. Actionability is not the same as comprehension, trust, or realized behavior. It is a textual affordance. The study tests that affordance against PAE, an observable measure of whether a text provides the concrete infrastructure that stakeholders would need before action is possible.
The PAE construct is also informed by the Protective Action Decision Model (PADM). PADM explains how people exposed to hazard information move through predecision processes such as reception, attention, and comprehension, develop perceptions of threat, protective actions, and stakeholders, and then decide whether and how to respond (Lindell & Perry, 2012). This article does not test PADM behaviorally. Instead, it examines the communication-side preconditions that make such decision processes more or less possible in breach texts.
From this perspective, contact channels, action pathways, remedy support, deadlines or enrollment windows, and audience segmentation are textual resources that reduce friction before protective action can occur. They do not prove that stakeholders will understand, trust, or act on the notice. They indicate whether the text supplies enough protective-action infrastructure for those later outcomes to become plausible. PAE therefore bridges business communication and risk communication while remaining a genre-level textual measure rather than a measure of realized behavior.
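The following Python example is added here for illustration and is not the article's coding instrument. It checks a breach text for the five PAE components named above and applies the link exclusions stated in the Introduction (archive links, registry landing pages, and bare homepages do not count as contact channels). The regular expressions, the excluded-host list, and the four sample texts are constructed assumptions, since the article's coding rules do not appear on this page.

```python
import re
from urllib.parse import urlsplit

# Hosts treated as archive or registry sources rather than action channels.
# Assumed examples; the article's own exclusion list is not on the page.
EXCLUDED_HOSTS = ("sec.gov", "oag.ca.gov")

URL = re.compile(r"https?://[^\s)>\]]+", re.I)
PHONE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Hypothetical surface patterns for four of the five components.
TEXT_MARKERS = {
    "action_pathway": re.compile(
        r"\b(?:change|reset) (?:your|their) passwords?\b"
        r"|\b(?:place|request) a (?:fraud alert|credit freeze|security freeze)\b"
        r"|\b(?:monitor|review) your (?:account|credit)\b", re.I),
    "remedy_support": re.compile(
        r"\b(?:credit monitoring|identity (?:theft )?(?:protection|restoration))\b",
        re.I),
    "deadline_window": re.compile(
        r"\b(?:by|before|until|no later than)\s+"
        r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?\s+\d{1,2}\b"
        r"|\bwithin\s+\d+\s+(?:days|months)\b", re.I),
    "audience_direction": re.compile(
        r"\bif you (?:are|were) an? \w+"
        r"|\b(?:customers|employees|patients|investors) (?:who|should)\b", re.I),
}


def is_direct_link(url):
    """True only for links that lead somewhere more specific than an archive,
    a registry landing page, or a bare organizational homepage."""
    parts = urlsplit(url.rstrip(".,;:"))
    host = (parts.hostname or "").lower()
    if any(host == h or host.endswith("." + h) for h in EXCLUDED_HOSTS):
        return False
    return parts.path.strip("/") != ""


def pae_profile(text):
    """Return {component: present?} for the five PAE components."""
    body = URL.sub(" ", text)  # keep URL digits out of phone/email matching
    contact = bool(PHONE.search(body) or EMAIL.search(body)) or any(
        is_direct_link(u) for u in URL.findall(text))
    profile = {"contact_channel": contact}
    for name, pattern in TEXT_MARKERS.items():
        profile[name] = bool(pattern.search(body))
    return profile


def pae_score(text):
    """Number of PAE components present, from 0 to 5."""
    return sum(pae_profile(text).values())


# Constructed sample texts, one per genre; not drawn from the study's corpus.
SAMPLES = {
    "customer_notice": (
        "An unauthorized party accessed a file containing your name and "
        "Social Security number. We recommend that you change your password "
        "and review your account statements. We are offering 12 months of "
        "credit monitoring at no cost. To enroll, call 555-010-0199 or visit "
        "https://example.com/enroll by June 30, 2025. If you are an employee, "
        "contact HR at hr-help@example.com."),
    "public_statement": (
        "We have contained the incident and are confident in our systems. "
        "Customers who used the portal should reset their password. "
        "More information: https://example.com."),
    "sec_filing": (
        "On March 3, 2025, the Company identified unauthorized access to "
        "certain information systems. The Company has not determined that the "
        "incident is reasonably likely to materially impact its financial "
        "condition. Additional information is available at "
        "https://www.example.com/ and "
        "https://www.sec.gov/Archives/edgar/data/0000000/example.htm."),
    "registry_record": (
        "Organization Name: Example Corp. Date(s) of Breach: 03/03/2025. "
        "Reported Date: 04/01/2025. "
        "Source: https://oag.ca.gov/privacy/databreach/list"),
}

if __name__ == "__main__":
    for genre, text in SAMPLES.items():
        missing = [k for k, v in pae_profile(text).items() if not v]
        print(f"{genre}: PAE {pae_score(text)}/5, missing: {missing or 'none'}")
```

A surface-pattern check of this kind can flag missing components in a draft notice, but it cannot judge whether a stated remedy is verified or whether a step is correctly sequenced.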
The relationship between jargon debt and actionability is therefore not a simple negative relationship. A low-debt registry record can be low in actionability because it is short and indexical. A detailed customer notice can have measurable jargon debt because it contains technical and legal information, yet it can still be highly actionable when it defines terms, maps consequences, sequences steps, verifies remedies, and provides action infrastructure. The framework interprets JDI as disclosure-complexity burden rather than as a pure toxicity score. Figure 1 summarizes this repayment chain.

Figure 1. Jargon debt repayment chain and stakeholder-action translation.
Research Questions and Hypotheses
Method
Research Design
The design has six features that connect the corpus to the research questions. First, the sampling logic begins with incidents and then maps texts to incidents, rather than treating a regulatory portal or filing system as a ready-made corpus. Second, the public-text boundary distinguishes expressive public statements from registry records. Third, the constructs are human-coded at the pragmatic level. Fourth, incident-matched comparisons test how the same breach is rewritten across genres. Fifth, the PAE proxy adds an outcome-facing validation layer by measuring whether texts contain observable action infrastructure. Sixth, a qualitative decision log records domain operationalization, corpus-balance decisions, inclusion and exclusion rules, and treatment of registry records.
The study uses corpus-assisted multi-genre discourse analysis. It combines quantitative coding, incident-matched comparison, regression modeling, rhetorical close reading, and outcome-facing textual validation. This design is appropriate because the research question is not only whether certain words appear but how organizational texts perform different audience tasks across business genres and whether those tasks leave stakeholders with actionable pathways.
The study does not treat the corpus as a source of word counts alone. It constructs an incident-first corpus, separates genre functions, applies human coding to pragmatic constructs, tests incident-matched differences, validates actionability against non-circular action-infrastructure markers, and interprets findings through close readings. Public documents are therefore empirical sites where business communication work is performed, not merely convenient records from an existing database.
Sampling Frame, Time Window, and Representativeness Boundary
The corpus was constructed as an analytic sample of public-document-visible cybersecurity incidents rather than as a prevalence estimate of all breaches. The sampling unit was the incident, and texts were then mapped to the incident when a public source could be identified and classified into one of the predefined genres. Public source dates in the corpus ranged from January 12, 2024 to April 20, 2026; parsed incident dates ranged from December 2023 to April 2026. The corpus therefore uses a public-availability cutoff of April 24, 2026 while representing public-document-visible breach communication from early 2024 through April 2026. Text-level source-date metadata are provided in the Supplemental Materials. The Supplemental Appendix supplied with the revision reports incident IDs, text IDs, genre labels, source families, source dates, parsed incident dates, public-source identifiers, text-derived breach-type indicators, affected-population indicators, and human-coding reliability outputs.
Incidents were eligible when they met five criteria: they concerned a cybersecurity breach, data incident, ransomware event, unauthorized access event, or comparable information-system compromise; they could be linked to an identifiable organization; at least one public text was available; the text could be assigned to investor filing, customer notice, public statement/update, or registry record; and the record could be given a unique incident identifier. Materials were excluded when they were generic cybersecurity risk statements without a specific incident, duplicate records, inaccessible or private documents, media reports not authored by an organization or regulator, or broad corporate updates in which a cyber incident was only incidental.
Industry and severity were not used as inclusion filters. This choice reflects the article’s communication question: how public genres translate visible incidents into audience tasks. For context rather than legal classification, the Supplemental Appendix reports text-derived indicators of source family, breach type, and affected population. At the incident level, the corpus contains 80 SEC-led incidents and 40 California Attorney General-led incidents. These source-family counts describe the public-source structure of the analytic corpus; they were not preset quotas and are not treated as population proportions. Text-derived breach-type indicators include data breach or security incident, third-party or vendor involvement, unauthorized access, credential or phishing references, cyberattack or network disruption, ransomware, and cases where the available public text did not specify the breach type. Text-derived affected-population indicators include customers or users, patients or health-plan members, employees or former employees, investors or shareholders, clients, California residents, and broadly described affected individuals. These indicators help readers assess corpus boundaries, but they are not treated as verified legal classifications or additional model covariates.
Corpus Construction and Public-Text Boundary
The four genre categories were defined before analysis. Investor filings include SEC filings that disclose or discuss a cybersecurity incident in relation to materiality, operations, risk, or governance. Customer notices include breach notices directed to affected or potentially affected individuals. Public statements or updates include company-authored press releases, FAQs, website updates, or blog posts centered on the incident. Registry records include public database entries or indexed breach pages that make a notice publicly traceable but do not independently provide a full public statement.
The boundary rule was applied conservatively. When a text was a general earnings release, broad investor presentation, annual report section, or routine corporate update with only incidental mention of a cyber incident, it was excluded from the public-statement category. When the registry record served only as an index to a notice or filing, it was retained as a registry record and interpreted as public visibility infrastructure. This distinction is central to the study’s validity because it prevents registry records from being treated as failed press releases.
The corpus contains 207 texts associated with 120 cybersecurity incidents. The sampling frame combines investor-facing SEC filings, customer-facing breach notices, public-facing breach statements or updates, and public breach registry records. Each text was linked to an incident identifier so that different genres associated with the same incident could be compared. Sixty-one incidents included two or more genres, enabling incident-matched analysis and validation of PAE within the same breach context. Because the public statement/update category contains only 14 texts linked to 10 incidents, findings for this category are treated as exploratory and genre-indicative rather than as population-level estimates.
The public-text boundary was deliberately strict. Public-facing statements or updates were retained only when their title and opening paragraphs centered on a breach, data incident, cyberattack, ransomware event, unauthorized access event, or cybersecurity response. Broader earnings releases, investor presentations, corporate updates, or general risk-management pages were excluded unless the breach was the central topic of the text. This rule was introduced to prevent the public-facing category from absorbing documents that merely mentioned an incident in passing.
Registry records were handled through an additional boundary rule rather than folded into the public-statement category. A registry record was retained only when it indexed a specific breach record in a public breach portal or official registry and could be matched to an incident. These pages were treated as public visibility records. They indicate that an incident has entered an official public trace, but they are not interpreted as press releases, customer notices, or full stakeholder guidance.
This distinction matters for credibility. Without it, the study would overstate the communicative work performed by registry records or understate the guidance provided by public statements. The analysis therefore reports results for public statements or updates and public visibility records separately. The registry category is used to test the boundary between public visibility and stakeholder guidance, not to claim that registry records should perform all functions of breach communication.
Boundary and provenance controls. Each text was retained only when it could be linked to a specific breach incident, a public source, and a communicative genre. Excluded materials included duplicate downloads, inaccessible private documents, purely internal incident-response materials, advertising pages without breach content, and registry pages that only indexed another notice without adding a communication function. When a registry record linked to a source notice, the registry record was coded as visibility infrastructure and the notice was coded separately only if the notice itself was available as a stakeholder-facing text. This rule prevents the same URL or portal function from being counted as both disclosure infrastructure and stakeholder guidance. Table 1 reports the resulting corpus profile, and Figure 2 summarizes the incident-first construction logic.
Table 1. Corpus Profile by Genre.
Note. Public statements/updates are retained for theoretical comparison but should be interpreted as exploratory and genre-indicative because this subset includes 14 texts linked to 10 incidents.

Figure 2. Incident-first corpus construction and public-text boundary.
Measures
The coding was deliberately designed to capture business communication functions rather than surface lexical features alone. For example, legalistic hedging was not counted simply because a modal verb appeared. It was coded when caution shaped the ability of a stakeholder to understand scope, timing, responsibility, or remedy. Similarly, remedy specificity required more than a statement that the organization had acted. It required information that made the remedy identifiable, concrete, or verifiable.
The Translation Mechanism Codes were designed as a bridge between debt and actionability. They do not measure tone or positivity. They measure rhetorical work: defining a term, mapping a technical fact to consequence, clarifying roles, anchoring time, sequencing action, verifying remedy, or segmenting audiences. This is why TMC is central to the interpretation of the JDI-SAI relationship. Translation mechanisms explain how a text can carry technical and legal complexity while still becoming useful.
The Jargon Debt Index includes six dimensions: technical opacity, legalistic hedging, agency ambiguity, temporal vagueness, impact underspecification, and remedy underspecification. Each dimension was coded to capture whether specialized, cautious, or underspecified language created communicative burden for the intended audience.
The Stakeholder Actionability Index includes seven dimensions: event clarity, affected-data specificity, affected-stakeholder specificity, risk-consequence clarity, action-step clarity, remedy specificity, and follow-up pathway. These dimensions capture whether a text provides the resources that stakeholders need to interpret and act on the breach.
Translation Mechanism Codes record the presence or absence of seven mechanisms: plain-language definition, consequence mapping, role clarification, timeline anchoring, action sequencing, remedy verification, and audience segmentation. These mechanisms operationalize the translation work that can repay jargon debt. A text can contain technical or legal detail and still be actionable when these mechanisms connect detail to stakeholder tasks.
Protective Action Enablement (PAE) is added as an outcome-facing validation proxy. It is deliberately separate from the human-coded SAI and TMC scales. PAE is computed from observable action-infrastructure markers in the raw texts: direct contact channels, protective action-pathway markers, support or remedy markers, deadline or enrollment-window markers, and audience segmentation. Generic regulatory URLs, SEC archive links, and source-document navigation links are not counted as direct contact or action pathways unless they provide stakeholder support. This refinement prevents registry records from receiving actionability credit merely because they make a notice traceable.
The relationship between PAE and PADM is intentionally limited. PAE markers correspond to communication-side facilitators of protective action: direct contact channels support source access; action-pathway markers support protective-action perception; support or remedy markers provide evidence of organizational response capacity; deadlines or enrollment windows reduce temporal uncertainty; audience segmentation increases recipient relevance; and the absence of these markers creates follow-up friction. These markers cannot show whether an audience member actually acts, but they indicate whether the document provides the infrastructure needed before such action can occur.
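The following added example sketches how a breach-writing team could screen a draft for the five PAE markers described above. It is not the study's instrument: the regular expressions, the trace-host list, and the three sample texts are constructed assumptions, and only the marker categories, the exclusion of regulatory and registry links, and the 0.60 high-PAE threshold come from the article.

```python
import re

# Assumed list of hosts whose links make a notice traceable but give no support.
TRACE_HOSTS = ("sec.gov", "oag.ca.gov")
URL_RE = re.compile(r"https?://([^/\s]+)\S*", re.I)
MONTHS = ("January|February|March|April|May|June|July|August|"
          "September|October|November|December")

# Hypothetical patterns for the five marker families named in the article.
MARKERS = {
    "contact": re.compile(
        r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"        # phone number
        r"|[\w.+-]+@[\w-]+\.[\w.-]+"              # e-mail address
        r"|https?://\S+", re.I),                  # any link that survives filtering
    "action_pathway": re.compile(
        r"\b(?:enroll|place a fraud alert|freeze your credit|"
        r"change your password|review your (?:account )?statements)\b", re.I),
    "support_remedy": re.compile(
        r"\b(?:credit monitoring|identity (?:restoration|protection)|"
        r"at no (?:charge|cost))\b", re.I),
    "deadline": re.compile(
        r"\b(?:by|before|until|no later than)\s+(?:" + MONTHS +
        r")\s+\d{1,2},\s+\d{4}\b", re.I),
    "segmentation": re.compile(
        r"\bif you are an? [\w\s-]{0,40}?"
        r"(?:customer|employee|patient|resident|investor)\b"
        r"|\b(?:current|former) (?:customers|employees|patients)\b", re.I),
}
HIGH_PAE = 0.60  # threshold the article uses for "high-PAE" texts


def strip_trace_links(text):
    """Remove regulatory/registry links so they earn no actionability credit."""
    def repl(match):
        host = match.group(1).lower().rstrip(".,;)")
        trace = any(host == h or host.endswith("." + h) for h in TRACE_HOSTS)
        return " " if trace else match.group(0)
    return URL_RE.sub(repl, text)


def pae_markers(text, exclude_trace_links=True):
    """Return {marker: present?}; the naive mode keeps trace links for contrast."""
    scan = strip_trace_links(text) if exclude_trace_links else text
    return {name: bool(rx.search(scan)) for name, rx in MARKERS.items()}


def pae_score(text, exclude_trace_links=True):
    found = pae_markers(text, exclude_trace_links)
    return sum(found.values()) / len(found)


def missing_infrastructure(text):
    """Markers a drafting team still needs to add before release."""
    return [name for name, hit in pae_markers(text).items() if not hit]


# Constructed sample texts (not drawn from the corpus).
NOTICE = """NOTICE OF DATA BREACH
What Happened? An unauthorized third party accessed files containing your name.
What We Are Doing. We are offering 24 months of credit monitoring at no charge.
What You Can Do. Enroll at https://enroll.example.com/protect by June 30, 2025.
If you are a California resident, you may also contact the Attorney General.
Questions? Call 800-555-0100, Monday through Friday."""

FILING = """Item 1.05 Material Cybersecurity Incidents.
On January 5, 2025, the Company identified unauthorized access to its systems.
The Company engaged third-party cybersecurity experts and notified law enforcement.
Prior filings are available at https://www.sec.gov/placeholder-archive-path"""

REGISTRY = """Organization Name: Example Corp
Date(s) of Breach: 01/05/2025
Reported Date: 02/10/2025
Sample of Notice: Customer Notification Letter Template.pdf
Report URL: https://oag.ca.gov/placeholder-record-path"""

if __name__ == "__main__":
    for label, text in (("notice", NOTICE), ("filing", FILING),
                        ("registry", REGISTRY)):
        refined, naive = pae_score(text), pae_score(text, False)
        print(label, refined, naive, refined >= HIGH_PAE,
              missing_infrastructure(text))
```

The naive mode shows why the refinement matters: the registry and filing samples gain a contact point only because of a traceability link. A pattern screen like this cannot tell a support page from a general corporate homepage, so that judgment stays with a human coder.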
Human Coding and Reliability
Reliability was assessed at both component and scale levels because the constructs are pragmatic and genre-sensitive. Percent agreement captures coding consistency, total-score correlations capture scale stability, and unweighted Cohen’s κ summarizes whether dimension-level agreement exceeds chance. The κ values reported in Table 2 are strongest for SAI and TMC, with JDI slightly lower because debt-bearing detail depends on the interaction of technical, legal, and remedial language rather than on a single lexical marker.
Table 2. Human Double-Coding Reliability at Scale Level.
Two independent human coders double-coded a stratified reliability subsample of 54 texts, representing 26.1% of the corpus. The subsample was stratified by genre to include investor filings, customer notices, public statements or updates, and registry records. Coders were trained on the codebook and then coded texts independently before adjudication. The final corpus scores use the adjudicated coding after this reliability check, and the Supplemental Materials include the coder A, coder B, adjudicated coding, and reliability-output files for auditability.
Reliability was substantial. At the scale level, the two coders’ total-score Pearson correlations were .947 for JDI, .973 for SAI, and .948 for TMC. Mean dimension-level percent agreement was .880 for JDI, .918 for SAI, and .947 for TMC; mean unweighted Cohen’s κ was .770 for JDI, .841 for SAI, and .803 for TMC. These results support the reliability of the coding architecture while acknowledging that actionability remains a pragmatic construct requiring interpretive judgment.
Analysis
Sensitivity checks examined whether the main claims depended on the inclusion of registry records. The central genre pattern remained interpretable when registry records were excluded: customer notices retained the strongest protective-action infrastructure, and public statements occupied an intermediate position between investor filings and customer guidance. Registry records are therefore not used to manufacture contrast; they clarify the theoretical difference between public traceability and stakeholder actionability.
The analysis proceeds in five stages. First, descriptive genre profiles compare mean JDI, SAI, TMC, and PAE by genre. Second, incident-matched comparisons examine differences within incidents that have two or more genres. Third, cluster-robust regression models estimate associations between textual features and normalized SAI while clustering by incident. Fourth, PAE validates whether the actionability construct corresponds to observable action infrastructure and follow-up friction. Fifth, close readings of high- and low-actionability cases explain how the quantitative patterns are rhetorically produced.
The models are not interpreted as causal estimates of audience behavior. They describe associations among textual features within a public corpus. The addition of PAE narrows this boundary: the study still does not observe realized comprehension, trust, or behavior, but it now directly measures whether texts supply the infrastructure that stakeholders would need before protective action could occur.
A second interpretive boundary concerns the JDI coefficient. JDI is not treated as a toxicity score in which any positive association would mean that opaque jargon improves communication. Because the index includes technical and legal specificity as well as underspecification, higher JDI can co-occur with higher actionability when detailed texts also contain strong translation mechanisms and high action infrastructure. The models therefore test the specificity-actionability paradox: breach-specific detail may create debt, but translated detail can also provide the resources for action.
Results
Genre Profiles: Actionability is Not a Simple Function of Jargon
The genre profile shows why the paper must distinguish public statements from registry records and why an outcome-facing proxy is necessary. Public statements and updates are the smallest category in the corpus (14 texts linked to 10 incidents), so the results for this genre should be read cautiously. They are retained because they capture a theoretically important hybrid genre: statements usually explain some combination of what happened, what the organization did, and where readers can look next, while the refined PAE score asks whether the text itself provides direct protective-action infrastructure rather than only a public trace.
The genre-level profile shows that actionability varies more sharply by genre than jargon debt alone. Customer-facing breach notices have the highest mean stakeholder actionability (M = .951), strong translation mechanism scores, and the highest refined PAE (M = .884). Public statements have high actionability (M = .867) but lower refined PAE (M = .518), a pattern that should be interpreted as indicative rather than definitive because of the small public-statement subset. Investor filings have moderate actionability (M = .661) but low refined PAE (M = .196), while registry records have low actionability (M = .317) and nearly no direct protective-action infrastructure (M = .009).
This finding is central. If the study were only about jargon density, registry records should look successful because they are short and low in jargon debt. Instead, they are low in actionability and PAE because they provide public visibility rather than guidance. Conversely, customer notices can contain technical and legal information and still be highly actionable because they usually specify affected data, remedies, steps, follow-up pathways, and deadlines. The outcome-facing evidence therefore supports the core theoretical claim rather than merely acknowledging the absence of behavioral data. Figure 3 displays these genre profiles.

Figure 3. Genre profiles of jargon debt, stakeholder actionability, and translation mechanisms.
Incident-Matched Comparisons: The Same Breach Becomes Different Business Communication
These matched comparisons are the heart of the multi-genre claim. They show that genre differences are not merely differences among unrelated organizations or industries. The same incident can be rewritten as a materiality disclosure, a customer guidance document, a public reassurance text, and a public trace. The patterns therefore reveal how organizations distribute communicative labor across their genre repertoire.
Incident-matched comparisons show how genre re-authors the same breach. Among incidents with both investor filings and customer notices, customer notices reduce normalized JDI by 0.139 on average while increasing normalized SAI by 0.224, TMC by 0.929, and refined PAE by 0.744. These differences suggest that customer notices do not simply simplify investor disclosure; they redirect the same incident toward personal risk, support, deadlines, and concrete next steps.
Public statements or updates behave differently, although this matched comparison rests on only 10 incidents and should therefore be interpreted cautiously. Relative to investor filings for the same incident, public statements increase JDI slightly (mean difference = 0.073), increase SAI by 0.101, increase TMC by 1.033, and increase refined PAE by 0.330. This pattern supports the interpretation of public statements as hybrid texts: they do more translation work than filings, but their action infrastructure is still less systematic than that of customer notices.
Registry records confirm the visibility-guidance boundary. Compared with customer notices for the same incident, registry records reduce jargon debt by 0.144 but reduce actionability by 0.634, translation mechanisms by 4.185, and refined PAE by 0.875. Compared with investor filings, registry records reduce JDI by 0.234, reduce SAI by 0.439, reduce TMC by 3.500, and reduce refined PAE by 0.209. Visibility is therefore not the same as guidance. Table 3 reports the matched contrasts.
Table 3. Incident-Matched Genre Contrasts.
Note. Public statement/update contrasts in Table 3 are based on 10 matched incidents and should be interpreted as genre-indicative rather than population-level estimates.
Models: Translation Mechanisms Repay Debt
The model results should be read alongside the matched comparisons and the PAE validation. The coefficient for JDI is not a free-standing endorsement of complex language. It is a signal that developed breach texts often contain both more debt-bearing detail and more action resources. The mechanism-level model clarifies which resources matter most. Remedy verification and audience segmentation are especially important because they convert organizational action into stakeholder-usable information.
The regression results reinforce the genre interpretation. In the baseline model predicting normalized SAI, TMC is positively associated with actionability (b = 0.059, p < .001), while investor filings and public statements or updates are associated with lower SAI relative to customer notices. Because the public statement/update coefficient is estimated from a small category, it is retained to preserve the four-genre comparison but interpreted less strongly than estimates for the larger investor filing, customer notice, and registry groups. Log word count is positive, indicating that more developed texts often provide more resources for action.
The positive JDI coefficient requires careful interpretation. It does not mean that jargon improves communication. It means that, in this corpus, texts with more breach-specific detail often also contain more actionable detail. Registry records make this visible: they are low in JDI because they are short and indexical, but they are also low in SAI. Customer notices and some public statements carry more debt because they include technical, legal, and remedial content, but they repay that debt through translation mechanisms.
The mechanism-level model identifies two especially stable translation mechanisms. Remedy verification is strongly associated with actionability (b = 0.142, p < .001), and audience segmentation is also positive (b = 0.086, p = .003). These mechanisms matter because they connect the organization’s response to stakeholder tasks. A remedy that is named, specific, and verifiable is more useful than a generic statement that security has been enhanced.
Sensitivity checks support this reading. When registry records are excluded, the baseline pattern remains: JDI remains positive and TMC remains positive. When the sample is restricted to customer notices and public statements only, the JDI coefficient becomes small and nonsignificant, which suggests that the strong full-corpus JDI relationship is partly driven by contrast between indexical registry records and more developed breach texts. The appropriate interpretation is therefore not “jargon helps,” but “specificity requires translation.” Figure 4 shows mechanism prevalence by genre, Figure 5 summarizes the model visually, and Table 4 reports selected estimates.

Figure 4. Translation mechanism prevalence by genre.

Figure 5. Cluster-robust model of stakeholder actionability.
Table 4. Selected Estimates from Mechanism-Level Model.
A stricter PAE audit was applied before final interpretation. Links to SEC archives, registry pages, source-document landing pages, and general corporate homepages were not counted as action infrastructure unless they directly supported protective action. This conservative coding makes the low registry PAE substantively meaningful: the issue is not that registry records are unavailable, but that they normally require stakeholders to perform additional search, interpretation, and action planning outside the record itself.
Because it observes protective-action infrastructure rather than realized behavior, the outcome-facing validation only partially addresses the concern that a public-document study lacks stakeholder outcome evidence. Refined PAE is strongly patterned by genre: customer notices average 0.884, public statements 0.518, investor filings 0.196, and registry records 0.009. The proportion of high-PAE texts (PAE ≥ 0.60) is 0.963 for customer notices, 0.429 for public statements, 0.035 for investor filings, and 0 for registry records.
PAE also validates the coded actionability construct without simply repeating it. Across texts, refined PAE correlates with normalized SAI (r = .800) and TMC (r = .640). A cluster-robust model predicting PAE from normalized SAI and genre shows that SAI remains positive (b = 0.464, SE = 0.060), while investor filings, registry records, and public statements all have lower PAE than customer notices. This confirms that actionability is tied to observable action infrastructure but still organized by genre.
The matched results make the validation more concrete. Within the same incidents, customer notices exceed investor filings by 0.744 in refined PAE, while registry records fall below customer notices by 0.875. These differences are not just differences in tone or readability. They show whether an affected stakeholder can find a direct contact route, protective step, enrollment path, deadline, support offer, or audience-specific instruction after reading the document. Figure 6 summarizes the PAE and follow-up-friction pattern.

Figure 6. Protective-action enablement and follow-up friction by genre.
Close Readings: How Actionability is Built or Withheld
The close readings below extend the quantitative results by showing how actionability is built or withheld through textual organization. They are not treated as additional statistical evidence. They clarify how genre conventions, paragraph sequencing, and rhetorical moves produce the JDI, SAI, TMC, and PAE patterns reported above. To make the qualitative evidence more concrete, this section draws on three illustrative source texts listed in the supplemental metadata: T0046, a loanDepot, Inc. customer notice; T0208, a Stryker Corp. public update; and T0215, an AT&T Inc. public breach registry record.
T0046, the loanDepot customer notice dated February 23, 2024, illustrates high-actionability guidance (JDI 8/18; SAI 14/14; TMC 7/7; PAE 5/5). The notice names itself as a “NOTICE OF DATA BREACH,” uses the heading “What Happened?” to anchor the event, identifies potentially affected personal information, and moves from event explanation to reader-facing guidance. Its action pathway is not only declarative but procedural: readers are told that Experian IdentityWorks is provided “at no charge,” that monitoring begins through a specified enrollment process, and that they must “Ensure that you enroll” by May 31, 2024 because the code will not work after that date. The activation-code pathway converts remedy language into a concrete task sequence.
The loanDepot notice also shows why customer notices can carry jargon debt while still being highly actionable. Terms such as data security incident, unauthorized third party, containment, remediation, and investigation introduce technical and legal specificity. Yet the notice repays that burden by pairing specificity with consequence mapping, remedy verification, and follow-up access. The text provides 24 months of Experian IdentityWorks, an online enrollment site, an activation code, identity-restoration support, and a dedicated toll-free response line with operating hours. These features make the document more than a narrative of breach response; they create a usable protective-action route.
T0208, the Stryker public update dated April 9, 2026, illustrates the hybrid public-statement pattern (JDI 7/18; SAI 14/14; TMC 7/7; PAE 3/5). The update names a “cybersecurity attack” and “global disruption,” states that the organization “activated our incident response plan,” and describes work with third-party cybersecurity experts, government authorities, and law enforcement. It also gives stakeholders operational reassurance by saying that product supply remains healthy, that commercial, ordering, and distribution systems had been restored, and that work continued around the clock. These moves generate high event clarity and strong translation mechanisms because the text explains both the incident and the organization’s response.
At the same time, the Stryker case shows why public statements usually provide less direct action infrastructure than customer notices. Its FAQ-style sections route readers by stakeholder task: “Supply, ordering and shipping” frames operational continuity; “Who do I direct all product-related questions to?” sends readers to local sales representatives; and the connected-beds and stretchers question clarifies product impact. These are meaningful support signals, but they are not the same as a customer notice that gives affected individuals enrollment links, codes, deadlines, and identity-restoration instructions. The Stryker statement therefore demonstrates partial actionability: it translates uncertainty and operational status for broad publics while relying on external support channels for individualized action.
T0215, the AT&T registry record dated April 9, 2024, illustrates visibility without direct guidance (JDI 4/18; SAI 6/14; TMC 2/7; PAE 0/5). The registry page supplies index fields such as “Organization Name,” “Date(s) of Breach,” “Reported Date,” “Sample of Notice,” and “Report URL.” These fields make the breach publicly traceable and help users locate a linked notice. However, the page itself does not segment affected readers, explain personal risk consequences, sequence protective steps, or provide a direct support path. Its communicative action is indexical: it points to a record and a linked document rather than translating the incident inside the registry page.
The AT&T record therefore clarifies the study’s visibility-guidance boundary. Low PAE does not mean that the registry is useless; it means that the registry page performs accountability rather than guidance. The reader must leave the record, open the linked “Customer Notification Letter Template.pdf,” interpret whether the template applies to them, and search outside the registry page for action steps. That linked-record behavior is precisely the follow-up friction measured in the study. Registry records thus make incidents visible to regulators, journalists, researchers, and watchdogs, but they should not be counted as substitutes for stakeholder-facing guidance.
Together, the three close readings show that the quantitative genre patterns are produced through textual organization rather than through surface simplicity alone. The loanDepot notice repays debt through sequencing, deadlines, remedy verification, and direct contact. The Stryker update translates incident status and operational continuity while providing only partial individualized pathways. The AT&T registry record creates public traceability but shifts sensemaking and action planning to other documents. These cases make visible the rhetorical mechanisms behind the corpus-level JDI, SAI, TMC, PAE, and follow-up friction patterns.
Taken together, the three cases show the continuum from protective-action infrastructure, to hybrid public explanation, to public traceability without direct guidance. They also show why the quantitative patterns are rhetorically produced rather than merely numerical: actionability depends on how a text orders the breach, identifies the relevant audience, maps consequences, verifies remedies, and supplies follow-up infrastructure.
Discussion
The study’s broader argument is that cybersecurity breach communication is not a narrow special case. It is a revealing case for business communication theory because it exposes how organizations write when accuracy, caution, speed, reputation, and stakeholder action collide. The corpus shows that the problem is not simply whether organizations disclose, or whether their prose is readable, but how disclosure is organized for use across a genre repertoire and whether it leaves observable action infrastructure behind.
From Disclosure Sufficiency to Stakeholder Actionability
This contribution connects several strands of business communication theory. Business composition and technical writing are involved because the texts must turn specialized information into usable language. Information systems are involved because the event begins in digital infrastructure and becomes public through disclosure genres. Corporate communication is involved because the organization must sustain legitimacy while making uncertainty and responsibility intelligible (Suchman, 1995). Written and electronic communication are involved because the entire action chain is textual, digital, and publicly archived.
The first contribution is to distinguish disclosure sufficiency from stakeholder actionability. In a regulatory environment, an organization may reasonably focus on whether a filing is timely, accurate, and legally defensible. Yet business communication scholarship must also ask what the text makes possible for its intended users. Stakeholder actionability foregrounds the task-oriented function of organizational communication: helping stakeholders interpret an organizational event and decide what to do next. PAE strengthens this contribution by showing that actionability aligns with observable infrastructure rather than only with coder interpretation.
This distinction helps explain why the same breach may appear coherent in one genre and incomplete in another. A filing can be a strong investor communication document but weak customer guidance. A registry record can be a legitimate public trace but weak practical communication. A public statement can repair trust while still leaving action gaps. The study therefore moves beyond evaluating texts as good or bad in general. It evaluates whether each genre performs the action task implied by its audience and whether that performance is visible in contact channels, action verbs, remedies, deadlines, and audience segmentation.
Jargon Debt as a Business and Technical Communication Construct
The second contribution is the construct of jargon debt. Prior discussions of jargon often treat specialized language as a lexical problem. The present findings show that breach communication requires a more layered account. Jargon debt is produced by the interaction of technical opacity, legal hedging, agency ambiguity, temporal vagueness, impact underspecification, and remedy underspecification. It is a debt because it creates a communicative obligation: if organizations use specialized or cautious language, they must repay that burden through translation that produces action infrastructure.
This metaphor is theoretically useful because it prevents an overly simple anti-jargon conclusion. Technical language is sometimes necessary. Legal caution is sometimes responsible. Reputational self-protection is sometimes an unavoidable part of corporate communication. The problem is not the presence of these elements but their lack of translation. Business and technical communication theory should therefore treat clarity not as the removal of complexity but as the organization of complexity for use.
The positive model relationship between JDI and SAI should be understood through this translation logic. Texts with more breach-specific detail may accumulate more debt because they include technical and legal information. Yet those same texts can become more actionable when they contain remedies, audiences, roles, and steps. Registry records make the boundary clear: low debt without guidance is not high actionability. The PAE results further clarify the mechanism: debt is repaid when a text gives readers contact pathways, support mechanisms, deadlines, and action sequences.
Genre Repertoires, Information Systems, and Corporate Communication
The third contribution is to information systems communication and organizational genre theory. Cybersecurity breaches are information-system events, but stakeholders encounter them through organizational genres. These genres do not simply transmit facts. They transform incidents into market disclosure, customer guidance, public reassurance, or public traceability. The incident becomes communicatively real through genre-specific work.
This finding contributes to organizational and corporate communication because it reveals a tension between market disclosure, customer protection, public visibility, and public legitimacy. Organizations do not merely write one message for several audiences. They allocate different parts of the incident across a repertoire. The study therefore extends genre repertoire theory into cybersecurity communication by showing how a single incident is distributed across texts that perform different business functions.
Registry records are especially important for theory because they demonstrate the difference between visibility and actionability. A public registry record can enhance accountability by making a breach searchable. It can also be useful for journalists, researchers, regulators, and watchdogs. But it does not automatically help affected stakeholders act. PAE makes this distinction measurable: registry records have low action infrastructure and high follow-up friction even though they are publicly visible.
Methodological Contribution: Corpus-Assisted Analysis with Genre Accountability
The article relies on existing public documents because public breach communication is itself a documentary phenomenon. The documents are the organizational performance under study, not a proxy for some hidden communication event. The methodological challenge is therefore interpretive design: selecting the incident as the unit of comparison, separating genre functions, validating coding with reliability checks, connecting numerical patterns to rhetorical meaning, and testing whether actionability corresponds to observable protective-action infrastructure.
The study also contributes methodologically. It demonstrates how corpus-assisted business communication research can avoid two common weaknesses: reducing texts to automated counts and blurring genre boundaries. The analysis uses quantitative coding and models, but it also requires qualitative decisions about sampling, genre classification, corpus balance, domain operationalization, and rhetorical interpretation. This approach follows the argument by Smith and Batchelor (2025) that corpus construction is itself a qualitative research act, and it extends that argument by showing how boundary rules can be tied to business communication tasks.
The strict treatment of public texts is particularly important. The corpus distinguishes direct public statements and updates from registry records, and the analysis makes clear that the public statement/update subset is small and should not be overgeneralized. This boundary work is not a technical housekeeping issue; it is part of the paper’s theoretical contribution because it shows that publicness itself must be disaggregated.
The analysis shows why public organizational texts can support theoretically meaningful business communication research when the corpus is structured around communicative functions. The empirical contribution comes from incident-first sampling, genre classification, human-coded pragmatic constructs, matched-genre comparisons, PAE validation, robustness checks that protect the registry boundary, and close rhetorical interpretation.
Practical Implications
For business communicators, the findings suggest that breach communication should be reviewed through both legal and actionability lenses before release. Legal teams may understandably focus on defensibility, while cybersecurity teams may focus on technical accuracy. Communication professionals can add value by asking whether the text has translated uncertainty into usable options. This is a management communication function as much as a writing function, because it requires coordination across departments.
Organizations preparing breach communication should audit actionability, not only compliance and tone. A filing should answer materiality questions, but it should not be treated as a substitute for customer guidance. A customer notice should name affected data categories and sequence protective steps. A public statement should not substitute competence narratives for practical risk information when stakeholders need both. A registry record should be understood as a public trace rather than a full communication solution.
The results suggest a practical actionability checklist: identify the incident, specify affected data or systems, state who is affected or likely affected, explain risk consequences, sequence actions, verify remedies, provide follow-up pathways, segment audiences when one message cannot serve all stakeholders, and test whether the text contains contact channels, support markers, deadlines, and clear action paths. This checklist translates the theoretical framework into writing practice for business communicators, technical communicators, legal teams, investor-relations officers, and crisis managers.
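A first-pass automated check of a draft against the five infrastructure components this article names (direct contact, action paths, support or remedy, deadlines or enrollment windows, audience segmentation), given as an added example that is not the authors' coding instrument or PAE scoring rule. The regular expressions and the three sample texts are constructed assumptions for illustration.

```python
import re

# Constructed heuristics for this example only; NOT the study's human coding
# scheme. One pattern per component named in the article.
MONTHS = (r"(?:January|February|March|April|May|June|July|August|"
          r"September|October|November|December)")
COMPONENTS = {
    "direct_contact": re.compile(
        r"\b(?:1-)?\d{3}-\d{3}-\d{4}\b|[\w.+-]+@[\w-]+\.[\w.-]+|https?://\S+", re.I),
    "action_path": re.compile(
        r"\b(?:enroll|call|visit|change your password|review your|monitor your|"
        r"place a (?:fraud alert|security freeze))\b", re.I),
    "support_remedy": re.compile(
        r"\b(?:credit monitoring|identity (?:theft )?protection|"
        r"fraud alert|security freeze)\b", re.I),
    "deadline": re.compile(
        r"\b(?:by|before|until|no later than)\s+" + MONTHS +
        r"\s+\d{1,2},\s+\d{4}|\bwithin\s+\d+\s+days\b", re.I),
    "audience_segmentation": re.compile(
        r"\bif you (?:are|were|have|had)\b|"
        r"\b(?:current|former) (?:customers|employees)\b", re.I),
}

def audit(text):
    """Return {component: [matched evidence strings]} for one breach text."""
    return {name: [m.group(0) for m in pat.finditer(text)]
            for name, pat in COMPONENTS.items()}

def missing_components(text):
    """List the components for which the text supplies no detectable marker."""
    return [name for name, hits in audit(text).items() if not hits]

# Constructed sample texts, one per genre pattern discussed in the article.
NOTICE = ("We are writing because your name and Social Security number were "
          "involved in a security incident. If you were a customer before 2023, "
          "your account number may also be affected. To enroll in 24 months of "
          "free credit monitoring, visit https://example.com/enroll or call "
          "1-800-555-0100 by June 30, 2025.")
STATEMENT = ("We have contained the incident and restored operations. "
             "Customers with questions can call 1-800-555-0100.")
REGISTRY = ("Organization: Example Corp. Date reported: 2024-03-01. "
            "Individuals affected: 12,000. Breach type: hacking/IT incident.")

if __name__ == "__main__":
    for label, text in [("notice", NOTICE), ("statement", STATEMENT),
                        ("registry", REGISTRY)]:
        gaps = missing_components(text)
        print(f"{label}: missing {gaps if gaps else 'nothing'}")
```

A clean result only means a marker is present; whether the remedy is verified and the steps are correctly sequenced still needs a human reviewer.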
The registry findings also have policy-facing implications. Public breach registries should be understood and designed as accountability infrastructure rather than substitutes for stakeholder guidance. If regulators want registries to support affected individuals as well as journalists, researchers, and watchdogs, registry interfaces could include standardized fields for affected data categories, recommended protective actions, direct support channels, enrollment deadlines, and links to full notices. These fields would not turn a registry record into a customer notice, but they would reduce follow-up friction and make the boundary between public traceability and protective guidance clearer.
Limitations and Future Research
The study has limitations, but it does not leave the outcome-data problem unaddressed. Refined PAE directly measures whether a document supplies the minimum infrastructure required before protective action is possible: direct contact, action paths, support or remedy, deadlines or enrollment windows, and audience segmentation. PAE is still not realized comprehension, trust, or behavior. It is an outcome-facing textual affordance connected to, but not a behavioral test of, the Protective Action Decision Model.
The corpus is shaped by the U.S. disclosure environment, particularly SEC cybersecurity incident rules and state breach-notification systems, and by the public-availability cutoff used to construct the dataset. Public source dates ranged from January 12, 2024 to April 20, 2026, with parsed incident dates ranging from December 2023 to April 2026. The contribution therefore concerns a theoretically specified communication problem rather than a universal prevalence estimate. Cross-national studies should examine whether the framework travels to the European Union, the United Kingdom, and Asia-Pacific jurisdictions. International business communication research could compare how different disclosure regimes organize the same stakeholder-action translation problem.
Two additional limitations require emphasis. First, the public statement/update category contains only 14 texts linked to 10 incidents. It is analytically useful because it captures a hybrid genre between filings and customer notices, but its estimates should be treated as exploratory and genre-indicative rather than population-level claims. Second, because the corpus is built from public-document visibility rather than from a closed breach population, it should not be used to estimate the prevalence of breach communication practices across all incidents. The Supplemental Appendix reports text-derived context indicators for source family, breach type, and affected population, but these indicators are boundary aids rather than verified legal classifications. A future version of this project could combine the present genre design with a fully time-bounded sampling frame and richer incident metadata, including industry, severity, number of affected individuals, and breach type.
The PADM connection also identifies a clear future research path. PAE measures textual infrastructure that can support protective-action decision making, but it does not measure reception, comprehension, trust, protective-action perception, or behavior. Future experiments, interviews, or platform-trace studies should test whether higher-PAE documents improve PADM-relevant outcomes such as message comprehension, perceived action efficacy, information seeking, enrollment in protection services, password changes, fraud monitoring, and contact with support channels.
Finally, the study observes public outputs rather than internal production. It cannot show how legal teams, cybersecurity teams, investor-relations officers, executives, and communication professionals negotiate language before texts become public. Interviews with practitioners could reveal how jargon debt is produced, recognized, and repaid inside organizations and how teams decide when action infrastructure is legally, technically, and reputationally safe to disclose.
Conclusion
Cybersecurity breach communication is often judged by whether an organization disclosed, reassured, apologized, or complied. This article argues that business communication scholarship should also ask whether disclosure becomes actionable. Jargon debt names the burden that accumulates when technical precision, legal caution, and reputational self-protection are not connected to stakeholder tasks. The evidence shows that debt is not eliminated by short language and not necessarily created by technical language alone. It is created when complexity remains untranslated and when documents fail to provide action infrastructure.
By analyzing investor filings, customer notices, public statements, and registry records as parts of a multi-genre communication ecology, the study shows how the same breach becomes different business communication. The central lesson is that actionability depends on translation work. Organizations do not need to remove all technical or cautious language. They need to connect it to consequences, remedies, steps, audiences, and follow-up channels. That insight advances business and technical communication theory while offering a practical framework for more usable breach communication.
Supplemental Material
Supplemental material, sj-docx-1-job-10.1177_23294884261460020 for Making Cybersecurity Disclosure Actionable: Jargon Debt, Genre Repertoires, and Protective-Action Infrastructure in Business Communication by Yidan Ding, Anhua Zhou and Yichen Xiao in International Journal of Business Communication
Footnotes
Ethical Considerations
Ethical approval was not required for this study because it analyzes publicly available organizational, regulatory, SEC filing, breach-notice, public-statement, and breach-registry documents. The study did not involve human participants, interviews, surveys, experiments, private data, or non-public personal information. Personally identifying details in source documents were not analyzed or reproduced.
Author Contributions
All authors contributed to the conception of the study, manuscript development, and revision. The corresponding author is responsible for communication with the journal.
Funding
The authors disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the Jiangsu Provincial Department of Education under Grant SJCX25_0012 (2025 Jiangsu Province Postgraduate Practice Innovation Program); and Huazhong University of Science and Technology under Grant DJSZ202568 (Huazhong University of Science and Technology Party-Building Research Project). The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to submit the article for publication.
Declaration of Conflicting Interests
The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Data Availability Statement
Supplemental Material
Supplemental material for this article is available online.
