Especially in recent weeks and months, information security has become an issue of interest to a lot of different people. Over the last several years, more people have started paying attention to infosec issues, which means the audience of infosec communication has drastically grown and changed. Effective communication is audience-dependent. You have to adapt your message to your audience, so let’s examine some different audiences of infosec communication and how the messaging should change to be effective for them.
For this discussion, I’m thinking of infosec communication as a persuasive effort. The goal is to convince people to change their behavior to be more secure or to just think about security more. So, who are we trying to persuade, and how should communication change to achieve that behavior change? There's no form or style of communication that's going to convince everyone, so we have to tailor it. Getting people to engage with infosec communication is a challenge all on its own, but I’m going to focus on situations in which people are listening. So, why might people listen to infosec communication?
- Affinity – they like you and trust you and would probably listen to anything you say
- Required to listen:
  - Structural reasons – you outrank them
  - Checkbox – there is a regulation, standard, or social pressure, and the audience wants to be able to point and say "we did the thing"
  - Someone else told them they had to – most common in lower-level employees or end-users when security training is required
- Fear – they saw something in the news, heard a story from a friend, and are afraid that they are vulnerable, so they wanted to talk to you
- Legitimate interest – the holy grail that frequently goes along with affinity; the person speaking to you is legitimately curious about security and wants to learn more
Now the question is: how does your communication change to accommodate these different groups? If your audience is listening to you under some kind of duress, you need to work a lot harder than if they are listening voluntarily. You have to make it worth their while. Here’s some guidance on how to tailor your communication in three of these scenarios:
Affinity
This will likely be framed as "tell me about what you do" rather than "tell me what I need to do." Affinity is great to start a conversation, but it can lead to polite listening rather than active listening. This type of audience won't necessarily be thinking about how what you're saying applies to their lives, so you have to draw that picture very clearly for them.
Someone else told them they had to listen
In some ways, this can be your best-case scenario because it's structured and planned. You have time to prepare and can follow an outline or script. Also, these are typically mandated trainings, so you know that people will actually show up. The downside is that your audience probably isn't psyched to be there. With a reluctant or captive audience, your first step should be to build affinity or trust. Building one or both of these will increase the chances they’ll pay attention and that they’ll take your recommendations.
Fear
"I saw such and such on the news, could that happen to us?," or even better, "Do we have a blockchain?" The key to this sort of conversation is that they're talking to you to assuage their fears. They want to hear "we're good, no need to worry." A key to persuasion is to move from a negative emotion to a positive one. You can start the conversation by saying “yes, we are at risk,” but you can’t keep it there.
Move the conversation to a more positive, maybe hopeful, place – “we are at risk, but here’s how we can be more secure.” If they feel worse after speaking to you, they won't do it again. Encourage this sort of behavior regardless of who is doing it – end-users, executives, family and friends. Anytime someone shows an interest in security, they should be encouraged. Try to think about their motivations for asking so that you can tailor your response.
If they heard about a new technology that's totally inappropriate for the situation, redirect to something actually useful – "Yes, that's super cool. Have you heard about this though?" Match enthusiasm with enthusiasm; reassure them if they're afraid. These are just some basics for tailoring infosec communication to different audiences.
About the Author: Claire Tills recently received her M.A. in Communication from the University of Maryland. With a professional background in technology and security public relations, her research focuses on the communicative side of information security. She applies communication theories to InfoSec issues with the goal of advocating security to a variety of end-users and improving resilience after InfoSec crises like data breaches.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.