Language is at the heart of communication. Every time we speak or write, we choose language appropriate to our audience to get our desired message across. Why should it be any different in cyber security?
Yet, the cyber security industry has a problem. Too often, security experts use technical jargon to describe threats facing people and their organisations. People switch off. They don’t engage with later training and education programmes, and cyber security risks go unchallenged.
So, what needs to change? How can we use language to engage and empower people instead of lecturing and finger-pointing?
Putting people back into security
People need to be front and centre of security efforts. Most data breaches are linked to human error. This does not mean we need to start blaming people for their errors. Instead, we should recognise that people are an essential part of reducing cyber risk. We need to treat them as a priority rather than an obstacle to better security practices.
At CybSafe’s recent IMPACT 2021 event, Emma W, Senior Representative at the National Cyber Security Centre (NCSC), gave a keynote entitled “Why are people, and couldn’t they just not?”. Emma made the case for empathetic security. She provided examples of how the NCSC adopted this approach four years ago with its messaging to the general public.
Emma shared the key challenges her team faced trying to get the language right for the NCSC’s advice for the public. Understanding the audience was crucial. Without appreciating what the audience already knew and what they were trying to achieve, there was no hope of engaging them. Next, Emma and her team strove to understand barriers to their messaging. Did the audience lack resources to act on the messaging provided? Were there deeply held beliefs about security that needed to be challenged?
Finally, the team thought about language. What kind of words was the audience familiar with? Which words would mean nothing to the audience? Terms to avoid included technical jargon such as “encryption” or “multi-factor authentication.” Instead, clear descriptions of what these terms meant were necessary to support public understanding.
Stay on message
The NCSC’s approach is applicable across the industry. Security professionals may get excited about technical details. After all, it’s their bread and butter! But they should stay on message when delivering education and training support to employees. This means sticking to key points and providing clear explanations of actions needed to reduce risk.
This approach doesn’t just improve the understanding of key cyber risks. It shows people that security teams care about them. Engaging people by using simple language challenges the idea that security teams “just want to catch people out”. Instead, security teams are there to understand the issues people face and help address them. As Emma W wisely says: “Empathy is a security superpower.”