Some of the greatest advances of human civilization are normalized over time and are eventually seen as ordinary. Fire, electricity and the combustion engine all revolutionized human existence but are no longer seen as exceptional. Another significant advance which is largely taken for granted is language, that is, our ability to communicate and share experiences outside of our immediate existence. The ability to communicate has meant that we don’t have to personally suffer from a hazard to be wary of it. It has also meant that we can pre-equip people with expectations of social norms without their having to personally violate each social norm in turn in order to understand it. One of us was affected by a threat or transgressed a social norm and then shared the experience, either through oral traditions or through writing.
A good example of this is the traditional fairy tales which are told to children from a young age. Through these stories, children learn about dangers such as strangers and moral lessons to help them understand right and wrong. For example, children learn that going into someone else’s house and testing the temperature of breakfast dishes and the softness of chairs without permission is likely to result in an unpleasant confrontation. What better way to get a child’s attention than a story about a confrontation with household occupants who are both angry and bears?
For someone seeking to understand the world they live in and who wants to be able to approach life with a degree of prediction, stories help build mental models. Mental models are simplified views of the world to help understand cause and effect with an acceptable degree of prediction. Mental models are invariably simplified versions of reality but they have the advantage of being time savers. People can make decisions based on simple rules of thumb rather than analyzing all aspects of every decision. This is a product of evolution, since the cavemen who had a sit-down-and-think response when spotting a lion were unlikely to survive.
Stories therefore are an important way of influencing people’s mental models. You don’t have to make people listen to stories either, since they normally find them intuitively interesting. In a work context we often spread stories and news using informal channels. The watercooler effect is one such method, where sometimes the most productive office communication happens in the break room.
In an information security context, we often struggle to communicate complicated risks and tell a cohesive story to non-technical audiences. In particular, audiences find it challenging to contextualize the conversation and relate the information they are given to their understanding of the world. How common is a threat? Who does it apply to? What exactly is a flux capacitor? One of the reasons that people often fail to understand information security messages is that they are applying a different mental model from the one the risk communicator is using. What makes sense to the communicator is therefore difficult for the audience to assimilate in the way that the communicator intended. The audience applies the wrong context and then either arrives at the wrong conclusion or applies the learning to the wrong risk trigger.
There are steps we can take to help audiences apply the correct mental model. The Analogies Project is a fantastic initiative to use what people already know in terms of politics, art, history, theatre, sport, science and other experiences to relate concepts to information security. In essence, the analogies are metaphors to help invoke a specific mental model in the audience that the risk communicator can use to frame the security advice. Basically, the project attempts to de-mystify security by applying it to situations that are widely understood and are easy to relate to for non-technical audiences.
The project has reached its 50th contributor and contributors so far are a mix of marketers, lawyers, futurists and comedians in addition to information security professionals. The project brings to life numerous examples through history of how confidentiality, integrity and availability were important. Contributors have applied information security to an amazing range of topics including stories about superheroes, seatbelts, motorway signs and suicidal kangaroos.
It’s fantastic to see an initiative such as the Analogies Project which recognizes that we need to improve the way that we communicate information security risks. It’s long overdue and that’s why I’m excited about supporting the project as a contributor. If you’re interested in contributing please do get in touch with the project.
Published in the July 2014 edition of the ISSA International Journal.