When it comes to security awareness, there’s no such thing as a blank canvas. Your audience will already have pre-conceived notions about your topic. The language, tone and media you use will invoke associations in people’s minds, both helpful and unhelpful. These associations will influence how people view the root causes, likelihood and potential outcomes. A good example of the mental connections people make between concepts is found in word association. For example, you say email, someone else thinks of spam. You say security awareness training, they think of PowerPoint and a feeling of being trapped. You get the idea.
In Metaphors We Live By, George Lakoff explains how the language we use frames our discussions. He points out that our communications are framed by metaphors that we often take for granted as part of social discourse. For example, the metaphor ‘argument is war’ frames a discussion about arguments where statements such as ‘He shot down all my arguments’ and ‘Your claims are indefensible’ seem natural. Lakoff argues that the metaphor that is invoked and the way an issue is framed will determine our response to a large extent.
Understanding people’s pre-conceived notions when it comes to information security is critical to achieving the best possible impact from your communications. Before communicating, it’s vital to understand what frame of reference your content is likely to invoke in your intended audience and how that will frame your message. There could be a large gap between what you intended as an expert on the subject and how your audience interprets it, especially if it’s an intangible risk. Without understanding the framing, your advice may be sensible and well intentioned but the results will be inconsistent.
Some metaphors work really well because they are intuitive. Computer viruses are a good example. Consider how well the metaphor carries over from biological viruses to software ones. Both are conceptually small and invisible, can be caught from others through a lack of hygiene and are things that you really want to avoid. Framing can be very powerful when conveying a message, and a great example is the London Transport Cabwise campaign (inset). Rather than bombard an audience with facts, the campaign seeks to leverage a metaphor of stranger danger which is emotionally powerful and spans different cultures and ages.
So, how can we understand these pre-conceived notions and word associations in a systematic way? In the field of safety risk communications, a common approach is to use mental models. Mental models, sometimes called ‘folk models’, are simplified explanations of cause and effect. They are rarely perfect in terms of an expert view, but they normally allow people to reach an adequate decision quickly. Mental models also offer a systematic way of identifying the pivot or fulcrum points on which people’s decisions largely turn, as well as gaps in people’s knowledge. In the book I’m writing about security awareness, I plan to apply mental models to the security field.
Currently in information security awareness, we largely ‘teach the topic’ and hope that behaviour improves. I’ll leave the last word to experts in safety risk communication with decades of research to back up their position: “An effective communication must focus on the things that people need to know but do not already. This seemingly simple norm is violated remarkably often in risk communications…Rather than subject draft communications to rigorous empirical evaluation by individuals like those who will use them, communicators pass them around to staff or expert committees for approval…Under such conditions, it is not surprising that audiences often miss the point and become confused, annoyed or disinterested.”