One of the problems with the current approach to information security awareness is that methodologies such as ENISA's are detailed about the logistics of planning security awareness but have little to say about the content of security awareness.
So, how would you determine what information an audience needs to know so that they can manage the risks they face? Mental models offer a structured way of approaching risk communications rather than just “broadcasting facts”.
A mental model is a pattern of understanding held by an individual. It consists of the beliefs they hold, the strength of those beliefs and the connections between them. Safety experts note that when risk communication takes place the audience will already have some degree of pre-existing knowledge, which forms their mental model:
“…for most risks, people have at least some relevant beliefs, which they will use in interpreting the communication. They may have heard some things about the risk in question. It may remind them of related phenomena.” (Morgan et al., 2002)
Technical experts routinely approach risk communications with a different “mental model” of the risk than the one held by the audience. The differences between the mental models of technical experts and their audiences are caused not only by differences in beliefs and the connections between them, but also by problems with terminology. False fluency is an example: key terms are used by both sides but understood differently by the audience. If an audience has a fundamental misunderstanding about the meaning of a key word such as “virus” or “password”, then unless reliable, agreed definitions are established first, any security awareness on the subject is likely to fail to achieve its objective.
A mental model approach involves creating an expert model of a risk, as perceived by technical experts, and then contrasting it with the mental models of the intended audience. The differences between the two then become the specific focus of attention in risk communication efforts.