
From fear to friendship: how positive language boosts cybersecurity awareness
02/14/23 • 41 min
Poor communication is a major roadblock in getting people to adopt cyber-safe habits. It also creates a major disconnect between information security specialists and the people they serve.
For instance, threat-filled emails with a negative or sometimes threatening tone only confuse non-IT experts who need simple explanations and psychological safety to learn.
This makes empathy essential in the cybersecurity space because it’s a constant reminder that things which are quick and easy for technical specialists can be complex and unnecessary to people with a different background.
By revamping security training and communication, we can make people feel comfortable with digital security practices and appreciated for their continued efforts. This is the most effective way to encourage compliance with safety measures such as strong passwords and secure document handling.
Leading organizations and their leaders through this change takes a special kind of person.
Today, we're thrilled to welcome Ceri Jones, Head of Security Awareness & Community at Lego, to the podcast!
Ceri is a brilliant specialist who turns research from multiple fields into real-world tactics that build security-focused internal cultures. With over a decade of experience in people-focused security and awareness, Ceri is a true champion of positive security and language. She's a firm believer in fresh approaches to security awareness that “make security more approachable, conscious and considerate.”
Tune in to:
- discover why companies need to embrace positive language in their cybersecurity communications
- learn how heavy cognitive load affects people's response to security best practices, and
- get inspired by the positive changes happening in the exciting world of cybersecurity.
In this episode we cover:
- The power of positive language in cyber defense (05:09)
- A winning case of cyber-positivity straight from Ceri’s experience (12:35)
- The personal drive behind Ceri's journey in cybersecurity (18:07)
- The brain-drain effect on cyber safety measures (22:24)
- Positive changes shaping the future of cybersecurity (29:58)
Connect with Ceri:
Let’s connect!
Previous Episode

How emotions shape human behavior in cybersecurity
People are critical to advancing cybersecurity on all fronts, whether it’s keeping an organization safe or building safer software. Using security software or rolling out an awareness course is not enough. You need to understand how people interact with the system and where following best practices fails them – and why.
This allows the creation of user-friendly policies that make people feel supported instead of hounded for their mistakes. A more empathetic approach to building relationships with cybersecurity (specialists, concepts, and practices) encourages people to ask for help when they identify a potential threat because they don’t feel judged.
Our guest today is Erlend Andreas Gjære, co-founder & CEO of Secure Practice, a Norwegian company that creates data-driven tools to engage, influence, and cultivate security within organizations. He specializes in security and people, focusing on security awareness, training and culture, human risk, behavior, and user experience.
In this episode, you will hear about the role of emotions in human behavior as it manifests and relates to cybersecurity, based on Erlend’s experience as a researcher. You’ll also learn why communication is one of the most important components of making things work in this space. Additionally, you’ll discover real examples that show why fear-based communication is ineffective in getting people to adopt a safer behavior.
In this episode, you will learn:
- How Erlend’s experience as a research scientist shaped his mission in cybersecurity (05:27)
- Why having management backing is not the most important element for building a security-focused culture (07:53)
- Real examples of the range of emotions that cybersecurity triggers in people (19:49)
- How using fear-based communication damages the willingness to act on security advice in the long run (24:32)
- How specialists’ familiarity with cybersecurity makes them underestimate the complexity of concepts and advice they give people (32:16)
- A practical example of how to make a good business case for using empathy to advance secure behavior (34:49)
Resources:
- Book: Nonviolent Communication
- Study: Rule breakers, excuse makers, and security champions
- Security Practice - Exit Report
Connect with Erlend:
Let’s connect!
Next Episode

Why security teams need an empathy filter
Everyone who works in cybersecurity needs this reminder from time to time: people who are not in this space aren’t obsessed with the latest attacks and their impact. They probably don’t care at all because they already have other difficult projects they’re working on or personal issues that stretch them thin.
Any security team that wants to be effective and make a difference needs to keep this idea at the top of their mind when rolling out an awareness campaign or sending out an email.
Overly technical and dramatic messages about trending or successful attacks fly right by busy ears.
So what’s the solution?
Creating simple messages that resonate with people in their context. This is a practical way of using empathy to create true resonance, but it’s often difficult to accomplish without help. That’s why a non-IT specialist with communication expertise can act as an empathy filter for the security team when bringing them on board.
My guest today, Lance Spitzner, Director of Security Awareness at the SANS Institute and founder of the Honeynet Project, coined that term (“empathy filter”) as we were recording.
His over 20 years of security experience in cyberthreat research, security architecture, and awareness training really shine in this episode, creating momentum and motivation for change.
Lance has published three security books, consulted in over 25 countries, and helped over 350 organizations build awareness programs to manage their human risk. He remains hands on, dedicated, and an energetic vector for the cybersecurity community.
In this Cyber Empathy episode, Lance explains why simplifying security is the best approach to protecting cybercriminals’ favorite target: people. He also shares examples of how to do this in practice and who to ask for help to achieve this. What’s more, this episode helps you find out how to determine if the security team is empathetic.
In this episode, you will learn:
- Why simplifying security is the best approach to secure people (02:24)
- Why security teams need an “empathy filter” and who can play that role (10:20)
- The importance of having an empathetic security team (18:13)
- Lance shares an empathetic security approach success story (30:00)
Resources:
- Lance’s books
- The ADKAR Model
- Lance Spitzner and Carolyn Crandall at RSAC 2019
- Lance Spitzner - Securing the Human Being
- The Honeynet Project
- Daniel Kahneman books
- Cass R. Sunstein books
- Robert B. Cialdini books
Connect with Lance:
Let’s connect!