Reflections on information security from a social science perspective

January 30, 2018

Speaking the same language as your audience is important. In most cases you're already speaking the literal, high-level language of your audience but it's a lot more nuanced than that. Language at a lower level is one thing that trips people up on the way to understand...

January 16, 2018

There are a lot of ways to think about audiences of information security messages. Your relationship to your audience influences how you communicate with them. Why are they listening to you? Are you part of an internal team - are you communicating with your coworkers -...

December 13, 2017

Last post, I went over two methods for understanding or segmenting your audience. The first was based on the influence you have over your audience - why are they listening to you in the first place?

  • Affinity

  • Required to listen

    • Structural reasons

    • ...

November 13, 2017

There are a few more things you might want to consider when you're using benefit framing for infosec. These are slightly more advanced considerations but they're at least worth having on your mind.

"Topping out"

This is the idea that certain people won't respond to your...

November 6, 2017

Last time, I introduced the basics of gain-loss framing from health communication. I also discussed how this approach should be applied to infosec issues. Now I'm going to give you more detail on how to actually use gain-loss framing.

What needs to be manipulated

In orde...

October 26, 2017

I've spoken before about the need for infosec communication and persuasion to move in a more positive and proactive direction. (This isn't an original argument. @iMeluny and @jessysaurusrex have been saying this for a long time now, among others.) Fear isn't an effecti...

July 26, 2017

Fear can be a great motivator but it can also be paralyzing. Scholars have examined the use of fear appeals in advertising and public information campaigns quite thoroughly and achieved mixed results. While experimental studies have supported the motivating effect of...

July 12, 2017

UPDATE: I gave a talk on this at BSidesDC and Delaware 2017. Here are my slides for that talk. 

I've wanted to cover efficacy for a while. When talking with people at conferences like BSides, it kept popping to mind as a solution to some of the problems I kept hearing a...

July 3, 2017

It’s commonly known that we (humans) are bad at evaluating risk. We're consumed by worry about risks that are unlikely to impact us and disregard risks that are more likely. People are afraid of flying and worried about terrorist attacks but don’t think twice about gett...





This blog is a place for me to explore issues in information security from a somewhat scholarly and very communication-centric viewpoint. Here I'll be talking about scholarly theories from my time in graduate school, best practices (both academic and not) from communication, and how they all play out in information security. I'll also be looking at specific cases and analyzing the communication around them. I'll include citations and links to relevant resources as appropriate in my posts so you can continue exploring some of these topics on your own.



I have my M.A. in communication from the University of Maryland. My research there focused primarily on crisis communication and public relations. Using theories from those fields, I’ve begun examining certain information security issues, specifically how organizations and individuals communicate about infosec and how it can be done more effectively.