Speaking the same language as your audience is important. In most cases you're already speaking the literal, high-level language of your audience but it's a lot more nuanced than that. Language at a lower level is one thing that trips people up on the way to understanding. Jargon, acronyms, slang, and cultural quirks can all act as barriers to mutual understanding - which is the whole reason we communicate. These are so ingrained in us, however, that it takes effort to suppre

Last time, I introduced the basics of gain-loss framing from health communication. I also discussed how this approach should be applied to infosec issues. Now I'm going to give you more detail on how to actually use gain-loss framing. What needs to be manipulated In order to drive behavior - particularly preventative/protective actions - your audience needs to be in a certain mental space. There are a few measures from scholarship that we can look at and alter in our audience

I've spoken before about the need for infosec communication and persuasion to move in a more positive and proactive direction. (This isn't an original argument. @iMeluny and @jessysaurusrex have been saying this for a long time now, among others.) Fear isn't an effective way to motivate action in infosec. To effectively persuade people to be more secure, we need to move away from dark, scary, sky is falling narratives. In the last post we learned that framing is about focusin

I don't want to hop on the meme-train here but the saga of Trevor gave me some ideas so here they are. Humor is rare in crisis communication but it's not unheard of. Rumor, on the other hand, is common. People seek information and explanation in a crisis and aren't as critical of the information they receive - scarcity lowers standards. Rumor has impacted the infosec community in a lot of situations so talking about how to counteract it is important. Trevor wasn’t really a ru

So, Equifax happened... this blog is not about that, even though it seems like it is. I wrote it before that news broke. Any resemblance to that situation is coincidence. Previously, I went through the first two stages of CERC, pre-crisis and initial, and how they interact with incident response efforts. Now, we move on to the last three stages of CERC: maintenance, resolution, and evaluation. These are some of the most active stages for the organization. Each department will

In a previous post, I presented a couple of cases in which communicative attribution (responsibility) and technical attribution conflicted. I selected those cases specifically to show that the public (media, employees, etc.) can pick and choose whether or not to incorporate results of technical attribution in their outrage. Now, let's try to learn something to avoid these cases happening to us. How can communication and technical attribution work together to increase the like