Claire Tills | Jan 30, 2018 | 4 min
Shared Language: how to fake it if you don't have it
Speaking the same language as your audience is important. In most cases you're already speaking the literal, high-level language of your audience but it's a lot more nuanced than that. Language at a lower level is one thing that trips people up on the way to understanding. Jargon, acronyms, slang, and cultural quirks can all act as barriers to mutual understanding - which is the whole reason we communicate. These are so ingrained in us, however, that it takes effort to suppre

Claire Tills | Jan 16, 2018 | 4 min
Audiences of infosec communication: Internal or external?
There are a lot of ways to think about audiences of information security messages. Your relationship to your audience influences how you communicate with them. Why are they listening to you? Are you part of an internal team - are you communicating with your coworkers - or are you an external entity - a contractor/consultant? Is your audience internal or external - are they employees of the company or are they customers/clients/end-users/etc.? Let's look at the pros and cons o

Claire Tills | Dec 13, 2017 | 5 min
Tailoring infosec communication: Five scenarios
Last post, I went over two methods for understanding or segmenting your audience. The first was based on the influence you have over your audience - why are they listening to you in the first place? Affinity Required to listen Structural reasons Check box Someone else told them they had to Fear Legitimate interest Based on these, here are some scenarios and how to tailor your communication to that audience: Scenario 1: A (work) friend asks how they can be more secure (affinit

Claire Tills | Nov 13, 2017 | 5 min
Other considerations for benefit-framing
There are a few more things you might want to consider when you're using benefit framing for infosec. These are slightly more advanced considerations but they're at least worth having on your mind. "Topping out" This is the idea that certain people won't respond to your messaging because they're already doing the recommended behavior. It's also from that sunscreen study I keep talking about (citation below) and I think it might apply to infosec, especially with certain audien

Claire Tills | Nov 6, 2017 | 6 min
How to use benefit frames for infosec
Last time, I introduced the basics of gain-loss framing from health communication. I also discussed how this approach should be applied to infosec issues. Now I'm going to give you more detail on how to actually use gain-loss framing. What needs to be manipulated In order to drive behavior - particularly preventative/protective actions - your audience needs to be in a certain mental space. There are a few measures from scholarship that we can look at and alter in our audience

Claire Tills | Jul 12, 2017 | 5 min
Advanced soft skills for InfoSec: Efficacy
UPDATE: I gave a talk on this at BSidesDC and Delaware 2017. Here are my slides for that talk. I've wanted to cover efficacy for a while. When talking with people at conferences like BSides, it kept popping to mind as a solution to some of the problems I kept hearing about. The many conversations about "soft skills" also brought it to mind. The skills mentioned in these conversations (like empathy, professional writing and public speaking, and working with other departments)

Claire Tills | Jun 26, 2017 | 5 min
Communication, not just for crises
Now that I’ve covered the first incident that pulled me into security communication and shown how infosec and crisis communication intersect, I’m happy to move on. Too often, communication is only used in infosec when there is a crisis. Communication has a lot more to offer than just crisis management and, when used properly, it might help reduce the need for crisis communication, or make the crisis communication easier. In this post and a couple to follow, I’ll be discussing