How to use benefit frames for infosec
Last time, I introduced the basics of gain-loss framing from health communication. I also discussed how this approach should be applied to infosec issues. Now I'm going to give you more detail on how to actually use gain-loss framing.
What needs to be manipulated
In order to drive behavior - particularly preventative/protective actions - your audience needs to be in a certain mental space. There are a few measures from scholarship that we can look at and alter in our audiences to potentially effect change. This first section will go over what these measures are and then I'll get into how to change them.
Salience of issue/behavior
Salience: the act of being prominent or conspicuous.
This concept from social psychology basically asks: how much mental energy will it take your audience to think and make decisions about the issue? Is the audience thinking about the issue already, or have they never considered it before? If they aren't even thinking about the issue, your uphill battle is much steeper. You want to either time your persuasion when the issue is on their mind or put the issue on their mind somehow. Catch people at the beach to talk to them about sun protection. They're already thinking about the sun and it isn't much of a mental leap to get them thinking about sun protection. It would be a very different situation if you were trying to talk to beach-goers about putting snow tires on their car.
To increase the success of your persuasive efforts, you want to bring the desired behavior to the top of their mind - increase the salience.
Level of involvement
This concept runs through a lot of disciplines. I know it from public relations as a determining factor for whether a person is part of a "public." It asks whether and how much your audience thinks the issue impacts them. How involved are they with the issues being discussed? If they don't think they're involved, they aren't going to see any value in action. I've brought this up with efficacy as well, but some audiences for infosec communication have a low perceived level of involvement with the issues. It isn't their department, they aren't a target, they've already done enough, or maybe they just don't know the issue exists. To get them to act, you have to change their perceived level of involvement - show that the issue impacts them directly and immediately. It is your circus and these are your monkeys.
This is where framing comes in. Through framing, you're highlighting specific pieces of information that bias your audience's information processing towards a certain conclusion. I'm arguing that the information you should highlight is the benefits your audience obtains by being more secure. The goal is for them to develop positive associations with security, the specific behavior, and you (the source of the message). This doesn't mean denying or ignoring anything negative or the drawbacks of your proposed action. It means that the central focus of your communication should be on positive outcomes, rather than scary consequences. Even if it's true, don't focus on "if you don't do this, terrible thing will happen."
How to do this
Now that we have these key concepts for motivating behavior change down - how do we use them to develop persuasive communication? We need to increase the salience of security issues and our audience's level of involvement with them. Thankfully, these go hand in hand. They're about either catching the audience when the issue is at the forefront of their mind or using a stimulus to bring it there. For example, talking about sunscreen with people currently at the beach or talking about security when a major breach is dominating the headlines. If an issue is at the top of mind - particularly if it's a threat - your audience is likely already thinking about whether/how it impacts them and you can jump on that. While lately it seems like we're constantly in the midst of a major breach, at some point we might not be. So how do you make infosec more salient and increase your audience's involvement with it?
Think about anything that might link to your issue or behavior in the audience's mental map. (If you are familiar with schemas and heuristics - what else is "security" in a schema with?) Locking your doors at night, fire drills, wearing a seat belt, a bodyguard, horror movies, maybe even a cozy blanket: these are all things that might bring security to mind.
Increasing salience and level of involvement can be done in many ways and your audience determines which will be most effective. If it's a more formal setting, you might want to stick to harder facts - statistics, news clippings, legal requirements/regulations - to bring the issue to the top of their minds. Statistics and hard facts are fantastic and I recommend using them often but you should also find ways to pepper in more qualitative tactics. Tactics like:
Asking questions - use questions like breadcrumbs to build up to your main issue. What makes you feel safe? What makes you feel unsafe? How does it feel to be safe? What are some dangerous things you do on a daily basis? How do you make those things less dangerous?
With these questions, you are making the audience think about their general safety and security and the positive feelings associated with being secure. Then, you will tell them that there is something else they can do to feel more secure...
You can keep this brief or stretch it out depending on your audience. Some audiences might require a more gradual process, and more connecting dots, while others are already halfway there when you start. Use the responses you get to the first question to dial in on your audience's needs. Be responsive to them.
Telling stories - These could be real, hypothetical, or crowd-sourced. The goal is to use or create a narrative into which your audience can place themselves that supports your goal. Make it a "that could happen to me" story to increase the audience's level of involvement. If they can't picture that situation happening to them, they won't feel the need to act. Talk about a different business that adopted a more secure posture, saw the initial investment pay off big, and got a leg up on its competitors. Tell the story of how you helped your entire family set up 2FA during the holidays.
You could also have the audience craft their own stories - have them envision a future where they've taken your recommendation and predict what will happen. This is also a good way to figure out any misconceptions or biases your audience has against the behavior. If they focus on the expense of the process, you can interject with long-term benefits or ROI figures - or whatever - to correct the misconception or bring the focus back around to the benefits.
Asking questions and telling stories are two of my go-to tactics for persuasion. There are many more but I picked these because they align with the goal of being more positive with infosec communication. Perhaps your audience is better with visuals and you can increase salience by showing a video or picture.
So your audience is thinking about security. You've convinced them that the issue has an immediate impact on them. Now, you can tell them how the specific action you're recommending will solve their problems. Frame it consistently around benefits from start to finish. As you're making the audience think about security, you're also making them think about the things they'll gain from being more secure. They will develop positive associations and feel better thinking about security in the future.
Next post, I'll cover a couple of other considerations when applying benefit-framing for infosec communication. Specifically, how empirical testing can and should be used to test the efficacy of benefit-frames.