I've mentioned a caveat in a few of my previous posts and talks that "it depends on your audience." Now I want to dive into that caveat a little and talk about the audiences for infosec communication. How does your audience change your communication?
When you're planning communication, you have to think about who you're trying to convince. If the answer is "everyone," you need to try to be a little more strategic (read: realistic). There's no form or style of message that's going to convince everyone.
Public relations does a lot of work with audiences (we call them "publics"). There is a lot of scholarship examining how publics form, respond to communication, and engage with organizations. A lot of organizations, when asked who their audience is, will say "everyone," and it's the job of PR to bring in reality, discover who the audience is, and define the publics of an organization or message. One of the big theories on this is the Situational Theory of Publics (STP), and I've actually talked about it already.
STP says that a public is determined by three things: problem recognition, constraint recognition, and level of involvement. The idea is that different levels of these three measures change the way a person engages with a message. I've discussed these concepts as things you're trying to manipulate to motivate infosec behavior. That means all three are low in your audience. In STP, if all three are low, you have a "non-public": they aren't going to engage with your message much. So what a lot of infosec communication is doing is convincing people that they are your public. Infosec breaks communication theory again.
But all hope isn't lost! STP is just one method for understanding audiences/publics. Two other methods I want to cover are based on your relationship to your audience. The first was inspired by Robert M. Lee on DtSR episode 269 and is about working within your sphere of influence. This led me to segmenting audiences of infosec communication based on the type of influence you have over them. If you're just casually trying to be a security advocate, you'll be working with people within your sphere of influence - friends, family, people who already trust you. That makes persuasion easier. If you are trying to change security behaviors from a more professional/strategic direction, you have to work with the influence you have.
So, how should we think about your level of influence over your audience? We can think about it in terms of: why is your audience talking to you about security at all?
- Affinity - they like you and trust you and would probably listen to anything you say
- Required to listen
  - Structural reasons - you outrank them
  - Check box - there is a regulation, standard, or social pressure and the audience wants to be able to point and say "we did the thing"
  - Someone else told them they had to - most common in lower-level employees or end-users when security training is required
- Fear - they saw something in the news or heard a story from a friend and are afraid that they are vulnerable, so they wanted to talk to you
- Legitimate interest - the holy grail, frequently goes along with affinity; the person speaking to you is legitimately curious about security and wants to learn more
This probably isn't an exhaustive list but it hits the major segments. So the question is: how does your communication change to accommodate these different groups? If your audience is listening to you under some kind of duress, you need to work a lot harder than if they are listening voluntarily. If they are forced to listen, make sure it's worth their while. Fear as motivation for listening has its own quirks to deal with. The next post will go into more specifics on tailoring communication to these audiences.
You should also think about your power relationship with your audience. If they end up doing what you say, is it because you persuaded them or because you outrank them? Option two will lead to higher adoption rates but may also lead to more reactance and subversion. People don't like being told what to do, and if they feel that they have no choice in their actions, they're more likely to look for ways around it. That's how you get shadow IT and whatnot. If the behavior is really important - as most security behavior is - you should go beyond "because I said so" even if it's technically true.
The second method is based on location: internal or external to the organization. There are two possibilities:
- You are internal or external - are you part of an embedded security team or are you a consultant brought in?
- Your audience is internal or external - are they employees, clients, or customers? This also includes the general public and media to an extent.

But these lead to four possible relationships:
- You're internal working with an internal audience
- You're internal working with an external audience
- You're external working with an internal audience
- You're external working with an external audience
You have a different status and standing in all of these cases. You have familiarity, shared experiences, and institutional knowledge when it's internal/internal (you might also have some interpersonal friction). However, being an external consultant might allow you a little more latitude to play bad cop with your audience when needed.
If your relationship to your audience is external (either you're a consultant or they're a client/customer/end-user), you need to do more work to understand them - this might require research (your marketing team will probably be able to help if it's customers) or just good old empathy. I really recommend working with your communication or marketing team on any communication to clients and customers. Even if it's something you're a total expert in, getting a communicator's eyes on it will really up your persuasive power.
So these are a couple of ways to segment audiences for infosec communication and the start for how you tailor your communication accordingly. Next post will get into a lot more detail on that tailoring.
References
Grunig, J. E. (1997). A situational theory of publics: Conceptual history, recent challenges and new research. Public relations research: An international perspective, 3, 48.