Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/3/2019
10:30 AM
Zack Schuler
Zack Schuler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

How Storytelling Can Help Keep Your Company Safe

Well-crafted narratives can help you win over users in the battle to develop a sustainable cybersecurity culture.

When was the last time you felt a deep emotional connection to a PowerPoint slide? How often do you find yourself enraptured by a lecture? Take a moment to imagine the sheer number of corporate presentations, training sessions, and mass emails that have failed to make any lasting impression (or any impression whatsoever) on their target audiences. When it comes to your company's security, you really don't want to add to that number.

Whether we're talking about gaining or maintaining an audience's attention, narrative is one of the most powerful tools you have. Human beings are naturally drawn to stories — they generate empathy, tension (the good kind), and emotional investment. They entice viewers to keep watching to see what happens next. And they provide coherent, digestible messages that audiences actually want to hear.

Research by Paul J. Zak, a professor of economics, psychology, and management at Claremont Graduate University, has shown that "character-driven stories with emotional content result in a better understanding of the key points a speaker wishes to make and enable better recall of these points weeks later."

Because stories are so reliant on the power of empathy, it's crucial to make them as relatable as possible. Zak explains that it's easier to convey the "transcendent purpose" of your company by "describing the pitiable situations of actual, named customers and how their problems were solved by your efforts. Make your people empathize with the pain the customer experienced and they will also feel the pleasure of its resolution."

Employees also need to be reminded that even the best-known companies in the world have been the victims of major security breaches, and this can be done by telling their stories. For example, Equifax recently announced that US regulators are seeking damages for its massive 2017 breach, which has already cost the company hundreds of millions of dollars. There's a reason why the expression "cautionary tale" is so common — there's no better way to prepare people for the worst.

In a review of the research literature on narrative and cognition published in Proceedings of the National Academy of Sciences, Michael F. Dahlstrom points out that narratives are "often associated with increased recall, ease of comprehension, and shorter reading times." This is because, as Dahlstrom explains, narratives "seem to offer intrinsic benefits in each of the four main steps of processing information: motivation and interest, allocating cognitive resources, elaboration, and transfer into long-term memory."

These are all salient points for CISOs and other digital security professionals who are trying to develop and sustain a culture of security at their companies. What's the use in security training programs that won't be remembered a few weeks or months after they're implemented? This is why companies should avoid perfunctory, check-the-box security exercises like occasional information dumps from the IT department, monotonous PowerPoint presentations, and training modules that employees rush through as quickly as possible. Instead, they should focus on narrative-driven messaging that highlights real-life data breaches and what could have been done to prevent them.

To return to our Equifax example: If you simply tell your employees to keep software patched, they won't be thinking about why this is so important. But what if you introduce the issue like this? "In the summer of 2017, the personal data of 145 million American consumers were stolen when Equifax was targeted by one of the largest hacks in US history. The breach could have been prevented if Equifax would have patched a vulnerable web application, but it failed to do so. This is why it's vital to make sure all of our software is up-to-date." A call to action is much more powerful if it comes at the end of a compelling story.

We live in an age of perpetual distraction. According to a recent study published in the Journal of the Association for Consumer Research, even the mere presence of a smartphone "reduces available cognitive capacity." A Microsoft survey found that the percentage of people who "get side tracked from what they're doing by unrelated thoughts or day dreams" increases dramatically if they're early tech adopters, heavy social media users, and/or consumers of large amounts of media (the vast majority of your employees probably fit these criteria). The same report discovered that almost one-fifth of online viewers "defect in the first 10 seconds." 

In other words, it has never been easier for employees to ignore warnings and absent-mindedly click through the training exercises that are supposed to keep your company safe. Professional communicators should never forget this fact — if you can't seize your audience's attention right away, there's a good chance you'll lose it for good. And even if you manage to keep the audience engaged for the first 10 or 20 seconds, you're waging a constant battle to reach 30 seconds, 40 seconds, and so on.

Well-crafted narratives can help you win this battle, which is why they should be an integral part of your cybersecurity platform. 

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Zack Schuler is the CEO/founder of NINJIO, an IT security awareness company that empowers individuals and organizations to become defenders against cyber threats. He is driven by the idea of a "security awareness mindset," in which online safety becomes part of who someone is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-2498
PUBLISHED: 2020-02-20
The Linux kernel from v2.3.36 before v2.6.39 allows local unprivileged users to cause a denial of service (memory consumption) by triggering creation of PTE pages.
CVE-2012-2629
PUBLISHED: 2020-02-20
Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) vulnerabilities in Axous 1.1.1 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator account via an addnew action to admin/administrators_add.php; or (2) c...
CVE-2014-3484
PUBLISHED: 2020-02-20
Multiple stack-based buffer overflows in the __dn_expand function in network/dn_expand.c in musl libc 1.1x before 1.1.2 and 0.9.13 through 1.0.3 allow remote attackers to (1) have unspecified impact via an invalid name length in a DNS response or (2) cause a denial of service (crash) via an invalid ...
CVE-2015-2923
PUBLISHED: 2020-02-20
The Neighbor Discovery (ND) protocol implementation in the IPv6 stack in FreeBSD through 10.1 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.
CVE-2014-4660
PUBLISHED: 2020-02-20
Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:[email protected]