Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/3/2019
10:30 AM
Zack Schuler
Zack Schuler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

How Storytelling Can Help Keep Your Company Safe

Well-crafted narratives can help you win over users in the battle to develop a sustainable cybersecurity culture.

When was the last time you felt a deep emotional connection to a PowerPoint slide? How often do you find yourself enraptured by a lecture? Take a moment to imagine the sheer number of corporate presentations, training sessions, and mass emails that have failed to make any lasting impression (or any impression whatsoever) on their target audiences. When it comes to your company's security, you really don't want to add to that number.

Whether we're talking about gaining or maintaining an audience's attention, narrative is one of the most powerful tools you have. Human beings are naturally drawn to stories — they generate empathy, tension (the good kind), and emotional investment. They entice viewers to keep watching to see what happens next. And they provide coherent, digestible messages that audiences actually want to hear.

Research by Paul J. Zak, a professor of economics, psychology, and management at Claremont Graduate University, has shown that "character-driven stories with emotional content result in a better understanding of the key points a speaker wishes to make and enable better recall of these points weeks later."

Because stories are so reliant on the power of empathy, it's crucial to make them as relatable as possible. Zak explains that it's easier to convey the "transcendent purpose" of your company by "describing the pitiable situations of actual, named customers and how their problems were solved by your efforts. Make your people empathize with the pain the customer experienced and they will also feel the pleasure of its resolution."

Employees also need to be reminded that even the best-known companies in the world have been the victims of major security breaches, and this can be done by telling their stories. For example, Equifax recently announced that US regulators are seeking damages for its massive 2017 breach, which has already cost the company hundreds of millions of dollars. There's a reason why the expression "cautionary tale" is so common — there's no better way to prepare people for the worst.

In a review of the research literature on narrative and cognition published in Proceedings of the National Academy of Sciences, Michael F. Dahlstrom points out that narratives are "often associated with increased recall, ease of comprehension, and shorter reading times." This is because, as Dahlstrom explains, narratives "seem to offer intrinsic benefits in each of the four main steps of processing information: motivation and interest, allocating cognitive resources, elaboration, and transfer into long-term memory."

These are all salient points for CISOs and other digital security professionals who are trying to develop and sustain a culture of security at their companies. What's the use in security training programs that won't be remembered a few weeks or months after they're implemented? This is why companies should avoid perfunctory, check-the-box security exercises like occasional information dumps from the IT department, monotonous PowerPoint presentations, and training modules that employees rush through as quickly as possible. Instead, they should focus on narrative-driven messaging that highlights real-life data breaches and what could have been done to prevent them.

To return to our Equifax example: If you simply tell your employees to keep software patched, they won't be thinking about why this is so important. But what if you introduce the issue like this? "In the summer of 2017, the personal data of 145 million American consumers were stolen when Equifax was targeted by one of the largest hacks in US history. The breach could have been prevented if Equifax would have patched a vulnerable web application, but it failed to do so. This is why it's vital to make sure all of our software is up-to-date." A call to action is much more powerful if it comes at the end of a compelling story.

We live in an age of perpetual distraction. According to a recent study published in the Journal of the Association for Consumer Research, even the mere presence of a smartphone "reduces available cognitive capacity." A Microsoft survey found that the percentage of people who "get side tracked from what they're doing by unrelated thoughts or day dreams" increases dramatically if they're early tech adopters, heavy social media users, and/or consumers of large amounts of media (the vast majority of your employees probably fit these criteria). The same report discovered that almost one-fifth of online viewers "defect in the first 10 seconds." 

In other words, it has never been easier for employees to ignore warnings and absent-mindedly click through the training exercises that are supposed to keep your company safe. Professional communicators should never forget this fact — if you can't seize your audience's attention right away, there's a good chance you'll lose it for good. And even if you manage to keep the audience engaged for the first 10 or 20 seconds, you're waging a constant battle to reach 30 seconds, 40 seconds, and so on.

Well-crafted narratives can help you win this battle, which is why they should be an integral part of your cybersecurity platform. 

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Zack Schuler is the CEO/founder of NINJIO, an IT security awareness company that empowers individuals and organizations to become defenders against cyber threats. He is driven by the idea of a "security awareness mindset," in which online safety becomes part of who someone is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12855
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.