Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/3/2019
10:30 AM
Zack Schuler
Zack Schuler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

How Storytelling Can Help Keep Your Company Safe

Well-crafted narratives can help you win over users in the battle to develop a sustainable cybersecurity culture.

When was the last time you felt a deep emotional connection to a PowerPoint slide? How often do you find yourself enraptured by a lecture? Take a moment to imagine the sheer number of corporate presentations, training sessions, and mass emails that have failed to make any lasting impression (or any impression whatsoever) on their target audiences. When it comes to your company's security, you really don't want to add to that number.

Whether we're talking about gaining or maintaining an audience's attention, narrative is one of the most powerful tools you have. Human beings are naturally drawn to stories — they generate empathy, tension (the good kind), and emotional investment. They entice viewers to keep watching to see what happens next. And they provide coherent, digestible messages that audiences actually want to hear.

Research by Paul J. Zak, a professor of economics, psychology, and management at Claremont Graduate University, has shown that "character-driven stories with emotional content result in a better understanding of the key points a speaker wishes to make and enable better recall of these points weeks later."

Because stories are so reliant on the power of empathy, it's crucial to make them as relatable as possible. Zak explains that it's easier to convey the "transcendent purpose" of your company by "describing the pitiable situations of actual, named customers and how their problems were solved by your efforts. Make your people empathize with the pain the customer experienced and they will also feel the pleasure of its resolution."

Employees also need to be reminded that even the best-known companies in the world have been the victims of major security breaches, and this can be done by telling their stories. For example, Equifax recently announced that US regulators are seeking damages for its massive 2017 breach, which has already cost the company hundreds of millions of dollars. There's a reason why the expression "cautionary tale" is so common — there's no better way to prepare people for the worst.

In a review of the research literature on narrative and cognition published in Proceedings of the National Academy of Sciences, Michael F. Dahlstrom points out that narratives are "often associated with increased recall, ease of comprehension, and shorter reading times." This is because, as Dahlstrom explains, narratives "seem to offer intrinsic benefits in each of the four main steps of processing information: motivation and interest, allocating cognitive resources, elaboration, and transfer into long-term memory."

These are all salient points for CISOs and other digital security professionals who are trying to develop and sustain a culture of security at their companies. What's the use in security training programs that won't be remembered a few weeks or months after they're implemented? This is why companies should avoid perfunctory, check-the-box security exercises like occasional information dumps from the IT department, monotonous PowerPoint presentations, and training modules that employees rush through as quickly as possible. Instead, they should focus on narrative-driven messaging that highlights real-life data breaches and what could have been done to prevent them.

To return to our Equifax example: If you simply tell your employees to keep software patched, they won't be thinking about why this is so important. But what if you introduce the issue like this? "In the summer of 2017, the personal data of 145 million American consumers were stolen when Equifax was targeted by one of the largest hacks in US history. The breach could have been prevented if Equifax would have patched a vulnerable web application, but it failed to do so. This is why it's vital to make sure all of our software is up-to-date." A call to action is much more powerful if it comes at the end of a compelling story.

We live in an age of perpetual distraction. According to a recent study published in the Journal of the Association for Consumer Research, even the mere presence of a smartphone "reduces available cognitive capacity." A Microsoft survey found that the percentage of people who "get side tracked from what they're doing by unrelated thoughts or day dreams" increases dramatically if they're early tech adopters, heavy social media users, and/or consumers of large amounts of media (the vast majority of your employees probably fit these criteria). The same report discovered that almost one-fifth of online viewers "defect in the first 10 seconds." 

In other words, it has never been easier for employees to ignore warnings and absent-mindedly click through the training exercises that are supposed to keep your company safe. Professional communicators should never forget this fact — if you can't seize your audience's attention right away, there's a good chance you'll lose it for good. And even if you manage to keep the audience engaged for the first 10 or 20 seconds, you're waging a constant battle to reach 30 seconds, 40 seconds, and so on.

Well-crafted narratives can help you win this battle, which is why they should be an integral part of your cybersecurity platform. 

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Zack Schuler is the CEO/founder of NINJIO, an IT security awareness company that empowers individuals and organizations to become defenders against cyber threats. He is driven by the idea of a "security awareness mindset," in which online safety becomes part of who someone is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16978
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\devices\device_settings.php uses an unsanitized "id" variable coming from the URL, which is reflected on 2 occasions in HTML, leading to XSS.
CVE-2019-16979
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\contacts\contact_urls.php uses an unsanitized "id" variable coming from the URL, which is reflected in HTML, leading to XSS.
CVE-2019-16980
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app\call_broadcast\call_broadcast_edit.php uses an unsanitized "id" variable coming from the URL in an unparameterized SQL query, leading to SQL injection.
CVE-2019-16990
PUBLISHED: 2019-10-21
In FusionPBX up to v4.5.7, the file app/music_on_hold/music_on_hold.php uses an unsanitized "file" variable coming from the URL, which takes any pathname (base64 encoded) and allows a download of it.
CVE-2019-16530
PUBLISHED: 2019-10-21
Sonatype Nexus Repository Manager 2.x before 2.14.15 and 3.x before 3.19, and IQ Server before 72, has remote code execution.