Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

5/3/2019
10:30 AM
Zack Schuler
Zack Schuler
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

How Storytelling Can Help Keep Your Company Safe

Well-crafted narratives can help you win over users in the battle to develop a sustainable cybersecurity culture.

When was the last time you felt a deep emotional connection to a PowerPoint slide? How often do you find yourself enraptured by a lecture? Take a moment to imagine the sheer number of corporate presentations, training sessions, and mass emails that have failed to make any lasting impression (or any impression whatsoever) on their target audiences. When it comes to your company's security, you really don't want to add to that number.

Whether we're talking about gaining or maintaining an audience's attention, narrative is one of the most powerful tools you have. Human beings are naturally drawn to stories — they generate empathy, tension (the good kind), and emotional investment. They entice viewers to keep watching to see what happens next. And they provide coherent, digestible messages that audiences actually want to hear.

Research by Paul J. Zak, a professor of economics, psychology, and management at Claremont Graduate University, has shown that "character-driven stories with emotional content result in a better understanding of the key points a speaker wishes to make and enable better recall of these points weeks later."

Because stories are so reliant on the power of empathy, it's crucial to make them as relatable as possible. Zak explains that it's easier to convey the "transcendent purpose" of your company by "describing the pitiable situations of actual, named customers and how their problems were solved by your efforts. Make your people empathize with the pain the customer experienced and they will also feel the pleasure of its resolution."

Employees also need to be reminded that even the best-known companies in the world have been the victims of major security breaches, and this can be done by telling their stories. For example, Equifax recently announced that US regulators are seeking damages for its massive 2017 breach, which has already cost the company hundreds of millions of dollars. There's a reason why the expression "cautionary tale" is so common — there's no better way to prepare people for the worst.

In a review of the research literature on narrative and cognition published in Proceedings of the National Academy of Sciences, Michael F. Dahlstrom points out that narratives are "often associated with increased recall, ease of comprehension, and shorter reading times." This is because, as Dahlstrom explains, narratives "seem to offer intrinsic benefits in each of the four main steps of processing information: motivation and interest, allocating cognitive resources, elaboration, and transfer into long-term memory."

These are all salient points for CISOs and other digital security professionals who are trying to develop and sustain a culture of security at their companies. What's the use in security training programs that won't be remembered a few weeks or months after they're implemented? This is why companies should avoid perfunctory, check-the-box security exercises like occasional information dumps from the IT department, monotonous PowerPoint presentations, and training modules that employees rush through as quickly as possible. Instead, they should focus on narrative-driven messaging that highlights real-life data breaches and what could have been done to prevent them.

To return to our Equifax example: If you simply tell your employees to keep software patched, they won't be thinking about why this is so important. But what if you introduce the issue like this? "In the summer of 2017, the personal data of 145 million American consumers were stolen when Equifax was targeted by one of the largest hacks in US history. The breach could have been prevented if Equifax would have patched a vulnerable web application, but it failed to do so. This is why it's vital to make sure all of our software is up-to-date." A call to action is much more powerful if it comes at the end of a compelling story.

We live in an age of perpetual distraction. According to a recent study published in the Journal of the Association for Consumer Research, even the mere presence of a smartphone "reduces available cognitive capacity." A Microsoft survey found that the percentage of people who "get side tracked from what they're doing by unrelated thoughts or day dreams" increases dramatically if they're early tech adopters, heavy social media users, and/or consumers of large amounts of media (the vast majority of your employees probably fit these criteria). The same report discovered that almost one-fifth of online viewers "defect in the first 10 seconds." 

In other words, it has never been easier for employees to ignore warnings and absent-mindedly click through the training exercises that are supposed to keep your company safe. Professional communicators should never forget this fact — if you can't seize your audience's attention right away, there's a good chance you'll lose it for good. And even if you manage to keep the audience engaged for the first 10 or 20 seconds, you're waging a constant battle to reach 30 seconds, 40 seconds, and so on.

Well-crafted narratives can help you win this battle, which is why they should be an integral part of your cybersecurity platform. 

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Zack Schuler is the CEO/founder of NINJIO, an IT security awareness company that empowers individuals and organizations to become defenders against cyber threats. He is driven by the idea of a "security awareness mindset," in which online safety becomes part of who someone is ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
I 'Hacked' My Accounts Using My Mobile Number: Here's What I Learned
Nicole Sette, Director in the Cyber Risk practice of Kroll, a division of Duff & Phelps,  11/19/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2079
PUBLISHED: 2019-11-22
A cross-site request forgery (CSRF) vulnerability in the Activity module 6.x-1.x for Drupal.
CVE-2019-11325
PUBLISHED: 2019-11-21
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
CVE-2019-18887
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
CVE-2019-18888
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. T...
CVE-2019-18889
PUBLISHED: 2019-11-21
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.