By Mindi McDowell
From communication to healthcare, and power grids to household appliances, almost every facet of our lives relies on the Internet and networked devices. Although advances in technology and global connectedness create opportunities, they can also cause a surge of new security risks. Mass media outlets regularly report incidents of computer viruses and other malicious software (malware), data breaches, and theft of credit card and medical information.
Communicating information about those issues is important for helping individuals and organizations protect themselves, but being a technical communicator in the field of cybersecurity often comes with interesting challenges. How do you convey cybersecurity information to audiences with a range of technical proficiency? How do you maintain consistency and comprehension when the lexicon associated with Internet threats evolves almost as quickly as the threats themselves? What’s the balance between timeliness, completeness, and accuracy?
Relaying Information to Diverse Audiences
Due to the pervasiveness of Internet-connected devices, cybersecurity affects everyone from non-technical users to highly technical security researchers and network administrators. Understanding the needs and priorities of diverse audiences can help you tailor information accordingly. An inexperienced user might need explanations about fundamental concepts coupled with simple, straightforward instructions and guidance. Executives often want easy-to-scan highlights that capture key points. Network administrators may rely on details in a technical analysis to determine risk, potential impact, costs, tradeoffs, and appropriate solutions in their environment. Consider the following aspects when assessing how to adapt information to a specific audience:
- Message—What information does the audience need or want to know?
- Depth—What level of detail is appropriate?
- Format—What is the best way to present the information (language, tone, style conventions, graphics, examples, etc.)?
Often, information about cybersecurity issues is not confined to a single audience. After reviewing key points, an executive may want to forward technical details so a network administrator can assess implementation feasibility. A network administrator may need to provide users with simple guidelines to secure their systems. A reporter may interpret research findings to relay information about a potential threat to the general population. Offering only one representation of the information targeted at a specific audience can force other audiences to interpret or adapt the content themselves. One solution for accommodating reuse is to create multiple versions of the same information, customized for different types of readers. Another solution is to segment the information into different sections or to produce companion pieces. These approaches give you more control over the information and how it is presented, allowing for wider distribution to multiple audiences without misinterpretation, misrepresentation, or degradation.
Maintaining Consistency and Comprehension
As the field of cybersecurity evolves, so does the associated vocabulary. Representations of common terms can vary across sources, with differences in capitalization and spelling (e.g., website, web site, Web site, Website), hyphenation (e.g., antivirus versus anti-virus), acronyms and initialisms (e.g., C2 versus C&C to represent command and control), and even choice of terms to refer to an incident (e.g., attack, intrusion, breach, hack, compromise). Some terms that appear to be interchangeable may actually have distinct interpretations based on context and perspective, and a few seemingly generic terms (e.g., breach, exploit, vulnerability) have specific legal meanings. The terminology tends to shift over time as certain conventions become more widely adopted. This fluidity is challenging for technical communicators, particularly when working with authors and subject matter experts who are used to different conventions.
A bigger challenge for comprehension is the use of multiple names to refer to the same threat. For example, antivirus vendors or security researchers may assign different names to the same malware. Threat groups can also be known by different names, as evidenced in late 2015 by media reports describing activities conducted by the Islamic State of Iraq and the Levant (also known as ISIL, IS, ISIS, and Daesh).
In the absence of universal standards, there are simple strategies that technical communicators can use to promote consistency and comprehension:
- Create a “living” style guide—Establish a common vocabulary within your organization, and periodically review and update guidance to ensure that it remains in line with current conventions used by other cybersecurity organizations and publications.
- Acknowledge alternate names—When appropriate, reference other names for the same threat (e.g., Dyre, also known as Dyreza, Dyzap, and Dyranges, is a banking trojan).
- Define potentially unfamiliar terms—Ensure that the surrounding text includes sufficient context to explain a term, and consider linking to other sources for more detailed explanations of complex concepts.
Balancing Timeliness, Completeness, and Accuracy

Cybersecurity has an inherent sense of urgency. Proactive communications need to reach audiences in enough time to protect their systems against a threat, and reactive communications are important for minimizing impact. However, speed is not the only consideration. Figure 1 shows various factors to consider when determining what to say, and when.
Relevance is an overarching consideration, as the other factors don’t matter if the information is irrelevant. But the overlap of timeliness, completeness, and accuracy in Figure 1 is intentionally small. It is rare to strike a perfect balance, and determining which factor to emphasize can be difficult. Favoring completeness and accuracy over timeliness could allow another organization to publish first, but rushing to publish could spread inaccurate information that you later have to retract or correct. The wrong decision could threaten your organization’s reputation and relationships with customers and consumers, particularly if they invested resources, time, and money into ineffective solutions.
The type of content may influence which factors are most important:
- Summary of current events—timeliness
- Initial details about an emerging threat—timeliness
- Notification about a serious, active, widespread threat—timeliness, accuracy
- Instructions for mitigating a threat—accuracy, completeness
- Detailed analysis of a threat or threat group—accuracy, completeness
Conclusion
You don’t have to be a professional communicator to be aware of the Internet’s influence on language. Selfie, googling, tablet, tweet, and cloud are a few examples of new or redefined terms that have become part of mainstream communication, but lack of standardization in the general vocabulary can cause confusion. Awareness of cybersecurity issues has also become mainstream as malware and data breaches become more prevalent. As our reliance on technology grows, communicating cybersecurity information to a range of audiences will become increasingly important for protecting everyone.
MINDI MCDOWELL has more than 15 years of experience as a writer and editor in the field of Internet and network security. She has edited, authored, and co-authored numerous documents describing Internet security topics for technical and non-technical users. Mindi earned a Bachelor’s degree in English, a Master’s degree in professional writing, and a certification in instructional technology.