Columns July/August 2021

When Information Isn’t Enough: Cybersecurity Scholarship and the Human Factor

By Thomas Barker | STC Fellow

In an era of international cyberattacks and social anxiety over data security, knowing where to start with communicative interventions can be a challenge. Technical communicators wishing to raise awareness of cybersecurity, increase stakeholder ownership of secure activities, and enhance user autonomy in threat mitigation need to take their words to the next level. These outcomes will quickly take the inexperienced communicator to the realization that information isn’t enough.

In this article, we will turn to the academic conversation about cybersecurity and communication to see how researchers are exploring and solving the problem of stakeholder engagement in cybersecurity mitigation. We will look first at the communication situation: where do technical communicators fit into the big picture of cybersecurity communicative interventions. A look at communication skills for cybersecurity writing can help you identify learning resources. The next section will examine promising strategic—and persuasive—approaches like brain modeling. Finally, we will look at a few additional sources of investigation into communication modeling tools to get you out of a bind when you realize that information isn’t enough.

Where Do Communicators Fit In?
This column focuses on a broad range of practical academic issues from teaching and training to professional concerns, research, and technologies of interest to teachers, students, and researchers. Please send comments and suggestions to column editor Thomas Barker at ttbarker@ualberta.ca.

The challenges facing communicators about cybersecurity issues are global and ubiquitous. I visited the Center for Strategic and International Studies to get a sense of the global nature of cybersecurity. High-profile attacks of government vs. government or government vs. global trade groups are common, but abstract and irrelevant to most organizations. Closer to home, hacker groups practice targeting water supplies, creating fake Twitter and blog accounts, email phishing, and ransomware attacks. Take ransomware attacks alone: according to Mimecast.com, these occurred in six out of 10 companies. Email threats were reported at about the same rate. Almost 80 percent of organizations suffered from cyberattacks.

The role of technical communicators in cybersecurity is both external and internal. Externally, technical communicators need schooling in types of cybersecurity threats and organizational vulnerabilities to support data protection policies. The skill set for this work is complex, dynamic, and changing almost every day. Keeping up can be challenging, with a barrage of acronyms and hierarchical levels. To get a taste of this, check out Compliance Forge’s Example Cybersecurity & Privacy Documentation. A good place to start might be the online training in the cybersecurity framework provided by the U.S. National Institute of Standards and Technology (NIST) Online Learning portal. Learn how to assess, profile, and plan your cybersecurity documentation initiatives. Want more? The NIST Computer Security Resource Center maintains an index of journal articles, white papers, conference papers, and books.

Internally, technical communicators and communication managers need to know at a basic level how to write audit reports, and at a larger level how to research, report on, communicate, develop, and staff security programs, assess security needs, communicate program design and training, and provide ongoing support and training. What’s more, they need to work with cybersecurity professionals to learn their processes and solutions in order to convey that content to users.

Communication Skills

As a cybersecurity documentation specialist, you’ll be working closely with individuals in other roles and departments, and it’s important to be able to effectively communicate and explain your findings, concerns, and solutions to others. It’s important to be able to speak clearly and concisely on cybersecurity strategy and policy, as well as to be able to convey technical information to individuals who possess different levels of technical comprehension.

The bottom line for cybersecurity writers is twofold: helping employees understand and follow cybersecurity best practices, and helping employees adopt a productive attitude towards these practices. A research paper on password policy by NIST insiders makes this point clearly: “Positive attitudes are related to more secure behaviors such as choosing stronger passwords and writing down passwords less often, less frustration with authentication procedures, and better understanding and respecting the significance of protecting passwords and system security.” What this tells us is that with cybersecurity, as with so many other complex and detailed policies, users need more than just information; they need to know why. In these instances, words are not enough.

When words are enough, you can count on documentation of tools, formats, and examples of well-crafted policy, assessment, and audit reports to get you by. Here, again, NIST can provide a number of tools and templates for privacy and security assessment, including use cases. Betterteam offers a host of templates for all sorts of cybersecurity documents, not only the core security policy but also policies on cybersecurity topics that relate to social media use, remote work, cell phones, and other equipment. An even more informative list of employees’ cybersecurity concerns (email, internet, encryption, anti-virus software, hardware, security breaches, and non-compliance) can be found at the FreePrivacyPolicy.com site.

But back to that problem that goes beyond information, when words fail to persuade. A 22-minute NPR story (see references below) can be your gateway into the science of persuasion. Why guess and stutter when you can use persuasion science! Good persuasion always starts with a problem, and works toward a solution. We read about this in Paul Anderson’s textbook Technical Communication: A Reader-Centered Approach, which is easy to find on Google Books. Why trot out tired information about why people should protect passwords when all you have to do is suggest the dire consequences of not changing passwords?

Persuasion 101

Persuasive strategies like this, said expert Robert Cialdini, can turn attitudes about cybersecurity your way. The principle of encouraging users to be part of the correct choice and a unifying choice can sway attitudes. What does this mean for cybersecurity? The message may not be “protect your password” but “be a password protector.” The shift here is subtle but powerful, because the second technique has the logic of social proof behind it. Additionally, prospect theory, the idea that loss framing can motivate, can also help employees internalize security behaviors, especially if those employees are prone to taking security risks. As a rule of thumb, gain-framing can work for risk-averse individuals (who, guess what, already make good decisions about security) but loss-framing can galvanize those risk-prone individuals who just don’t see the danger of logging in to unsecure networks. The social norms theory approach can also work well in cybersecurity arguments, when the well-informed technical communicator can accurately show that most employees do, in fact, use safe cybersecurity behaviors. This technique can bring others on board.

The Academic Conversation about Cybersecurity

How important is the human factor in cybersecurity? Let’s just ask the psychologists. Bruce Schneier, an early guru of cryptography, wrote: “Only amateurs attack machines. Professionals target people.” Attackers go for the soft target for a better return. Lillian Ablon, writing for Rand Corporation, puts it this way, “The human element is becoming increasingly prevalent in cyber and computer network operations—and is also the most unpredictable factor in cybersecurity.” Most cyber attacks, it turns out, are not due to technical failures, but to human errors: clicking on, opening, and logging in to phony accounts.

Considering the human element often means focusing on human behavior and its limitations. Alex Blau and his colleagues focus on this, showing how cognitive errors can creep in. This occurs when users update software, respond to security warnings, and write code. In Deep Thought: A Cybersecurity Story, these psychologists suggest ways to help users make the right human decisions when faced with threats in these areas. For example, they show how users “go with their gut” in making bad decisions about downloading dangerous software: a cognitive shortcut known as the “affect heuristic.”

My Brain Hurts!

In this article we looked briefly at the role of technical communicators in cybersecurity thinking and writing, both internally and externally. We looked at how the informative approach often gives way to a more strategic approach. Taking this path can point the content developer and policy writer to the real problem: people. The human element is where it’s at in cybersecurity writing. So how to tap into the human brain for safer computing? The connection between technical communication and psychology has been documented by a number of researchers and academics. As Kai Weber notes, “Technical communication benefits greatly from cross-pollination with related disciplines, such as cognitive psychology.” As we have seen in this article, technical communicators can use psychology and the human element to “think strategy” when words aren’t enough.

References

Betterteam. n.d. “Cyber Security Policy.” Accessed June 11, 2021. https://www.betterteam.com/cyber-security-policy.

Blau, Alex, Alexandra Alhadeff, Michael Stern, et al. 2017. Deep Thought: A Cybersecurity Story. New York, NY: Ideas42. https://www.ideas42.org/wp-content/uploads/2016/08/Deep-Thought-A-Cybersecurity-Story.pdf.

Center for Strategic and International Studies. n.d. “Significant Cyber Incidents.” Accessed June 11, 2021. https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents.

Compliance Forge. n.d. “Example Cybersecurity & Privacy Documentation.” Accessed June 11, 2021. https://www.complianceforge.com/example-cybersecurity-documentation.

NIST. n.d. “Online Learning Portal.” Accessed June 11, 2021. https://www.nist.gov/cyberframework/online-learning.

NIST. n.d. “Risk Assessment Tools.” Accessed June 11, 2021. https://www.nist.gov/itl/applied-cybersecurity/privacy-engineering/collaboration-space/focus-areas/risk-assessment/tools.

NIST. 2015. “What 4,500+ People Can Tell You: Employees’ Attitudes Toward Organizational Password Policy Do Matter.” Accessed June 11, 2021. https://csrc.nist.gov/publications/detail/conference-paper/2015/08/02/what-4500-people-can-tell-you-employees-attitudes-password.

NPR. 2008. “The Science of Getting a ‘Yes.’” Accessed June 11, 2021. https://www.npr.org/templates/story/story.php?storyId=93872977.