How to use storytelling to create a culture of cyber security engagement
16 September 2016
From storytelling traditions to the latest video games, there is no denying that the humble story has found ways to evolve and engage with different generations. However, it seems that the art of storytelling has not made its way into the IT security profession and as a result, we deprive ourselves of one of the most useful tools available to us.
It’s not hard to see why we have not made use of the seemingly childish “story”. The binary world with its certainties (let’s ignore quantum here) deals purely with fact, not fiction. Traditionally, there has been very little space for expression, emotions, and dare I say it, very little need to engage with individuals on a personal level.
But times have changed and the growing demand to create a security awareness culture within organisations is now a Board-level concern. This should be easy as cyber security is an interesting topic regularly piquing media interest, but most companies still struggle to engage their employees.
The problem therefore lies with the delivery of the message. IT professionals have been attempting to develop a security culture using tried and tested techniques within IT: concise language designed to impart vast amounts of information to the user base. However, what is not realised is that many people completely disengage from a subject when a formal, dictatorial tone is used. The prose is dull and there is little incentive for the user to continue reading. Here are two examples where storytelling could be used to engage your employees:
- The creative use of language is the IT security professional’s secret weapon; their very own Trojan horse crying out to be used. It is capable of delivering key messages to audiences through the use of analogies or anecdotes to create mental imagery. For example, getting your car clamped and having to pay a release fee can be used as a way to explain the concept of ransomware, or a shocking story could be used to paint a picture demonstrating the consequences of a negligent user for the company’s network.
- One thing we can also try and do is make parts of the stories relevant to the audience. Take examples from your own company, be transparent and honest, use security incidents and your own KPIs, but frame them in a way that people understand. The overall financial cost of an incident is a great measurement for the board, but is it something that your factory employees, for example, will be able to comprehend and engage with? Describe the impact of security incidents as the cost of new factory machines, a week’s worth of factory output or something else that you know your audience will engage with. Be creative and take the time to understand your employees’ interests.
There are plenty of ways of optimising stories for your own needs. You may need help with this unfamiliar field and may need to engage with areas of the business that IT does not traditionally work with, but in doing so you will be making significant steps towards achieving your end goal.
So dust off that library card, dig out your favourite novel, and consider how you can spin your own yarn to engage with your users about cyber security.