Oh no! The users have learned about a terrible new cyber threat and want immediate guidance! What do you do? There are several options; the most challenging option requires you to engage your users according to their varying levels of technical sophistication. It’s going to be difficult, but it will be worth it over the long run.
Imagine it’s Monday morning. You’ve just sat down to start the new week. Before you can check your calendar for appointments, your phone rings. It’s Bob from Accounting, concerned about the potential impact of the new ASUS “supply chain” attack that he heard about from a radio newscaster on his drive in to work. Good fellow, Bob. He’s being diligent and he’s paying attention to current events.
A quick shufti around InfoSec news sites reveals that hackers compromised a software update server run by computer manufacturer ASUS between June and November 2018. Any ASUS customers who used their update tool could have downloaded infected software updates during the compromise period. Up to a million customers could have been affected by the trojanised driver and application updates; however, only about 600 specific users were actually targeted by the hackers for exploitation.
A quick check of the PC fleet reveals no ASUS computers, so … problem sorted. You reassure Bob that this cyber attack isn’t a threat to the company, wish him well, and open your e-mail client.
DING! You normally receive a dozen e-mails over the weekend. Today, there are three times that number waiting, most of which came from well-intentioned users concerned about the recent ASUS attack. Everyone’s abuzz – Are we affected? What steps do we need to take to make ourselves safe? What’s the potential impact? All great questions, showing admirable willingness to take necessary action.
DING! The Instant Messaging app chimes for your attention. Four more people – including your boss! – want updates on the ASUS threat. It’s definitely time to research the problem, draft an all-hands alert message, and assure your users that everything is under control. There’s only one critical decision left to make before publishing: Which standard storytelling approach do you use to motivate your users?
Rapidly-evolving stories often need to be addressed immediately. There isn’t time for an Analysis of Alternatives. The pressure is on to pick an approach and live with the fallout.
This matters more than you might expect. Cyber security writers generally adopt one of three standard approaches to this sort of notification, and each one has its selling points.
First, many security professionals will use the story to inspire “cyber attack dread” so their users will be more motivated to follow security protocols. This was common in the early days of corporate IT, when users were less technologically sophisticated; conventional wisdom said that users had to be frightened into complying with security rules.
The upside of this approach is that it’s fast, emotionally charged, and effective: people will react. The downside is that users will eventually learn that you exaggerated the threat, which will undermine the security department’s long-term credibility. Call this the “EVERYTHING IS BAD!” approach.
Second, other security professionals will downplay the story to keep users from panicking. This approach was common when media outlets first started using scare tactics to get attention. (e.g., “KILLER VIRUS WILL EXPLODE YOUR COMPUTER! TUNE IN AT ELEVEN!”) Frustrated security techs fought back against this trend by calmly reassuring their users that the threat was being irresponsibly blown out of proportion. By assuring the users that they could relax and ignore the news, the overburdened security team could focus on more pressing issues and users could happily get back to work.
Reassuring others makes people happy, which leads naturally to warm gratitude and lingering goodwill. The urge to dismiss a scary situation can be seductive for its immediate interpersonal benefits.
The upside of this approach is that it makes people feel safe and confident. It’s like tossing a blanket on a small appliance fire. Everything returns to normal swiftly before anyone gets hurt. The downside is that users will become desensitized to media alerts and cyber attack warnings, leading to dangerously slow reaction time and slipshod compliance. This will undermine the company’s defences and the users’ willingness to take swift action when required. Call this the “EVERYTHING IS FINE!” approach.
Third, some security colleagues will attempt to put the story into context so that users understand the full picture. Through thoughtful explanation, the security department can teach the users why the story is important strategically even if the cyber attack doesn’t directly affect anyone in the organisation.
The upside here is that the users (hopefully) become more sophisticated and discerning through example-driven security education. The downside is that it requires precise language, detailed explanations, difficult conversations, and lots of time. It also introduces a high probability of causing confusion, especially where the story depends on people understanding complicated and obscure technologies. Call this the “EVERYTHING IS COMPLICATED!” approach.
So … it’s Monday morning and the ASUS story (or one like it) has just gone viral across your company. Attentive users are clamouring for your guidance. You need to release a statement, and fast. Which of the three common approaches will you take? Is everything “BAD!”, “FINE!”, or “COMPLICATED!”?
What’s the worst that could happen?
Obviously, the ideal answer is to take the third approach. You don’t need a five thousand quid security “boot camp” to recognize that the least simple option in a multiple-choice battery is probably the right answer. That being said, how do you actually do it? It’s easy to frighten people: exaggerate the threat and raise the tone. It’s not quite as easy to calm things down during a panic, but minimizing the threat and lowering the tone can be done. Educating people, especially a large population whose technological sophistication varies considerably, can be difficult.
The mistake that many security colleagues make when they try the nuanced education approach is to craft a single message for all users that effectively educates everyone, from the tech aficionados to the tech-ambivalent. A one-size-fits-all technique almost always fails because no one message is equally effective for all readers.
My recommended approach is to eschew the single-message approach in favour of a series of overlapping, complementary messages, each optimized for a different audience. Go ahead and craft your complicated, engineering-focused analysis for the technically-savvy users. Augment that with less technical, more operationally-focused advisories for the moderately-technical users who make up most of an average company.
Finally, craft analogies for your most non-technical users that clearly convey the importance of the situation without bogging the conversation down in unnecessarily frustrating details. Strive to convey situational awareness rather than technical understanding for everyone other than the engineers who absolutely need the nuts-and-bolts version.
Sure, the “EVERYTHING IS COMPLICATED!” approach is, in and of itself, complicated. That’s to be expected. This approach isn’t about “dumbing things down” for a non-technical audience; that would be a gross mistake, not to mention condescending. Organisations are staffed with a tremendous range of talented people with all sorts of degrees, specializations, and experiences. Our role in cyber security is to reach everyone where they are; we make the organisation stronger and more resilient through education and awareness. That means teaching people – as best we can – in whatever fashion achieves the desired result.
Also, the last option in a list presented by a biased columnist is probably the one that they personally endorse.