Why it’s crucial for security awareness people to employ clear, direct, and unambiguous language


Every organisation has its own coded internal language. Learning your new office culture’s unique keywords and phrasing is a crucial part of assimilating. That said, security awareness professionals must avoid using language that’s easily misunderstood when teaching security processes and concepts.

One of the most frustrating parts of joining a new company (or joining a new team within a company) is learning the new group’s impenetrable jargon. Picking up the tribal tongue is a critical aspect of inculturation: the process by which a new member in a group comes to understand the expectations and taboos of their new tribe. Learning “how things are done here” involves a lot more than just memorizing the locations of the conference rooms. Recognizing and parsing in-group language is essential to understanding how one’s new teammates think (and, therefore, how one must behave in order to fit in).

This idea resonated for me this summer. The COVID-19 pandemic eliminated my usual commute, giving me an extra hour each workday that – finally! – allowed me to resume leisure reading. Our family tradition has always been to snap up interesting books whenever an opportunity presents, then to stash them on a “ready rack” to consume when time permits. My to-be-read stack has gotten a bit out of control. So much so that I had to open a second bookshelf in the living room after the two-metre double-stacked shelf in my bedroom couldn’t handle any more paperbacks.

Fortunately, the isolation requirement during the pandemic has given me enough quiet time each evening to devour C. S. Forester’s Horatio Hornblower series. I’d heard about these stories for decades but I’d never actually read any of them. I found a nearly-new copy of Midshipman Hornblower at a used bookstore a dozen years ago and added it to my “ready rack” … where it sat, untroubled, until this April when it resurfaced during a rearrangement of books by height. This title caught my eye while I was re-stacking my living room shelf and I resolved to finally give it a go.

I’m glad that I did. I only have three books left to read in the twelve-book series because I decided to read them in chronological order (rather than original publication order). This meant waiting on shipments from small bookstores. Also, I’m behind because Forester’s historical and functional nautical jargon has been kicking my tail.

Pride be damned, I freely admit that some of Forester’s more intense ship combat scenes left me feeling dazed from his unrelenting use of new language. I imagine it felt a bit like how all of his sailors were deafened by the roar of the broadsides and blinded by the wall of obscuring gun smoke.

To be clear, I’m greatly enjoying the verisimilitude. Forester’s detailed description of chaotic and desperate naval battles in the Age of Sail is delightfully immersive. Unfortunately, Forester’s attention to detail in his writing regularly forced me to pause and look up terms. I eventually had to study a twelve-page alphabetized series dictionary just to be able to visualize some of the words and phrases Forester assumed his readers already understood. Here’s an example from page 219 of 1938’s Ship of the Line:

“The topmen went running up the rigging and out along the fore-topsail yard; standing on the swaying foot ropes with the gale howling round them, holding on by their elbows over the yard, they struggled with the reef points. The sail shook itself out with a loud flap, and the Sutherland heeled sharply over under the increased pressure. Hornblower noticed the flat catenary curve of the heavy cable astern flatten itself a trifle more, but the rope gave no sign of breaking under the strain. Despite the increased heel of the ship the men at the wheel were actually finding their task a little easier, for the leverage of the big fore-topsail forward tended to balance the eternal drag of the tow aft.”

True, you don’t have to be a sailor to pick up enough clues from the context of the scene to figure out what’s happening. The problem is, without a grounding (pun intended) in nautical terms, a tremendous amount of nuance and importance is lost. I can grasp that Forester is explaining in that paragraph that Captain Hornblower’s decision to change which sails were used somehow improved how his small ship could tow a badly-damaged and larger one. Beyond that … I’m lost without multiple Google searches on what “closely hauled” and “reefed top’sils” refer to.

I don’t resent the difficulty; if anything, I appreciate it because it’s so different from the sort of writing I do at work. We experience the exact same translation problem in the office when we assimilate into a new workplace culture. A worker who lacks fluency in the local culture’s unique language and shared stories loses most – if not all – of the critical meaning of what they hear. Often, attempts at translation using one’s prior office culture’s unique language lead to significant misunderstandings. This is compounded when you add culture-specific tone, tenor, and nuance attributes to the challenge of translating cultural interpretations of key words and phrases.

At one of the places I used to work, our department would all attend “mandatory all-hands meetings” in a conference room so our director could immediately explain critical masked words and phrases since he knew our newest colleagues lacked the insiders’ fluency in the executives’ coded language.

As in the Hornblower books, I can eventually figure out (with the help of a glossary) what “close-hauled” sailing means; whereas, without the aid of institutional context from doctrine, best-practices, or characters’ past demonstrated preferences, I can’t understand why Hornblower sailing his ship this way is important (e.g., good, bad, daring, suboptimal, etc.). That same loss of meaning happens in office conversations: it’s one thing to learn that an executive’s use of the word “synergy” in a meeting has a unique local meaning that signals important changes in direction. It’s quite another to understand why the use of that term in a specific context might signal an auspicious change in direction or a dire omen. Only someone who understands the local coding of words and phrases will recognize that the CEO’s choice of the word “synergy” is code for “imminent layoffs” and will respond correctly to the obfuscated signal.

This is why it’s crucial for security awareness people to employ clear, direct, and unambiguous language in our training content and mass communications. I can enjoy a Hornblower adventure just fine without understanding why the good captain chose to be rowed ashore in his gig instead of his longboat, barge, or pinnace. If I understand that the protagonist went from the big ship to shore or to another ship, I’m following the main plot just fine. Whereas, when I’m teaching phishing defence skills to employees, the use of a new, undefined, or ambiguous word can mean the difference between a preventable breach and a deflected cyberattack. We absolutely cannot assume that our users will recognize or will properly interpret our intent when our words allow for multiple correct interpretations. Our instructions must be precise, accurate, and direct.

Admittedly, this imperative makes it quite difficult to be entertaining. If we accept that brevity is the soul of wit, then we must acknowledge that precise language is the natural enemy of artistic expression. Yes, stories and anecdotes have their rightful place in our arsenal, but such artistically indulgent tools serve to explore, explain, and reinforce concepts; security practice instructions, meanwhile, must be explicit and unequivocal. The shorter the better.

That’s fair. Nobody saves an old security training video to relax with on a rainy summer’s evening. Different products serve different purposes. If we’re to be effective delivering our security awareness content, we must set aside our artistic ambitions in favour of utilitarian bluntness. Regrettably, our raison d’être is to educate our users, not to entertain them.

Copyright Lyonsdown Limited 2021
