Overcoming the Curse of Cyber Security Knowledge

What prevents Cyber Security from breaking the Curse of Knowledge?

Imagine this: You’ve just tripped over your kid’s iPad; now your ring finger is swelling up like a balloon. You go to your doctor who announces, x-ray in hand, that you have a dorsal dislocation of the metacarpophalangeal joint with local erythema. He needs to stabilize it at 90 degrees and apply traction.
Say what?

The Curse of Knowledge

What your doctor wanted to convey is that you have a dislocated ring finger with pain and redness. He’ll need to put it back into place and then stabilize and splint it. The problem is that he was unable to transfer that knowledge to you in an understandable and practical manner. He knows so much about dislocated bones that he cannot possibly comprehend that you don’t have the faintest clue what he is talking about.

Welcome to the Curse of Knowledge.

The Curse of Knowledge is the cognitive bias innately held by topic experts that causes them to assume that others are just as knowledgeable about that topic. In Dan and Chip Heath’s 2007 business-psychology bestseller Made to Stick: Why Some Ideas Survive and Others Die, they equate the Curse of Knowledge with the death knell of creating ideas that resonate. Since experts can’t possibly unlearn what they already know so well, it’s well-nigh impossible for them to understand that others don’t have that same knowledge. Because they mistakenly ascribe an inflated level of knowledge to their listeners when communicating, they use industry-specific jargon, gloss over critical points and, in short, alienate their listeners.

The CISO as the Expert

Like any expert, you may be falling prey to the Curse of Knowledge too.

You need to convey critical security messages to your staff, such as how to avoid phishing threats, how to create secure passwords and the importance of not sharing information. But just like our dear doctor, you may be so immersed in your own language that you use terms and concepts your listeners can’t comprehend, you skip key information and ultimately, you lose your audience. Considering the potential costs of alienating your listeners, this Curse could end up putting the security of your organization at risk.

“A big barrier to communication is using language that you are familiar with but may not mean anything to your intended audience…it makes for a one-directional conversation and often one that ultimately causes the receivers to shut down and tune out. It makes communications complicated, can leave the receiver feeling foolish because they don’t understand and may be afraid to ask for clarification.” – Gartner Inc.

To start creating messages that your staff can understand and absorb, you have to break out of the Curse of Knowledge and move into effective communication. This means that the message your listeners receive is the exact message you meant to convey. It sounds easy to do, but in reality it means undoing the Curse of Knowledge.

Breaking the Curse – Communicating Cyber Security Effectively

Let’s look at one of the most common messages you’re probably telling your employees day in, day out: “Malware that leads to data breaches often makes its way onto corporate networks because employees click links in emails or open attachments that they shouldn’t. Therefore, don’t click any links or open any email attachments if you’re not sure who sent it.”

Sounds simple enough, right? How could anybody with half a brain mess this one up? But if we examine this seemingly simple command, we’ll begin to see that even though it makes sense to you, its true meaning isn’t being understood by your staff.

Let’s put this example under the microscope:

Just yesterday, you held a security awareness workshop.

Now it’s but one day later; Thom in HR gets an email with an attached resume from a Marketing Manager candidate. Knowing that the team over in Marketing is looking for someone to fill in for Jen on maternity leave, he opens the attached resume — this is just another responsibility of his job; if he didn’t open that email, he’d be acting negligently — even though he isn’t entirely sure the sender is legitimate. So this directive, while it makes sense in your own head, doesn’t really make sense in the context of your staff and their responsibilities — and therefore, cannot be followed.

To get your message across, to impart information in a way that your staff can understand, relate to and ultimately absorb and put to use, implement the following:
  • Give step-by-step, context-based instructions: By merely saying “don’t open suspicious emails” you’re not saying very much. Give the procedural tools to classify a suspicious email, based on the context of the situation.

For example, you can tell your staff: “Each time you get an email, do the following:

  • A) Look at the sender’s email address and see if it matches the display name.
  • B) If it’s a match, think about whether you were expecting the email or not.
  • C) If so, it’s probably safe to at least read.
  • D) Now that you have decided it’s safe to read, does the email sound normal?
  • E) Is it all within the context of your relationship with this person or company?
  • F) Are there any other glaring spelling or grammatical mistakes that might make you think twice?”

Encouraging this type of thinking allows your staff to adjust their knowledge to any current situation.
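Steps A to C of the checklist above are the same logic a mail filter or help-desk triage script can apply before a message reaches an inbox. The following is an added example, not code from the original post; the sender list and the sample From: headers are constructed for illustration.

```python
# Added example: steps A-C of the email checklist as a triage function.
# EXPECTED_SENDERS is an assumed allowlist the recipient (or the organisation)
# maintains; the addresses in it are made up.
from email.utils import parseaddr
import re

EXPECTED_SENDERS = {"jen.smith@example.com", "recruiting@example.com"}


def name_matches_address(display_name, address):
    """Step A: does the display name plausibly match the address?

    Heuristic: at least one word of the display name (3+ letters, so
    initials are ignored) must appear in the local part of the address.
    'Jen Smith' matches 'jen.smith@...' and 'jsmith@...', but not
    'xk3j9q@...'. A display name with no usable words cannot mismatch.
    """
    local_part = address.split("@", 1)[0].lower()
    words = [w for w in re.findall(r"[a-z]+", display_name.lower()) if len(w) >= 3]
    if not words:
        return True
    return any(w in local_part for w in words)


def triage(from_header, expected=EXPECTED_SENDERS):
    """Return a verdict for a raw From: header value.

    'stop'   - malformed address or display name does not match it (Step A)
    'verify' - name matches but the sender was not expected (Step B): confirm
               out of band before acting on the mail
    'read'   - name matches and the sender was expected (Step C)
    """
    display_name, address = parseaddr(from_header)
    result = {"address": address, "name_matches": False,
              "expected": False, "verdict": "stop"}
    if not address or "@" not in address:
        return result                      # unparseable sender: treat as suspicious
    result["name_matches"] = name_matches_address(display_name, address)
    if not result["name_matches"]:
        return result                      # Step A failed: stop here
    result["expected"] = address.lower() in expected          # Step B
    result["verdict"] = "read" if result["expected"] else "verify"  # Step C
    return result


if __name__ == "__main__":
    # Constructed sample headers: a colleague, a look-alike domain, a spoofed name.
    for hdr in ('"Jen Smith" <jen.smith@example.com>',
                '"Jen Smith" <jen.smith@mail-example.org>',
                '"Jen Smith" <xk3j9q@free-mail.example>'):
        print(hdr, "->", triage(hdr)["verdict"])
```

Note that the look-alike domain passes step A and only gets caught at step B, which is why the checklist tells staff to ask whether they were expecting the mail rather than stopping at the name check.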

  • Cut out the jargon: When it comes to two-way communication, both the speaker and the listener must be speaking the same basic language for there to be any understanding. Using industry-specific terms leaves listeners feeling lost and turned off; speak in as simple terms as possible to get your ideas across successfully.
  • Make no assumptions: Don’t assume that your listeners are at all computer-literate, that they know anything about security-awareness or that they understand phishing threats.
  • But don’t dumb it down! While it’s true that you shouldn’t be making any assumptions, don’t be condescending or speak as if your audience isn’t intelligent; make sure to speak respectfully and in a manner that’s appropriate for their level of knowledge on the given topic.
  • Use the “Your Mother Test”: Before each presentation, make sure to run it by a layperson to check that you’re implementing all of the above. If your mom can understand it (assuming that your mom isn’t a CISO or security analyst herself) then you will most likely be able to reach your audience.
  • Extra Credit: Use stories and anecdotes to convey your message. If you want to create messages that really stick (to borrow a term straight from the Brothers Heath), pepper your messages with short, interesting personal stories. This will go a long way toward making sure your messages stay with your listeners.

Getting the Message Loud and Clear

When it comes to conveying the importance of cyber security to your staff, make sure you’re actually communicating and not alienating. Using these principles, you can provide information that can be put to use even when the context has changed. With step-by-step, jargon-free, effective communication, your staff will finally get the messages you need them to hear.
