Overcoming the Curse of Cyber Security Knowledge

By Mike Polatsek
September 17, 2017 · 5 MIN READ

What prevents Cyber Security from breaking the Curse of Knowledge?

Imagine this: You’ve just tripped over your kid’s iPad; now your ring finger is swelling up like a balloon. You go to your doctor who announces, x-ray in hand, that you have a dorsal dislocation of the metacarpophalangeal joint with local erythema. He needs to stabilize it at 90 degrees and apply traction.
Say what?

The Curse of Knowledge

What your doctor wanted to convey is that you have a dislocated ring finger with pain and redness. He’ll need to put it back into place and then stabilize and splint it. The problem is that he was unable to transfer that knowledge to you in an understandable and practical manner. He knows so much about dislocated bones that he cannot possibly comprehend that you don’t have the faintest clue what he is talking about.

Welcome to the Curse of Knowledge.

The Curse of Knowledge is the cognitive bias innately held by topic experts that causes them to assume that others are just as knowledgeable about that topic. In Chip and Dan Heath’s 2007 business-psychology bestseller Made to Stick: Why Some Ideas Survive and Others Die, they single out the Curse of Knowledge as the chief obstacle to creating ideas that resonate. Since the expert can’t unlearn what he or she already knows so well, it is well-nigh impossible for him or her to grasp that others don’t have that same knowledge. Because they mistakenly ascribe an inflated level of knowledge to their listeners, they use industry-specific jargon, gloss over critical points and, in short, alienate their audience.


The CISO as the Expert

Like any expert, you may be falling prey to the Curse of Knowledge too.

You need to convey critical security messages to your staff: how to avoid phishing, how to create secure passwords and why sensitive information must not be shared. But just like our dear doctor, you may be so immersed in your own language that you use terms and concepts your listeners can’t comprehend, you skip key information and ultimately lose your audience. Considering the potential costs of alienating your listeners, this Curse could end up putting the security of your organization at risk.

“A big barrier to communication is using language that you are familiar with but may not mean anything to your intended audience…it makes for a one-directional conversation and often one that ultimately causes the receivers to shut down and tune out. It makes communications complicated, can leave the receiver feeling foolish because they don’t understand and may be afraid to ask for clarification.” – Gartner Inc.
To start creating messages that your staff can understand and absorb, you have to break out of the Curse of Knowledge and move into effective communication. This means that the message your listeners receive is exactly the message you meant to convey. It sounds easy, but in reality it means undoing the Curse of Knowledge.

Breaking the Curse of Cyber Security Knowledge: Communicating Cyber Security Effectively

Let’s look at one of the most common messages you’re probably telling your employees day in, day out: “Malware that leads to data breaches often makes its way onto corporate networks because employees click links in emails or open attachments that they shouldn’t. Therefore, don’t click any links or open any email attachments if you’re not sure who sent it.”

Sounds simple enough, right? How could anybody with half a brain mess this one up? But if we examine this seemingly simple command, we’ll begin to see that even though it makes sense to you, its true meaning isn’t being understood by your staff.

Let’s put this example under the microscope:

Just yesterday, you held a security awareness workshop.

Now it’s but one day later. Thom in HR gets an email with an attached resume from a Marketing Manager candidate. He knows the team over in Marketing is looking for someone to fill in for Jen while she is on maternity leave, and reviewing incoming resumes is simply part of his job; leaving that attachment unopened would be negligent. So he opens it, even though he isn’t entirely sure the sender is legitimate. The directive, while it makes sense in your own head, doesn’t make sense in the context of your staff and their responsibilities, and therefore cannot be followed.

To get your message across, to impart information in a way that your staff can understand, relate to and ultimately absorb and put to use, implement the following:
Give step-by-step, context-based instructions: By merely saying “don’t open suspicious emails” you’re not saying very much. Give your staff a procedure for deciding whether an email is suspicious, based on the context of the situation they are in.

For example, you can tell your staff “Each time you get an email do the following:

Encouraging this type of thinking allows your staff to apply their cyber security knowledge to whatever situation they currently face.

Getting the Message Loud and Clear

When it comes to conveying the importance of cyber security to your staff, make sure you’re actually communicating and not alienating. Using these principles, you can provide information that can be put to use even when the context has changed. With step-by-step, jargon-free, effective communication, your staff will finally get the messages you need them to hear.