Conveying accurate information is implicit for the publisher, but getting it through the “noise” of information across to your audience and then having them receiving it without distortion is a profession. The science of communication provides knowledge to be visited when addressing the users of information and communication technology. There seems to be a significant portion of the users, globally, who are not heeding the potential danger which comes from digital technology and whereby basic rules of Do’s and Don’ts should be followed. Furthermore, cybersecurity is an interdisciplinary subject and collaboration and communication with other disciplines is necessary to design secure digital environments with the needs and knowledge of the end users in mind.
This interview is with Dr. Nicole van Deursen, which is timely as her forthcoming book, “Visual Communication for Cybersecurity” will be published in May 2020 and she brings communication science to cybersecurity and suggests more optimal mode for doing this.
Cybersecurity Magazine: Nicole, who are not listening? or do they not understand?
Dr. Nicole van Deursen: Cybersecurity is often associated as something that has to to with technology. As such, senior managers in businesses expect the IT department to solve all problems and to prevent incidents. And while there are many actions that the IT department can take to improve basic security levels in networks and systems, these actions do not prevent that people within the organization make mistakes, create workarounds around the security controls because these are inconvenient, or are able to use the systems securely. Senior managers nowadays become more and more aware of this, but many still expect the IT department to train and inform the users. However, most IT staff are not educated in how to train people and how to communicate to different audiences, and they don’t always have the possibility to involve a communication professional or behavioral psychologist. I believe it is important that cybersecurity staff that is tasked with communication to different audiences, should have at least a basic level of knowledge of communication science. It helps to understand why it is sometimes so hard to get their message across to managers and end users alike, and it helps to find alternative approaches when one type of message or medium does not deliver the results they were hoping for.
Cybersecurity Magazine: The immediate question that arises when thinking of visualisation in cybersecurity is, how does one effectively communicate the threats to users, so who are the users?
Dr. Nicole van Deursen: We are all users of digital technology. We all use different systems for different purposes. Therefore, the cybersecurity risks that we run differ in each situation but still potentially affect us all. I don’t believe there is a one-size-fits-all solution for cybersecurity and nor is there for communication and teaching about the topic. We should use mixed methods to reach different audiences in a range of situations.
Cybersecurity Magazine: Is visualisation a better global format for communication?
Dr. Nicole van Deursen: Communication means & media should be adapted to the audience. Visualization does not neccesarily involve using (moving) pictures. Storytelling is also a means to stimulate an audience to visualize a situation inside their heads. Some people process and remember information better with a story, others with text only and others prefer doing and touching as a means to learn. Many security awareness programmes in organizations still use only the most common types of media that they hope will reach a wide range of audiences. Examples are e-learning modules, intranet sites, newsletters, flyers, or brief presentations from a CISO. These are cheap and easily available options, but content wise, these approaches do not connect enough to the people to make them take action and tell it on to their peers.
Cybersecurity Magazine: Why are the users not listening to the warnings?
Dr. Nicole van Deursen: I personally do not believe in an approach of scare mongering, warnings, punishments and threats. Cybersecurity is not about doomsday coming and locking everything up. Most people are more than capable to make their own risk taking decisions. However, many people are not yet educated enough about the possibilities of digital technology and, as a consequence, the risks involved. When we include cybersecurity as a topic in education from primary schools onwards, we will be able to create a future where different users will be able to make educated risk decisions. Until that time we need our experts to improve their connection to their audiences in order to activate more influencers and advocates for cybersecurity from within those audiences.