Especially in recent weeks and months, information security (infosec) has become an issue of interest to a lot of different people. Over the last several years, more people have started paying attention to infosec issues, which means the audience of infosec communication has drastically grown and changed. Effective communication is audience-dependent. You have to adapt your message to your audience, so let’s examine some different audiences of infosec communication and how the messaging should change to be effective for them.

For this discussion, I’m thinking of infosec communication as a persuasive effort. The goal is to convince people to change their behavior to be more secure or to just think about security more. So, who are we trying to persuade, and how should communication change to achieve that behavior change? There’s no form or style of communication that’s going to convince everyone, so we have to tailor it.

Getting people to engage with infosec communication is a challenge all on its own, but I’m going to focus on situations in which people are listening. So, why might people listen to infosec communication?

  • Affinity – they like you and trust you and would probably listen to anything you say
  • Required to listen
    • Structural reasons – you outrank them
    • Check box – there is a regulation, standard, or social pressure, and the audience wants to be able to point and say “we did the thing”
    • Someone else told them they had to – most common in lower-level employees or end-users when security training is required
  • Fear – they saw something in the news or heard a story from a friend, and are afraid that they are vulnerable, so they want to talk to you
  • Legitimate interest – the holy grail that frequently goes along with affinity; the person speaking to you is legitimately