European Cybersecurity Month is upon us, and that can be a good hook for awareness-raising campaigns. But are the messages hitting home as effectively as they could? Several experts believe we need to take a fresh look at the language we use in security. Otherwise, we risk failing to help messages reach, and resonate with, their intended audiences.

Most importantly of all, is it really helping them to change their security behaviour for the better?

Victoria Baines has literally written the book about the language we often find in the industry, ‘Rhetoric of Insecurity’. In a lecture this year for Gresham College, she pointed out similarities between the language used by politicians and law enforcement, the security industry’s marketing teams, and even cybercriminals who use phishing and scams. (The video and the transcript of the lecture are both online.)

Catastrophising cyber threats

“All use similar techniques to catastrophise cyber threats to make being a victim of cybercrime look and feel like being the worst thing in the world. They all portrayed digital technology as dark and anonymous and cyber threats as colossal, deadly threats – and all used mystifying technical jargon to do so,” she said.

Professor Baines is far from a lone voice. Dr Eric Cole, a former CIA hacker, raised the same issue two years ago. “The problem is that world-class security engineers naturally use language that they’re comfortable with, which is technical and not business-led,” he wrote.

Michelle Levesley is a former teacher who later moved into security education and is currently cyber awareness lead at Channel 4. On her excellent ‘Beyond the phish’ Substack, she made a plea to stop inventing new terms for scams. The deserving target of her ire was ‘quish’, a new term for bad QR code scams. “I wish we could just say scam or criminal activity using text/ voice call etc. I have yet to hear anyone in the public groups I work with say vish smish or phish. It is unhelpful to create constant new terminology that just alienates the people we need to reach,” she wrote.

Stop saying ‘user’

Dr Jess Barker of Cygenta is a longstanding commentator on security awareness. In a recent blog, she made a persuasive case for security teams and IT professionals to stop referring to ‘users’. Dr Barker, who’s a sociologist by training, said this language reinforces an unhelpful ‘us and them’ approach to security. Calling someone a ‘user’ is dehumanising, she said. It can also lead to security professionals thinking they’re superior when, in reality, we’re all technology users.

Instead, she suggested switching to a “simpler, friendlier and more accurate” word like ‘people’, ‘colleagues’, or ‘customers’.

BH Consulting CEO Brian Honan has also bemoaned the industry’s language as “too macho, too militaristic”. In a presentation at IRISSCON 2021, he contrasted it with the public health messages during Covid-19. By using language that was simple, clear, effective and empowering, health groups successfully changed many people’s behaviour to keep them safe. “Social distancing; wear masks; wash hands. They’re repeated messages,” he said.

Talking pictures: the hooded hacker cliché

The problem doesn’t just stop at words. It’s the same story with the stock imagery we often see associated with security products and marketing. You know the type: dark rooms, hooded figures, head-spinning patterns of computer code. As Professor Baines pointed out, they portray a technical sophistication beyond the grasp of everyday citizens. “These images shout that cybersecurity is not for you,” she said.

It might not be the intention, but the effect is to make people feel powerless, helpless and hopeless. “Imagery like this is hugely disempowering, and does nothing to make [people] feel safer than pushing them towards buying a product,” she said.

So, what’s the answer? One powerful way to reframe messages is to start with the audience in mind. A recent edition of the Audience 1st podcast did exactly this. Although it’s primarily aimed at security marketers, it has many valuable tips for security awareness. The guest, Andra Zaharia, is a content marketer and champion of ‘cyber empathy’. She said too many security vendors focus on their technology and fail to connect with buyers in a meaningful way. In other words, they don’t take the time to explain why someone should buy their product.

Start with why

“We think that prescriptive, patronising training and advice will help people. And we forget about the ‘why’ and the ‘so what’,” she said. Zaharia suggests asking some questions to clarify purpose and meaning for content, and they’re equally valid for security awareness training. Ask: who is it for? What is it for? Why are we doing this? Are our assumptions true?

Another good reason to reflect on planned awareness campaigns is that European Cybersecurity Month will no longer be limited to October. Starting from this year, it will deliver cybersecurity messages all year round. “As cyber-attacks have no time boundaries, we all need to be alert all the time,” the campaigners say.

So, here are some quick tips to guide your next awareness initiatives.

  • Is the language and terminology clear to someone who isn’t a technology expert?
  • Are you framing the message to help the audience feel empowered to take action?
  • Is the action you want the audience to take easy to understand, and carry out?
  • Are you giving people a reason to care about changing their behaviour?
  • Can you phrase the message more simply?

At BH Consulting, we’ve always believed the industry’s cliché of “the user is the weakest link” just isn’t true. Like this engineer who spotted a phishing email and prevented a security incident, or this bank worker whose quick thinking foiled a scam, an organisation’s people are its first line of defence.

About the Author: admin
