In our lives as security professionals, we worry about software acting as a Trojan Horse, sneaking malware past our system defenses and on to vulnerable devices. What if I told you that I’m a big fan of Trojan Horses? It’s true; but I’m a fan of a different kind of Trojan Horse. I’m a fan of finding Trojan Horses for the mind. Here’s what I mean: when designed well, our messaging can sneak past mental defenses and noise. In other words, the way we design and deliver our messages can become a Trojan Horse.
There are several Trojan Horses that we can summon to help with our awareness campaigns. Today, let’s focus on emotion.
People tend to make decisions based on emotion and then build a case for their decision based on logic. This is hugely important for us to keep in mind when developing security awareness messaging. People will experience emotion when interacting with messages, even if we don’t intentionally put it there. So, we are at a disadvantage when we aren’t actively engaged in bridging our audience to an emotion that will be helpful to our cause. When developing messaging, you have to develop for both the information and the emotion that we want to convey with the message.
Now, I’m not saying that I want you to make your security messages sad, or fearful, or angry. But you owe it to yourself and your people to connect your security messages with emotions that will add context to, and enrich the meaning of, the information that you are trying to get across. Once someone can intellectually and emotionally place themselves within the context of a situation, they are more likely to appreciate the meaning. And emotion allows the meaning to become rooted within the person’s memory.
Consider both the positive and negative outcomes of the security value or behavior that you are promoting. And do this across several levels. Think through (or better yet, list out) any positive and negative outcomes that someone may have if they internalize and act upon the information contained in your message. Once you’ve listed the positive and negative outcomes associated with the security value or behavior, link each of these outcomes to positive and negative emotions. What emotions can be discovered? What is the juxtaposition of emotions associated with the outcomes for someone who would follow your security message verses someone who doesn’t? What stories emerge?
One of the most useful states we can induce within our audience is curiosity. Curiosity isn’t an emotion, it’s a feeling. Curiosity emerges when our interest is piqued by a stimulus (like a loud noise from the other room) and we lack sufficient data to fill in the knowledge gap caused by the stimulus (thus making you ask yourself what caused the noise).
You’ve probably heard the term clickbait – it refers to many of the headlines that you see in your social media and newsfeeds. The headline is often written in such a way as to hint at some bit of information that will be provided in the underlying article; but the headline intentionally leaves out a critical piece of the puzzle. After reading the clickbait headline, your mind urges you to fill in that piece of the puzzle. The only way to scratch the mental itch is to click the headline and engage with the content. An example would be:
“5 Things you Need to Know about Security Behavior. # 4 will Change Your Program Forever!”
And now your brain is drawn-in. It’s curious as to what the five things are. This mental itch is called a curiosity gap. The reason that curiosity can be useful is because, when used well, curiosity motivates a person to seek out and engage information to fill the gap in their knowledge. That volitional aspect of the engagement makes a big difference in how they internalize the content.
Source: infosec island