Picture the scene. You’re running a workshop at a university to improve, say, understanding of data privacy. Or you’re on site at an organisation experiencing a security incident.
How can you maximise the likelihood of people understanding and retaining the key messages and information you need to give them?
Effectively explaining cyber security information to people with limited knowledge of IT or cyber security can be challenging. But it is a vital skill for security professionals.
Jessica Schumacher, a security engineer at SWITCH, the Swiss NREN, is well-known by her colleagues for her ability to explain technical topics to non-technical audiences.
Here, Jessica offers six tips to make it easier for your audience to understand and apply the security information you need to give them. While some tips are more relevant to security awareness activities than to incident response, many apply to both scenarios.
1. Put yourself in the other person’s shoes
First, you need to assess the person’s existing level of knowledge, and shape your explanation to fit.
“Put yourself in their shoes,” says Jessica. If this feels difficult, think of a specific person you know well who has a similar level of IT knowledge. Then, explain the topic as you would to that person.
“For example, my parents know what the internet is, more or less. My mother has a smartphone, my dad doesn’t,” Jessica says. “So, if the person I’m speaking to has a similar level of knowledge to my parents, then I try to explain as if I were explaining to my parents.”
2. Make it fun
“Making things fun is really effective for getting your message across,” says Jessica.
“Not only does having fun make the whole experience much more memorable, but people also remember the specific things they learned more clearly. In our training games, one of our main goals is that participants leave with a smile.”
SWITCH has developed a series of security awareness adventures to help people learn about serious topics, such as security and data privacy, in a fun, interactive way. Following a short talk to explain the topic, participants put their new knowledge into practice by playing a game, such as an escape room.
But don’t worry, you don’t need specially designed games to increase the fun quota. Other ways to make a learning experience more enjoyable and engaging include:
- Tell a joke (Jessica reports that even bad jokes work)
- Share a relevant story about something that happened in your own life or work
- Ask learners to share their own opinions and experiences
- Show your enthusiasm for the topic – enthusiasm is contagious
- Compliment people on what they did well (most people like to receive compliments)
3. Use clear, simple language and concepts
Use straightforward, everyday words and concepts as much as possible. Try not to use technical jargon unless it’s unavoidable.
“It’s better that people understand a concept in a simplified way, even if it’s less precise, than not understanding it at all,” says Jessica. “People can be afraid of a topic if you use too many technical words.”
Analogies can be helpful. A common example is saying ‘every computer has an address’ rather than ‘every computer has an IP address’.
Strictly speaking, the first statement is less accurate, because a computer has multiple addresses. However, referring simply to ‘an address’ helps many people to quickly grasp how an IP address functions.
“If I say ‘address’, rather than ‘IP address’, everyone can imagine that it’s like a street address. So you know exactly in which city and on which street the computer lives.”
Say only what’s necessary and relevant for the audience to know at that time. It can be tempting to keep talking and share further details or background information – especially if it’s a topic you find interesting – but this often confuses the key message.
Stay focused and succinct!
4. Be humble and approachable
“Often, people don’t like asking for help or admitting they don’t know something. If you’re humble and approachable, people will find it easier to ask questions. Or if they have a problem in the future, they will be less afraid to ask for help,” Jessica says.
“The end goal is that you want people to learn something, because it’s an interesting topic and it’s important. So you want to create an environment which reassures them that no question is a stupid question. After all, no one knows everything. We all have to ask questions sometimes.”
Jessica’s approach here is informed by her personal experiences.
“When I started in IT over 10 years ago, I didn’t know a thing about computers – just barely how to switch one on. And back then I didn’t know anyone who worked in IT. So I had to look up lots of things because I was afraid to ask questions.
“Now, it’s a passion for me that everyone gets a chance to have their questions answered, so they can understand how technology actually works.”
5. Repeat, repeat, repeat
If we hear something only once, we’re much less likely to remember it, especially if it’s in the middle of several other new pieces of information.
To help people retain what you’re telling them, Jessica recommends repeating yourself often.
“Also, summarise at the end, especially if you’re giving a fairly long presentation: ‘Today, we learned X, and this helped us with Y.’ It all makes it easier for people to remember what they’ve learned.”
6. Don’t blame the user
Jessica also identifies a vital thing to avoid doing.
“Unfortunately, it’s quite common for people who work in IT to blame the user for everything that goes wrong. I find this approach quite harmful. It doesn’t help anyone.”
To avoid this mindset, tips 1 and 4 above are especially relevant.
Firstly, put yourself in their shoes:
“We all make mistakes. I certainly do!” says Jessica. “When someone makes a mistake, blaming them doesn’t help. You have to try and put yourself in their shoes. Focus on how to solve the problem and improve in future, instead of blaming someone.
“You don’t know what kind of situation that person was in. Maybe they were under stress, or hadn’t slept well, or had just received some bad news – think about this before you act.”
Secondly, be humble:
“I know about cybersecurity because that’s my job, but many people outside of computer science don’t know much about it. So, if someone doesn’t know much about, say, phishing, then how can we blame them for making a mistake and clicking on a phishing link? If someone was to blame, it should be us for not teaching them properly.”
Follow these tips to improve how you communicate
To recap (tip 5!), here’s how to make it easier for your audience to understand and apply the information you give them:
- Put yourself in the other person’s shoes
- Make it fun
- Use clear, simple language
- Stay humble and approachable
- Repeat and summarise
- Don’t blame the user
Apply these tips, and you’ll find your ability to explain even complex technical information to colleagues or members of the public will improve.
And when someone takes on board what you’ve said and adopts more secure behaviours, it’s a fantastic feeling.
“During security awareness sessions, we encourage participants to use password managers. And even though people say they will, you can never be sure,” says Jessica. “So we are always very pleased to learn when they do. It’s such a great outcome of our work.”
Jessica Schumacher is a security officer at SWITCH, the Swiss national research and education network. She mostly works to improve universities’ security via penetration testing and network security monitoring. You can also find her on site during a major incident or back in the lab during forensic investigations. Jessica loves everything related to DNS and security awareness. Before working in IT security, she gained experience in system administration and networking. Jessica is passionate about (almost) everything related to information security and really enjoys sharing this passion with others.
This year too, GÉANT joins European Cyber Security Month with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on connect.geant.org/csm2022.