
Evidence-Based message framing for effective cybersecurity communication

By Zoë Fischer, Junior Project Manager in Security at GÉANT

Are you a security professional within an NREN? Chances are you’ve sat through a security awareness presentation where, early on, a big percentage flashes on the screen, emphasising the critical role the human factor plays in most security breaches. Indeed, it’s a widely acknowledged fact that the human element is the most vulnerable link in the cybersecurity chain (de Bruijn & Janssen, 2017). For instance, IBM reported that over 95% of their security incidents were attributed to human error as a key contributing factor (IBM, 2014).

So, if this fact is well known, why do many cybersecurity campaigns still fail to effectively raise awareness and motivate action? The answer may lie in how the message is communicated. Traditionally, the field of cybersecurity has been dominated by technical specialists and experts who are not always trained to effectively communicate to broader audiences (de Bruijn & Janssen, 2017). As such, there is a need to rethink our approach to cybersecurity communication.

The need for change in cybersecurity communication

The first step towards more effective communication is acknowledging the need for change. The traditional methods, which often involve technical jargon and complex explanations, can alienate non-experts.

The second step involves tackling the communication issue from a different angle, by incorporating expertise from fields outside of cybersecurity. Psychologists, communication experts and behavioural scientists, for example, can offer insights into how messages are received and processed by different audiences.

Finally, it’s essential to adopt new communication techniques. One way to improve communication is through evidence-based message framing. This strategy focuses on presenting complex issues clearly and in an engaging way, using scientific facts to ensure they’re easy to understand without losing their meaning.

The challenges of cybersecurity communication

But why is it so challenging to communicate the importance of cybersecurity to a broader audience? There are several reasons:

  1. Complexity: Cybersecurity is a multifaceted issue involving technical concepts, legal frameworks and socio-economic implications. Explaining these concepts in a way that’s understandable to a diverse audience can be difficult.
  2. Intangibility of cyber threats: Unlike physical threats, the damage caused by cyber incidents is often not immediately visible. Data breaches, for example, may not have immediate consequences that individuals can perceive directly. This makes the threat seem less urgent or relevant to many people (de Bruijn & Janssen, 2017).
  3. Psychological Distance: Related to the intangible impact of cyber threats is the psychological distance from the topic. Individuals and organisations often perceive cybersecurity as a distant problem that doesn’t directly affect them. This psychological distance can cause people to ignore the issue and be less proactive.
  4. Negative Framing: It is a common practice to emphasise the risks and dangers of cyber threats in communication campaigns. However, this strategy can sometimes lead to fear and avoidance rather than encouraging people to take preventative action.

Overcoming the challenges: using evidence-based message framing

So, how can we overcome these challenges? Communication scientists have identified message framing as an effective tool for conveying complex messages to a broader audience (de Bruijn, 2019). Message framing involves carefully selecting words, phrases and metaphors to shape how the message is interpreted. A well-framed message can make even the most complex topics accessible and convincing. In addition, de Bruijn and Janssen (2017) emphasised the importance of basing complex messages on scientific facts. Relying solely on emotions or personal beliefs can lead to mistrust if the message proves inaccurate, and regaining trust is challenging.

One good example of effective evidence-based message framing in cybersecurity can be seen in the UK’s National Cyber Security Centre (NCSC). Instead of focusing solely on the dangers of cyber threats, the NCSC’s campaigns advise on positive actions that individuals and organisations can take to stay secure online. For example, last year’s “Cyber Aware” campaign encouraged simple and practical behaviours to help shoppers protect themselves online in the run-up to the festive period (NCSC, 2023). By framing the message around actionable advice rather than fear, and by basing its arguments on scientific facts, the campaign is more likely to motivate behaviour change.

Effective Framing in the Context of NRENs

For NRENs, effective message framing is particularly important because of the diversity of the audience. NRENs often include a mix of technical and non-technical staff, all of whom play a role in maintaining cybersecurity. To frame cybersecurity messages effectively in this context, consider the following strategies:

  1. The key strategy to tackle the complexity of the topic is to simplify the message without oversimplifying. It’s important to reduce complexity, but this doesn’t mean dumbing down the message. Use analogies, metaphors and examples that people can understand and relate to.
  2. Address the intangibility with real-world examples. To make cybersecurity more tangible, provide real-life examples that illustrate the potential consequences of cybersecurity breaches and the benefits of strong cybersecurity practices. For example, you could discuss how a recent data breach at another NREN resulted in financial losses, and use that example to organise internal security training. By making these examples relatable and specific, you’ll help bridge the gap between the abstract idea of cybersecurity and its practical impact on your staff’s everyday work in the company (von Solms et al., 2023).
  3. To overcome psychological distance from the topic, tailor the message to the audience. Different groups within NRENs may require different messages. For IT staff, the focus might be on the technical aspects of cybersecurity. For the administrative staff, the message might centre on how cybersecurity practices protect the integrity of the administrative environment. Remember: one size does not fit all. Additionally, create a sense of shared responsibility. Frame cybersecurity as a collective effort where everyone has a role. Highlight that even small actions can make a big difference.
  4. Frame your message in a positive light (Mayer et al., 2018). Instead of focusing on what could go wrong, emphasise what can be done to make things go right. For example, highlight the benefits of good cybersecurity practices, such as the protection of valuable research data and the prevention of service disruptions. Moreover, shift the focus from reacting to cyber threats to preventing them by encouraging staff to think ahead and take proactive steps to secure their data and systems. In essence, promote proactive behaviour.

To conclude, the key to using message framing to communicate the importance of cybersecurity is to simplify the message without losing its meaning, to frame cybersecurity as a positive, manageable and collective responsibility, and to communicate in a way that resonates with the audience’s values and experiences. By doing so, we can raise awareness that cybersecurity is not just a technical concern but a shared commitment across all levels of an NREN, and that everyone should be motivated to take action.

For a deeper dive into effective cybersecurity communication, please read the article “Building Cybersecurity Awareness: The need for evidence-based framing strategies” by de Bruijn and Janssen (2017). They outline seven specific strategies to communicate the importance of cybersecurity: 1) Do not exacerbate Cybersecurity 2) Make it clear who the villains are 3) Give cybersecurity a face by putting the heroes in the spotlight 4) Show its importance for society 5) Personalise for easy recognition by the public 6) Connect to undercurrent

Literature:


About the author

Zoë Fischer is a Junior Project Manager in Security at GÉANT, where she supports the security team with organisational and communication tasks. Her responsibilities include managing the ISO certification process, coordinating GÉANT’s annual security conference ‘Security Days’ and serving as the product owner for the vulnerability management service. Zoë holds a Master’s degree in Communication Science with a focus on Political Communication from the University of Amsterdam. She has a strong interest in combining her expertise in communication with the technical field of cybersecurity.


This year, GÉANT is again joining the European Cyber Security Month, with the campaign ‘Your brain is the first line of defence’. Read articles from cyber security experts within our community, watch the videos, and download campaign resources on connect.geant.org/csm24.
