SPRITE+ Community Building Event: Communicating Cybersecurity

Findings from a Workshop held in January 2022.

This workshop was organised by SPRITE+, the UK NetworkPlus for Security, Privacy, Identity and Trust in the Digital Economy. SPRITE+ is funded until 31 August 2023 under the Engineering and Physical Science Research Council (EPSRC) Digital Security and Resilience Theme (grant reference EP/S035869/1).

The workshop

In January 2022, SPRITE+ held an online community-building workshop focused on communicating cyber security. The aim of this workshop was to facilitate the building of potential collaborations and to explore opportunities for academics to partner with non-academic organisations to identify and explore the challenges of communicating cybersecurity from multiple disciplinary perspectives. The workshop featured the following context-setting talks:

'Communicating cyber threats: problems, responses, recommendations' - Emma Moreton, Lecturer of Applied Linguistics at the University of Liverpool
'A Morphology of the Cyber Security Tale' - Genevieve Lively, Professor of Classics at the University of Bristol
'Hoping for the best but expecting the worst: how can we talk about security of emerging technologies?' - Ola Michalec, Social Scientist at the University of Bristol

Following the presentations, participants were placed in breakout groups at random for interactive discussion. A total of 45 SPRITE+ members attended including researchers from STEM, humanities, arts and social science disciplines and non-academic members from regulators, government departments, businesses and third sector organisations. At least 32 individual organisations were represented.

Feedback from breakout discussions

Participants in breakout rooms were encouraged to discuss relevant issues and add to a virtual notes board. The contents of the notes have been transcribed below. They have been lightly edited to remove identifying particulars and for clarity. Some notes captured an emerging group view and others reflected the views of a single participant.

Discussion 1: Identifying the key challenges

Based on the presentations they heard and their own work, participants were asked to identify the most important research questions and key challenges for communicating cyber security.

Narratives and language

Narrative form assists communication – it is more relatable than other forms? NCSC has lots of audiences – some communications have to be general, others have to be targeted at specific groups.
How do we adapt narratives to suit different reader groups? Are narratives the best way to structure/communicate threats?
How does the way cyber security is framed influence the decisions people take in cyber security practice?
Are we promoting learned helplessness in the way that some threats are framed?
Military metaphors are really pervasive in professional cybersecurity organisations – they can be very exclusionary.
Cyber fatigue: how do we avoid over communicating to individuals/organisations to avoid reaching the point where we hit cyber apathy?
There is a gulf between the language of officials and technical experts and the language used/understood by the general public.
Narrative forms are a shaping/representation of reality and so are not objectively true – and can leave out a lot of nuance and detail.
When we discuss language/communication we must not forget to consider how we listen to the non-experts, not just talk at them.
How can we ensure everyone’s cyber security stories get told and acted upon?
Where can you go to find out the current advice? Language preferences and meaning change over time.
If people are not the targeted victim but may be a point of vulnerability do they care? Can language make them care?
Can we move away from appealing to the fear factor, and instead bring health language across to change the way we talk about cyber?
Cyber security is about tackling threats but it is also about ensuring freedoms and these are different narrative structures with different actors and messaging.
Some advice is very technical, which brings about an assumption that someone else is taking care of it within your organisation.
Some of the relationships are based on trust and that reflects how we respond to the messaging when it arrives.
There is lots of talk about messaging depending on the audience, but how much does that depend on the originator of the message (the teller), with Government messaging vs In House notes as an example?
Is there a culture of blaming the users rather than changing the mind-set to support users?

Understanding stakeholder requirements

How are policies received by stakeholders and are they communicated in an effective way?
We need to identify the various senders/receivers (e.g. via a mind-map of different groups).
Are we really reaching out all relevant users? What about users who have no interest and just want to get on with what they need to do with computers?
We need an understanding what drivers the user (e.g. organisational drivers for companies) – how could security tie to the key drivers of organisations?
One size fits all doesn’t tend to work, but how can we know what tailoring to do for specific audiences?
Linking knowledge and the need – cyber security experts don’t always understand what user needs, how do we change that?
There’s been a shift towards influencing the board and these communication approaches work well there – do they work at the individual employee level?
How do you communicate what citizens need from cyber security back to system designers or practitioners?

Teaching, outreach and engagement

When teaching across disciplines (psychology to computer scientists and vice versa), how do we tailor our teaching and convey information effectively?
What’s the best way to gain outreach and engage with schools and further education colleges about cyber security?
Could we build up a story bank that everyone could draw on to help education?
Is Netflix (other media channels are available) dominating the challenge in getting a general understanding of cyber security?
87% of respondents to one cyber security survey had not heard of NCSC – is that a problem?
Can you use self-affirmation in a cyber context to encourage people to change their behaviours and activity?

Measuring impact

How do you measure whether specific communications campaigns have had effect on stakeholders in changing behaviour?
How does “good practice” in cyber security communication change over time?
How do you to monitor and measure change without excessive surveillance?

Education and Knowledge of the Policy Makers

There is a perceived lack of understanding and motivation by policymakers to meaningfully engage with discussions.
Given the complexity and timescales of emerging technologies, how do policymakers consume (a) a relevant understanding of the technology and (b) understand the challenges and trade-offs?
We must recognise that policy makers have highly divergent interests, incentives, objectives. For instance, We can’t even apply Excel spreadsheets to solve national crisis-level events, why are we even considering (for example) effective use of Artificial Intelligence?

Expectations of end users

What should people (the user?) be expected to do?
How do we avoid putting the ‘blame’ onto the people that are victims of badly designed systems?
Are we asking people to behaving ‘securely and safely’ to protect themselves, another or society as a whole?

Security professionals

How is the nature of security professions changing? In the past one-off consultants were hired and now it’s more about embedding good practice within all teams.
Are people too focused on compliance/ticking boxes rather than thinking how to protect people?
Are we obsessed with protecting people by the proxy of data protection?

Discussion 2: Next steps

Participants were asked to note their ideas for next steps and opportunities for collaboration when it comes to communicating cyber security.

Education and training

How do we get into schools? E.g. issues with teachers using technology to communicate with pupils.
Are there opportunities to provide training earlier in the education process, to make communciating cyber security principles easier later in life?
How do we train people in cybersecurity? What are the ethics? How do we look for unintended consequences?
Teaching cybersecurity has historically been based on a compliance model, rather than trying to understand the context.
Anything ‘technical’ – e.g. standards – is almost immediately out-of-date.
There is a lot of ‘learning by rote’ – how do we give people the tools to think?
It’s more important to know the right question than it is to answer the question.

Evaluating communications

There are difficulties with communicating to people with non-STEM backgrounds.
Use of stories.
Use of technical languages within the different cyber domains.
Conduct some institutional ethnography, including an analysis of some of the key texts and how we interact with them on a societal level.
Funding for research into evaluating communications campaigns.
How can threat intelligence reports be more accessible?
We don’t think about cybersecurity (knowledge/practice) as a journey – which hinders how well we can support that journey.
How might design thinking be applied to this problem? For instance, looking at a problem from the user’s perspective, empathising with end users. Not making assumptions about their needs and skills. Making the pathway clearer – in particular where they start from.
Tiktok seems to be an effective way of getting cyber security information across – how is that developing, how well does it communicate messages and to whom?

Events/workshops

Critical friend circle/mini peer-review.
A workshop on new media formats and how well they work. This could prompt new research directions and engage an ECR audience.
Workshops could be an interesting opportunity for students to attend and develop project ideas.
“Thinking time” in workshops is valuable, it provides an opportunity to chat with others about the problems.
Forums involving practitioners – likened to cybercafe.
Some type of event(s) that can elicit the need of the audience/user groups to see if communications are effective.
Event to start to distil the information that exists in this space (there is so much out there – where should we start?).

Interdisciplinary/cross-sector collaboration

More opportunities to develop co-creation and collaborate with partners to respond to tenders.
Making cyber more accessible and attracting different disciplines to come together for common goals.
Opportunity to write papers together – especially working between people form tech and social science backgrounds.
Working directly with organisations to understand their cultural/organisational barriers to adopting technology (perhaps talks from the industry about their innovation/tech adoption/ security journeys).
There seems an interesting possibility of combining work on communication, digital literacy and behaviour change.
Is collaboration over/wrongly used? Do we need to be asking what is effective/impactful collaboration – resulting in behavioural change across disciplines/sectors/levels of expertise?
Interdisciplinary/cross-sector collaboration is done well by a certain ‘type’ of person. When you investigate what is behind successful collaborations the constant tends to be that there are people behind it with a track record of collaboration and who enjoy collaborating. The really tricky bit is bringing in those who don’t have this natural enthusiasm/skill.
Look at different disciplinary perspectives on the same topics and concepts.

Stakeholder mapping

Who are the stakeholders? What is their interest? What should their role be? How is that role more effectively emphasised?
Look at how we communicate with different demographic groups.
Comparative analyses – look at different domains.
Personas – who are the under-served groups?
What is good / best practice (for different types of activities)?