Looks like your hacker wants to have a chat with you
Let's cut to the chase: we humans think we are rational beings. We really, really do. However, we rely heavily on our emotions when making decisions. What's fascinating is that we're now seeing scientifically, through the behavioral sciences, how this part of our brain works, but the fact that it happens has been known for ages. Aristotle's “Rhetorical Triangle” teaches how to persuade through rhetoric, and as you see, Pathos is a big part of the equation.
So, how much does emotion matter? According to Spiralytics, companies who have recently implemented emotional rhetoric have had their sales and brand awareness increased by over 31%, with a 306% increase in lifetime value, mixed with high recommendations from previous customers.
Salespeople know this. Marketing and advertising rely fundamentally on leveraging Pathos. Tapping into our hopes, desires, frustrations, … relating to our emotional state and teeing up another... “we know you’re angry about your car insurance bill”.
Part of the reason we're so passionate here at Cybermaniacs about changing the way cyber 'awareness' is done is that we've seen too much pathos used poorly and to rather terrible outcomes. Fear, guilt, and shame, to name a few. Too many hackers in hoodies, thank you very much. But to understand how this works, where we are, and how we can do better, we needed to pick this apart more fully. For more than just used cars. How are rhetoric and pathos used in cyber security?
Let’s start with how non-technical people actually feel about cyber security.
I’m Feeling (Insert Emotion Here) About Cyber Security
Cyber security discussions always include heavy amounts of robust, highly technical keywords and phrases. Negative consequences, risks, and possible terrible outcomes, while all very true, are highlighted, repeated, and almost beaten to death. Tones of severity, concern, criticality, and compliance are all used liberally to hopefully elicit a higher state of alertness (which, as a 'state' for humans, is actually exhausting to our brains, so we literally avoid it as a neurological response). We also, very rationally, lay out the facts (Logos), hoping that caring will naturally follow. Funny, humans don't always work like that.
In a study run on Nature.com, an experiment was held in an office that asked employees to discuss how they felt about the importance of Cyber Security AND how important it is to them.
Some questions that were asked:
“When I think about CyberSecurity, I feel…”
“My Opinion on Cyber Security is that…”
“In terms of Cyber Security, my suggestion would be that…”
Our research has proved similar findings:
While the shared answers were dispersed, from reading through the responses, the elicited emotions remained the same:
Ignorance. “It’s not my job to worry about it.”
Concern. “I’ve noticed there’s a lack of securing our data.”
Fear. “I’m scared I’ll be a part of a breach and I’ll feel like it’s my fault.”
Relief. “Knowing that our networks are secured with trustworthy systems makes the workday a little easier.”
Is there any other research on cyber safety feelings?
There is no one audience here; according to Aristotle, we have a few groups divided on how they feel about cyber security. If I may steal the thunder a bit, I think it is MORE important to consider these facts when looking to implement cyber awareness programs and messaging. We're rather obsessed with role-based risks (logically important), but to get people to listen and change, have you ever thought about grouping around their perceptions and sentiment instead? (Shameless plug: Call us to talk about our Digital Tribes Model & Human Cyber Baselines.)
Let’s put it in a different way:
Marvel VS. DC VS. Downton Abbey
Let me explain…*
*These viewpoints on said entities are my own, so please, NO DEBATES
I’m understanding of this approach and I will do my best to keep up. I’m glad to see the higher-ups know what we want and they’re dedicated to putting out worthy content. Sometimes, I’m worried if they’ll be able to keep up and if I’ll always feel safe or will they begin to teeter and I’ll feel hesitant.
What is being delivered makes me a little fearful, as there are many inconsistencies and things seem to be completed on their own timeline, without the worry of the indulgers. I understand that a lot of people don’t really care and whatever happens, happens, but I want to make sure I understand what’s going on and essentially, be a part of the process and not constantly crossing my fingers on feeling secure.
Downton Abbey (All jokes aside, PLEASE DO NOT HEAD DOWN THIS ROUTE):
The old school feel is the best approach. I love the idea of using typewriters and essentially staying offline, that way there is no sense of weariness. We will have no concerns, except for when tea time occurs.
Phew! Are you exhausted? Because I'm exhausted. Is it clear that I've never seen an episode of Downton Abbey?
Best Ways to Measure and Use the Feels for Your Awareness Program
Let's start with your working environment, your company, and the employees you want to protect.
Do you know how they feel? Are there different groups who have similar or different emotional responses to the subject of cyber security?
What is their consensus on security training itself? How I think about myself needing to be secure and HOW I am trained within security are two different things!
Traditional Cyber Awareness (circa 2010-2021/2) is a top-down, one-size-fits-all, low-feedback approach. How would you go about influencing, training, convincing, connecting, and collaborating with your workforce for more security behaviors if you don’t *really* know what's going on in your people's hearts and heads?
The good news? There are ways to measure and illuminate who your people are. The recipe of Logos, Ethos, Pathos will follow once you define how they feel, and what you want them to know. As always, we fundamentally believe in always using ethical, positive messaging to achieve your aims.
Here at The Cybermaniacs, we put our mission to create millions of happy, cyber-safe humans right out front as a way to communicate what’s most important to us. Safety and Happiness. Traditional approaches of fear, guilt, and shame, while done with good intentions (our industry really doesn't want people and companies to get hacked), have not, to date, had much, if any, real or lasting success in substantially changing behaviors and influencing organizational cultures.
Through our cyber-secure human baseline assessment and culture mapping, we’ll be able to help guide you and your team on an easier journey into understanding the Who's, What’s, and Why’s of Cyber Security culture, all without packing in an overwhelming amount of information. The only emotion we want you to feel is jubilation, which is like happiness but peppered with the feeling of waking up on Christmas morning.