Overcoming the Curse of Knowledge in Cybersecurity

Last month, I received a curious hand-written letter in the mail from a woman named Carol. She explained that we had met before at a writer’s conference and that she had been very impressed with my work. I probably had trouble remembering our interaction, she explained, since it was such a whirlwind of an event.


Either way, she was eager to start coordinating a lucrative project in which I would co-author a book with a well-known author she had reached out to on my behalf. If I wanted to view the portfolio of my work that she had compiled and presented to the author, I was welcome to take a look by typing in a short link on my computer.


I’m indeed a writer, but I’ve never been to a writer’s conference. And Carol wasn’t an enthusiastic fan, either. She was a hacker.


Hey Carol, you suck


“Carol” had clearly done her research on me, personalizing the letter as much as possible. I had also recently signed up for a subscription to a writers’ trade magazine, whose database may have been hacked (which would explain how she had my home address). I reported the incident immediately to the magazine and to the proper authorities, but the unfortunate reality is that someone is likely to eventually fall for “Carol’s” trick.


There are several lessons we can learn from my personal story, including:


1. Hackers may do extensive research on a potential victim to “tailor” their attack

2. Compelling stories about cybersecurity can be told without resorting to jargon

3. A cyberattack can happen to any citizen

It’s the World We Live in.

Most of us assume a cyberattack won’t happen to us, although it’s something we hear about in the news almost every day: The malware attack that breached the U.S. federal government and elite security firms that went undetected for months (SolarWinds). The hackers who used a compromised password to breach the largest fuel pipeline in America, leading to shortages across the east coast (Colonial Pipeline). A 157-year-old school in rural Illinois that was permanently shut down after a ransomware attack (Lincoln College).


Cyberattacks can have real-life consequences


There is no security threat facing America that has grown so fast and affected so many of us at once. While larger organizations are more likely to be targeted by sophisticated nation-state hackers, small businesses and average citizens are regularly targeted, too (per my example above). According to a recent Kaspersky incident response analyst report, approximately 10 percent of these cyberattacks are easily preventable. That means that, with the right communications delivered through the right channels, security professionals have the ability to deliver guidance that helps Americans protect themselves more effectively.


But the Curse of Knowledge May Be Standing in the Way.


As a communications strategist who works in the defense industry, this dilemma of speaking to audiences in the right way through the right channels is top of mind (not to mention that my colleagues and I tend to be targeted by cyberattacks more frequently than other citizens, due to our access to sensitive databases). But how can we ensure that we’re speaking in a way that our audiences can understand?


According to the SANS Institute in their 2021 report about security awareness, the “curse of knowledge” is one of the main reasons that awareness programs fail. The curse of knowledge is a cognitive bias that occurs when an individual who is communicating with others assumes that the other individuals have the same background knowledge. For example, in a classroom setting, if teachers are unable to put themselves in the shoes of their students, they risk teaching at a level that the students are unable to grasp.


In a nutshell, the “curse of knowledge” means you know too much. You can't unknow what you know.


I’ve been thinking about this issue ever since a colleague recently sent me a presentation titled “Defeat Your ‘Curse of Knowledge’ & Make Your Security Messaging More Impactful” by veteran cyber news reporter Kerry Tomlinson at the RSA Conference. Her presentation focused on properly clarifying your communication so it has the impact you intended. “We often forget that most people need building blocks to get to a certain point of knowledge,” explained Tomlinson. “Part of the problem is terminology. If we use jargon to just give definitions, then we’ve already lost most of the population.”


Here is an example from her presentation:



Knowing your audience is obviously key when honing your messaging. People need to understand about 98% of a text to read it for pleasure, so one-directional conversations that leave receivers even slightly in the dark can cause them to shut down and tune out. If you make your communications complicated, receivers will feel foolish, and instead of asking for clarification they are more likely to keep their mouths shut.


So What Can We Do to Overcome the Curse of Knowledge?


If we know that jargon results in greater resistance to persuasion and lower support for tech adoption, how can we ensure that we, as communicators, are not accidentally falling into the trap of the curse of knowledge?


Below are the top 10 recommendations to check yourself:


1. Put yourself in your audience’s shoes

2. Tell a story with real-life, relatable examples

3. Avoid the jargon

4. Break down a high-level directive into step-by-step directions

5. Talk about concepts, as opposed to terminology

6. Clarify complex topics with brief summaries and strong visuals

7. Get people excited (meaning, emotionally connected)

8. Don’t overwhelm people; just include main points with interesting details

9. Don’t scare the hell out of people without offering a solution

10. Test your messaging on a non-techie friend before releasing your communication to the public


When in doubt, simplify (but without talking down to your audience). As Tomlinson quipped at the end of her presentation, recycling an old Albert Einstein quote, “If you can’t explain it to a six-year-old, you don’t understand it yourself.”


Extra Credit: Employ Storytelling


I tell my engineers all the time that when it comes to communications, we should aim to entertain, then educate so that our messaging hooks interest and keeps people listening. Story, of course, is one of the best ways to achieve this since people naturally want to know what happens next. As story guru Lisa Cron said, “We think in story, which allows us to envision the future.” (To learn more about this concept, check out my article “The 3 Cognitive Secrets Behind Storytelling.”)


Cyber and story mix better than you think


Slowly but surely, cybersecurity leadership is recognizing the power of story in their industry as well. According to Mike Polatsek, the Chief Strategy Officer at CybeReady in Israel, “Use stories and anecdotes to convey your message. If you want to create messages that really stick, pepper your messages with short, interesting personal stories.”


Let’s go back to the beginning of this article. Note how I didn’t start with statistics or even specific examples in the news about large corporations. I told you my story. Were you curious from the first sentence? I hope so. I also made it specific and easy to remember. I made it relevant and relatable. I reminded you that I’m a regular citizen, just like you.


So, the next time you’re crafting your cybersecurity messaging, remember to keep it simple, to cut the jargon, and employ storytelling tactics that hook interest. Confusion leads to alienation, but connection leads to comprehension. Our daily life and economic vitality depend on all of us contributing to a resilient cyberspace. With the right story, we can get the message across.
