Horror stories can be great fun, but they have their place. Business Reporter’s resident U.S. blogger Keil Hubert argues that exaggerating cyber criminals’ prowess to make them sound as threatening as movie monsters is counterproductive … and insults users’ intelligence.
Most horror movies are awful. That’s not to say that they aren’t fun (for people who enjoy such things), but a fun movie isn’t the same thing as a good movie. If we’re being honest, lots of the movies we love aren’t particularly good stories and sometimes aren’t even well made. That’s just fine; you don’t have to be an award-winning auteur to create a well-loved schlocky film. I’d argue that a lot of the ‘scary’ films and television shows that we enjoy are beloved in spite of their obvious flaws because of great characters, great dialogue, a skewed sense of humour, or a great monster design. There’s no law saying that we can’t adore a piece of art if it isn’t officially acknowledged as ‘great art’ by whatever passes for an authority.
That being said, it’s bloody wonderful[1] when what should by rights be a campy, throwaway scary movie turns out to be a damned good piece of cinema. Take 1979’s Alien, for example, or its 1986 sequel Aliens. Those were brilliant films, scary as hell, and extremely well made. I’d argue that the original Blade Runner really ought to be considered a horror movie[2] given its bleak existential themes and the sense of dread it inspired about the Very Near Future. These films still hold up years later because of how well they were made and how strongly they resonate with audiences.
I bring all this up today for three reasons. First, because it’s Halloween. Traditionally, this is the best time of the year to dim the lights and re-watch your favourite scary movie(s). Second, because a really great scary story will sear itself into your memory. Our favourite stories never leave us; they lurk just below the surface and influence how we perceive and grapple with future situations. Finally, because today marks the end of Cyber Security Awareness Month. I’ve spent all thirty-one days of October trying to get people’s attention focused on understanding security threats and countermeasures. The absolute best way to do that – as you’d expect – is through storytelling.
We’re hard-wired for this; for thousands of years, the exchange of oral folklore was our most effective method for synchronising culture.
Rules and warnings are all well and good, but they often fail to register with your audience. People are busy; they have dozens or hundreds of external forces vying for their attention all day, every day. If you want your message to stick, you have to craft it in such a way that it breaks through all the mundane noise and grabs your listener by the metaphorical lapels. Just as with a movie or television show, you have a very limited window in which to grab your audience’s attention and get them invested in where your story is going next.
The trouble is, many of the security awareness practitioners that I’ve met are awful storytellers.
First off, loud doom-saying is not storytelling. It’s fearmongering, and it’s largely self-defeating. You can’t appeal to people’s natural sense of self-preservation without delivering evidence of an actual, tangible, and near-term threat. Those of us working in the security field understand just how horrible the recent Equifax breach was. Unfortunately, it might take months or years for a cybercriminal to exploit a given user’s compromised credentials, and that gap vastly undermines the credibility of our warnings. Remember: we went through a ‘mega-breach’ like this two years ago when the U.S. government’s Office of Personnel Management was compromised … and we haven’t experienced anything like the devastation that security pundits warned us about back then. These breaches will eventually affect millions of people … but the gap between the breach being reported and the logical consequences manifesting is so large that a normal user can’t wrap his or her head around the extent of the threat. So they don’t take it seriously as a threat … and we sound like a bunch of hyperbolic fools for ranting about it.
Second, making cyber criminals out to be superhuman boogeymen is not good storytelling. It’s not even believable. Yes, there are a lot of bad guys out there with amazing technical talent; the elite threat actors deserve to be respected for their skills. That being said, making cyber criminals out to be megalomaniacal supervillains with genius intellects, ninja skills, and the ability to rain destruction on our helpless cities is ridiculous. Real hacking doesn’t involve super-fit MMA fighters employing gravity-defying gun-fu against hopelessly outclassed security mooks while programming artificially intelligent viruses in mid-backflip. That’s movie malarkey. It’s delightful fun, but it’s utterly unrealistic … and users recognise that. Most sane people realise that The Matrix was not a documentary.
Um … spoilers?
Unfortunately, these are the sort of ‘stories’ that get trotted out every year to give audiences a good scare. I understand why security practitioners do this. If they can convince their users that ‘l33t h@x0r$’ are terrifyingly deadly, then maybe those same users will tighten up their security compliance out of raw, primal fear. Oooh! Fear the deadly hacker-ninjas! They’ve breached a credit bureau, and now they’re coming to DISMEMBER YOU WHILE YOU SLEEP! AIEEEEEE!
Ugh … I have to be the party pooper, but we need to face facts: exaggerating a real-world threat doesn’t change how people perceive it or how they’ll react to it. Over-selling an event or an adversary is not the same thing as telling a compelling story about that event or adversary. All it does is undermine your credibility and bore the socks off the people you’re gibbering at.
I get why people do this, though: it works in movies! Once a writer or director chances upon a monster that frightens and entertains audiences, they want to capitalise on the discovery. So they tell the same story again, only they make the monster more powerful in the second telling. If that sells reasonably well, they make the monster even stronger in the third telling, and they repeat that cycle endlessly (until they reach the direct-to-video stage). The trouble is, you can only exaggerate a monster so much over a series of films before it becomes so outlandish that it transforms irreversibly from ‘frightening’ into ‘self-parody.’ See the Friday the 13th and Nightmare on Elm Street franchises for some truly painful examples of this principle in action.
The same thing goes for cyber criminals. In the beginning, people were afraid of being ‘hacked’ by mysterious strangers, the way one might have one’s house burgled, only from across the vast Internet. Computer viruses were unsettling because they spread much like sexually transmitted diseases. People listened to horror stories about their friends, co-workers, and neighbours getting pwned, and obediently installed anti-virus software, started using passwords, and even flirted with encryption. As cyber threats evolved, though, the tasks required to protect your data got increasingly abstract and hard to explain. Rather than struggle to teach people the complex world of adversary tactics, techniques, and procedures, it became easier to exaggerate the threat until people’s buffers overflowed with irrational fright and they’d comply with whatever we wanted them to do.
All that effort, and people still write their passwords on sticky notes right next to their PC.
That worked … sometimes. For a while. Like any cheap theatrical trick, it quickly burned itself out and users stopped taking our messages seriously. Foreign hackers can turn off your pacemaker with an iPhone app if you post your dog’s photo on Facebook? Uh huh. Sure. Whatever.
A much more effective approach to getting users to change their behaviour is to tell them realistic stories involving real people facing real threats under realistic circumstances. Give them a plot, a setup, and a resolution that make sense. Talk about characters that they can relate to. They’re far more likely to listen to and remember your lessons if you tell them stories about real bad things that actually happened to people they know than if you tell them anything else. That’s why real-world lessons learned are the most effective form of storytelling.
Security awareness isn’t about scaring people away from bad behaviour; that rarely works. Instead, it’s about encouraging people to embrace better behaviour. You can reduce your organisation’s exposure to adversary action by stimulating your user community to consistently practise good cyber hygiene. Cheerfully reward your users for swiftly reporting indicators of compromise (especially their own errors). Convince everyone that they’re crucial players in a comprehensive communal defence plan: more Battle of Britain than Slumber Party Massacre. They’re both captivating stories, but only one is credible … and, therefore, useful for our purposes.
[1] Pun very much intended, thank you.
[2] Rather than a ‘sci-fi thriller,’ which doesn’t do the script or the cinematography justice.
POC is Keil Hubert, firstname.lastname@example.org
Follow him on Twitter at @keilhubert.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.