If someone watches a TV show, visits a website or opens a book which they don’t understand, they move on to something else. Participants in IT Security Awareness training programmes, however, are a much more captive audience. If they don’t understand the content, they might pretend to understand it to please the instructor or their boss. But in reality, their brains have already tuned out. Whether you like it or not, you’ve lost them. This might of course be due to unengaging content, or simply because the language used does not fit into their existing mental models or schemas.
Avoid Brain Tune-Out…
Think back for a moment to the teachers you had in school or college. The good ones delivered the syllabus in a really engaging way. They probably also used simple everyday language. They didn’t feel the need to use obtuse and abstract language, because they instinctively knew that sort of language makes it harder for people to understand and remember what is being said.
Technical Language Alienates
Technical language alienates users and impedes understanding. IT Security Awareness training should avoid jargon and overly technical terms as much as possible. While technical terms might be part of your daily vernacular, they are usually not part of the world of your participants.
Use the “Pub Test” to Check whether your Language is Appropriate
There are loads of examples of how technical IT terms can be simplified to aid understanding. As a rule of thumb, look at your training content and ask yourself “Is this really the language participants would use if they were describing a hacking incident down the pub with their colleagues and friends?”. I call this the “Pub Test”. If the answer is “no”, maybe you need to change the language.
Here are some terms which should be avoided with suggested alternatives.
Bad Actors – Please don’t use the term “bad actors”. In fact, some participants might think you’re referring to some extras who have appeared on Fair City or Home and Away. Use a more relatable term such as “hackers” or “cyber criminals” instead.
Credentials – For some, credentials are what you get when you finish college. The terms “username” and “password” are more concrete terms.
Malware – “Malware” can be a very nebulous term which means different things to different people. When using this term, I strongly suggest you preface it with the function it performs. So instead of just saying “malware”, refer to it as “data stealing malware” or “password stealing malware”. This gives participants a better understanding of what malware actually does. You need to convey the message that malware is much more pernicious than “pop-ups” or “bad software that makes your PC go slow”.
SSID – When discussing the insecurity of public Wi-Fi networks, avoid the term “SSID”. Most users don’t know what an SSID is. Instead, use the term “wireless network name”.
Domain – When talking about compromised, spoofed or malicious websites, please don’t use the term “domain”. A phrase like “hijacked website” will resonate much more powerfully than “hijacked domain”. Likewise, the term “fake website” will be more widely understood than “spoofed domain”.
Social Engineering – For lots of people, this term is still strongly associated with nefarious governments or rogue states trying to coax their citizens into certain behaviours. Good IT security awareness training should inform participants that social engineering in a cyber security context can mean anything designed to trick somebody into performing a specific action.
Threat Attribution – While this term might make the instructor feel very smart when discussing case studies of real-life hacks, using such a term will not always aid user understanding. Why not just say “how the hackers got in”? Nice, simple and clear.
URL – “URL” should not be used. A lot of people are still a bit fuzzy on this term. Use the terms “weblink” or “link to a website” instead. Much clearer and easier to understand.