Did you notice? As B2B cybersecurity content writers, we love telling our readers what they “should” do.
As in, “Organizations should…” or “CISOs should…” or “You should…”
Sometimes, we push that urgency pedal to the “must” metal. We exclaim that readers or their companies “have to” or “need to” or “must” take certain steps.
As in, “Financial institutions have to…” or “As a compliance leader, you need to…” or “Enterprises must…”
Sounds a bit helpless, doesn’t it?
So, does it work? Science confirms: it doesn’t (more on that below).
If it did, the world would be a safer place.
We’d be fat and happy, because our readers “should” love whatever product or service we highlight in our whitepapers, blogs, or drip mails.
The truth is: we can’t mandate love - or total security. Most readers are pro-choice, thank you very much.
People don’t want to be told what to do or not to do. Scientists even have a term for it: psychological reactance.
Does your cybersecurity content cause psychological reactance?
Here’s a test.
Next time you read B2B content that stresses what you “should” do, ask yourself:
“What’s my gut reaction to that?”
If the writer or the company she represents is your go-to authority on the subject matter, you may take action.
Or you let it slide, like that unsolicited and non-applicable advice from a friend who means well and only wants to help.
Yet, in many more cases, you’ll not even consider it and simply move on without hesitation. I know I do. This usually happens for mainly three reasons:
- because the writer has failed to establish authority;
- because the content doesn’t speak to the reader’s specific cybersecurity needs, situation, restraints, budget, or priorities;
- because of basic human psychology: who wants to be told?
B2C and B2B content writers underestimate this subconscious pushback at their own peril.
Does psychological reactance explain, at least in part, why we have failed as an industry to increase cybersecurity awareness in a meaningful way over the past years?
Perhaps cybersecurity writers are co-responsible for this failure.
Blame the “must-erbation” approach in poor cybersecurity content:
Meet the cybersecurity content musterbators
The term “musterbation” was coined by cognitive-behavioral science pioneer Albert Ellis (1913-2007). It describes a particular way that people place absolute and unrealistic demands on themselves and others.
“There are three musts that hold us back,” the famous psychologist wrote. “I must do well. You must treat me well. And the world must be easy.”
The language of “must”, “have to”, and “should” people use to that effect is a language of black and white.
Such wording doesn’t take into account the complexities and many shades of gray in how humans interact with each other and the world.
As a result, it weakens the desired outcome or prevents it altogether.
“Should may occasionally give good guidance. More often, it sets unrealistic expectations,” wrote clinical psychologist Susan Heitler in Psychology Today (Should You Use This Word? It Decreases Your Effectiveness):
“Should induces guilt, and decreases your desire to do what you otherwise might want to do.”
That’s an empowering insight to share in a marriage counseling or management coaching session, you may think - but in cybersecurity?
What IT security content writers can learn from marriage counselors
Don’t get me wrong, infusing our message with Snuggle-Plus Language Softener isn’t the solution either.
I’ve been writing about IT, and about information security in particular, for several decades now, first as a journalist and book author, then as a ghostwriter, blogger, and editor.
Considering how little the messaging has changed, all I’m saying is that it may be time to upgrade our communication skills as an industry the same way other security and safety-focused fields continue to improve theirs.
The good news is that we seem to be catching on to the problem. Slowly, but better late than never.
Steve Durbin, the chief executive of the UK-based Information Security Forum (ISF), has noticed this change, too. He pointed out the underlying problem in a recent ISF podcast episode on Influencing Security Behaviour:
“People don’t respond well to being told,” said Steve. “You get my buy-in much better by explaining to me than by telling me.” (TC 08:59 min)
His prediction: “We’re going to see a need for a very much deeper understanding of some of the psychological elements of why people do what they do.”
Until then, what’s the solution? Abandon “should” and “must” and “have to” in cybersecurity content, such as How-to and best practices blog posts, altogether?
Let’s be real. Most of us, including yours truly, use these words on occasion (even if we know better) to signal urgency and create a sense of obligation. We do so on a deadline, to save time, or simply because research says it works in headlines.
A more practical and effective solution than quitting “shoulds” and “musts” altogether in cybersecurity content is to use them sparsely. Can you think of an alternative? Deploy it. More often than not, it will make your content better.
Let’s look at a few such alternatives next.
From “should” to “show”
Instead of dispensing “should” advice or similar, we can choose from several alternatives, depending on the type of content. Here a three of my personal preferences:
- Show how an industry peer solved the problem. In a short customer story or case snapshot, describe why that person or organization took the desired action. One additional advantage of this method is that it provides social proof for what you are recommending.
Enterprise digital rights management company Fasoo used this approach in a blog post about insider threats in tech manufacturing (last four paragraphs).
- Can’t name customer names? It’s a common challenge many are facing in our space. One solution here is to apply a generalization. “Should” betrays wishful thinking - state facts instead.
Talk about those peers or leaders as a group who already took the step you suggest and describe the outcome.
A basic example: Instead of writing “IT security leaders in financial services should deploy [our product or service here], because... As a result, …”, we can use “Throughout the financial services sector, IT security leaders are now deploying [ditto], because… As a result, ...”
- Reframe instances of “CISOs should...” or “Threat hunters must...” (Google search examples) - or whatever the onus is you put on your specific audience persona - to minimize psychological reactance.
A straightforward way is to write in the second person and use verbs in the imperative mood when rendering advice or urging action. This particular method has three additional advantages: 1) It is shorter, 2) it’s assertive, thus reinforces (subject matter) authority, and 3) it removes ambiguity.
Yes, if you are a B2B cybersecurity writer who entered the field from marketing or journalism, the latter style may take getting used to. Military veterans who transitioned to creating IT security content, for example, seem to be more comfortable with it.
That’s at least my experience as an editor. As an aircraft pilot, I’ll use an example from the left seat to show the difference that particular communication style makes.
Short and to the point avoids ambiguity
Let’s say Air Traffic Control (ATC) told the Pilot Flying “You should turn left heading two-six-zero for traffic avoidance, after which you have to descend and maintain six thousand.“ (In the real world, they would use the FAA-conform “Turn left heading two-six-zero for traffic avoidance, descend and maintain six thousand.”)
That could lead to some serious head-scratching in the cockpit. “Should we? What happens if we don’t, and when? How urgent is this anyway? ATC is really long-winded and nice today. Who’s that chatty intern? Whatever it is, they don’t seem to be so sure either. ”
The point is, you don’t want to find out.
Like with ransomware. This is where words do matter.
The case for cybersecurity content that matters
Granted, words won’t stop ransomware. But as cybersecurity writers, we can make our content more credible and effective with help from science. Credibility, as B2B content marketing research shows, is key to engaging especially new site visitors.
Too many “shoulds” and “musts” in a blog post, email, or whitepaper indicate insecurity. In combination with other tell-tell signs, they can also signal that the content was cranked out by a beginner or a content mill (or by a beginner in a content mill).
It’s one cybersecurity content weakness among many that can reflect poorly on a company. I’ve written about some of the others here. Our communication capabilities as an industry are lagging behind the massive and rapid progress information technology has made over the past three decades, research confirms.
One could argue that B2B content quality, in general, has declined significantly during the same period. And one would be correct.
That’s not a new insight, though. I recommend reading Doug Kessler’s seminal rant Crap: the single biggest threat to B2B content marketing from 2013.
It’s also a lousy excuse if we compare our industry to other sectors where security and safety play a big role. The military and regulated fields like healthcare or aviation learn from each other.
They also draw on interdisciplinary research for continuous communication improvement. Surgeons and nurses, for example, now follow some of the same communication guidelines developed for airline cockpits.
Isn’t it time for information security thought leaders and content creators to follow their example and look at behavioral and communication research for guidance?
So let’s get serious about the words we use or don’t use to influence cybersecurity behavior.
The alternatives presented above make it easy to nip the “shoulding and musting” in the bud, before it can blossom into the unhealthy writing style that is a hallmark of bad cybersecurity writing.