Storytelling to Improve Your Organization's Security Culture [PODCAST]

The latest podcast episode of Security Masterminds features our special guest Jim Shields, Creative Director at KnowBe4. He sat down with our hosts, Erich Kron and Jelle Wieringa, to discuss storytelling to improve an organization's security culture. Listen to a quick snippet of the conversation with Jim below, and catch the full episode on Buzzsprout.


Storytelling To Convey Cybersecurity Concepts for Training & Awareness Programs


Throughout our lives, we remember the happy times of adopting a pet or the birth of a child, the sadness of a child leaving home or the passing of a loved one, or even scary times of a car accident or natural disaster. We can remember these events vividly and most times end up retelling the story repeatedly to friends, family and colleagues. 


However, we have trouble remembering what we had for lunch yesterday or possibly where we left our car keys. Why is that? What is it about the emotional times that makes us remember and the everyday issues not so much? There are hundreds of studies on emotions and their impact on learning and memory. One study explains that emotional stimuli can consume more attentional resources in our brains than non-emotional events, linking physiological and behavioral responses that are personally significant.


Using stories makes it easier to pass on information, and stories tend to evoke an emotional response that helps people remember better.


Within an organization's cybersecurity awareness training programs, storytelling can be a way to get people to become more aware of various concepts by using comedy or drama to emphasize that topic. From personal experience, when I fell for a phishing attack, it was 11:59 a.m. on a Wednesday, and I was waiting on a customer to connect on a Zoom call. We were going to discuss an upcoming presentation, and as usual, I had my email closed on my work laptop. However, my phone was on a cradle in front of me, and it popped up with a preview of an email that came into my inbox. The email stated I had somebody waiting on a Zoom call. I was already in the Zoom call, so I knew something was wrong. My initial thought was, "Oh no, my customer has connected to the wrong call." So, I opened my email, and of course, the Zoom email was right there at the top. I clicked on the link to connect to the Zoom call.


What happened next was puzzling and the beginning of a frustrating series of moments. A window that opened was a login window for the organization asking for my user credentials. It was at this point I realized that something was very wrong. It should have automatically opened the new Zoom meeting because I was logged into Zoom. The only explanation was that it was an internal phishing assessment. And so, as a cold sweat ran down my back and my level of anger and frustration started to rise, I went back and looked at the email. I hovered over the link, and sure enough, it was not a Zoom link, but it was one of our internal simulated phishing links. I was frustrated and angry and realized "Yep, they got me." 

The learning moment was certainly to ALWAYS check the links in emails because you never know when you will fall for a real phishing scam. That phishing attempt happened about ten months ago, and I can recount that story because of the emotional impact that occurred within me in those short few minutes. This story is also shared in my presentations regarding phishing attacks because even cybersecurity professionals fall for them!


People will tell you when they fell for a phishing scam because of the initial emotional impact of shock or fear when they clicked and discovered it was an internal phishing test. Ironically, if it were a real phishing scam, the user might not realize it, as the cybercriminal wants to steal their credentials or gain access to their machine.


Whether we are telling a horrible dad joke (check out my YouTube for some good tech dad jokes), hearing a sad story about losing a loved one, or hearing about someone having a fun experience, these emotional reactions and their link to memory make a strong case for using stories with emotions to get users to remember a particular cybersecurity concept.


In the full episode, Jim discusses the importance of storytelling, how comedy and drama impact your stories, and what lies behind a successful marketing campaign for your security awareness program.


Listen to the Latest Episode of Security Masterminds Now!


Don’t like to click on redirected URLs? The episode is available on all your favorite podcast platforms, by searching for Security Masterminds, or access it via this direct link:
