The Curse of Cybersecurity Knowledge

The curse of knowledge is a cognitive bias that occurs when someone is trying to communicate information to another person, but falsely assumes that the other person has the same level of knowledge or understanding of the topic. This can lead to the communicator overestimating the other person's understanding of the subject, and thus not providing enough detail or explanation. As a result, the message may not be understood or interpreted correctly, leading to confusion and frustration.

In 1990, Elizabeth Newton earned a Ph.D. in psychology at Stanford by studying a simple game that was music to her ears. She assigned people to two roles: “tappers” or “listeners.” Tappers received a list of twenty-five well-known songs, such as “Happy Birthday to You” and “The Star-Spangled Banner.” Each tapper was asked to pick a song and tap out the rhythm to a listener (by knocking on a table). The listener’s job was to guess the song, based on the rhythm being tapped – kind of like a game of musical charades.

Before beginning, Newton asked the tappers to predict the odds that the listeners would guess correctly. They predicted that the odds were 50 percent. However, surprisingly, only 1 in 40 times was the listener able to guess, a mere 2.5%.

When a tapper taps, that person is basically playing a game of 'Name That Tune' in their head. Go ahead and give it a whirl – tap out “Happy Birthday.” It is almost impossible not to hear the tune in your head. But unfortunately for the listeners, all they can hear is a bunch of seemingly random taps, like a strange version of Morse Code.

This caused much frustration among the tappers, who often said such things as, “Is the song not obvious?” or “How can you be so stupid?”

Tappers have been blessed with knowledge, but cursed with the inability to understand what it is like to not know what they know. It is like they have the Curse of Knowledge – once they know something, it is hard to imagine what it was like before they knew it. This makes it difficult for them to share their knowledge with others, since they cannot easily put themselves in the shoes of their listeners. Ah, the woes of being a tapper!

I am sure you can see where I am going with this and how this is relevant to cybersecurity. How many times have you heard a cybersecurity colleague bemoan a stupid user, or how something was obvious, or even how they have been trying to teach them something for years, but they just do not understand? 

The problem is that they are cursed with cybersecurity knowledge. What has become common knowledge for them is not so common for others. Even worse, we sometimes make recommendations with the underlying assumption that the people hearing the message will understand the context, which is a bit like telling someone the punchline without the joke.

So how do we rectify this? 

  1. We need to acknowledge that the curse of knowledge exists in every communication, especially in cybersecurity. 
  2. Have empathy for your users, put yourself in their shoes and address their needs. 
  3. Simplify the message and make it as concrete as possible. Measure the success or not, adapt, and then repeat. 

The more our cybersecurity messaging has excellent production values, engaging delivery and relevant, audience-centric topics, the more we lessen the curse of our knowledge.

Start by reducing the curse of your knowledge by implementing new-school security awareness training. KnowBe4's ModStore has thousands of engaging and awesome pieces of content which will have your users coming back for more, and understanding the topics they really need to.
