How using tactical literacy makes it harder for cybercriminals to fool end users

End users just want to do their job, not become cybersecurity experts. When providing users with cybersecurity help, keep these tips in mind.

Internet and online network security system. Laptop computer with lock icon on screen and application programming interface icons

Image: Getty Images/iStockphoto

For many years, IT professionals have been trying to turn everyone who uses a computing device into a tech-savvy superuser who understands precisely what's needed to stay safe while traversing the internet. People have indeed become superusers, but not necessarily super secure. To make matters worse, if users are concerned about cybersecurity, the solution they need is likely buried on some tech speak website and impossible to decipher. 

For example, parents wanting to know about smartphone security and privacy, do not need to know the difference between a stateful and stateless firewall. 

SEE: Shadow IT policy (TechRepublic Premium)

How can tactical literacy help?

George Finney, chief security officer at Southern Methodist University and author of several books on cybersecurity, believes he has a solution. To eliminate the glut of information, Finney, in the Forbes article Tactical Literacy: How We Can Overcome Ignorance In Cybersecurity, suggests we embrace "tactical literacy." As to what that means, let's start by defining tactical and literacy with regards to cybersecurity.

  • Tactical is defined as being of or relating to a maneuver or plan of action designed as an expedient toward gaining a desired end or temporary advantage.

  • Literacy is defined as a person's knowledge of a particular subject or field; for example, to acquire computer literacy.

"The definition of literacy is that you can recognize the words on a page and be able to connect them to understand the greater meaning," writes Finney. "Tactical literacy means having a foundation of knowledge and a framework to be prepared to understand how risk and technology fit together."

Finney suggests a user should beef up their understanding of cybersecurity. This advice might be okay for someone in the IT department, though it's doubtful an employee who works in the shipping department or the parents concerned about their child's online security while using a smartphone will direct any of their valuable time to perusing cybersecurity websites. It's a good idea to share cybersecurity best practices with users and offer them security training.

SEE: Security Awareness and Training policy (TechRepublic Premium)

Next, Finney suggests locating a coach or mentor who can explain what is needed. This is a good suggestion, but beware, there is this psychological quirk we humans have called the curse of knowledge, and it often comes into play when dealing with cybersecurity. Everyone has bumped into it. For example, when a computer issue comes up, who do you prefer to ask for help, and why do you choose to work with that person? 

See if the following sounds familiar: Let's say you would prefer working with Karen and not Michael. Karen understands this is not your field of expertise and explains what happened and what to do in comprehensible terms. While Michael may be thoroughly familiar with what's wrong, he usually explains why and what to do in language that only computer technicians understand. 

It is easy to see that Karen avoids the curse of knowledge, whereas Michael does not. Karen would explain what is required--nothing more, nothing less--because she understands tactical literacy.

Chip Heath and Dan Heath, in their Harvard Business Review article, The Curse of Knowledge, suggest that concrete language and storytelling defeat the curse of knowledge, making what is to be done more understandable and improves retention. This helps all involved to speak from a common platform and language.

Final thoughts

Finney appears to be on the right track. Computing and internet technologies are not going to get less complex anytime soon. That means we will continue to be plagued by cybercriminals who can exploit vulnerable devices and software because they understand both, and we do not. 

Also see