- Affinity – they like you and trust you and would probably listen to anything you say
- Required to listen:
  - Structural reasons – you outrank them
  - Checkbox – there is a regulation, standard, or social pressure, and the audience wants to be able to point and say "we did the thing"
  - Someone else told them they had to – most common in lower-level employees or end-users when security training is required
- Fear – they saw something in the news, heard a story from a friend, and are afraid that they are vulnerable, so they wanted to talk to you
- Legitimate interest – the holy grail that frequently goes along with affinity; the person speaking to you is legitimately curious about security and wants to learn more

Affinity

This will likely be framed as "tell me about what you do" rather than "tell me what I need to do." Affinity is great to start a conversation, but it can lead to polite listening rather than active listening. This type of audience won't necessarily be thinking about how what you're saying applies to their lives, so you have to draw that picture very clearly for them.

Someone else told them they had to listen

In some ways, this can be your best-case scenario because it's structured and planned. You have time to prepare and can follow an outline or script. Also, these are typically mandated trainings, so you know that people will actually show up. The downside is that your audience probably isn't psyched to be there. With a reluctant or captive audience, your first step should be to build affinity or trust. Building one or both of these will increase the chances they'll pay attention and that they'll take your recommendations.

Fear

"I saw such and such on the news, could that happen to us?" or, even better, "Do we have a blockchain?" The key to this sort of conversation is that they're talking to you to assuage their fears. They want to hear "we're good, no need to worry." A key to persuasion is to move from a negative emotion to a positive one. You can start the conversation by saying "yes, we are at risk," but you can't keep it there. Move the conversation to a more positive, maybe hopeful, place – "we are at risk, but here's how we can be more secure." If they feel worse after speaking to you, they won't do it again.

Encourage this sort of behavior regardless of who is doing it – end-users, executives, family and friends. Anytime someone shows an interest in security, they should be encouraged. Try to think about their motivations for asking so you can tailor your response. If they heard about a new technology that's totally inappropriate for the situation, redirect to something actually useful – "Yes, that's super cool. Have you heard about this though?" Match enthusiasm with enthusiasm; reassure them if they're afraid.

These are just some basics for tailoring infosec communication to different audiences. I go into a lot more detail here.