Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Condescending Corporate Communication

advertisement 
Condescending Corporate
Communication
How to stop talking down to people
Blogs
• Credible but not convoluted
Write with confidence and refinement but not
too technical
• Conversational but not casual
Genuine and clear without being too casual
• Understanding but not sentimental
Use language that is empathetic and helpful
• Stay away from the acronyms
ComplianceWeek does it right
Paragraphs with no
more than a few
sentences
Use dashes to
draw attention
Use contractions
for easy
accessibility
Paper
ISACA Jonline 2014 Volume 2:
Security Policy—Keys to Successful
Communication
Success
• To be successful:
– Know your reader
– Write for that audience
– Remember that comprehension varies – culturally,
educational range, age, interest level
Remember that the onus is on you to write for
the reader
Why this is important
• ISO 27002: an adequate level of
awareness, education, and training
in security procedures must be
provided and that employees,
contractors and third parties are
properly briefed on their
information security roles and
responsibilities prior to being
granted access to sensitive
information or information
systems.
Too often the reality is different
The employee is left to
his/her own devices to
discover the relevant
portions of a policy, read
and then understand the
contents lest he/she suffer
the consequences of
noncompliance.
This effort would be largely successful if policies were
written in such a way as to facilitate understanding from
the policy audience at large. Instead, many are written at
reading levels that surpass the ability of the average
employee to comprehend.
Recurring Theme: Reading Level
Key study (School Renaissance Institute and
Touchstone Applied Science Associates, 2010)
showed that that readers comprehend written
information best when it is written at their reading
level.
Studies show that people
comprehend at two grade
levels lower than the
highest grade level attained
US Census Bureau – all surveyed regardless of working status
Reading Level
Reading Level for working population
65%-75% read at 10th grade level
(National Center for Higher Education Management Systems)
NCHEMS Workforce Study
74.9% of all population in the active US
workforce graduated from high school
37% achieved an Associates or better
Results
Only one quarter to one third of workers read at a high school graduate or higher level
Grade
9
Grade
9
Grade
9
Grade
10
Grade
7
If only 25%-35% of the workforce will
understand and comprehend the policies you
write, doesn’t it make sense when they fail?
Should we hold people accountable to policies
that they can’t understand?
Roadblocks to Comprehension
• Research has shown that Acronyms and
abbreviations are barriers to understanding
• Fluency is an important and potentially
independent factor that contributes to
comprehension skills
– This applies to language (ESL)
– Fluency in technical jargon, such as acronyms and
industry concepts, cannot be assumed
Practical Example
• My company employs around 1,400 staff
– 65% are machine operators and other unskilled workers with no
requirement for post-secondary education
– The other 35% have at least some post-secondary education
– Staff are scattered across the US
• Policies are hosted on an intranet site (wiki) and training is
conducted annually (CBT)
• Hyperlinks used to:
– connect policies to standards and baselines
– define terms and point to other resources
– show connections between policies
• The intranet portal allows each employee to search the
policies
Intranet Cont’d
• Policies are written at a 12-13 grade level
– Procedures that support the policy are written at
9-10 grade level and associates are trained on
them
– Standards and Baselines are full of terminology
and acronyms which are referenced via hyperlink
How do you tell at what grade level
you write?
Flesch-Kincaid
•
•
•
•
•
System was developed for the United States Navy in 1975 to test the electronic
authoring and delivery of technical information
Used by the United States Army for assessing the difficulty of technical manuals in
1978
Became the Department of Defense standard
Used in common word processors like MS Word
The Commonwealth of Pennsylvania was the first state in the United States to
require that automobile insurance policies be written at no higher than a ninth
grade level
– This is now a common requirement in many other states
•
Two measurements used: Reading ease (chart below) and Grade Level (American
grades)
Reading Ease Score
Notes
90-100
Easily understood by an average 11-year-old student
60-70
Easily understood by 13- to 15-year-old students
0-30
Best understood by university graduates
Gunning fog index
• Developed by Robert Gunning in 1952
• Designed to determine the years of formal
education needed to understand text on a first
reading
• Due to limitations in the formula, FleschKincaid is generally preferred over Fog
Coleman–Liau index
• Designed by Meri Coleman and T. L. Liau
• Relies on characters instead of syllables per
word
• Advantage is that it is easier to automate the
count of characters over syllables
Automated Readability Index
• Was designed for real-time monitoring of
readability on electric typewriters
• Like Coleman-Liau, uses characters not
syllables
PHP Readability Test Tool
Readability results from the ComplianceWeek Blog post:
Test
Score/Grade
Flesch-Kincaid Reading Ease
44.3
Flesch-Kincaid Grade Level
12.3
Gunning-Fog Score
15.8
Coleman-Liau Index
13.9
Notes
L = avg # letters/100 words
S = avg # sentences/100 words.
SMOG Index
11.8
Automated Readability Index
12.8
Average Readability Level
13.3
http://vanamburggroup.com/tool-readability-test.php
Word Lists
• Oldest method used to determine reading
comprehension
• Top 1,000 words list (Wikipedia maintains)
• Approach recorded as early as 2,000 years ago
• Experimentally validated in early 1900s
• Word lists are used to define writing styles for
authors of Readers Digest and other
magazines designed to be read by the largest
audience
Examples
Georgia Technology Authority: Information Security
Technology Risk Management Policy
PURPOSE
“Risk” is the net negative impact of the exploitation of a vulnerability, considering both the probability
and the impact of occurrence. “Risk management” is the process of identifying risk, assessing risk,
and taking steps to reduce risk to an acceptable level. An effective risk management process is an
important component of a successful IT security program and an essential management function of
the organization.
The principal goal of an organization’s risk management process is to protect the organization and its
ability to perform their mission. It fosters informed decision making, allowing the security
management organization to balance the operation and economic costs of protective measures and
achieve gains in mission capability.
This policy requires agencies to take a risk-based approach to securing their information systems.
POLICY
Each agency shall institute an organization-wide risk management approach to information security
that assesses the risks (including the magnitude of harm that could result from the unauthorized
access, use, disclosure, disruption, modification, or destruction) to information and information
systems that support the operations and assets of the organization.
Each agency shall develop policies, procedures and select cost-effective controls (based on the risk
assessment) that reduce information security risks to an acceptable level and ensure information
security is addressed throughout the lifecycle of each organization’s information systems.
Item
Notes
Reading Ease
Best understood by university graduates
Grade Level
Post Doctorate
Make it more readable
Original text
“Risk” is the net negative impact of the exploitation of a
vulnerability, considering both the probability and the impact
of occurrence. “Risk management” is the process of identifying
risk, assessing risk, and taking steps to reduce risk to an
acceptable level. An effective risk management process is an
important component of a successful IT security program and
an essential management function of the organization.
Reading Ease
Best understood by university graduates
Grade Level
Post Doctorate
Slight modification
“Risk” is the possibility that something bad or unpleasant (such
as an injury or a loss) will happen because of being vulnerable.
The amount of risk is determined by figuring out how likely the
possibility is to occur and how bad it will be. “Risk
management” is how we identify risk, assess risk, and figuring
out how to make it less likely that something bad will
happen. It is important for us to have a risk management
program as a part of our IT security program and it is essential
to have it in the organization.
Reading Ease Best understood 17-18 year old students
Grade Level
12th
More from GTA
Definition of “Access Management”
Access Management - The process responsible for allowing users to make use
of IT Services, data or other assets. Access Management helps to protect the
confidentiality, integrity and availability of assets by ensuring that only
authorized Users are able to access or modify the assets. Access Management
is sometimes referred to as Rights Management or Identity Management.
Reading Ease
Best understood by university graduates
Grade Level
Post secondary degree
Definition of “Malware”
Malware, malicious code, malicious software - refers to a program that is
inserted into a system, usually covertly, with the intent of compromising the
confidentiality, integrity, or availability of the victim’s data, applications, or
operating system or otherwise annoying or disrupting the victim. Major forms
of malware include but are not limited to: viruses, virus hoaxes, worms, Trojan
Horses, malicious mobile code, blended attacks, spyware, attacker backdoors
and toolkits.
Reading Ease
Best understood by university graduates
Grade Level
Post secondary degree
SunTrust Privacy Policy
Your privacy is our priority
SunTrust understands that financial information protection is
important to you, especially in today’s online environment. With
SunTrust's Privacy Policy, you can be assured that we use information
responsibly to provide you with the services you request, and to make
doing business with SunTrust easier and more convenient.
Three things to know about financial information protection at
SunTrust:
•Because trust is critical to a solid financial relationship, SunTrust
outlines exactly how and when your personal information is used in
our SunTrust Privacy Policy. (Note: Adobe Reader is required to view
the privacy policy documentation. Click here if you need to download
Adobe Reader.)
•You may have different ideas and expectations about privacy, which is
why our consumer privacy preferences make it easy to further limit
how your information is shared.
•Privacy and security are a must when banking online. Our online
privacy practices explain exactly how SunTrust collects, uses and
protects information about your online activity.
•The most effective privacy protection is the precautions you take to
guard your account and personal information. Review our privacy
resources to learn how to protect your information.
Item
Notes
Reading Ease
Best understood by university graduates
Grade Level
Freshman in college
Google memo
This Tuesday (1/21), the San Francisco Municipal
Transportation Agency (SFMTA) Board will meet to vote on
the proposed shuttle regulations we told you about last
week. The hearing will take place on January 21 at 1pm PT
at San Francisco City Hall (room 400). While we recognized
that many of you won't be able to make it during the
workday, we encourage any interested Googlers who live in
San Francisco to speak in favor of the proposal (please
RSVP here if you are planning to attend). While you are not
required to state where you work, you may confirm that
Google is your employer if you are so inclined.
If you do choose to speak in favor of the proposal we
thought you might appreciate some guidance on what to
say. Feel free to add your own style and opinion.
*I am so proud to live in San Francisco and be a part of
this community
*I support local and small businesses in my neighborhood
on a regular basis
*My shuttle empowers my colleagues and I to reduce our
carbon emissions by removing cars from the road
*If the shuttle program didn't exist, I would continue to
live in San Francisco and drive to work on the peninsula
*I am a shuttle rider, SF resident, and I volunteer at…..
*Because of the above, I urge the Board to adopt this pilot
as a reasonable step in the right direction
Item
Notes
Reading
Ease
13- to 15-year-old students
Grade Level
Sophomore in High School
Conclusion
• When we use terms and concepts that cannot
be understood, and we demand compliance,
we appear to be condescending
• Empathy is as important a skill when writing
policies or other corporate communication as
is a large vocabulary
• It is important to know your audience
Related documents
“Contrasting the early 19th versus early 21st Centuries”
“Contrasting the early 19th versus early 21st Centuries”
Central Missouri Cardiovascular Associates P
Central Missouri Cardiovascular Associates P
Privacy Confidentiality Minor
Privacy Confidentiality Minor
Product Comparison Template
Product Comparison Template
IAPP presentation - International Association of Privacy Professionals
IAPP presentation - International Association of Privacy Professionals
Maintaining Privacy and Dignity in Care (Fiona Throp)
Maintaining Privacy and Dignity in Care (Fiona Throp)
Download
advertisement