Security Communications: Lessons from the National Weather Service

Security communicators can learn some lessons from national disaster communication. Motherboard interviewed Eli Jacks, chief of the National Weather Service’s Fire and Public Weather Services branch in The National Weather Service Wants You to Be Scared of This Blizzard, and Jacks shared many important elements of their communication strategy.

“We want people to notice and take action.”

This is a key goal of the NWS, and clear action items are necessary to fulfill this goal.

“the average person doesn’t always know how to interpret the warnings and think it’s like some of our other ones.”

Communicating the appropriate level of risk is a key challenge, because it helps people decide whether taking action is a high priority for them.

“Overhyping this potential storm and having it underwhelm is less of a risk than not adequately warning people.”

The NWS also must make this intentional choice when communicating because storms can cause death, injury, and massive power outages. It is better for people to overprepare and be unaffected than underprepare and die.

“It’s almost less important that we actually get the call perfectly right than the public responds to it and perceives it as being dangerous.”

Alongside overhyping a storm, the NWS chooses to focus on getting a message out rather than making it perfect. Storms are time-sensitive, and it is often most important to get the message out, and fast.

“better targeting our messaging so that we’re reserving dire warnings for when they’re really going to occur.”

Since weather is all about forecasting, this is perhaps a natural future goal of the NWS. Overhyping a storm is okay once in awhile, but accurate predictions are vital to get people to trust and consistently take action when they should.

To distill these lessons, there are three main challenges when communicating threats, whether they are security vulnerabilities that threaten cyber security or weather patterns that threaten people’s lives.

  1. Get people’s attention. It’s important to reach as many as possible who might be threatened by a weather pattern, just like the first step in helping people stay safe in the face of a security vulnerability is getting the attention of those who are affected and need to take action. The urgency of a message (if the weather system is growing in power, or if criminals are actively exploiting a severe vulnerability) is key to assess when your message needs to reach a lot of people.
  2. Write accurate and easy-to-understand calls to action.
    • Use clear language to accurately express the severity of the situation. The more accurate your communications, the more you will be seen as a trustworthy and reliable source.
    • Avoid histrionics when writing calls to action, but don’t be too conservative when describing the risk. Help people understand the severity of the situation by including risk factors. For example, you would be more at risk during a hurricane if you live near the coast or in a flood-prone region. Similarly, you would be more at risk for heartbleed if you reuse passwords across accounts and websites.
    • Make it clear what people can do to protect themselves and prepare for future threats.
  3. Avoid alert fatigue. If you notify people too often about dangerous weather patterns (or security vulnerabilities) that in the end, don’t turn out to have much of a noticeable effect, you may lose the trust of your audience, or they may lose the energy to react properly in the face of constant security (or weather) threats.

The first challenge, attention-getting, helps explain why so many serious security vulnerabilities are communicated to the public with catchy names, dedicated websites, and even logos. Names, websites, and logos make it easier to get the attention of an affected audience and the media. As message targeting improves, this challenge may be simpler to address.

The second challenge is the most difficult to address. Security communications exist solely to drive remediation of security vulnerabilities. Whether people must patch systems, take them offline, or implement a workaround, that information must be shared as quickly, accurately, widely, and simply as possible. Not easy to do.

Higher-profile security vulnerabilities also help provide a risk gauge for future vulnerabilities, easing the effect of the third challenge, alert fatigue. While the quantity of alerts is still important to monitor and restrain when possible, providing a risk factor (even a relative one based on higher-profile vulnerabilities) makes it easier to process the severity of a security issue.

Names for security vulnerabilities are valuable when addressing the three primary security communication challenges above, but naming carries risks that you must be aware of when communicating.

  • Naming something gives it power. A name is a lot easier to track than an archaic set of technical terms or a string of letters and numbers. For example, the FREAK attack, has both a scary (and thus memorable) name and is much easier to remember than “Factoring RSA Export Keys,” the more technical description of the vulnerability. CVE identifiers are necessary, but not easily to remember.
  • Names encourage media attention. This can lead to more attention than a vulnerability warrants, and overblown fear. Because of this, it’s important to gauge the severity and the impact of a security vulnerability before naming it. Any awareness is usually better than none when it comes to computer security, but avoiding alert fatigue is key.
  • Names must be intentionally chosen. What you choose to name something is important, because if the words in the name are frightening (like FREAK), they will provoke a different reaction than you might want or need. A name should prompt recognition and response, rather than fear and panic.

Whether you are the protecting the nation from severe weather patterns or alerting your community to security vulnerabilities in your product, the National Weather Service provides a good model for effective threat communication. It’s difficult, but possible with careful consideration of the challenges and risks involved.