Language Shapes Security Culture
Most security awareness programs fail not because of bad content, but because of bad language. The words we choose when communicating security policy determine whether people internalize the message or tune it out.
The Problem with Compliance Language
When we write security communications the way compliance documents read — dense, passive, full of jargon — we signal that this information is for auditors, not humans. The result is predictable: people click through training, ignore the email, and go back to reusing passwords.
A Different Approach
Robert Cialdini’s principles of influence offer a framework. Authority works when the messenger is credible. Social proof works when people see peers adopting the behavior. Commitment works when people make small, voluntary changes that compound.
Applied to security: instead of “All employees must complete phishing awareness training by Friday,” try “87% of your team completed phishing training this week — here’s what they learned.”
The Takeaway
Security culture isn’t a training module. It’s the accumulated effect of thousands of small communications that either build trust or erode it. Choose words that respect the reader’s intelligence and make the secure path the easy path.