Language makes us tick – how do we make security training stick?

Today, the world speaks about 6,500 different languages. English and French are often considered world languages, but the languages of India and China are by far the most spoken languages due to the large population in these countries. While English remains a dominating language for science and business in the Western world, in reality, it is most speakers’ second language. But, what even is language, and why does that matter for the cybersecurity profession and security awareness training industry?

The Encyclopedia Britannica defines language as

a system of conventional spoken, manual (signed), or written symbols by means of which human beings, as members of a social group and participants in its culture, express themselves. The functions of language include communication, the expression of identity, play, imaginative expression, and emotional release.

Language is more than just communication, and communication is more than just language. We know this. Any spoken word is spoken in context, and any quote out of context might carry a meaning different from the originally intended message altogether. If that is the case, then the language of business, decision-making, and security training matters.

Speaking the Language

But, what is the right language to train employees and make decisions? The judgment on whether that is English, a local language, or something between is still up for discussion.

Communication and messaging are key for successful security awareness training. The communicator must find the appropriate voice to position, plan and execute a program. Help is available from plenty of resources that explore effective communication and messaging. This is also true for a lot of content on security awareness training. These resources use ideas conceptualized in English, many people’s second, not first, language.

Vendors translate training and information materials. Consideration of multilingual business environments beyond translated content and product offerings is lacking. But, is that enough? And, how do you make best use of multilingual content?

Many people use both – their first language in their everyday life and English as their business language.  Business leaders make important decisions after having discussed relevant information in English. When it comes to learning, English terms and acronyms are not always translated. After all, English is the dominant business and scientific language.

What are the implications of multilingual contexts on learning and decision-making? Read on to learn about the effect of English as a foreign language on people in business. We will explore risk perception, decision-making and team building. These are all aspects of an organization’s cybersecurity posture.

The Role of Language

Language influences power dynamics at work. Employees routinely report on their progress to those in charge, their managers. The opinion of a project manager weighs differently than that of a project member. A senior software architect’s input is more important than that of a junior engineer.  Employees might also hold unofficial roles that contribute to a team’s social dynamic. Their ability to do so depends on their language skills. Most of those who speak multiple languages have seen or experienced this at some point. The opinion of someone less eloquent could be quickly disregarded.

Difficulties in communication between employees can also be more subtle. Stress, rhythm and intonation differ between languages and even speakers of the same language. Linguists call these pragmatic and prosodic aspects of a language. Features of a speaker’s language matter. Their emotional state, the form of utterance (question, statement or command), and the presence of irony or sarcasm shape the message. Many of us have experienced the importance of these features. Once, I found myself in a meeting room in London (UK) that had “no figurative speak” signs on the walls.

Establishing a shared language is key. Leaders must raise awareness for global communicative competence among all English speakers.  Is it not more important to get a message across than speaking in a grammatically correct way? Good communicators are empathetic of their communication partners’ practices. They foster trustful relationships and increase productivity through communicative competence.

Global communicative competence is most important for executives. Without it, negative effects on decision-making and work progress are likely. For example, disagreements might not be articulated as their contribution in meetings suffers. Effective communication creates trust. Trustful relationships make productive teams.

The Limits of Language?

Communicating in your second language affects your risk perception and your decision-making. The influence reaches beyond the ‘classical’ language barrier of misunderstandings and misinterpretations. Some research suggests a disconnect of emotional processes from moral considerations. Imagine yourself trying to enter a museum. Instead of kindly asking you to buy a ticket, the personnel might swear at you. How insulted would you feel? Some years ago, I found myself in a comparable situation. I realized later that I had not reacted as I would have in my first language. I had been far less impulsive and blunt. This disconnect may stem from “unemotional” learning environments, e.g. a classroom.  It occurs to a different extent in different people.

This disconnect is important. One behavior researchers investigate is indiscriminate risk taking. People take more risky decisions when deliberating in their second language. Yet, studies only showed marginal effects. Other studies suggest strategic risk-taking as an alternative hypothesis. Imagine you are playing a round-based game of accumulating wealth. Each round, you either need to pay $1, or you toss a coin to either lose nothing or $1.50. Your expected value for the second option would be a loss of $0.75. People in this scenario are more likely to take beneficial risks than risks with a safe alternative. Neither theory has been accepted so far.

One fact emerges, though. People facing problems in their second language make more unbiased judgments than people facing problems in their first language. There are moderating factors that intuitively apply. Think of language proficiency, bilingualism, or social context. Still, the language used for deliberation influences risk perception.

Let us assume language affects risk perception and decision-making in the ways described above. Then, there is a benefit to training and educating people in their second language. There is also value in approaching business decisions using a foreign language.

Shaping Training and Making Smart Decisions

Implications result for communicating with executives and employees alike. We suggest the following considerations for the delivery of training.

  • Use localized rather than translated content. Localization addresses cultural and non-textual factors of your region. Be aware of your employees’ first languages and their cultural contexts. For example, something that is appalling to a person from the UK is not appalling in the same way to someone from the U.S. Differences will be even starker between languages.
  • Raise awareness for the phenomenon of emotional disconnect among your employees. Prepare your employees by offering multilingual training. A phishing email in someone’s first language will be perceived differently than an email in their second language.
  • Prepare your employees to do the right thing when emotionally triggered in either language. Emotions are strong triggers for actions. Use them ethically and avoid adverse action, e.g. not reporting an incident out of shame
  • Vary the language and use continuous training. There is a benefit of training users in different languages. More mindful decision-making leads to better outcomes.
  • Be pragmatic about establishing a company-wide communicative competence for security awareness. This extends beyond your business language and can include terms from various languages.

No security awareness program can be successful without executive support. Obtaining that support is a key task. Think about the story you are telling to convey the need for a security awareness program. It also matters in what language you are telling this story. I would offer the following suggestions.

  • Use an executive’s first language to check their understanding of important concepts and related risks. Make sure there is no emotional disconnect. This will challenge executives to work through language transfer in their head. It invokes varied evaluation and decision-making processes.
  • Get your executives to define company-wide communicative competence for security awareness. Decision makers must establish and become well-versed in a shared language. This language is the foundation for competence building in the organization.
  • Establish a shared language for security awareness training. Learning outcomes across the organization will be higher. This common language is a prerequisite for establishing a security culture approach.
To top