Stories: your organization’s best (evolutionary) defence against cybercrime

25 Oct 2017 02:54 PM

Blog posted by: Jerome Vincent, 25 October 2017.

Ship in a bottle on top of a stack of leather-bound books

Jerome VincentCybercrime is a lucrative business. And not just for the hackers. The figures of how much the cyber security market is worth – and will be worth – vary, but they’re all huge. It’s said that $75 billion was spent in 2015. That by it’ll be $155.4 billion in 2019. Maybe $231.94 billion by 2022. Any advance on $231.95 billion?

Apart from the fact that those forecasts seem way too precise, the figures hide a simple problem: organizations of all kinds are focusing too much time on technology. Cybercrime isn’t only a technical problem. Anti-virus software and elaborate technical defences can’t get around the simple fact that most cyber breaches are down to people making mistakes. Clicking on the wrong thing. Falling for social engineering. Being curious.

There’s little emotional context to organizational resilience. Sure, we worry about our personal devices – a little – but we’re still careless with how we access and share sensitive information. I know I am. I bet you are too.

Writing AXELOS' Whaling for Beginners

When I was asked to write a story about a man who fell for a ‘whaling’ attack (phishing targeted at a high-ranking executive) I imagined there would be a lot of stories in a similar vein. There weren’t. Most cyber security training for ordinary employees (i.e. non-IT people) was a series of do’s and don’ts and technical explanations that were either a little patronizing or too technical to be engaging.

I wrote Whaling for Beginners – a four-part series of short books, three of which have been published by AXELOS RESILIA, with the last one forthcoming – to try and ground the whole issue of cyber resilience in human experience and emotion. All crime is, for the victim at least, emotional. Loss of goods or information hurts our egos, our very souls. We feel duped or stupid. We feel violated. That’s true of a burglary as well as a raid on your private data inside a computer or a device.

The importance of stories in cyber awareness training

But, stories are rarely used in the training that people get on the subject. There should be more of them. Not just because I tell stories, but because stories are what make us human. We spend our lives immersed in them: from our families, on TV, in newspapers, magazine and novels, and, increasingly online. We binge-watch Netflix series, we stream movies, download episodes of programmes we were too tired to watch the night before so we can catch-up with them on the commute into work... We never stop seeking out stories. And it’s not just entertainment. It gives us an evolutionary advantage.

Brian Boyd, Distinguished Professor in the Department of English at the University of Auckland, agrees with me. Well, I agree with him. His book, On the Origin of Stories: Evolution, Cognition and Fiction, shows how stories bring us together – think campfires on the savannah in prehistoric times – to form stronger groups that follow rules and mores inculcated by communal stories about good and evil. Stories are fundamental to way we learn – not just language but social relations and hierarchies, how to think through problems, what to do and what not to do, and how to face the world as we find it.

How telling stories can help fight cybercrime

All those elements make up most of the plots you can think of. Some people say there are only seven stories anyway. Stories rouse our emotions, teach us how to engage with people who want to help us, and those who threaten us as individuals, families or social groups.

Cybercrime touches on all those things. Even if we’re not that attached to the organization we work for, we understand that a threat to its wellbeing is, ultimately, a threat to ours. A story gets that across much more effectively than a memo or a PowerPoint presentation.

So, you can use evolution to help defend your business and empower your staff by telling them stories.

About Jerome Vincent

Jerome Vincent has been a script and copy writer for many years and has written widely about corporate technology issues for many of the world’s leading multinationals. He has also written copy and films for heritage sites and museums, including Hampton Court Palace, The House of Commons, and The Tower of London, amongst others.

Want to read the Whaling for Beginners series?

You can find out more about our first three books on our Whaling for Beginners page.

You can also visit to download our free brochure with more information on our cyber security awareness training modules.