Cyber attacks are on the rise, but individuals and organizations often fail to implement basic security practices and technologies. Cybersecurity advocates are security professionals who encourage and facilitate the adoption of these best practices. To be successful, they must motivate their audiences to engage in beneficial security behaviors, often by overcoming negative perceptions that security is scary, confusing, and dull/not relevant. However, there has been little prior research to explore how they do so. To address this gap, we conducted an interview study of 28 cybersecurity advocates from industry, higher education, government, and non-profits. Findings reveal a variety of real-world techniques that cybersecurity advocates employ to reach their audiences, overcome negative perceptions, and encourage good security practices. The research also permits an investigation into how advocates leverage general risk communication practices and where they have security- specific innovations. These practices may help inform approaches to security awareness and education.
cybersecurity, adoption, advocacy, usability