Condescending Corporate Communication How to stop talking down to people.

Blogs
Credible but not convoluted
Write with confidence and refinement but not too technical
Conversational but not casual
Genuine and clear without being too casual
Understanding but not sentimental
Use language that is empathetic and helpful
Stay away from the acronyms

ComplianceWeek does it right
Paragraphs with no more than a few sentences
Use dashes to draw attention
Use contractions for easy accessibility

Paper ISACA Jonline 2014 Volume 2: Security Policy—Keys to Successful Communication

Success
To be successful:
– Know your reader
– Write for that audience
– Remember that comprehension varies – culturally, educational range, age, interest level
Remember that the onus is on you to write for the reader

Why this is important
ISO 27002: an adequate level of awareness, education, and training in security procedures must be provided and that employees, contractors and third parties are properly briefed on their information security roles and responsibilities prior to being granted access to sensitive information or information systems.

Too often the reality is different
The employee is left to his/her own devices to discover the relevant portions of a policy, read and then understand the contents lest he/she suffer the consequences of noncompliance. This effort would be largely successful if policies were written in such a way as to facilitate understanding from the policy audience at large. Instead, many are written at reading levels that surpass the ability of the average employee to comprehend.

Recurring Theme: Reading Level
Key study (School Renaissance Institute and Touchstone Applied Science Associates, 2010) showed that readers comprehend written information best when it is written at their reading level.
US Census Bureau – all surveyed regardless of working status
Studies show that people comprehend at two grade levels lower than the highest grade level attained

Reading Level Results
Only one quarter to one third of workers read at a high school graduate or higher level
NCHEMS Workforce Study
74.9% of all population in the active US workforce graduated from high school
37% achieved an Associates or better
Reading Level for working population
65%-75% read at 10th grade level (National Center for Higher Education Management Systems)

Grade 9 Grade 10 Grade 7

If only 25%-35% of the workforce will understand and comprehend the policies you write, doesn’t it make sense when they fail? Should we hold people accountable to policies that they can’t understand?

Roadblocks to Comprehension
Research has shown that Acronyms and abbreviations are barriers to understanding
Fluency is an important and potentially independent factor that contributes to comprehension skills
– This applies to language (ESL)
– Fluency in technical jargon, such as acronyms and industry concepts, cannot be assumed

Practical Example
My company employs around 1,400 staff
– 65% are machine operators and other unskilled workers with no requirement for post-secondary education
– The other 35% have at least some post-secondary education
– Staff are scattered across the US
Policies are hosted on an intranet site (wiki) and training is conducted annually (CBT)
Hyperlinks used to:
– connect policies to standards and baselines
– define terms and point to other resources
– show connections between policies
The intranet portal allows each employee to search the policies

Intranet Cont’d
Policies are written at a grade level
– Procedures that support the policy are written at 9-10 grade level and associates are trained on them
– Standards and Baselines are full of terminology and acronyms which are referenced via hyperlink

How do you tell at what grade level you write?

Flesch-Kincaid
System was developed for the United States Navy in 1975 to test the electronic authoring and delivery of technical information
Used by the United States Army for assessing the difficulty of technical manuals in 1978
Became the Department of Defense standard
Used in common word processors like MS Word
The Commonwealth of Pennsylvania was the first state in the United States to require that automobile insurance policies be written at no higher than a ninth grade level
– This is now a common requirement in many other states
Two measurements used: Reading ease (chart below) and Grade Level (American grades)
Reading Ease Score: Notes
Easily understood by an average 11-year-old student
60-70: Easily understood by 13- to 15-year-old students
0-30: Best understood by university graduates

Gunning fog index
Developed by Robert Gunning in 1952
Designed to determine the years of formal education needed to understand text on a first reading
Due to limitations in the formula, Flesch-Kincaid is generally preferred over Fog

Coleman–Liau index
Designed by Meri Coleman and T. L. Liau
Relies on characters instead of syllables per word
Advantage is that it is easier to automate the count of characters over syllables

Automated Readability Index
Was designed for real-time monitoring of readability on electric typewriters
Like Coleman-Liau, uses characters not syllables

PHP Readability Test Tool
Readability results from the ComplianceWeek Blog post:
Test: Score/Grade (Notes)
Flesch-Kincaid Reading Ease: 44.3
Flesch-Kincaid Grade Level: 12.3
Gunning-Fog Score: 15.8
Coleman-Liau Index: 13.9 (L = avg # letters/100 words, S = avg # sentences/100 words)
SMOG Index: 11.8
Automated Readability Index: 12.8
Average Readability Level

Word Lists
Oldest method used to determine reading comprehension
Top 1,000 words list (Wikipedia maintains)
Approach recorded as early as 2,000 years ago
Experimentally validated in early 1900s
Word lists are used to define writing styles for authors of Readers Digest and other magazines designed to be read by the largest audience

Examples

Georgia Technology Authority: Information Security Technology Risk Management Policy
PURPOSE
“Risk” is the net negative impact of the exploitation of a vulnerability, considering both the probability and the impact of occurrence. “Risk management” is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. An effective risk management process is an important component of a successful IT security program and an essential management function of the organization. The principal goal of an organization’s risk management process is to protect the organization and its ability to perform their mission. It fosters informed decision making, allowing the security management organization to balance the operation and economic costs of protective measures and achieve gains in mission capability. This policy requires agencies to take a risk-based approach to securing their information systems.
POLICY
Each agency shall institute an organization-wide risk management approach to information security that assesses the risks (including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction) to information and information systems that support the operations and assets of the organization. Each agency shall develop policies, procedures and select cost-effective controls (based on the risk assessment) that reduce information security risks to an acceptable level and ensure information security is addressed throughout the lifecycle of each organization’s information systems.
Reading Ease: Best understood by university graduates
Grade Level: Post Doctorate

Make it more readable
Original text
“Risk” is the net negative impact of the exploitation of a vulnerability, considering both the probability and the impact of occurrence. “Risk management” is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. An effective risk management process is an important component of a successful IT security program and an essential management function of the organization.
Reading Ease: Best understood by university graduates
Grade Level: Post Doctorate
Slight modification
“Risk” is the possibility that something bad or unpleasant (such as an injury or a loss) will happen because of being vulnerable. The amount of risk is determined by figuring out how likely the possibility is to occur and how bad it will be. “Risk management” is how we identify risk, assess risk, and figuring out how to make it less likely that something bad will happen. It is important for us to have a risk management program as a part of our IT security program and it is essential to have it in the organization.
Reading Ease: Best understood year old students
Grade Level: 12th
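The two character-based indices described above (Coleman–Liau and the Automated Readability Index) need no syllable counting, so a policy draft can be scored in a few lines. The following is an added example, not part of the original presentation; it scores the Georgia Technology Authority excerpt and its rewrite. The tokenisation rules and the grade-10 default target are assumptions, and the numbers will not equal the Flesch-Kincaid ratings shown on the slides.

```python
import re

# Policy excerpts quoted on the slides: the Georgia Technology Authority text
# and the presenter's "slight modification" (straight quotes substituted).
ORIGINAL = (
    '"Risk" is the net negative impact of the exploitation of a vulnerability, '
    'considering both the probability and the impact of occurrence. '
    '"Risk management" is the process of identifying risk, assessing risk, and '
    'taking steps to reduce risk to an acceptable level. An effective risk '
    'management process is an important component of a successful IT security '
    'program and an essential management function of the organization.'
)
MODIFIED = (
    '"Risk" is the possibility that something bad or unpleasant (such as an '
    'injury or a loss) will happen because of being vulnerable. The amount of '
    'risk is determined by figuring out how likely the possibility is to occur '
    'and how bad it will be. "Risk management" is how we identify risk, assess '
    'risk, and figuring out how to make it less likely that something bad will '
    'happen. It is important for us to have a risk management program as a '
    'part of our IT security program and it is essential to have it in the '
    'organization.'
)

def counts(text):
    """Return (letters, words, sentences) using simple character rules."""
    words = re.findall(r"[A-Za-z]+", text)      # assumption: a word is a run of letters
    sentences = re.findall(r"[.!?]+", text)     # assumption: a terminator run ends a sentence
    if not words or not sentences:
        raise ValueError("need at least one word and one sentence terminator")
    return sum(len(w) for w in words), len(words), len(sentences)

def coleman_liau(text):
    """Coleman-Liau index: L and S are letters and sentences per 100 words."""
    letters, words, sentences = counts(text)
    L = letters / words * 100
    S = sentences / words * 100
    return 0.0588 * L - 0.296 * S - 15.8

def automated_readability(text):
    """Automated Readability Index from characters/word and words/sentence."""
    letters, words, sentences = counts(text)    # sample text contains no digits
    return 4.71 * letters / words + 0.5 * words / sentences - 21.43

def over_target(text, target_grade=10.0):
    """True when either index puts the text above the target grade level."""
    return max(coleman_liau(text), automated_readability(text)) > target_grade

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("modified", MODIFIED)):
        print(f"{name}: CLI={coleman_liau(text):.1f} "
              f"ARI={automated_readability(text):.1f} "
              f"over grade 10: {over_target(text)}")
```

Long sentences raise the Automated Readability Index even when the words are short, so the two indices can disagree about whether a rewrite has reached the target.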

More from GTA
Definition of “Access Management”
Access Management - The process responsible for allowing users to make use of IT Services, data or other assets. Access Management helps to protect the confidentiality, integrity and availability of assets by ensuring that only authorized Users are able to access or modify the assets. Access Management is sometimes referred to as Rights Management or Identity Management.
Reading Ease: Best understood by university graduates
Grade Level: Post secondary degree
Definition of “Malware”
Malware, malicious code, malicious software - refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or otherwise annoying or disrupting the victim. Major forms of malware include but are not limited to: viruses, virus hoaxes, worms, Trojan Horses, malicious mobile code, blended attacks, spyware, attacker backdoors and toolkits.
Reading Ease: Best understood by university graduates
Grade Level: Post secondary degree

SunTrust Privacy Policy
Your privacy is our priority
SunTrust understands that financial information protection is important to you, especially in today’s online environment. With SunTrust's Privacy Policy, you can be assured that we use information responsibly to provide you with the services you request, and to make doing business with SunTrust easier and more convenient.
Three things to know about financial information protection at SunTrust:
Because trust is critical to a solid financial relationship, SunTrust outlines exactly how and when your personal information is used in our SunTrust Privacy Policy. (Note: Adobe Reader is required to view the privacy policy documentation. Click here if you need to download Adobe Reader.)
You may have different ideas and expectations about privacy, which is why our consumer privacy preferences make it easy to further limit how your information is shared.
Privacy and security are a must when banking online. Our online privacy practices explain exactly how SunTrust collects, uses and protects information about your online activity.
The most effective privacy protection is the precautions you take to guard your account and personal information. Review our privacy resources to learn how to protect your information.
Reading Ease: Best understood by university graduates
Grade Level: Freshman in college

Google memo
This Tuesday (1/21), the San Francisco Municipal Transportation Agency (SFMTA) Board will meet to vote on the proposed shuttle regulations we told you about last week. The hearing will take place on January 21 at 1pm PT at San Francisco City Hall (room 400). While we recognized that many of you won't be able to make it during the workday, we encourage any interested Googlers who live in San Francisco to speak in favor of the proposal (please RSVP here if you are planning to attend). While you are not required to state where you work, you may confirm that Google is your employer if you are so inclined. If you do choose to speak in favor of the proposal we thought you might appreciate some guidance on what to say. Feel free to add your own style and opinion.
*I am so proud to live in San Francisco and be a part of this community
*I support local and small businesses in my neighborhood on a regular basis
*My shuttle empowers my colleagues and I to reduce our carbon emissions by removing cars from the road
*If the shuttle program didn't exist, I would continue to live in San Francisco and drive to work on the peninsula
*I am a shuttle rider, SF resident, and I volunteer at…..
*Because of the above, I urge the Board to adopt this pilot as a reasonable step in the right direction
Reading Ease: 13- to 15-year-old students
Grade Level: Sophomore in High School

Conclusion
When we use terms and concepts that cannot be understood, and we demand compliance, we appear to be condescending
Empathy is as important a skill when writing policies or other corporate communication as is a large vocabulary
It is important to know your audience