Security Education Through the Art of Storytelling

In today's digital world, cybersecurity isn't just a technical issue, it's a human one. At Okta, we've taken a fresh approach to security education by leveraging a tool as old as humanity itself - storytelling. We aim to make security education effective, engaging, and memorable by weaving narratives into our training sessions.

What is Storytelling?

Storytelling is more than just a method of communication; it is a profound way to connect with people, share experiences, and influence thoughts and emotions. As Jimmy Neil Smith, Director of the International Storytelling Center, puts it: “We are all storytellers. We all live in a network of stories. There isn’t a stronger connection between people than storytelling.”

This connection is why storytelling is such a powerful tool in education. We aren't just relaying information when we tell a story - we create an emotional experience. This emotional investment helps people better remember the lessons long after the session is over.

The Elements of a Good Story

A compelling story has several key elements:

1. Characters: Every story needs a hero and, often, a villain. In the context of cybersecurity, the hero could be the employee who spots a vulnerability during a code review. At the same time, the villain might be the adversary trying to breach the system.

2. The Hero’s Journey: This is the narrative arc where the hero faces a challenge, overcomes obstacles, and emerges victorious (or learns a valuable lesson in defeat).

3. Conflict and Resolution: At the core of any good story is conflict. It might be a breach attempt, a security flaw, or risky behavior that needs correcting. The resolution is how the characters (or the audience) learn to address and resolve these issues.

4. Lessons Learned: What should the audience take away from the story? This could be practical advice, a change in perspective, or a call to action.

At Okta, we apply these elements to our security education by crafting relatable scenarios that resonate with our audience. We don’t just list the Open Source Foundation for Application Security (OWASP) Top 10 vulnerabilities; we tell the story of the "Okta Top 10” – the Top 10 vulnerabilities we see through code reviews and other methods. We weave in real-world examples and metaphors that bring these abstract concepts to life.

How to Tell a Story in Security Training

1. Know Your Audience: Understanding your audience's background, expertise, and interests is crucial. At Okta, we avoid generic examples that don’t resonate with our employees. Instead, we use examples found in our codebase to make security concepts relatable.

2. Pull Them in with Emotional Connections: Start with a relatable scenario. Use personal stories, show empathy for their challenges, and highlight how security issues impact them directly.

3. Make Them Care: To drive the point home, it’s essential to illustrate the real-world consequences of security lapses. Show both the adverse outcomes of ignoring best practices and the positive results of adhering to them.

4. Give Them Something to Remember: Whether it’s a humorous anecdote, a dramatic story arc, or a surprising twist, the goal is to leave the audience with a memorable takeaway. This helps reinforce the lessons learned and encourages better security practices.

Storytelling in Action at Okta

When I joined Okta, one of my first tasks was overhauling our secure code training. We decided to shift our focus from traditional lectures to storytelling, using elements from gaming, sci-fi, and fantasy to create a narrative that would resonate with our tech audience.

We created fictional characters, like "The Devs," representing our product development team members and placing them in scenarios that mimic real-world security challenges. These diverse characters and grounded-in-reality scenarios made them more relatable and effective in conveying the importance of security practices.

For instance, one of our training modules depicted a hacker attempting to infiltrate a secure area, like trying to gain unauthorized access to a club. Using this metaphor, we could visually demonstrate authentication issues and privilege escalation in an engaging and educational way.

Why Storytelling Works

Good stories surprise us, make us think and feel, and stick in our minds long after we've heard them. In cybersecurity training, this means our employees are more likely to remember the lessons we teach and apply them in their daily work.

We are continuously building on this approach, integrating storytelling deeper into our security culture, making our educational materials informative, and reflecting our unique culture at Okta.

By embracing storytelling, we transform our security training from a mundane task into a memorable experience that fosters a culture of security awareness throughout the organization.

Conclusion

Storytelling is a powerful tool in security education. It makes training more engaging, relatable, and memorable, helping employees not just learn about security best practices but also internalize them. At Okta, we have heard from our employees that they find the training relatable and enjoyable. We are also seeing a higher level of on-time completion rates than we did with previous trainings. We're committed to using storytelling to create a stronger security culture - one that empowers every team member to live our company value of Aways Secure, Always On.

Learn More

The Security Education team will present at Oktane on “Building a Robust Security Education Program” in October. 

For more on storytelling, please watch my keynote address at the CloudNative SecurityCon in July. I will also be leading two sessions on Security Education Through the Art of Storytelling at the EWF (Executive Women's Forum) Annual Conference on October 23, 2024.