DNS, VPN, SQL … Help!
“And this is how DNS works.” I blink once. Then twice. The person in front of me waits expectantly for a sign that I understood the explanation he had delivered so patiently. Instead, he is met with a giant question mark plastered across my face. D-N-S. How was I supposed to teach people about digital risks if I barely understood how the internet worked myself? “In short, DNS – or Domain Name System – is like your phone’s contacts. You call your friend Anna by selecting her name, not by memorising her phone number. The internet works the same way. Instead of remembering a lengthy IP address such as 142.250.80.46, you simply type example.com. The DNS system translates that easy-to-remember name into the correct numerical address through a chain of servers and directs your computer to the right website.” Hearing it explained that way, it finally clicked. A short story about calling Anna had succeeded where technical explanations had failed. The concept had not become more accurate – it had become more accessible.
Of course, every simplification leaves out details. Critics could rightly point out that DNS is more nuanced than a contacts list, and they would be correct. Yet accessibility and rigour are not always competing goals. As usability expert Lorrie Faith Cranor famously observed, “Security that isn’t usable isn’t security.” The same applies to security communication: information that people cannot access, understand, or act upon is no awareness at all.
At the time, I dismissed the experience as a lucky explanation. Years later, I would discover that there is an entire craft dedicated to making complex ideas understandable through stories.
The Curse of Knowing Too Much
The importance of accessibility became even clearer through an eye-opening encounter a colleague had with a Swiss Army general. Upon learning that my colleague’s background was in meteorology rather than computer science, the general responded with visible relief: “Thank God.” He was not dismissing technical expertise. Quite the opposite. He was expressing a frustration many non-specialists share: cybersecurity was finally being explained in language he could understand.
His story brought back a memory from my first year at university, drowning in my introductory statistics class for social scientists. Like many of my classmates, I struggled with concepts such as standard deviation, variance, and correlation. Everything changed when I discovered a statistics textbook by Andy Field, Professor of Quantitative Methods at the University of Sussex. Written in plain language and filled with humour, stories, and real-world examples, it transformed a subject I found intimidating into one that felt inviting and – may I dare say – genuinely fun.
Although some statisticians criticised the book for being too casual, it became enormously popular among students and even won a British Psychological Society book award. Its success illustrated an important lesson: accessibility is often what unlocks understanding for non-specialists.
Examples like these made me question an assumption I had carried into cybersecurity: could not having a technical background also be an advantage? Cognitive scientists describe a phenomenon known as the “curse of knowledge,” where expertise makes it difficult to remember what it felt like not to know something. The deeper our expertise, the harder it can become to explain a topic from a beginner’s perspective. As we learn the complexity of a subject, we tend to overestimate what others can reasonably be expected to know about it.
So how do we communicate cybersecurity in a way that people genuinely want to engage with? That question eventually led me to the work of tech journalist Eva Wolfangel.
Why Facts Alone Don’t Land
“You need to think in scenes.”
Eva Wolfangel
When discussing her craft, Eva often emphasises that stories are built from a sequence of moments – each with its own setting, characters, emotions, and actions. Having specialised in topics such as cybersecurity, artificial intelligence, and virtual reality, Eva is an independent, award-winning journalist whose work demonstrates the power of narrative communication. Rather than presenting technical concepts as abstract facts, she brings them to life through scenes, characters, and lived experiences. Her goal, as she explains, is simple: “I want to inform people so that they can participate in the democratic discourse about emerging technologies.”
If you have ever found yourself emotionally invested in the fate of a fictional character, you already understand why this approach works. Stories reach something fundamental in us. As usability researcher Dr. Karen Renaud observed: “Humans are feeling beings who think – not thinking beings who feel.” Storytelling speaks to our emotions before it speaks to our intellect. Unsurprisingly, narrative approaches to risk communication have been associated with greater commitment, a stronger sense of purpose, and more accessible knowledge (Kampmann, 2020, pp. 23, 103–104).
When asked how facts can be taught through storytelling, Eva’s answer is surprisingly practical: “After each scene, you can insert relevant facts or background information. So you will have a sequence of scene, fact, scene, fact, and so on.” She adds an important caveat: “Make sure facts are delivered in the same tone and style as the scenes – otherwise, they appear as two separate stories.” For security awareness professionals, this insight is invaluable. Facts do not have to interrupt a narrative. When integrated thoughtfully, they become part of it – informing without alienating, educating without overwhelming, and engaging without sacrificing accuracy.
Putting the Lessons Learned Into Practice
From these experiences, six practical principles emerged that now guide how I design cybersecurity stories.
1. Focus on the right target behavior and audience. Before writing, define the behavior you want to influence and identify the right audience. If the goal is to improve knowledge and motivation, employees are often the right target. But if the real barrier is organizational – such as limited resources, unclear priorities, or lack of leadership buy-in – the story must address decision-makers. True impact often comes from a combination of changes in management and employee behavior.
2. Be clear about your core message. Always know what you want the reader to take away. It is tempting to pack a story with information – but this dilutes the message and weakens its impact. Identify your core message and let it serve as a red thread: every scene, character, and detail should support that central theme. A story trying to say everything ends up saying nothing.
3. Capture and sustain attention. People rarely finish stories that fail to create curiosity in the opening paragraphs. So, use hooks, cliffhangers and other techniques to keep them reading while keeping it as short and concise as possible.
Melanie Knieps
4. Show, don’t tell. Use vivid scenes instead of abstract descriptions. Let readers experience moments directly. Adding quotes and dialogue can also make characters and situations feel much more immersive and authentic. Integrate the relevant facts you want to teach in between your scenes.
5. Develop your protagonist credibly. Make sure readers understand both the external challenge and the internal struggle your protagonist faces. The tension often arises from like meeting business objectives while keeping data safe. In cybersecurity, redemption arcs are particularly effective: the protagonist makes a mistake, faces consequences, learns from the experience, and ultimately changes their behavior. Such stories work because they mirror how people learn in real life. A protagonist who changes too easily teaches nothing; one whose struggle feels genuine takes the reader with them.
6. Aim for closure. Strong stories are ultimately stories about transformation. The most memorable stories leave readers with a sense that something has changed – whether it is knowledge, perspective, or motivation to act. In redemption arcs, closure comes when the protagonist successfully applies what they have learned. The problem may not be completely solved, but the character is no longer the same person who began the journey.
Why Storytelling Should Be a Core Security Competency
Having worked with storytelling in cybersecurity for a few years now, I can look back on that confused me, staring blankly at the acronym “DNS” with some appreciation. That moment taught me an important lesson: understanding does not begin with technical precision. It begins when people can connect new information to something they already know.
And perhaps that is the most encouraging insight of all: storytelling is not a gift reserved for journalists, authors, or charismatic speakers. It is a skill that can be learned.
In my experience, however, storytelling works best when it is built on the right foundation: a team that combines technical expertise with the ability to speak the language of the people it is trying to reach. A security specialist who deeply understands the risks, technology or regulation. A communicator who never lost sight of what it feels like not to. Together, they bring the best of both worlds – the rigor of one and the accessibility of the other.
Because in the end, security awareness that people cannot access, understand, or act upon is no awareness at all.