Yesterday we established that InfoSec Advice Fatigue is real, documented, and threatening our influence across all levels of our organizations.
Today we confront one of the primary reasons our messages fail to penetrate that fatigue—and it's hiding in plain sight.
It's the language we use.
Let me show you exactly what I mean.
The Email That Got Ignored
A CISO sends this to the executive team:
"We need to strengthen our security posture across the organization. Our current approach has gaps that expose us to evolving threats. I'm recommending we implement additional controls and enhance our defensive capabilities to reduce our risk profile."
Perfectly reasonable. Technically accurate. Completely abstract.
And completely ignored.
Now watch what happens when the same CISO rewrites it:
"Last quarter, our remote access systems were scanned 2,847 times by unauthorized users. Our audit identified three specific vulnerabilities that let attackers move from remote access to our customer database. I'm requesting $180K to enable multi-factor authentication on all remote connections, which closes these three paths and reduces unauthorized access attempts by approximately 75%."
Same core message. Completely different impact.
One gets budget. One gets filed under "we'll discuss this later."
Here's what makes this even more critical: this isn't just about executive communication.
Watch the same pattern with employee-facing guidance:
Abstract (ignored): "All employees should practice good password security and remain vigilant about suspicious activity."
Concrete (followed): "Create passwords with at least 12 characters using a mix of uppercase, lowercase, numbers, and symbols—or use a passphrase of 20+ characters. If you see an email asking you to click a link and enter your credentials, forward it to security@company.com before clicking anything."
Notice something?
The same principle applies whether we're communicating to the front line or the C-suite. Because clear, concrete language isn't about talking down to employees or strategizing up to executives.
It's about respecting everyone enough to communicate clearly.
The Dual Disasters of Abstract Language
Here's why this matters so urgently:
When employees tune out our security guidance, vulnerabilities stay open. They click the phishing link because our training was too abstract to be memorable. They reuse passwords because "practice good password security" doesn't tell them what that actually means. They bypass controls because they don't understand why those controls exist.
When executives tune out our budget requests, we can't get the resources to close those vulnerabilities. They deny funding because "strengthen our security posture" doesn't justify a specific investment. They deprioritize our initiatives because "reduce risk" doesn't connect to business outcomes they care about.
Same communication failure. Dual disasters.
And we're trapped in the middle—unable to get resources from above and unable to get compliance from below, both caused by the same problem: advice fatigue triggered by our abstract language.
The difference between abstract and concrete isn't just about better communication. It's about whether we can actually do our jobs.
Why Fatigued Audiences Can't Process Abstract Language
Remember yesterday's research on advice fatigue? Here's the brutal connection:
Abstract language requires enormous mental effort. Concrete language doesn't.
When someone says "strengthen our security posture," the brain has to:
- Decode what "strengthen" actually means
- Figure out what "security posture" encompasses
- Imagine what that would look like in practice
- Estimate what it might cost
- Determine if it's actually important
That's cognitive work. And fatigued audiences—whether they're employees who've sat through fifteen phishing trainings or executives who've heard fifteen quarterly risk presentations—have already hit their cognitive budget for security advice.
When someone says "enable multi-factor authentication on all remote connections for $180K," the brain immediately:
- Knows exactly what's being proposed
- Understands the specific scope
- Sees the concrete cost
- Can evaluate whether it's worth it
Zero cognitive work to understand the ask. All cognitive work goes to evaluating whether to say yes.
The Psychology Behind Concrete vs. Abstract
The research that explains this comes from psychological distance theory—specifically how our brains process information differently based on how distant or proximate it feels.
Here's the mechanism:
Abstract language creates psychological distance. When we hear "improve our security," our brains process it as something far away, theoretical, not urgent, and not personally relevant. It's a future concern for someone else to worry about.
Concrete language creates psychological proximity. When we hear "enable MFA by March 15," our brains process it as something immediate, specific, actionable, and relevant right now.
Distance = disengagement. Proximity = attention.
And in a fatigued environment where people are already looking for reasons to disengage, abstract language hands them the perfect excuse.
There's also a second factor: fluency.
Fluency is the subjective feeling of ease or difficulty in processing information. Fluent information feels familiar and easy—and we're more likely to trust it and act on it.
Concrete language is fluent: "Enable MFA" is easy to process.
Abstract language is not fluent: "Strengthen security posture" requires mental work to decode.
Research consistently shows that fluent messages are more persuasive than non-fluent messages—especially when the audience is tired, busy, or overwhelmed.
Which describes every employee, every manager, and every executive we're trying to influence.
The Tragic Irony of Expertise
Here's what makes this particularly painful for security professionals:
We've been trained to think in systems, frameworks, and architectures. We talk about "defense in depth," "zero-trust models," "threat surface reduction," and "security maturity levels."
All abstractions.
And the research on advice malabsorption—one of the two root causes of fatigue we discussed yesterday—shows exactly what happens: "Security advice uses a lot of big words."
Our expertise, which should be our greatest asset, becomes a barrier when we translate our technical understanding into abstract language that creates distance and requires enormous mental effort to decode.
Whether that audience is an employee trying to create a strong password or a CFO trying to evaluate a security investment.
Communicate to Everyone Like They're the CEO
Here's the principle that changes everything:
Communicate to everyone—from front-line employees to the C-suite—with the same clarity, respect, and business enablement focus you'd use if you were speaking to your CEO.
Not talking down with compliance-speak. Not talking up with strategic abstractions. Just clear, concrete, business-focused communication.
Because here's what happens when you don't:
When we talk down to employees in compliance-speak:
- They tune out (advice fatigue)
- Leadership sees we're disconnected from the people we're supposed to protect
- We lose credibility at both levels
When we use abstract jargon with executives:
- They tune out (advice fatigue)
- We signal we don't understand business outcomes
- We lose the resources we need
When we communicate clearly to everyone:
- Security becomes a business enabler, not a gatekeeper
- Trust builds across all levels
- We position ourselves as partners, not obstacles
The Translation Framework
So how do we fix this systematically?
Here's the four-step framework for converting abstract language into concrete language:
Step 1: Identify Abstract Language
Review your presentation, email, or training material. Look for phrases that require the audience to decode meaning:
Abstract red flags:
- "Strengthen," "improve," "enhance," "optimize"
- "Security posture," "risk profile," "threat landscape"
- "Capabilities," "controls," "measures," "protocols"
- "Appropriate," "sufficient," "adequate"
- "Going forward," "in the future," "eventually"
The test: If a 12-year-old couldn't follow your instruction, it's too abstract.
Step 2: Ask "What Specifically?"
For every abstract phrase, ask yourself: "What specifically am I actually recommending?"
- "Strengthen security" → What specifically? → "Enable multi-factor authentication"
- "Improve password hygiene" → What specifically? → "Require 12-character passwords with a password manager"
- "Enhance monitoring" → What specifically? → "Deploy endpoint detection on all laptops"
- "Reduce risk" → What specifically? → "Block .exe attachments in email"
Step 3: Add Numbers, Names, and Deadlines
Concrete language includes specific details:
- Numbers: "75% reduction," "$180K," "2,847 scans," "15-minute response time"
- Names: "Office 365," "Duo MFA," "customer database," "finance team"
- Deadlines: "by March 15," "within 90 days," "before Q2," "starting next week"
Step 4: Test with the SMART-Security Framework
Before you send any security communication, check it against these criteria:
- Specific: Not "improve security" but "enable MFA on remote access"
- Measurable: Not "reduce risk" but "75% reduction in unauthorized access attempts"
- Actionable: Not "be vigilant" but "look for mismatched sender domains"
- Relevant: Not "industry best practices" but "based on OUR audit findings"
- Timely: Not "eventually" but "by March 15"
If it doesn't pass all five, it's still too abstract.
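The mechanical parts of the framework can be automated. The sketch below is an added example, not part of the original post: it flags the Step 1 red-flag phrases and checks for the Step 3 numbers and deadlines. The function name `lint` and the regex patterns are assumptions; names and the rest of the SMART-Security check still need a human reader.

```python
import re

# Step 1 red flags, copied from the list in this post (exact phrases only).
RED_FLAGS = [
    "strengthen", "improve", "enhance", "optimize",
    "security posture", "risk profile", "threat landscape",
    "capabilities", "controls", "measures", "protocols",
    "appropriate", "sufficient", "adequate",
    "going forward", "in the future", "eventually",
]
FLAG_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, RED_FLAGS)) + r")\b", re.I)

# Step 3 anchors. These patterns are assumptions modelled on the post's examples
# ("$180K", "2,847", "75%", "by March 15", "within 90 days", "before Q2").
NUMBER_RE = re.compile(r"\$?\d(?:[\d,.]*\d)?[%KM]?")
MONTH = r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*"
DEADLINE_RE = re.compile(
    r"\b(?:by|before|until)\s+(?:" + MONTH + r"\s+\d{1,2}|q[1-4]\b)"
    r"|\bwithin\s+\d+\s+(?:days?|weeks?|months?)\b"
    r"|\bstarting\s+next\s+(?:week|month|quarter)\b",
    re.I,
)

def lint(text):
    """Return Step 1 and Step 3 findings for one draft message."""
    flags = [m.group(0).lower() for m in FLAG_RE.finditer(text)]
    numbers = NUMBER_RE.findall(text)
    deadlines = DEADLINE_RE.findall(text)
    missing = [name for name, found in (("number", numbers), ("deadline", deadlines))
               if not found]
    return {"flags": flags, "numbers": numbers, "deadlines": deadlines,
            "missing": missing, "pass": not flags and not missing}

# The abstract email quoted at the top of the post.
ABSTRACT = ("We need to strengthen our security posture across the organization. "
            "Our current approach has gaps that expose us to evolving threats. "
            "I'm recommending we implement additional controls and enhance our "
            "defensive capabilities to reduce our risk profile.")
# Constructed sample assembled from phrases the post uses.
CONCRETE = ("I'm requesting $180K to enable multi-factor authentication "
            "on all remote connections by March 15.")

if __name__ == "__main__":
    for label, draft in (("abstract", ABSTRACT), ("concrete", CONCRETE)):
        print(label, lint(draft))
```

A flagged word is a prompt to ask "What specifically?", not an automatic failure: "controls" is fine when the sentence goes on to name them.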
Real-World Transformations
Let me show you how this works across different types of security communication:
Budget Request to Executive Team
Abstract (fails): "We need to invest in our security infrastructure to address emerging threats and improve our defensive capabilities."
Concrete (succeeds): "I'm requesting $240K to implement three specific controls identified in our Q3 audit: MFA for remote access ($80K), endpoint detection for all laptops ($100K), and automated patching for servers ($60K). These three controls address 80% of our actual security incidents from last year."
Notice: Same request. Different language. One gets budget because it's clear what we're buying and why it matters.
Policy Communication to Employees
Abstract (ignored): "Employees should practice good password security and be vigilant about suspicious activity."
Concrete (followed): "Create passwords with at least 12 characters using a mix of types—or use a passphrase of 20+ characters. If you see an email asking you to click a link and enter your credentials, forward it to security@company.com before clicking."
Notice: Same guidance. Different language. One gets followed because it's clear what to do.
Risk Briefing to Senior Management
Abstract (glazed eyes): "The threat landscape continues to evolve with increasingly sophisticated attacks targeting our industry. We need to maintain vigilance and ensure our security posture remains strong."
Concrete (attention): "Last month, three companies in our industry experienced ransomware attacks. All three had the same vulnerability we identified in our audit: unpatched VPN servers. We patched ours two weeks ago, and we're now scanning weekly instead of monthly to catch issues faster."
Notice: Same situation. Different language. One maintains attention because it's clear what happened and what we did about it.
Security Training
Abstract (forgotten): "Be aware of phishing attempts and verify sender authenticity before responding to requests."
Concrete (remembered): "Last week, someone impersonating our CFO emailed the finance team requesting an urgent wire transfer. The email address was CFO@company.co instead of CFO@company.com. That one-character difference cost another company $2.1M last month. Always check the full email address, not just the display name."
Notice: Same training objective. Different language. One gets remembered because it's a specific story with concrete details.
Why Concrete Language Breaks Through Fatigue
Remember the four dimensions of advice fatigue from my previous post?
- Perceived overexposure
- Perceived redundancy
- Exhaustion
- Tedium
Concrete language addresses all four:
1. Reduces perceived redundancy: When you use YOUR organization's specific data ("2,847 scans of OUR systems," "last week someone impersonated OUR CFO"), it doesn't sound like the generic advice everyone else is giving.
2. Cuts through exhaustion: Concrete language requires less mental effort to process, so it doesn't add to cognitive fatigue.
3. Fights tedium: Specific details and real examples are inherently more interesting than abstract principles people have heard a thousand times.
4. Feels less like overexposure: "Enable MFA by March 15" feels like a specific, actionable request, not another generic security reminder that blends into the noise.
Concrete language differentiates your message from the saturation.
The Neuroscience Connection
Here's something that makes this even more powerful:
When someone hears a concrete, specific story—"Last week, someone impersonating our CFO..."—their brain activates mirror neurons. They're not just passively receiving information; they're mentally simulating the experience.
When someone hears an abstract concept—"Be aware of phishing attempts"—those mirror neurons don't fire. The brain stays in passive processing mode.
And mental simulation creates the kind of engagement that breaks through fatigue.
This is also why concrete language builds trust more effectively. Trust requires connection—and connection requires the neurological activation that only concrete language triggers.
Abstract language keeps the conversation in the analytical brain. Concrete language engages the emotional brain where trust and decisions actually live.
The Common Objections (And Why They're Wrong)
"But won't being too concrete feel prescriptive? Don't executives want strategic thinking?"
No. Executives want clarity. They can always ask you to zoom out if they want more context. But they can't extract concrete meaning from abstract language.
Being concrete isn't about being controlling. It's about being clear.
You can be concrete AND ask for their input: "I recommend enabling MFA for all remote access. What concerns do you have about this approach?"
That's concrete + collaborative. That's the sweet spot.
And the same applies to employees. When you're concrete about what you're asking them to do and why it matters for the business, you're respecting their intelligence, not insulting it.
"But security is complex—how can I make everything concrete?"
Security is complex. But that's exactly why your communication can't be.
Your job isn't to make them understand the complexity. Your job is to make them understand what action to take despite the complexity.
Concrete doesn't mean oversimplified. It means translated.
"Won't this make me sound less senior or strategic?"
Actually, the opposite.
When you say "improve our security posture," people hear: "I don't actually know what to do."
When you say "enable MFA on all remote access using Duo, with rollout completing by March 15," people hear: "This person has done the analysis and has a clear plan."
This is true whether you're presenting to the CEO or training new employees.
The Implementation Challenge
Find your last three security communications (emails, presentations, training materials—a mix of employee-facing and leadership-facing).
Run them through the Framework:
- Highlight every abstract phrase
- Ask "what specifically?" for each one
- Rewrite with numbers, names, and deadlines
- Check against SMART-Security criteria
- If a 12-year-old can't follow it, revise again
Then compare:
- Original version vs. concrete version
- Which would YOU be more likely to act on?
- Which requires less mental effort to understand?
- Which feels more urgent and relevant?
I guarantee you'll find that your concrete version is more persuasive—even though it's the same underlying message.
And notice whether your abstract language was different when talking to employees vs. executives. If it was, ask yourself: why?
The best communicators use the same principles of clarity and respect regardless of their audience's position.
Tomorrow: The Fear Calibration Problem
Today we tackled what we say. Tomorrow we tackle how we say it—specifically, the emotional intensity we use.
Because it turns out there's a "Goldilocks zone" for fear in security communication. Too little fear and people ignore us. Too much fear and people shut down.
The research reveals the exact calibration that works—and it's probably not what you're currently doing.
Especially since many of us have been defaulting to high fear for fifteen years, which helped create the fatigue we're now fighting.