Those came from four different domains:
Day 1: InfoSec Advice Fatigue—documented patterns that cause audiences to mentally shut down.
Day 2: Construal Level Theory—concrete language creates psychological proximity; abstract language gets filtered out.
Day 3: Protection Motivation Theory—there's a narrow Goldilocks zone for fear; too little gets ignored, too much triggers defensive shutdown.
Day 4: Cognitive filtering research—differentiation strategies defeat the pattern-matching mechanisms that filter out even excellent messages.
But before we integrate these into a framework, let's be crystal clear about something:
Breaking through InfoSec "Advice Fatigue" isn't a one-time fix.
It's a systematic approach to communication that works at every level of your organization.
This Applies to Every Communication, Every Audience, Every Level
This isn't just about security awareness campaigns or employee training.
This framework applies when you're:
- Emailing an employee about a password policy
- Presenting to your management team about quarterly priorities
- Requesting budget from the CFO
- Briefing the CEO on an incident
- Presenting risk posture to the board of directors
- Training new hires on security basics
- Negotiating with a vendor about security requirements
- Collaborating with engineering on secure design
- Explaining compliance requirements to the legal team
Whether you're communicating up, down, or sideways in the organization, you're facing the same challenges:
- Information overload (they've heard a lot)
- Pattern-matching (they categorize your message automatically)
- Cognitive load (they're busy and tired)
- Filtering mechanisms (they tune out what sounds familiar)
What changes is the application of the principles—and that's what this framework addresses.
The 4-D Framework
The research principles organize into four sequential steps:
1. DIAGNOSE → Assess Audience State
Before you craft any message, understand the fatigue level and filtering mechanisms you're facing.
2. DESIGN → Build Message Content
Apply concrete language principles and fear calibration to the message itself.
3. DIFFERENTIATE → Stand Out from Noise
Use personalization, framing, prioritization, and acknowledgment to defeat pattern-matching.
4. DELIVER → Execute Strategically
Choose timing, frequency, and format that maximize impact and minimize overexposure.
Each step builds on the previous one. You can't effectively differentiate if your message uses abstract language. You can't design well if you haven't diagnosed the audience's fatigue level.
STEP 1: DIAGNOSE
What other messages has this audience received recently?
- From IT, HR, Compliance, vendors, media?
- Similar topics or different?
Decision prompts:
- Multiple recent similar messages → High fatigue → Use acknowledgment technique
- Regular messages on different topics → Moderate fatigue → Strengthen differentiation
- New information for them → Low fatigue → Focus on clarity
Context-specific indicators:
- Board: Quarterly presentations, post-breach news cycle → High fatigue likely
- Management: Monthly updates, recurring topics → Moderate fatigue
- Employees: Security Awareness Month, training campaigns → High fatigue
STEP 2: DESIGN
Concrete Language (Day 2)
Replace abstract with specific:
- "Strengthen security" → "Enable MFA on Office 365 by March 15"
- "Reduce risk" → "Block .exe attachments, reducing malware by 70%"
Include:
- Numbers: "75% reduction," "$180K," "47 attempts"
- Names: "Duo MFA," "finance team," "customer database"
- Deadlines: "by March 15," "within 90 days"
The 12-year-old test: Could they follow this without asking questions?
Fear Calibration (Day 3)
Calculate Emotional Intensity:
- Count negative words: threat, risk, attack, critical, urgent, vulnerable
- EI% = (negative words ÷ total words) × 100
Target ranges:
- Board/Executive presentations: 2-3%
- Management communications: 2-3%
- Employee training: 2-3%
- Crisis communications: 4-5%
Fear + Efficacy Formula: Every threat needs a solution (minimum 1:1 ratio)
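The EI% calculation and target ranges above can be run against a draft before sending. This is an added example, not part of the original framework materials; the tokenization rule, the plural handling, the audience keys, and both sample drafts are assumptions made for illustration.

```python
import re

# Word list and target ranges are the ones given in the article.
NEGATIVE_WORDS = {"threat", "risk", "attack", "critical", "urgent", "vulnerable"}
TARGET_EI = {  # audience keys are names chosen for this example
    "board": (2.0, 3.0),
    "management": (2.0, 3.0),
    "employee": (2.0, 3.0),
    "crisis": (4.0, 5.0),
}

def emotional_intensity(text):
    """Return (negative_count, total_words, EI%) for a draft message."""
    # Assumption: a word is a run of letters, digits or apostrophes.
    words = re.findall(r"[a-z0-9']+", text.lower())
    # Assumption: simple plurals ("threats") count as the listed word.
    negatives = sum(
        1 for w in words
        if w in NEGATIVE_WORDS or (w.endswith("s") and w[:-1] in NEGATIVE_WORDS)
    )
    ei = round(100 * negatives / len(words), 2) if words else 0.0
    return negatives, len(words), ei

def check_message(text, audience):
    """Compare a draft's EI% with the target range for its audience."""
    low, high = TARGET_EI[audience]
    negatives, total, ei = emotional_intensity(text)
    verdict = "below" if ei < low else "above" if ei > high else "within"
    return {"negatives": negatives, "words": total, "ei": ei, "verdict": verdict}

# Constructed sample drafts (not from the article).
CALM_DRAFT = (
    "Our Q4 audit found one critical gap in remote access. "
    "Enable Duo MFA for the finance team by March 15. "
    "Setup takes two minutes per user and IT will send instructions next week. "
    "This closes the finding before the audit."
)
ALARMIST_DRAFT = "Urgent: critical threats and attacks put us at risk. We are vulnerable."

if __name__ == "__main__":
    for name, draft, audience in [("calm", CALM_DRAFT, "board"),
                                  ("calm", CALM_DRAFT, "crisis"),
                                  ("alarmist", ALARMIST_DRAFT, "employee")]:
        print(name, audience, check_message(draft, audience))
```

A draft flagged "above" needs negative words removed or solution-focused sentences added; the word list can be extended, but the ranges only make sense with a consistent list.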
STEP 3: DIFFERENTIATE
Personalization
Replace "industry statistics" with "OUR audit findings" and "OUR team's actual incidents"
Novel Framing
Frame from THEIR priorities:
- Finance → Cost reduction, audit efficiency
- Operations → Uptime, productivity
- Sales → Customer trust, deal velocity
- Legal → Regulatory exposure, liability
Prioritization
- Narrow to 3 things maximum
- Justify why these matter most
- Give permission to deprioritize the rest
Acknowledgment (when fatigue is moderate-to-high)
- Acknowledge the noise: "I know you've heard a lot about..."
- Differentiate: "What's different today..."
- Personalize: "For our organization specifically..."
- Prioritize: "Instead of covering everything..."
STEP 4: DELIVER
Timing
- Tied to recent event/audit/incident → Deliver soon
- Not tied to anything specific → Question if needed
Frequency
- Board: 2-4 times per year
- Executives: Quarterly for strategic; event-driven for tactical
- Management: Monthly maximum for recurring topics
- Employees: Quarterly comprehensive; event-driven for urgent
Channel
- Email: Quick, actionable items
- Presentation: Complex topics requiring discussion
- In-person: High stakes, relationship-building
- Written report: Comprehensive analysis, board review
The Final Insight: Why This Framework Works Across All Levels
The research on human psychology and behavioral science doesn't change based on job title.
Board members, executives, managers, and employees all:
- Experience information overload and develop filtering mechanisms
- Process concrete language more easily than abstract language
- Respond to calibrated fear better than extreme fear
- Notice when messages are personalized vs. generic
What changes is the application:
- Board needs strategic framing, employees need "how this affects me" framing
- Board presentation uses 2-3% EI, crisis communication can use 4-5% EI
- Board gets quarterly communication, employees get event-driven communication
Let me show you this in practice with one security initiative communicated to three different audiences:
Multi-Level Application: Same Initiative, Three Audiences
SCENARIO: Implementing MFA on remote access to customer database
TO BOARD OF DIRECTORS
"I know you receive quarterly security briefings covering numerous topics. Today I'm focusing on one finding from our Q4 audit.
Our audit identified three vulnerabilities in remote access systems. Two industry peers with identical vulnerabilities experienced breaches last quarter—combined losses of $8.3M.
I'm requesting $240K for three controls that close these vulnerabilities. Implementation: 90 days. Risk reduction: 75% fewer unauthorized access attempts."
Framework applied: Acknowledgment (high fatigue), concrete ($240K, 90 days, 75%), calibrated fear (~3%), personalized (OUR audit), prioritized (three controls)
TO MANAGEMENT TEAM
"Our Q4 audit found vulnerabilities in remote access to the customer database—35 employees access it with passwords only. Two competitors with this configuration were breached last quarter.
We're implementing Duo MFA for these 35 users. Cost: $80K. Timeline: 30 days. This also closes the repeated audit finding in our SOX documentation."
Framework applied: Concrete (35 employees, $80K, 30 days), calibrated fear (~2.5%), novel framing (addresses SOX finding), personalized (OUR audit, specific users)
TO EMPLOYEES
"Quick heads-up: Starting March 15, when you log into the customer database remotely, you'll use your phone to confirm it's you—takes 5 seconds.
Why: Our audit showed password-only access creates risk. This protects customer data and your account.
IT will send setup instructions March 10. Setup takes 2 minutes."
Framework applied: Concrete (March 15, 5 seconds, 2 minutes), very low EI (~1%), solution-focused, personalized (YOUR account)
Notice: Same underlying initiative. Same framework principles. Different application based on audience.
This is why the framework works whether you're emailing an intern or presenting to the board—the psychology is constant, the application adapts.
Your Implementation Plan
This Week:
Before your next communication (any level, any audience), walk through the 4-D Framework:
- Diagnose their fatigue level
- Design with concrete language and calibrated fear
- Differentiate with personalization and acknowledgment if needed
- Deliver with strategic timing
Compare your revised version to what you would have sent before. Notice the differences. Track the outcomes.
This Month:
- Apply the framework to communications at different levels (board, executive, employee)
- Notice which step you tend to skip—that's your development area
- Track outcomes: More specific commitments? Faster decisions? Better engagement?
This Quarter:
- Reduce communication frequency by 30-50% while maintaining impact
- Teach this framework to your team
- Measure: Are more recommendations being implemented?
What's Next
Tomorrow's newsletter goes deeper with exclusive content:
- Three complete case studies with full framework application
- The Measurement Toolkit for tracking breakthrough effectiveness
- Common failure modes and diagnostic guidance
- 30-day implementation challenge with specific exercises
- Downloadable templates for different communication types
This series gave you the research and the framework. The newsletter gives you the advanced implementation tools.
Breaking through InfoSec "Advice Fatigue" isn't a one-time fix.
It's a systematic approach to communication that works at every level of your organization.
This is Part 5 of a 5-part series on science-backed approaches to breaking through InfoSec Advice Fatigue.