Why comics work in security awareness: 3 cognitive mechanisms with evidence

Person reading a comic in an office; the characters emerge from the panels in a fluid transition between the everyday world and the illustrated scene.

The mandatory security session starts at ten in the morning. Thirty people in a room. Slides full of bullets, a voice repeating last year’s rules, lukewarm coffee. By ten-fifteen, most attendees are answering emails on their phones under the table.

Change the scene. Same room, same time, but now someone projects the first page of a comic: a dark city, an imposing tower, a bank teller who has just watched his company collapse after a cyberattack. The room falls silent. People want to know what happens next.

Same topic. Same educational goal. Very different outcomes. The question is why.

Comics in security awareness activate, at the same time, three well-studied cognitive mechanisms that traditional training rarely fires together. That overlap is what explains the difference. It is worth looking at the three one at a time.

What makes a comic slip past the “I already know this” reflex?

The first mechanism is called narrative transportation: the mental state in which a person is pulled inside a story, loses track of time, and lowers their critical guard against the message. Melanie Green and Timothy Brock described it in a seminal 2000 paper in the Journal of Personality and Social Psychology, and it has since been replicated in dozens of contexts, including health persuasion, civic education, and, more recently, security training.

The core idea is counterintuitive. When a person hears a direct argument (for example, “do not click on suspicious links”), the mind activates what cognitive psychology calls counterarguing: it looks for reasons to dismiss the message, compares it with prior beliefs, labels it as “obvious” or “not relevant to me”. The familiar outcome in awareness programs: the person nods, signs the attendance sheet, and goes back to their inbox without having changed anything.

A story works differently. A well-built narrative absorbs attention before the mind has time to raise its defenses. While the reader wants to find out whether Will will dare to act after the attack on the bank, they are processing, without noticing, ideas like social engineering, attacker pressure, and the real consequences of a single click. The “I already know this” wall is not broken down by force: it is circumvented.

This explains why a six-panel comic can install an idea that a hundred slides failed to. And why formats that resemble a story (comics, narrative video, game-based learning) tend to outperform purely declarative formats in medium-term retention tests.

Why do text and image retain more than either of them alone?

The second mechanism is dual coding, a theory Allan Paivio started developing in the 1970s and still one of the foundations of multimedia learning. The idea, in a quotable sentence: human memory processes verbal language and visual information in two separate but complementary channels, and information encoded in both channels is recovered with higher probability than information encoded in only one.

A paragraph of instructions is stored, if it gets stored at all, as a verbal sequence. A standalone image is stored as a visual representation, but loses the conceptual detail. A comic panel, however, forces the brain to integrate both: the character’s expression, the rendering of the suspicious email on the screen, and the text of the speech balloon commenting on what is happening. That integration creates two retrieval paths. Weeks later, when a real phishing message arrives, only one of the two paths has to fire for the person to recognise the scene.

Richard Mayer extended this line with his principles of multimedia learning, a series of experimental studies on how the combination of words and images maximises comprehension. Two of his findings are particularly relevant to awareness: images work best when they are integrated with the text in the same scene, and textual overload reduces the effectiveness of visual reinforcement. It is the exact opposite of a slide with bullets and a piece of clip-art in the corner.

For teams producing awareness content, the implication is clear: the comic does not compete with the written manual or the sober explainer video. It serves a function neither of them does well on its own, which is why it deserves a place in the catalogue of awareness formats alongside the rest, not as a replacement.

Why does rehearsing someone else’s dilemma change your own decisions?

The third mechanism is the most subtle and, in security, possibly the most important. It is called character identification and was conceptualised by Jonathan Cohen in an influential 2001 article. Identifying with a character means, in cognitive terms, temporarily adopting their perspective: seeing the world through their eyes, feeling their emotions, anticipating their decisions.

This matters because most security mistakes do not happen due to lack of information. They happen because, at the critical moment, the person is rushed, distracted, or emotionally activated (curiosity, urgency, fear of an upset boss). Studying lists of best practices does not train the mind to recognise that moment. Living the dilemma, even vicariously, does.

When someone watches Will hesitate before clicking, they are rehearsing that hesitation in their own head. When they watch Sara realise she was on the wrong side, they are rehearsing the feeling of uncovering a deception. Modern cognitive psychology calls this mental simulation: using the brain’s imaginative system to run scenarios that were never physically lived. And mental simulation, when repeated, leaves traces that closely resemble those of direct experience.

This connects with something we have already discussed on this blog when we talked about how Nudges and Educational Moments shape behaviour: educational moments work because they catch the person at the exact instant of the error. The comic adds a different and earlier piece: it lets people rehearse the moment of the error in a safe environment, before it happens in production.

How does all of this show up in a real awareness campaign?

The three mechanisms do not operate in the abstract. When a security team swaps a generic slide for a comic with recognisable characters, three concrete changes tend to appear: people actually finish the content (completion rates rise), the comic’s language starts showing up in hallway conversations (“careful, that looks like one of the cyber-ninjas”), and reports of suspicious emails increase in the following months.

A study published by Lain and colleagues at the ACM CCS 2024 conference (Content, Nudges and Incentives: A Study on the Effectiveness and Perception of Embedded Phishing Training) measured, in a large organisation, the comparative effects of different embedded training formats in phishing simulations. Narrative and contextualised formats consistently outperformed purely informative ones, both in reducing later clicks and in increasing reports. The conclusion: narrative format produces a different kind of learning from the purely informational format.

At SMARTFENSE we produce our own comics (the first season of The League of Cyberjustice remains in the catalogue) precisely because they combine the three mechanisms in a single format: the plot transports, the panels activate dual coding, and the characters enable identification. It is the only format in which we have seen, with consistency, the same message land across very different profiles inside the same organisation.

What is worth taking away

The comic is not a catalogue whim or a concession to make training feel lighter. It serves a cognitive function that linear training does not, and it serves it in three simultaneous dimensions:

  • Narrative transportation: it circumvents the defences the mind raises against direct messages.
  • Dual coding: it leaves two retrieval paths to memory instead of one.
  • Character identification: it lets people rehearse dilemmas before living them.

Mixing formats remains the best recipe for a serious awareness programme. But if the comic has not yet entered the mix, the three mechanisms above are a good reason to start thinking about where it belongs.

Carolina Carmelé

Content creator with extensive experience in cybersecurity, information technology, and security awareness. Develops and manages clear, engaging, and effective educational materials, using creative formats to connect with diverse audiences.
