Fear appeals: what are they good for?
Fear can be a great motivator but it can also be paralyzing. Scholars have examined the use of fear appeals in advertising and public information campaigns quite thoroughly and achieved mixed results. While experimental studies have supported the motivating effect of fear appeals, the limitations of that type of research and the uncertain repercussions of their application do call into question whether fear appeals are worth it.
Existing studies of fear appeals primarily use university student samples, force exposure to messages, and only measure short-term impacts (Hasting, Stead, & Webb, 2004). In the real world, appeals must be effective on a diverse population, the audience has the option to ignore messages, and the goal is long-term behavior change. However, research design isn't the only problem. Fear appeals impact people differently and the responses to these appeals can't be predicted with any certainty. In addition to the desired behavior change, fear appeals can trigger anxiety or complacency if the audience doesn't feel capable of alleviating the threat (Hasting et al., 2004).
Fear appeals can also create bad brand association. Several big brands won't advertise during the nightly news to avoid being associated with the negative emotions felt during the broadcast (Hasting et al., 2004). Making customers or stakeholders feel afraid can push them away from your organization. They may disregard any recommendations because they have be turned off by the fear appeal.
Fear appeals can work. Many public health and safety campaigns have been based on fear appeals and we see these types of appeals everyday. Hasting, Stead, and Webb's (2004) question the use of fear appeals on ethical grounds but focus on graphically explicit materials. Fear appeals can be less extreme and that is more likely for information security applications.
Application in InfoSec
I reviewed two studies that tested fear appeals for information security (Johnston & Warkentin, 2010; Boss, Galletta, Lowry, Moody, & Polak, 2015). Both indicated that fear appeals may have a place in infosec communication. However, they suffered many of the limitations common to fear appeal research. Both projects used university populations which is extremely common in experimental research but still limits the application of findings. Johnston and Warkentin (2010) also found that the impact of fear appeals was not uniform across user groups. Based on their findings, they call for more study of how efficacy and threat perception impact end user compliance.
Boss et al. (2015) examined two different protective actions and found that perceived cost was the most important predictor when it came to backing up data and that fear appeals were more influential to installing malware protection. Both studies examined specific risks and involved very specific recommendations. Installing software is a one-time act which is easier to motivate than repeated or long-term behaviors.
These studies begin the process of testing the application of fear appeals to information security risks. Johnston & Warkentin (2010) used their project to develop a model for that application. However, the question remains whether the risks of emotional harm, customer alienation, and brand damage are worth the potential behavior change. These risks are likely lower for infosec issues but they still must be considered because reactions to fear appeals can be varied and negative.
Boss, S. R., Galletta, D. F., Lowry, P. B., Moody, G. D., & Polak, P. (2015). What do users have to fear? Using fear appeals to engender threats and fear that motivate protective security behaviors. MIS Quarterly, 39(4), 837-864.
Hastings, G., Stead, M., & Webb, J. (2004). Fear appeals in social marketing: Strategic and ethical reasons for concern. Psychology & Marketing, 21(11), 961-986.
Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information security behaviors: an empirical study. MIS quarterly, 549-566.