  • Claire Tills

Positive and Proactive: Benefit frames for infosec persuasion

I've spoken before about the need for infosec communication and persuasion to move in a more positive and proactive direction. (This isn't an original argument. @iMeluny and @jessysaurusrex have been saying this for a long time now, among others.) Fear isn't an effective way to motivate action in infosec. To effectively persuade people to be more secure, we need to move away from dark, scary, sky-is-falling narratives.

In the last post we learned that framing is about focusing on a specific aspect of a situation to influence perception and motivation. For gain-loss framing, you're selecting - out of all of the many pieces - to focus on what can be gained by taking an action or lost by failing to act.

Health Communication

Gain-loss framing is another staple of health communication. This area of research asks: Do messages focused on what someone will gain by taking a given action motivate people more than those about what they will lose by failing to act? The big names in this area are Tversky and Kahneman. They discussed the psychology of choice in their 1985 paper and are cited in pretty much every paper written on gain-loss framing (it has over 16,000 citations 😵). Tversky and Kahneman trace how people evaluate options. How do we make decisions? With their 1985 study, they established a key component of gain-loss framing research: changing the framing of a problem (what aspects of the problem are focused on) causes "predictable shifts of preference." Our perception of a situation changes based on what information is brought to the forefront by communication (made more salient). Many framing-based perception changes have been found to lead to behavior change.

You can get very detailed and complicated with examinations of gain-loss framing. It can be tested in relation to self-efficacy, perceived probability of outcomes, prevention versus detection, prevalence and severity of outcomes. All of these are fascinating but a little too deep for our current needs. Baby steps. For many different situations, studies have found that gain frames are more effective in motivating people to take actions that they had previously intended not to take, or hadn't thought to take. I've included in the references below a study about sunscreen usage by beach-goers. It's a good example of what gain-loss studies commonly look like. These studies examine four main frames:

  1. Gain: avoid an undesirable outcome

  2. Gain: obtain a desirable benefit

  3. Loss: incur an undesirable outcome

  4. Loss: forego a desirable benefit

Detweiler et al. (1999) presented beach-goers with informational pamphlets based on one of the four frames listed above. After reading the pamphlet and answering a questionnaire, participants were given a coupon for free sunscreen. Those who read pamphlets based on gain frames were more likely to use the coupons and also reported that they planned to use sunscreen more in the future. Importantly, those who hadn't planned to use sunscreen were more likely to change their minds in reaction to the gain-framed messages and use sunscreen.

Applying to Infosec

Health communication (both in research and practice) focuses on either gain or loss - only one is more effective in a particular situation. After gain or loss is selected, you might narrow it down to one of the more specific types of gain/loss. However, I think the specifics of infosec make options 2 and 4 on the list better.

  1. Gain: avoid an undesirable outcome

  2. Gain: obtain a desirable benefit

  3. Loss: incur an undesirable outcome

  4. Loss: forego a desirable benefit

Even approach 1 - avoid an undesirable outcome - while technically a gain frame, has a negative focus. It can be perceived by the audience as doom and gloom or fear mongering. "If you don't do this, something terrible will happen." Tone and delivery can balance this out to an extent but you are still building negative associations in the audience - with you and with the topic. Given the choice, focus on the positive and make people feel good about engaging with you and the issue. Build positive rapport and positive associations.

We should focus on benefit frames. What sort of benefits will your audience get from doing the recommended behavior? I still think the gain side is better than the loss. Maybe if gain-benefit doesn't work, loss-benefit can be a next step.

What your audience might gain: (shout-out to my Tweeps for these!)

  • Gain a sense of control over their lives and accomplishment for being proactive about their security and privacy

  • Less worry, which = more cognitive resources for other things, less stress and more enjoyment; Freedom to be creative & experiment

  • Opportunity/time to do other things, control, choice

  • Control and empowerment. If a person understands/is aware of security then they don’t feel as helpless or at the mercy of companies.

Sensing a theme here? Some others to consider:

  • Competitive edge (more for an organization/executive)

  • Bragging rights or value add for product

  • Ability to help those around you be more secure (learn one, do one, teach one)

Think about a possible ego boost or other ways you can make your audience feel good about themselves. This will help you build a relationship with your audience, which will increase the chance that they'll come back for more information in the future. Warm fuzzies are the way to go.

Next time, I'll get more into the how of this. What do you need to consider when putting together messages for infosec based on benefit framing? What are some potential pitfalls? etc.


Detweiler, J. B., Bedell, B. T., Salovey, P., Pronin, E., & Rothman, A. J. (1999). Message framing and sunscreen use: gain-framed messages motivate beach-goers. Health Psychology, 18(2), 189.

Rothman, A. J., & Salovey, P. (1997). Shaping perceptions to motivate healthy behavior: the role of message framing. Psychological Bulletin, 121(1), 3.

Tversky, A., & Kahneman, D. (1985). The framing of decisions and the psychology of choice. In Environmental Impact Assessment, Technology Assessment, and Risk Analysis (pp. 107-129). Springer, Berlin, Heidelberg.
