There are a few more things you might want to consider when you're using benefit framing for infosec. These are slightly more advanced considerations but they're at least worth having on your mind.
This is the idea that certain people won't respond to your messaging because they're already doing the recommended behavior. It's also from that sunscreen study I keep talking about (citation below) and I think it might apply to infosec, especially with certain audiences. More specifically, people who've topped out think that they're already doing enough to mitigate their risks. With sunscreen and infosec, this belief probably isn't true for most people. Even if you're using sunscreen at the beach, you probably don't wear it everyday which you should. Most people think they're doing enough to be secure - maybe because they think their behavior is good or maybe because they don't think their risk is very high. Whatever the reason for this perception, how do we get people over the hump and convince them that they need to be doing more?
As with most of our stumbling blocks, this comes down to risk perception. Why won't people just perceive their risk properly?! People don't think their risk is high enough to justify further action, or they think that their current action brings their risk down to an acceptable level. Remember, it isn't about reducing risk to zero, it's about reducing it to a level you can tolerate. So what you have to do is prove that, with their current behavior, their risk hasn't been reduced to a tolerable level.
You cannot make them feel bad for their inaccurate risk perception or they'll totally disengage. Re-educate them about their risk in a way that makes it okay that they've been wrong. Give them a reason why their current risk perception is inaccurate - "Here's brand new information you wouldn't have had access to before now." or "You're a special case in which that basic risk assessment is inaccurate" - bonus points for making them feel special.
One finding of the sunscreen study was that the specific setting or context of the message might limit the context in which the recommended action is performed. People who said they were more likely to use sunscreen at the beach weren't more likely to use sunscreen during other outdoor activity. The protective behavior was associated only with the beach in their minds. They didn't think about using sunscreen anytime they were in the sun, only when they were at they beach. Being more specific can improve the persuasive power of your message but you have to decide if you're try to persuade people to do a single specific behavior or just trying to make them think about being more secure generally.
I would advise going more specific in most cases. Persuasion to change general worldview - "I should be more secure" - is very difficult. You're better investment is in smaller attempts at specific persuasion. If you can give them multiple situations in which to use the specific behavior, all the better.
Basically - "you don't know my life. Don't tell me what to do, man!"
People don't like being told what to do. In scholarship, this is referred to as reactance. If we feel like our freedom is being constrained, we will resist that by "derogating the source" of the message (Rains, 2013, p. 47) or adopting the opposite position of the persuasion, to name a few styles. "Oh you're telling me not to do X, watch me do X with gusto and flair!"
One key to avoiding reactance is to make your audience think they came to the decision on their own. You didn't tell them what to do; you gave them information and they decided to act. This tactic is used all the time - parents use it on their children, children use it on their parents, people use it on their bosses, etc.
If you don't manage to avoid reactance altogether, you can work to counteract it. If your audience starts challenging you with "I don't need to do this because I'm so special that the risks don't apply to me - or - you haven't thought about this which means I don't have to do what you say." Tell them exactly why these risks apply to them - why they aren't special.
Also ask them why they are so resistant to the behavior. This will help determine if they have legitimate issue with your recommendation (low self or response efficacy, perhaps?) or if they're just being reactive. Be nice about it though, they might not consciously realize they're just being contradictory for the sake of it. In a curious, not frustrated or accusatory tone, as them: What are you going to lose from doing this? or What do you lose from being more secure? Listen to their responses and try to address them. If they keep coming up with new reasons no matter what you say, you're definitely dealing with reactance.
A good thing to remind them is that:
"An ounce of prevention is worth a pound of cure"
- Benjamin Franklin
Or, if you prefer the empirically supported academic version:
"Prevention behaviors, in contrast, are less risky than detection behaviors. For example, sunscreen use directly reduces future risk of skin cancer while offering little or no current risk to the individual."
Detweiler et al. p. 190
It's easier to prevent something than it is to fix it once it's broken. Taking a preventative action poses less risk than waiting and relying on tests or scans to detect a problem after its occurred. It gains you some peace of mind and allows you to worry less when you do detection - you're much more anxious when you haven't prepared for a test of any kind.
Including data on prevalence and severity of outcomes
In the sunscreen study, and most other gain-loss framing research, the messaging includes information about the potential outcomes from failure to act - sun burn, skin damage, cancer. The information is kept objective and tells the audience the likelihood and severity of these outcomes. I don't think that this information is neutral. It will be perceived by many audiences as threatening no matter how objectively it is presented. Making the audience aware of the risk is important and using prevalence and severity statistics is a key tactic but it should be used sparingly to avoid the perception of fear mongering.
This is very much at the hypothetical stage. Empirical testing is required to determine whether this is actually the best approach or not. We know from health communication that different types of risks and protective actions require different framing. Some are better served by loss framing but only an experimental study can tell us which is better for particular security behaviors.
We have finally reached the end of this series on gain-loss framing (for now). I explored what gain-loss framing is, how it has been examined in disciplines liked health and emergency preparedness, and how it can be applied to infosec persuasion. I see this as a useful approach to moving infosec communication more proactive and positive - hopefully allowing us to build relationships with our audiences.
Detweiler, J. B., Bedell, B. T., Salovey, P., Pronin, E., & Rothman, A. J. (1999). Message framing and sunscreen use: gain-framed messages motivate beach-goers. Health Psychology, 18(2), 189.
Rains, S. A. (2013). The nature of psychological reactance revisited: a meta‐analytic review. Human Communication Research, 39(1), 47-73.