3 Alternatives to Using Fear In Your Security Awareness Training for Employees

Overusing fear in security training and awareness may undermine efforts to build trust and strengthen your security culture. Here are three alternatives.

Is Fear Useful in Security Awareness Training for Employees?

When was the last time someone tried to scare you?

Was it a politician trying to get you to vote for him or his cause?

A salesperson trying to get you to use her product?

A parent trying to get you to go to bed?

Or was it someone running a security training and awareness program for employees, trying to convince you that the world is full of bad guys out to get your data?

No matter which it was, they were all using a tried-and-true technique to get you to act the way they wanted. They were using a “fear appeal”—an attempt to motivate you using fear.

Well, I’m here to argue that if you overdo the “Fear Factor” in your awareness program, you may accidentally undermine your efforts to build trust and strengthen your security culture. You may demotivate your employees, fostering a misunderstanding of the real nature of security threats and ultimately undermining all the hard work you’ve put into developing your program. It’s time for security awareness alternatives to fear.

Fear Is Part of the Culture of Cybersecurity

Now you may say, you’re darned right we’re using fear to motivate people! There’s a vast cybercriminal effort afoot in the world and we need to use fear to shake people out of their complacency and into action.

Fear is everywhere when it comes to cybersecurity. Popular shows like Black Mirror and Mr. Robot (and even the advertising series The Wolf) use fear to generate thrills, and the industry is full of the use of statistics about cybercrime and phishing catch rates to demonstrate that no one is immune from the threat of cybercrime.

Moreover, fear, especially combined with uncertainty and doubt to make FUD, is part of the culture of cybersecurity.

“FUD was originally coined in the 1970s in reference to IBM’s marketing technique of spreading scary rumors about a competitor’s new product to dissuade customers from taking a “risk” by buying it,” wrote Daintry Duffy in CSO.

Ever since, it’s been a mainstay—some would say a crutch—used by security practitioners to try to win budget AND to scare employees into following the rules laid down by IT. (Of course Dan Lohrmann described FUD as a “risky addiction” that can lead to security apathy, and Duffy notes that it can destroy the security team’s credibility in the long run.)

How Fear Makes You Feel

But the fact that fear appeals are everywhere doesn’t make it right. Or effective. Let’s consider why.

Think for a minute about how you respond to attempts to scare you. Your immediate reaction is fairly predictable: you feel fear.

The human response to a fear-based prompt—the fight-or-flight response—is deeply seated and instinctual. Your heartbeat quickens; you breathe faster; your body tenses.

Ever get spooked so bad at a haunted house that you nearly jump out of your skin? This is the feeling I’m talking about.

Even when the response is not so physical, fear creates an instinctual response that is nearly impossible to avoid.

The Science of Fear

Academic research on fear appeals, summarized by Karen Renaud and Marc Dupuis in Cyber Security Fear Appeals: Unexpectedly Complicated, shows that if you’re looking for a sharp reaction or a one-time change of behavior, fear can be quite useful, especially if there is a direct connection between the fear appeal and the recommended behavior change.

Think of hearing a rattlesnake when you’re out hiking. That rattle immediately triggers you to look around and watch your step. Fear = getting bitten. Behavior change = being more cautious.

But, Dupuis and Renaud warn: “we should not unthinkingly reach for a fear appeal when we are confronted with an ill-advised or absent cyber security behavior.”

When the connection between the fear and the behavior change is indirect, or when the desired behavior change is long-term and conceptual, the use of fear may lead people to ignore the advice or actively act against it.

If the long-term goal is to seek a trusted relationship between employees and information security, fear appeals may backfire. Such appeals can make people feel manipulated and distrustful, and, according to researchers writing in Frontiers in Human Neuroscience, force people into “threat appraisals, anxiety, and disengagement.”

In an as-yet-unpublished article titled Scoping the Ethical Principles of Cybersecurity Fear Appeals, Dupuis and Renaud suggest that the use of fear appeals may lead the recipients of such appeals to distrust the motives of those delivering the message.

“Cybersecurity fear appeals should be used with caution,” they write. Their advice is to use philosopher Immanuel Kant’s Golden Rule—“only do to others what you would like others to do to you”—to judge the right time to use a fear appeal.

Alternatives to Fear

If you’ve grown used to using fear as your primary motivator, you may wonder what to use in its place. Here are three ideas to avoid fear and focus on the positive reasons for adopting secure behaviors:

1. Focus on resilience to encourage feelings of strength and stability:

  • An appeal to fear says: “Alert security whenever you see suspicious activity. Just one mistake could cause a data breach that threatens our entire company … including your job.”
  • But an appeal to resilience says: “Even if you don’t have all the details, we’re counting on you to speak up. Your report could be vital to helping us minimize an incident’s impact.”

2. Focus on optimism to encourage creativity and innovation:

  • An appeal to fear says: “Cybercriminals use sophisticated techniques to launch undetectable phishing attacks that penetrate our firewalls and other defenses. And you are the target!”
  • But an appeal to optimism says: “With the right knowledge and acumen, you have the power to stop phishing attacks.”

3. Focus on self-regard to make people feel more empowered:

  • An appeal to fear says: “Legally-binding regulations require that the information of data subjects be kept safe from unauthorized access, collection, and disclosure.”
  • But an appeal to self-regard says: “Treat customers’ personal data with the same care you’d want for your own.”

All this is not to say you can’t ever use a little fear. After all, sometimes the world is a scary place. But as experienced CSO Dan Lohrmann puts it, you should make FUD part of a balanced cyber diet: “Make FUD an appetizer, not the main course.”

All of these positive options turn the focus away from fear, uncertainty, and doubt, and turn it toward engagement—the affirmative sense that employees are in control when it comes to protecting data, both customer and their own.

With security awareness training for employees that puts people first, you’ll stand a real chance of building a strong, resilient security culture.


Like What You Read?

Check out more content from Tom Pendergast on his blog Confessions of an Awareness Nerd.