Fear appeals have been used for thousands of years to scare people into engaging in a specific behavior or omitting an existing one. From religion, public health campaigns, and political ads to, most recently, cybersecurity, fear appeals are believed to be effective tools. However, this assumption is often grounded in intuition rather than evidence. We know little about the specific contexts within which fear appeals may or may not work. In this study, we begin to examine various components of a fear appeal within the context of password hygiene. A large-scale randomized controlled experiment was conducted with one control and three treatment groups: (1) fear only; (2) measures needed and the efficacy of such measures; and (3) fear combined with measures needed and the efficacy of such measures. The results suggest that the most effective way to employ a fear appeal within the cybersecurity domain is by ensuring that fear is not used on its own. Instead, it is important that information on the measures needed to address the threat and the efficacy of such measures is used in combination with information about the nature of the threat. Since many individuals who enter the information technology profession become the de facto security person, it is important for information technology education programs to instill in students the inadequacy of fear, on its own, in motivating secure actions.
CITATION STYLE
Dupuis, M., Jennings, A., & Renaud, K. (2021). Scaring People is Not Enough: An Examination of Fear Appeals within the Context of Promoting Good Password Hygiene. In SIGITE 2021 - Proceedings of the 22nd Annual Conference on Information Technology Education (pp. 35–40). Association for Computing Machinery, Inc. https://doi.org/10.1145/3450329.3476862