Abstract
Fear appeals have been used for thousands of years to scare people
into engaging in a specific behavior or omitting an existing one.
From religion and public health campaigns to political ads and, most recently, cybersecurity, fear appeals are believed to be effective tools.
However, this assumption is often grounded in intuition rather
than evidence. We know little about the specific contexts within
which fear appeals may or may not work. In this study, we begin to
examine various components of a fear appeal within the context of
password hygiene. A large-scale randomized controlled experiment
was conducted with one control and three treatment groups: (1) fear
only; (2) measures needed and the efficacy of such measures; and
(3) fear combined with measures needed and the efficacy of such
measures. The results suggest that the most effective way to employ
a fear appeal within the cybersecurity domain is by ensuring that
fear is not used on its own. Instead, it is important that information
on the measures needed to address the threat and the efficacy of
such measures is used in combination with information about the
nature of the threat. Since many individuals who enter the information technology profession become the de facto security person,
it is important for information technology education programs to
instill in students the inadequacy of fear, on its own, in motivating
secure actions.