It’s all too common to see “fear appeals” used to motivate users to keep their guards up against the vast amount of cybercriminal activity that occurs online daily. The term FUD (Fear, Uncertainty, and Doubt) was originally coined in the 1970s in reference to IBM’s marketing technique of spreading scary rumors about a competitor’s new product. Ever since, it’s been a mainstay used by security practitioners to try to win budget and to scare employees into following the rules laid down by IT. As cybersecurity researcher Karen Renaud put it in a recent Wall Street Journal piece, “Companies often turn to a powerful emotion to get employees to be vigilant about cybersecurity. They scare them.”
These days, security is everyone’s responsibility. And it should be: after all, even seemingly harmless behaviors or small mistakes can have big consequences. Security awareness training helps get everyone in an organization on the same page, reduces risks and incidents, and helps the entire workforce protect their organization and themselves. But, when we talk about security, leadership teams often use common scare tactics, and not everyone responds well to fear, particularly in a business setting.
Research shows that using fear may lead people to ignore advice, or worse, actively act against it. If you overdo the “Fear Factor” in your awareness program, you may accidentally undermine your efforts to build trust and strengthen your security culture. You may demotivate your employees, foster a misunderstanding of the real nature of security threats, and ultimately undermine all the hard work you’ve put into developing your program. Instead, organizations that want to motivate their employees to practice good cyber hygiene should focus on resilience, optimism, and self-regard in order to make users feel more empowered. It’s time to consider alternatives to fear in security awareness.
Alternatives to Fear
If you’ve grown used to using fear as your primary motivator, you may wonder what to use in its place. Here are three ideas to avoid fear and focus on the positive reasons for adopting secure behaviors:
1. Focus on resilience to encourage feelings of strength and stability:
An appeal to fear says: “Alert security whenever you see suspicious activity. Just one mistake could cause a data breach that threatens our entire company … including your job.”
But an appeal to resilience says: “Even if you don’t have all the details, we’re counting on you to speak up. Your report could be vital to helping us minimize an incident’s impact.”
2. Focus on optimism to encourage creativity and innovation:
An appeal to fear says: “Cybercriminals use sophisticated techniques to launch undetectable phishing attacks that penetrate our firewalls and other defenses. And you are the target!”
But an appeal to optimism says: “With the right knowledge and acumen, you have the power to stop phishing attacks.”
3. Focus on self-regard to make people feel more empowered:
An appeal to fear says: “Legally-binding regulations require that the information of data subjects be kept safe from unauthorized access, collection, and disclosure.”
But an appeal to self-regard says: “Treat customers’ personal data with the same care you’d want for your own.”
All this is not to say you can’t ever use a little fear. After all, sometimes the world is a scary place. But as experienced CSO Dan Lohrmann puts it, you should make FUD part of a balanced cyber diet: “Make FUD an appetizer, not the main course.” (I might go further and recommend it as a condiment!)
All of these positive options turn the focus away from fear, uncertainty, and doubt, and turn it toward engagement—the affirmative sense that employees are in control when it comes to protecting data, both customers’ and their own. With security awareness training for employees that puts people first, you’ll stand a real chance of building a strong, resilient security culture.