It’s all too common to see “fear appeals” used to motivate users to keep their guards up against the vast amount of cybercriminal activity that occurs online daily. The term FUD (Fear, Uncertainty, and Doubt) was originally coined in the 1970s in reference to IBM’s marketing technique of spreading scary rumors about a competitor’s new product. Ever since, it’s been a mainstay used by security practitioners to try to win budget and to scare employees into following the rules laid down by IT. As cybersecurity research Karen Renaud put it in a recent Wall Street Journal piece, “Companies often turn to a powerful emotion to get employees to be vigilant about cybersecurity. They scare them.”
These days, security is everyone’s responsibility. And it should be: after all, even seemingly harmless behaviors or small mistakes can have big consequences. Security awareness training helps get everyone in an organization on the same page, reduces risks and incidents, and helps the entire workforce protect their organization and themselves. But, when we talk about security, leadership teams often use common scare tactics, and not everyone responds well to fear, particularly in a business setting.