Fear Appeals and Information Security Behaviors: An Empirical Study

Information technology executives strive to align the actions of end users with the desired security posture of management and of the firm through persuasive communication. In many cases, some element of fear is incorporated within these communications. However, within the context of computer security and information assurance, it is not yet clear how these fear-inducing arguments, known as fear appeals, will ultimately impact the actions of end users. The purpose of this study is to investigate the influence of fear appeals on the compliance of end users with recommendations to enact specific individual computer security actions toward the mitigation of threats. An examination was performed that culminated in the development and testing of a conceptual model representing an infusion of technology adoption and fear appeal theories. Results of the study suggest that fear appeals do impact end user behavioral intentions to comply with recommended individual acts of security, but the impact is not uniform across all end users. It is determined in part by perceptions of self-efficacy, response efficacy, threat severity, and social influence. The findings of this research contribute to information systems security research, human-computer interaction, and organizational communication by revealing a new paradigm in which IT users form perceptions of the technology, not on the basis of performance gains, but on the basis of utility for threat mitigation.

[1]  M MarakasGeorge,et al.  The Multilevel and Multifaceted Character of Computer Self-Efficacy , 1998 .

[2]  K Witte,et al.  Predicting risk behaviors: development and validation of a diagnostic scale. , 1996, Journal of health communication.

[3]  R. Lennox,et al.  Conventional wisdom on measurement: A structural equation perspective. , 1991 .

[4]  H. Leventhal,et al.  Findings and Theory in the Study of Fear Communications , 1970 .

[5]  R. Stablein Data in Organization Studies , 1999 .

[6]  Irving L. Janis,et al.  Effects of Fear Arousal on Attitude Change: Recent Developments in Theory and Experimental Research1 , 1967 .

[7]  Cheryl Burke Jarvis,et al.  A Critical Review of Construct Indicators and Measurement Model Misspecification in Marketing and Consumer Research , 2003 .

[8]  R. W. Rogers,et al.  A Protection Motivation Theory of Fear Appeals and Attitude Change1. , 1975, The Journal of psychology.

[9]  Merrill Warkentin,et al.  IT Security Governance and Centralized Security Controls , 2006 .

[10]  D. O’Keefe Persuasion , 1990, The Handbook of Communication Skills.

[11]  Jane M. Howell,et al.  Personal Computing: Toward a Conceptual Model of Utilization , 1991, MIS Q..

[12]  Michael A. Sayette,et al.  Cognitive theory and research. , 1999 .

[13]  Detmar W. Straub,et al.  A Practical Guide To Factorial Validity Using PLS-Graph: Tutorial And Annotated Example , 2005, Commun. Assoc. Inf. Syst..

[14]  S. Folkman,et al.  Stress, appraisal, and coping , 1974 .

[15]  Martin P. Loeb,et al.  CSI/FBI Computer Crime and Security Survey , 2004 .

[16]  Merrill Warkentin,et al.  Behavioral and policy issues in information systems security: the insider threat , 2009, Eur. J. Inf. Syst..

[17]  Merrill Warkentin,et al.  Introducing the Check-Off Password System (COPS): An Advancement in User Authentication Methods and Information Security , 2004, J. Organ. End User Comput..

[18]  K. Witte Putting the fear back into fear appeals: The extended parallel process model , 1992 .

[19]  M. Gordon,et al.  The “Science of the Sophomore” Revisited: from Conjecture to Empiricism , 1986 .

[20]  Gerardine DeSanctis,et al.  Understanding the effectiveness of computer graphics for decision support: a cumulative experimental approach , 1986, CACM.

[21]  David J. Kavanagh,et al.  Mood and self-efficacy: Impact of joy and sadness on perceived capabilities , 1985, Cognitive Therapy and Research.

[22]  Merrill Warkentin,et al.  Virtual Teams versus Face-to-Face Teams: An Exploratory Study of a Web-based Conference System* , 1997 .

[23]  Donald Voet,et al.  Time flies when you're having fun , 2009, Biochemistry and molecular biology education : a bimonthly publication of the International Union of Biochemistry and Molecular Biology.

[24]  Robin L. Snipes,et al.  Don't be afraid to use fear appeals: an experimental study , 1996 .

[25]  H. Leventhal,et al.  Fear appeals and persuasion: the differentiation of a motivational construct. , 1971, American journal of public health.

[26]  G. DeSanctis,et al.  The Impact of a Structured-Argument Approach on Group Problem Formulation* , 1995 .

[27]  Detmar W. Straub,et al.  Specifying Formative Constructs in Information Systems Research , 2007, MIS Q..

[28]  Henri Barki,et al.  Explaining the Role of User Participation in Information System Use , 1994 .

[29]  Xin Luo,et al.  A framework for spyware assessment , 2005, CACM.

[30]  Richard D. Johnson,et al.  The Multilevel and Multifaceted Character of Computer Self-Efficacy: Toward Clarification of the Construct and an Integrative Framework for Research , 1998, Inf. Syst. Res..

[31]  Ronald W. Rogers,et al.  Effects of threatening and reassuring components of fear appeals on physiological and verbal measures of emotion and attitudes , 1979 .

[32]  Mark B. Schmidt,et al.  Busting the ghost in the machine , 2005, CACM.

[33]  Elena Karahanna,et al.  Time Flies When You're Having Fun: Cognitive Absorption and Beliefs About Information Technology Usage , 2000, MIS Q..

[34]  Mikko T. Siponen,et al.  A conceptual foundation for organizational information security awareness , 2000, Inf. Manag. Comput. Secur..

[35]  R. Power CSI/FBI computer crime and security survey , 2001 .

[36]  Mark B. Schmidt,et al.  Spyware: a little knowledge is a wonderful thing , 2005, CACM.

[37]  K. Witte Fear control and danger control: A test of the extended parallel process model (EPPM) , 1994 .

[38]  Detmar W. Straub,et al.  Coping With Systems Risk: Security Planning Models for Management Decision Making , 1998, MIS Q..

[39]  Detmar W. Straub,et al.  Diffusing the Internet in the Arab world: the role of social norms and technological culturation , 2003, IEEE Trans. Engineering Management.

[40]  D. Campbell,et al.  Convergent and discriminant validation by the multitrait-multimethod matrix. , 1959, Psychological bulletin.

[41]  Leona E. Tyler,et al.  Scales for the Measurement of Attitudes. , 1967 .

[42]  Tamera R. Schneider,et al.  Visual and Auditory Message Framing Effects on Tobacco Smoking1 , 2001 .

[43]  Joseph E. McGrath,et al.  Dilemmatics: The Study of Research Choices and Dilemmas , 1981 .

[44]  A. Frankel,et al.  A conceptualization of threat communications and protective health behavior. , 1981, Social psychology quarterly.

[45]  W. Shadish,et al.  Experimental and Quasi-Experimental Designs for Generalized Causal Inference , 2001 .

[46]  R. W. Rogers,et al.  Protection motivation and self-efficacy: A revised theory of fear appeals and attitude change , 1983 .

[47]  Jordan Shropshire,et al.  The IT Security Adoption Conundrum: An Initial Step Toward Validation of Applicable Measures , 2007, AMCIS.

[48]  Houston H. Carr,et al.  Threats to Information Systems: Today's Reality, Yesterday's Understanding , 1992, MIS Q..

[49]  Izak Benbasat,et al.  Development of an Instrument to Measure the Perceptions of Adopting an Information Technology Innovation , 1991, Inf. Syst. Res..

[50]  Wolfgang Stroebe,et al.  The Impact of Fear Appeals on Processing and Acceptance of Action Recommendations , 2005, Personality & social psychology bulletin.

[51]  A. A. Lumsdaine Communication and persuasion , 1954 .

[52]  M. Sherer,et al.  The role of vivid information in fear appeals and attitude change , 1984 .

[53]  Gordon B. Davis,et al.  User Acceptance of Information Technology: Toward a Unified View , 2003, MIS Q..

[54]  Sirkka L. Jarvenpaa,et al.  Communication and Trust in Global Virtual Teams , 1999, J. Comput. Mediat. Commun..

[55]  David R. Roskos-Ewoldsen,et al.  Fear appeal messages affect accessibility of attitudes toward the threat and adaptive behaviors , 2004 .

[56]  Detmar W. Straub,et al.  Trust and TAM in Online Shopping: An Integrated Model , 2003, MIS Q..

[57]  Kregg Aytes,et al.  Computer Security and Risky Computing Practices: A Rational Choice Perspective , 2004, J. Organ. End User Comput..

[58]  Detmar W. Straub,et al.  Security concerns of system users: A study of perceptions of the adequacy of security , 1991, Inf. Manag..

[59]  Detmar W. Straub,et al.  Validation Guidelines for IS Positivist Research , 2004, Commun. Assoc. Inf. Syst..

[60]  Fred D. Davis,et al.  A Theoretical Extension of the Technology Acceptance Model: Four Longitudinal Field Studies , 2000, Management Science.

[61]  J. Michael Pearson,et al.  The Changing Demographics: The Diminishing Role of Age and Gender in Computer Usage , 2005, J. Organ. End User Comput..

[62]  R. Rogers Cognitive and physiological processes in fear appeals and attitude change: a revised theory of prote , 1983 .

[63]  Michael S. LaTour,et al.  There are Threats and (Maybe) Fear-Caused Arousal: Theory and Confusions of Appeals to Fear and Fear Arousal Itself , 1997 .

[64]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .

[65]  H. Winklhofer,et al.  Index Construction with Formative Indicators: An Alternative to Scale Development , 2001 .

[66]  S H Croog,et al.  Health beliefs and smoking patterns in heart patients and their wives: a longitudinal study. , 1977, American journal of public health.

[67]  Vallabh Sambamurthy,et al.  Sources of Influence on Beliefs about Information Technolgoy Use: An Empirical Study of Knowledge Workers , 2003, MIS Q..

[68]  I. Ajzen The theory of planned behavior , 1991 .

[69]  Earl R. Babbie,et al.  The practice of social research , 1969 .