Fear appeal is a common tactic to highlight the dangers of unsafe cyber behaviour in many cybersecurity awareness campaigns.
A dramatic scene shows an employee opening an innocent-looking email. Bam! Malicious software spreads like wildfire through the company’s network and all screens turn black. Operational chaos and massive financial losses result from that one simple yet effective phishing email. Now that should scare people straight, right?
Fear appeal is a common tactic in many security awareness campaigns to highlight the dangers of unsafe behaviour. By painting the most terrifying doom scenarios, we expect to get employees to comply with security rules and policies. Or maybe you hope to shake people up with the latest hyperrealistic phishing test. But does fear appeal really work? Let’s dive into the science behind fear appeal and how it does or does not change people’s behaviour.
What is Fear Appeal?
Fear appeal is a communication tactic that aims to change people’s behaviour by confronting them with a threatening or scary consequence. Think of anti-smoking ads with graphic images of lung disease or car safety campaigns depicting horrific accidents to discourage texting while driving. At first sight, it feels like these fear appeal tactics should work. If the risks and consequences are severe enough, anyone should want to avoid them, surely?
But if fear alone were enough, nobody would smoke, and texting while driving would be unthinkable. After all, it’s hard to imagine a more severe consequence than your own death. Compared to that, the potential fallout of ignoring a company’s security policy – even if it leads to ransomware – seems almost trivial. And yet, people still engage in these risky behaviours. Is it because they’re unaware of the dangers? Not exactly. It’s because we are missing something more fundamental about how people actually make decisions.
The myth of rationality
The effectiveness of fear appeal has been extensively studied through a scientific theory called protection motivation theory (Maddux & Rogers, 1983). This theory explains that people respond to fear by weighing two things: how severe and personally relevant the threat feels, and how capable they believe they are of countering it with protective actions. If a threat feels overwhelming, or if people don’t believe an action will effectively protect them, they won’t take protective action. Instead, they will deny or avoid the issue.
The fact that we sometimes turn away from danger, even when we know better, shows that we’re not as rational as we like to think. For example, take the work by Nobel-prize winner Daniel Kahneman and Amos Tversky (1979) on how people make decisions under uncertainty. Studies drawing on their theory, called prospect theory, showed that when people feel they are losing ground and the status quo is threatened, they actually start showing more risky behaviour (Scholer et al., 2010). In other words, instead of being naturally averse to risk, people become risk-seeking under specific circumstances. Similarly, inducing fear of some type of threat does not necessarily make people take action.
How fear appeal can backfire
In 2013, the fictional National Geographic Channel docudrama “American Blackout” aired, exploring a national power outage in the United States caused by a cyberattack. The film showed the devastating societal impacts and chaos that could follow. Researchers Lawson et al. (2016) jumped at the chance to study the impact of such a doom scenario by analysing real-time responses on Twitter.
The analysis showed that while some people expressed heightened concern and urgency about implementing cybersecurity measures, many others felt a sense of fatalism and helplessness. This latter group seemed paralysed by fear, showing less motivation to take protective actions. In other words, instead of spurring protective actions, fear appeal sometimes leads to fatalism and inaction.
So, while heightened fear can spark concern, it can also lead to inaction or avoidance behaviours if the threat seems too big to handle. In other words, fear can lead to paralysis. And that’s the last thing you want when talking about the importance of information security.
How to use fear appeal effectively
But let’s not throw the baby out with the bath water. Research in the field of behaviour change and persuasive communication shows that fear appeal can work – under certain conditions. Therefore, here are three things to keep in mind when using it in information security communication:
1. Combine it with a Clear Call to Action: Fear without action is just a horror movie. Always pair fear-inducing messages with straightforward, actionable steps people can take to protect themselves. For example, don’t just talk about the dangers of unsafe passwords – take them through the specific steps to enable multifactor authentication.
2. Limit the fear dose: Don’t crank the fear dial up to eleven. Your messages should spark concern, not panic or paralysis. For example, Tannenbaum et al. (2015) reviewed over a hundred studies and found that fear appeals generally increase compliance, but the effects level off as the intensity of fear rises. In other words: more fear is not always better – use enough to raise attention, but keep it proportionate and combine it with actionable, realistic steps.
3. Stimulate a sense of efficacy: Show how effective the recommended actions are to reassure people they can successfully mitigate the threat. If possible, provide examples of how these actions have worked in similar situations. When people are confident their efforts will have positive results, they’re more likely to follow through consistently and diligently. This boosted sense of effectiveness can be a strong motivator in sticking to rules and policies.
Getting the Balance Right
In conclusion, while fear appeal can be effective in communication around information security risks, it must be used with caution. Overwhelming people with fear can lead to paralysis and inaction – outcomes that are counterproductive to improving safe behaviour in your organisation. However, fear appeal can be useful for raising concern when it matters most, like board meetings. Just ensure that you limit the fear-dose and combine it with actionable and realistic steps that your audience can take to reduce risks.
About Tünde van Hoek
Drs. Tünde van Hoek has worked in the field of behaviour change for nearly ten years. During this time, she has supported numerous Dutch ministries and other large-scale organisations in designing effective campaigns and interventions by applying behavioural science. After gaining experience across diverse areas such as sustainability, health, and road safety, she turned her focus to cybersecurity in 2022. In November 2024, she founded the cybersecurity start-up BehaviorBirds, with the mission of moving beyond awareness and advancing cybersecurity by applying behavioural science to bespoke programmes, campaigns, and interventions.
About BehaviorBirds: BehaviorBirds bridges the gap between security awareness and real behaviour change. They apply behavioural science to help organisations protect themselves against cybercrime through tailored programmes campaigns and interventions. Rather than relying on traditional awareness training, BehaviorBirds focuses on the underlying drivers of behaviour – such as risk perception social norms and resistance – and translates these insights into practical strategies. Its services include researching security behaviours, designing evidence-based solutions and equipping cybersecurity professionals to influence behaviour from within.
HORIZON Risk Thought >> Fast Forward
The complexity of today´s risk environment is changing at an accelerating pace, making risk management even more challenging. We have created HORIZON, firstly as a print publication and now as a page for sharing the latest insights about ongoing transformations. Our risk specialists will continue to provide their expertise and knowledge to shine a light on the challenges of the future.
Tünde van Hoek
Founder
BehaviorBirds
