article

Fear appeals and information security behaviors: an empirical study

Authors:

Allen C. Johnston,

Merrill WarkentinAuthors Info & Claims

MIS Quarterly, Volume 34, Issue 3

Pages 549 - 566

Published: 01 September 2010 Publication History

Abstract

Information technology executives strive to align the actions of end users with the desired security posture of management and of the firm through persuasive communication. In many cases, some element of fear is incorporated within these communications. However, within the context of computer security and information assurance, it is not yet clear how these fear-inducing arguments, known as fear appeals, will ultimately impact the actions of end users. The purpose of this study is to investigate the influence of fear appeals on the compliance of end users with recommendations to enact specific individual computer security actions toward the mitigation of threats. An examination was performed that culminated in the development and testing of a conceptual model representing an infusion of technology adoption and fear appeal theories.

Results of the study suggest that fear appeals do impact end user behavioral intentions to comply with recommended individual acts of security, but the impact is not uniform across all end users. It is determined in part by perceptions of self-efficacy, response efficacy, threat severity, and social influence. The findings of this research contribute to information systems security research, human-computer interaction, and organizational communication by revealing a new paradigm in which IT users form perceptions of the technology, not on the basis of performance gains, but on the basis of utility for threat mitigation.

References

[1]

Agarwal, R., and Karahanna, E. 2000. "Time Flies When You're Having Fun: Cognitive Absorption and Beliefs about Information Technology," MIS Quarterly (24:4), pp. 665-694.

Digital Library

[2]

Ajzen, I. 1991. "The Theory of Planned Behavior," Organizational Behavior and Human Decision Processes (50:2), pp. 179-211.

[3]

Arnett, K. P., and Schmidt, M. B. 2005. "Busting the Ghost in the Machine," Communications of the ACM (48:8), pp. 92-95.

Digital Library

[4]

Aytes, K., and Connolly, T. 2004. "Computer Security and Risky Computing Practices: A Rational Choice Perspective," Journal of Organizational & End User Computing (16:3), pp. 22-40.

[5]

Babbie, E. 2004. The Practice of Social Research, Belmont, CA: Wadsworth/Thomson Learning.

[6]

Bagozzi, R. P., and Fornell, C. 1982. "Theoretical Concepts, Measurement, and Meaning," in A Second Generation of Multivariate Analysis, C. Fornell (ed.), New York: Praeger.

[7]

Beck, K. H., and Frankel, A. 1981. "A Conceptualization of Threat Communications and Protective Health Behavior," Social Psychology Quarterly (44:3), pp. 204-217.

[8]

Bollen, K. A., and Lennox, R. 1991. 'Conventional Wisdom on Measurement: A Structural Equation Perspective," Psychological Bulletin (110:2), pp. 305-314.

[9]

Campbell, D. T., and Fiske, D. W. 1959. "Convergent and Discriminant Validation by the Multi-Trait--Multi-Method Matrix," Psychological Bulletin (56:2), pp. 81-105.

[10]

Campbell, D. T., and Stanley, J. 1963. Experimental and Quasi-Experimental Designs for Research, Chicago, IL: Rand McNally.

[11]

Cook, T. D., and Campbell, D. T. 1979. Quasi Experimentation: Design and Analytical Issues for Field Settings, Chicago, IL: Rand McNally.

[12]

Croog, S. H., and Richards, N. P. 1977. "Health Beliefs and Smoking Patterns in Heart Patients and Their Wives: A Longitudinal Study," American Journal of Public Health (67:10), pp. 921-930.

[13]

Diamantopoulos, A., and Winklhofer, H. 2001. "Index Construction with Formative Indicators: An Alternative to Scale Development," Journal of Marketing Research (38:2), pp. 269-277.

[14]

Dickson, G. W., DeSanctis, G., and McBride, D. J. 1986. "Understanding the Effectiveness of Computer Graphics for Decision Support: A Cumulative Experimental Approach," Communications of the ACM (29:1), pp. 40-47.

Digital Library

[15]

Fishbein, M., and Ajzen, I. 1975. Belief, Attitude, Intention and Behavior, Reading, MA: Addison-Wesley.

[16]

Fornell, C., and Larcker, D. F. 1981. "Evaluating Structural Equations with Unobservable Variables and Measurement Error," Journal of Marketing Research (18:1), pp. 39-50.

[17]

Gefen, D., Karahanna, E., and Straub, D. W. 2003. "Trust and TAM in Online Shopping: An Integrated Model," MIS Quarterly (27:1), pp. 51-90.

Digital Library

[18]

Gefen, D., and Straub, D. W. 2005. "A Practical Guide to Factorial Validity using PLS-Graph: Tutorial and Annotated Example," Communications of the AIS (16:25), pp. 91-109.

[19]

Goodhue, D., and Straub, D. W. 1991. "Security Concerns of System Users: A Study of Perceptions of the Adequacy of Security Measures," Information and Management (20:1), pp. 13-27.

Digital Library

[20]

Gordon, M. E., Slade, L. A., and Schmitt, N. 1986. "The 'Science of the Sophomore' Revisited: From Conjecture to Empiricism," Academy of Management Review (11:1), pp. 191-207.

[21]

Gutek, B. A., and Winter, S. J. 1990. "Computer Use, Control Over Computers, and Job Satisfaction," in People's Reactions to Technology, The Claremont Symposium on Applied Social Psychology, S. Oskamp, and S. Spacapan, (eds.), Newbury Park, CA: Sage Publications.

[22]

Hartwick, J., and Barki, H. 1994. "Explaining the Role of User Participation in Information System Use," Management Science (40:4), pp. 440-465.

[23]

Hoffer, J. A., and Straub, D. W. 1989. "The 9 to 5 Underground: Are You Policing Computer Crimes?," Sloan Management Review (30:4), pp. 35-43.

[24]

Hoog, N. D., Stroebe, W., and Wit, J. B. 2005. "The Impact of Fear Appeals on Processing and Acceptance of Action Recommendations," Personality and Social Psychology Bulletin (31:1), pp. 24-33.

[25]

Hovland, C., Janis, I. L., and Kelly, H. 1953. Communication and Persuasion, New Haven, CT: Yale University Press.

[26]

Janis, I. L. 1967. "Effects of Fear Arousal on Attitude Change: Recent Developments in Theory and Experimental Research," in Advances in Experimental Social Psychology, L. Berkowitz (ed.), New York: Academic Press, pp. 166-225.

[27]

Jarvenpaa, S., and Leidner, D. 1999. "Communication and Trust in Global Virtual Teams," Organization Science (10:6), pp. 791-815.

Digital Library

[28]

Jarvis, C. B., Mackenzie, P. M., and Podsakoff, P. M. 2003. "A Critical Review of Construct Indicators and Measurement Model Misspecification in Marketing and Consumer Research," Journal of Consumer Research (30:2), pp. 199-218.

[29]

Kavanagh, D. J., and Bower, G. H. 1985. "Mood and Self-Efficacy: Impact of Joy and Sadness on Perceived Capabilities," Cognitive Theory and Research (9), pp. 507-525.

[30]

Knight, M. B., and Pearson, J. M. 2005. "The Changing Demographics: The Diminishing Role of Age and Gender in Computer Usage," Journal of Organizational & End User Computing (17:4), pp. 49-65.

[31]

LaTour, M. S., and Rotfeld, H. J. 1997. "There are Threats and (Maybe) Fear-Caused Arousal: Theory and Confusions of Appeals to Fear and Fear Arousal Itself," Journal of Advertising (26:3), pp. 45-59.

[32]

LaTour, M. S., and Snipes, R. L. 1996. "Don't be Afraid to Use Fear Appeals: An Experimental Study," Journal of Advertising Research (36:2), pp. 59-67.

[33]

Lazarus, R. S., and Folkman, S. 1984. Stress, Appraisal, and Coping, New York: Springer Publishing.

[34]

Leventhal, H. 1970. "Findings and Theory in the Study of Fear Communications," in Advances in Experimental Social Psychology, L. Berkowitz (ed.), New Yorik: Academic Press.

[35]

Leventhal, H. 1971. "Fear Appeals and Persuasion: The Differentiation of a Motivational Construct," American Journal of Public Health (61), pp. 1208-1224.

[36]

Lewis W., Agarwal, R., and Sambamurthy, V. 2003. "Sources of Influence on Beliefs about Information Technology Use: An Empirical Study of Knowledge Workers," MIS Quarterly (27:4), pp. 657-678.

[37]

Loch, K. D., Carr, H. H., and Warkentin, M. E. 1992. "Threats to Information Systems: Today's Reality, Yesterday's Understanding," MIS Quarterly (16:2), pp. 173-186.

[38]

Loch, K. D., Straub, D. W., and Kamel, S. Kamel. 2003. "Diffusing the Internet in the Arab World: The Role of Social Norms and Technological Culturation," IEEE Transactions on Engineering Management (50:1), pp. 45-63.

[39]

Maddux, J. E., and Rogers, R. W. 1983. "Protection Motivation and Self-Efficacy: A Revised Theory of Fear Appeals and Attitude Change," Journal of Experimental Social Psychology (19), pp. 469-479.

[40]

Marakas, G. M., Yi, M. Y., and Johnson, R. D. 1998. "The Multilevel and Multifaceted Character of Computer Self-Efficacy: Toward Clarification of the Construct and an Integrative Framework for Research," Information Systems Research (9:2), pp. 126-163.

Digital Library

[41]

McGrath, J. 1982. "Dilemmatics: The Study of Research Choices and Dilemmas," in Judgement Calls in Research, J. McGrath, J. Martin, and R. Kulka (eds.), Beverly Hills, CA: Sage Publications, pp. 69-103.

[42]

McGuire W. J. 1968. "Personality and Susceptibility to Social Influence," in Handbook of Personality Theory and Research, E. Borgatta and W. Lambert (eds.), Chicago: Rand McNally, pp. 1130-1187.

[43]

McGuire W. J. 1969. "The Nature of Attitudes and Attitude Change," in The Handbook of Social Psychology, G. Lindzey and E. Aronson (eds.), Reading, MA: Addison-Wesley, pp. 136-314.

[44]

Mewborn, C. R., and Rogers, R. W. 1979. "Effects of Threatening and Reassuring Components of Fear Appeals on Physiological and Verbal Measures of Emotion and Attitudes," Journal of Experimental Social Psychology (15:3), pp. 242-253.

[45]

Moore, G. C., and Benbasat, I. 1991. "Development of an Instrument to Measure the Perceptions of Adopting an Information Technology Innovation," Information Systems Research (2:3), pp. 192-222.

Digital Library

[46]

Niederman, F., and DeSanctis, G. 1995. "The Impact of a Structured-Argument Approach on Group Problem Formulation," Decision Sciences (26:4), pp. 451-474.

[47]

O'Keefe, D. J. 1990. Persuasion: Theory and Research, Newbury Park, CA: Sage Publications.

[48]

Petter S., Straub, D. W., and Rai, A. 2007. "Specifying Formative Constructs in Information Systems Research," MIS Quarterly (31:4), pp. 623-656.

Digital Library

[49]

Richardson, R. 2007. "2007 CSI/FBI Computer Crime and Security Survey," Computer Security Institute (http://www.gocsi.com/ press/20070913.jhtml).

[50]

Rogers, R. W. 1975. "A Protection Motivation Theory of Fear Appeals and Attitude Change," Journal of Psychology (91), pp. 93-114.

[51]

Rogers, R. W. 1983. "Cognitive and Physiological Processes in Fear Appeals and Attitude Change: A Revised Theory of Protected Motivation," in Social Psychophysiology: A Sourcebook, J. T. Cacioppo, and R. E. Petty (eds.), New York: The Guilford Press.

[52]

Roskos-Ewoldsen, D. R., Yu, H. J., and Rhodes, N. 2004. "Fear Appeal Messages Affect Accessibility of Attitudes Toward the Threat and Adaptive Behaviors," Communication Monographs (71:1), pp. 49-69.

[53]

Schmidt, M. B., and Arnett, K. P. 2005. "Spyware: A Little Knowledge is a Wonderful Thing," Communications of the ACM (48:8), pp. 67-70.

Digital Library

[54]

Schneider, T. R., Salovey, P., Pallonen, U., Mundorf, N, Smith, N. F., and Steward, W. T. 2001. "Visual and Auditory Message Framing Effects on Tobacco Smoking," Journal of Applied Social Psychology (31:4), pp. 667-682.

[55]

Shadish, W. R., Cook, T. D., and Campbell, D. T. 2001. Experimental and Quasi-Experimental Designs for Generalized Causal Inference, New York: Houghton-Mifflin Publishers.

[56]

Shaw, M. E., and Wright, J. M. 1967. Scales for the Measurement of Attitudes, New York: McGraw Hill.

[57]

Sherer, M., and Rogers, R. W. 1984. "The Role of Vivid Information in Fear Appeals and Attitude Change," Journal of Research in Personality (18:3), pp. 321-334.

[58]

Siponen, M. T. 2000. "A Conceptual Foundation for Organizational Information Security Awareness," Information Management and Computer Security (8:1), pp. 31-41.

[59]

Stablein. R. 1999. "Data in Organization Studies," in Studying Organizations: Theory and Method, S. Clegg and C. Hardy (eds.), London: Sage Publications, pp.255-271.

[60]

Straub, D. W., Boudreau, M. C., and Gefen, D. 2004. "Validation Guidelines for IS Positivist Research," Communications of AIS (13), pp. 380-427.

[61]

Straub, D. W., and Welke, R. J. 1998. "Coping with Systems Risk: Security Planning Models for Management Decision Making," MIS Quarterly (22:4), pp. 441-469.

Digital Library

[62]

Sutton, S. R. 1982. "Fear-Arousing Communications: A Critical Examination of Theory and Research," in Social Psychology and Behavioral Medicine, J. R. Eiser (ed.), London: Wiley, pp. 303-337.

[63]

Thompson, R. L., Higgins, C. A., and Howell, J. M. 1991. "Personal Computing: Toward a Conceptual Model of Utilization," MIS Quarterly (15:1), pp. 125-143.

Digital Library

[64]

Venkatesh, V., and Davis, F. D. 2000. "A Theoretical Extension of the Technology Acceptance Model," Management Science (46:2), pp. 186-204.

[65]

Venkatesh, V., Morris, M. G., Davis, G. B., and Davis, F. D. 2003. "User Acceptance of Information Technology: Toward a Unified View," MIS Quarterly (27:3), pp. 425-478.

Digital Library

[66]

Warkentin, M., Davis, K., and Bekkering, E. 2004. "Introducing the Check-Off Password System (COPS): An Advancement in User Authentication Methods and Information Security," Journal of Organizational & End User Computing (16:3), pp. 41-58.

[67]

Warkentin, M., and Johnston, A. C. 2006. "IT Security Governance and Centralized Security Controls," in Enterprise Information Assurance and System Security: Managerial and Technical Issues, M. Warkentin, and R. Vaughn (eds.), Hershey, PA: Idea Group Publishing, pp. 16-24.

[68]

Warkentin, M., and Johnston, A. C. 2008. "IT Governance and Organizational Design for Security Management," in Information Security: Policies, Processes, and Practices, D. W. Straub, S. Goodman, and R. L. Baskerville (eds.), Armonk, NY: M. E. Sharpe, pp. 46-68.

[69]

Warkentin, M., Luo, X., and Templeton, G. F. 2005. "A Framework for Spyware Assessment," Communications of the ACM (48:8), pp. 79-84.

Digital Library

[70]

Warkentin, M., Sayeed, L., and Hightower, R. 1997. "Virtual Teams Versus Face-to-Face Teams: An Exploratory Study of a Web-Based Conference System," Decision Sciences (28:4), pp. 975-996.

[71]

Warkentin, M., Shropshire, J. and Johnston, A. C. 2007. "The IT Security Adoption Conundrum: An Initial Step Toward Validation of Applicable Measures," Proceedings of the 2007 Americas Conference on Information Systems, Keystone, CO, August 9-11.

[72]

Warkentin, M., and Willison, R. 2009. "Behavioral and Policy Issues in Information Systems Security: The Insider Threat," European Journal of Information Systems (18:2), pp. 101-105.

[73]

Witte, K. 1992. "Putting the Fear Back into Fear Appeals: The Extended Parallel Process Model," Communication Monographs (59), pp. 329-349.

[74]

Witte, K. 1994. "Fear Control and Danger Control: A Test of the Extended Parallel Process Model (EPPM)," Communication Monographs (61), pp. 113-134.

[75]

Witte, K., Cameron, K. A., McKeon, J. K., and Berkowitz, J. M. 1996. "Predicting Risk Behaviors: Development and Validation f a Diagnostic Scale," Journal of Health Communication (1), pp. 317-341.

Cited By

Wakefield RWakefield L(2024)How Do Job Seekers Respond to Cybervetting? An Exploration of Threats, Fear, and Access ControlACM SIGMIS Database: the DATABASE for Advances in Information Systems10.1145/3645057.364506455:1(136-155)Online publication date: 6-Feb-2024
https://dl.acm.org/doi/10.1145/3645057.3645064
Burns ARoberts TPosey CLowry PFuller B(2023)Going Beyond DeterrenceInformation Systems Research10.1287/isre.2022.113334:1(342-362)Online publication date: 1-Mar-2023
https://dl.acm.org/doi/10.1287/isre.2022.1133
Khern-am-nuai WHashim MPinsonneault AYang WLi N(2023)Augmenting Password Strength Meter Design Using the Elaboration Likelihood ModelInformation Systems Research10.1287/isre.2022.112534:1(157-177)Online publication date: 1-Mar-2023
https://dl.acm.org/doi/10.1287/isre.2022.1125
Show More Cited By

Index Terms

Fear appeals and information security behaviors: an empirical study

Recommendations

What do systems users have to fear? using fear appeals to engender threats and fear that motivate protective security behaviors

Because violations of information security (ISec) and privacy have become ubiquitous in both personal and work environments, academic attention to ISec and privacy has taken on paramount importance. Consequently, a key focus of ISec research has been ...
An enhanced fear appeal rhetorical framework: leveraging threats to the human asset through sanctioning rhetoric

Fear appeals, which are used widely in information security campaigns, have become common tools in motivating individual compliance with information security policies and procedures. However, empirical assessments of the effectiveness of fear appeals ...
Employees' adherence to information security policies: An exploratory field study

The key threat to information security comes from employees who do not comply with information security policies. We developed a new multi-theory based model that explained employees' adherence to security policies. The paradigm combines elements from ...

Comments

Information & Contributors

Information

Published In

cover image MIS Quarterly

MIS Quarterly Volume 34, Issue 3

September 2010

261 pages

ISSN:0276-7783

Issue’s Table of Contents

Publisher

Society for Information Management and The Management Information Systems Research Center

United States

Publication History

Published: 01 September 2010

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

110
Total Citations
View Citations
32
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 13 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Wakefield RWakefield L(2024)How Do Job Seekers Respond to Cybervetting? An Exploration of Threats, Fear, and Access ControlACM SIGMIS Database: the DATABASE for Advances in Information Systems10.1145/3645057.364506455:1(136-155)Online publication date: 6-Feb-2024
https://dl.acm.org/doi/10.1145/3645057.3645064
Burns ARoberts TPosey CLowry PFuller B(2023)Going Beyond DeterrenceInformation Systems Research10.1287/isre.2022.113334:1(342-362)Online publication date: 1-Mar-2023
https://dl.acm.org/doi/10.1287/isre.2022.1133
Khern-am-nuai WHashim MPinsonneault AYang WLi N(2023)Augmenting Password Strength Meter Design Using the Elaboration Likelihood ModelInformation Systems Research10.1287/isre.2022.112534:1(157-177)Online publication date: 1-Mar-2023
https://dl.acm.org/doi/10.1287/isre.2022.1125
Ifinedo PMengesha NBekele R(2022)Effects of Personal Factors and Organizational Reinforcing Tools in Decreasing Employee Engagement in Unhygienic Cyber PracticesJournal of Global Information Management10.4018/JGIM.29932430:1(1-27)Online publication date: 14-Jul-2022
https://dl.acm.org/doi/10.4018/JGIM.299324
Ogbanufe OBaham C(2022)Using Multi-Factor Authentication for Online Account Security: Examining the Influence of Anticipated RegretInformation Systems Frontiers10.1007/s10796-022-10278-125:2(897-916)Online publication date: 19-Apr-2022
https://dl.acm.org/doi/10.1007/s10796-022-10278-1
Attili VMathew SSugumaran V(2022)Information Privacy Assimilation in IT OrganizationsInformation Systems Frontiers10.1007/s10796-021-10158-024:5(1497-1513)Online publication date: 1-Oct-2022
https://dl.acm.org/doi/10.1007/s10796-021-10158-0
Wall JPalvia PD’Arcy J(2022)Theorizing the Behavioral Effects of Control Complementarity in Security Control PortfoliosInformation Systems Frontiers10.1007/s10796-021-10113-z24:2(637-658)Online publication date: 1-Apr-2022
https://dl.acm.org/doi/10.1007/s10796-021-10113-z
Zhou ZJin XHsu CTang Z(2022)User empowerment and well‐being with mHealth apps during pandemicsJournal of the Association for Information Science and Technology10.1002/asi.2469574:12(1401-1418)Online publication date: 20-Jun-2022
https://dl.acm.org/doi/10.1002/asi.24695
Chen YGalletta DLowry PLuo XMoody GWillison R(2021)Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process ModelInformation Systems Research10.1287/isre.2021.101432:3(1043-1065)Online publication date: 1-Sep-2021
https://dl.acm.org/doi/10.1287/isre.2021.1014
Yu XZaza SSchuberth FHenseler J(2021)CounterpointACM SIGMIS Database: the DATABASE for Advances in Information Systems10.1145/3505639.350564752:SI(114-130)Online publication date: 28-Dec-2021
https://dl.acm.org/doi/10.1145/3505639.3505647
Show More Cited By

View Options

View options

Media

Figures

Other

Tables

View Issue’s Table of Contents