Article

A Quantitative Textual Analysis of Three Types of Threat Communication and Subsequent Maladaptive Responses


Abstract

Much research attention has been given to the behavioral outcomes of warning computer users about potential threats to their information security, primarily through the use of fear appeal messaging. This study explores not only the use of other types of external threat information (including vivid messaging and observational learning) but also the textual responses of computer users receiving the information, opening up the “black box” to their threat appraisal processes. Results indicate that maladaptive perceptions can appear throughout the appraisal process and that the type of external threat information can differently influence user attitudes.


... Hopelessness is a factor associated with the failure to take action when faced with threats (Marett et al., 2019). Faced with the threat of identity theft, some individuals may simply give up rather than take protective measures because they do not believe those measures will be effective. ...
... Research has shown that increased perceptions of threat increase behavior change and adaptive coping behaviors, such as compliance with the recommended behavior (Floyd et al., 2000). However, they also are thought to cause individuals to cope with emotions rather than the source of threat, possibly resulting in maladaptive coping behaviors, such as inaction (Marett et al., 2019). ...
... Adaptive and maladaptive coping are broad constructs and merit study in a wide range of more narrowly defined behaviors (Marett et al., 2019). In the specific context of this research, we focus on adaptive coping in the form of Behavioral Intention, defined as "the individual's intention to enact recommended protective measures" (Arthur & Quester, 2004; Johnston & Warkentin, 2010; McMath & Prentice-Dunn, 2005; Rippetoe & Rogers, 1987; Sturges & Rogers, 1996; Witte, 1992). As a form of maladaptive coping in the context of identity theft, we introduce Hopelessness (McMath & Prentice-Dunn, 2005; Rippetoe & Rogers, 1987; Witte, 1994), defined as "the absence of belief in possible solutions to a threat." ...
... It may be similar for perceived vulnerability as personal relevance is a core requirement of fear appeals (Witte, 1994). Research on fear appeal rhetoric indicates that fear appeals are more effective (i.e., arouse more fear) when persuasive messages are more personally relevant to the recipients (Jansen and van Schaik, 2019; Jensen et al., 2020; Johnston et al., 2019, 2015; Junger et al., 2017; Marett et al., 2019; Pienta et al., 2020; Witte, 1994; Xu and Warkentin, 2020). Messages failing to achieve adequate levels of personal relevance may be downplayed or completely ignored by their recipients (Johnston et al., 2019, 2015). ...
... Fear is an emotional response to a perceived threat with a feedback loop affecting perceived threats (Moody et al., 2018; Mousavi et al., 2020; Witte, 1994). Fear is therefore an emotion but individuals utilize cognitive strategies instead of emotions when considering self-protective behavior further supporting this distinction (Johnston et al., 2019; Kanduč, 2019; Marett et al., 2019; Ormond et al., 2019; Wall and Buche, 2017; Witte, 1994). The intermixing seems to be a consequence of how perceived threats are measured as only a few studies measure perceived threats directly while the rest shape them from perceived severity and vulnerability. ...
... For example, high fear-appeal manipulations in (Boss et al., 2015) arouse an adequate level of fear. A high level of aroused fear is reached at some critical point and backfires by triggering the fear control process in individuals (i.e., dealing with the emotion fear instead of the threat) (Marett et al., 2019; Witte, 1994). This happens especially if individuals realize that they cannot prevent a serious threat from occurring (Marett et al., 2019; Witte, 1994). ...
... Cybersecurity fear appeal studies: In the cybersecurity fear appeal studies we examined, it was more of an exception than a rule for a study to indicate that informed consent was obtained from research participants, with only the following doing so (Boss et al. 2015; Marett et al. 2019; Vance et al. 2013; van Bavel et al. 2019). However, the description of the methods employed strongly suggested that consent was obtained. ...
... Cybersecurity fear appeal studies: Most of the fear appeal studies we examined did include a recommended action (Boss et al. 2015; Johnston et al. 2015; Johnston and Warkentin 2010; Jansen and van Schaik 2019; Albayram et al. 2017; Marett et al. 2019; Mwagwabi et al. 2018; Jenkins et al. 2014; Wall and Warkentin 2019; Johnston et al. 2019; Du et al. 2013; van Bavel et al. 2019). Given the central importance of providing a recommended action in the wake of a fear appeal, this is encouraging. ...
... ; Herath and Rao 2009; Johnston and Warkentin 2010; Mwagwabi et al. 2018; Wall and Warkentin 2019; Du et al. 2013), encouraging backups (Boss et al. 2015; Crossler 2010), engendering organizational commitment (Posey et al. 2015), improving organizational security (Warkentin et al. 2016), phish detection (Jansen and van Schaik 2019), warnings about ransomware (Marett et al. 2019), using a PIN on their mobile phones (Albayram et al. 2017), improving online security behavior (van Bavel et al. 2019), discouraging password reuse (Jenkins et al. 2014), improving employee security behavior (Johnston et al. 2019), and improving password selection (Vance et al. 2013). ...
Article
Full-text available
Fear appeals are used in many domains. Cybersecurity researchers are also starting to experiment with fear appeals, many reporting positive outcomes. Yet there are ethical concerns related to the use of fear to motivate action. In this paper, we explore this aspect from the perspectives of cybersecurity fear appeal deployers and recipients. We commenced our investigation by considering fear appeals from three foundational ethical perspectives. We then consulted the two stakeholder groups to gain insights into the ethical concerns they consider to be pertinent. We first consulted deployers: (a) fear appeal researchers and (b) Chief Information Security Officers (CISOs), and then potential cybersecurity fear appeal recipients: members of a crowdsourcing platform. We used their responses to develop an effects-reasoning matrix, identifying the potential benefits and detriments of cybersecurity fear appeals for all stakeholders. Using these insights, we derived six ethical principles to guide cybersecurity fear appeal deployment. We then evaluated a snapshot of cybersecurity studies using the ethical principle lens. Our contribution is, first, a list of potential detriments that could result from the deployment of cybersecurity fear appeals and second, the set of six ethical principles to inform the deployment of such appeals. Both of these are intended to inform cybersecurity fear appeal design and deployment.
... Further, threat communication should only instil a moderate amount of fear in the intended recipient. Should the amount of fear become overwhelming, people tend to ignore the details and, instead of rationally determining how to manage the potential threat (i.e., danger control processes), opt to become defensive and deny the threat exists (i.e., fear control processes) (Marett, Vedadi & Durcikova, 2019). ...
... Therefore, according to the EPPM, threatening communications only appear to work when the amount of fear produced is not insurmountable and efficacy of recommendations to avert the threat, and reduce fear, is high in the relevant behavior-population combination, either at baseline or introduced by the message. If not, or when mere recommendations at best enhance response efficacy, but without high self-efficacy, threatening communication will have no effect, or worse, it may backfire diverting attention automatically from the message (Carrera, Muñoz & Caballero, 2010; Chen et al., 2019; Kessels, Ruiter & Jansma, 2010; Marett, Vedadi & Durcikova, 2019; Peters, Ruiter & Kok, 2013). ...
Article
Full-text available
A study was designed in order to analyze the effects of fear appeals on psychophysiological, subjective and behavioral responses on the target audience. Three messages on breast cancer, promoting regular mammography screening, elaborated in a similar way to those used by health promotion programs, were presented to ninety-eight women aged 49-50. Messages were of equal length, format and structure but varied in specific clues which distinguished their character (Threat, Surprise, and Standard/control). Psychophysiological reactions (heart rate and frequency of non-specific skin conductance responses) were recorded continuously during message exposure. Self-report measures and personality traits (STAI and EPQ-A) were obtained after viewing the stimulus. There were significant responses to the messages for all psychophysiological measures. The pattern of psychophysiological response, independent of the eliciting message, was significantly related to cancer preventive/detection behavior.
... Maladaptive behaviours are responses to threats that do not directly manage the threat, and which are generally intended only to decrease fear by discounting the danger, rather than reducing the danger posed by the threat. Maladaptive behaviours can include denying that the threat exists, engaging in wishful thinking about the likelihood of being subjected to the threat, displaying feelings of hopelessness, and continuing to behave in a risky manner (Marett et al., 2019). The potential role of maladaptive behaviour has been acknowledged in several theoretical models from health behaviour research that have also been used in information security research. ...
... Further conceptualisation of the construct is needed to ensure that it is measured well to ensure content validity. Measurement should encompass a broader range of the types of possible maladaptive behaviour to ensure content validity; for example, the focus of many of the items used in this study was continuation of risky behaviour and denying the threat exists, but greater consideration should be given to measuring when users are engaging in wishful thinking about the likelihood of being vulnerable to threats, and display feelings of hopelessness (Marett et al., 2019). Further work on measurement of maladaptive behaviour would be of value not only for research on responses to phishing, but also in other information security contexts. ...
Article
Email users are vulnerable to phishing threats and a greater understanding of how to protect them is needed. This research investigates how response costs and rewards influence users’ protective and maladaptive security behaviours in the domain of phishing by testing a model that extends Protection Motivation Theory to more explicitly consider the role of maladaptive behaviour. The results show that rewards influence maladaptive behaviour rather than protective behaviour in response to email phishing threats, and that response costs influence both maladaptive and protective behaviours. That is, any perceived benefits from not performing protective behaviours against email phishing threats will result in an increase in the performance of maladaptive behaviours. Similarly, any increases in costs perceived to be incurred for performing protective behaviours against email phishing threats will result in a decrease in protective behaviour and an increase in maladaptive behaviour. These findings have both practical implications and implications for future research into protections against phishing threats.
... • Facebook privacy settings are too difficult to use and are therefore avoided. Dickinson and Holmes (2008) found that individuals are likely to become more evasive and adopt maladaptive coping responses if the threat level is high, as opposed to proactively reducing the effect of the threat (Marett, Vedadi & Durcikova 2019). Often, fear motivates action in these cases, which may take the form of self-protective or avoidant responses (Witte & Allen 2000). ...
... The authors also argue that the adoption of protective behaviour goes beyond merely making users aware. They posit that the acquired knowledge (via awareness) has to be personally relevant if individuals are to respond appropriately (Marett et al. 2019). Additionally, the individual should be willing and able to respond effectively. ...
Article
Full-text available
Background: The ineffective use of Facebook privacy settings has become commonplace. This has made it possible for corporates not only to harvest personal information but also to persuade or influence user behaviour in a manner that does not always protect Facebook users. Objectives: The objective of this article was to develop a research model that could be used to evaluate the influence of subjective norms, information security awareness and the process of threat appraisal on the intention to use Facebook privacy settings. Method: In this article, the authors made use of a qualitative approach. Literature pertaining to subjective norms, information security awareness and threat appraisal was thematically analysed using Atlas.ti. Through a process of inductive reasoning, three propositions were developed. Results: This study found that it is likely that an individual’s intention to use Facebook privacy settings will be influenced by subjective norms, information security awareness and the process of threat appraisal. To evaluate the behavioural influence of these selected constructs and relationships, a research model was developed based on both the theory of planned behaviour and protection motivation theory. Conclusion: In this article, it is argued that the ineffective use of Facebook privacy settings may be because of the behavioural influence of subjective norms. This is compounded by the fact that most users are unaware of privacy threats. This makes these users vulnerable to Facebook-based privacy threats because the process of threat appraisal is conducted with incomplete, inaccurate or missing information.
... In cyber security, some advocate the use of fear appeals [82,83,169] while others consider them counter-productive [95,109]. Over the past decade, voices have been raised to warn against the use of fear in behavioral interventions [19,102,127]. ...
... This may include providing information on a recommended action without the fear component of the fear appeal. Given the lack of clarity related to which components of a fear appeal (i.e., the fear trigger or the recommended action) are the most effective in causing a change in behavior [36,37] and the limited number of instances (e.g., [79,109]) in which cyber security fear appeal studies have examined recommended actions (apart from the fear component), efforts should continue. This is especially true in light of evidence that suggests that the recommended action, by itself, has been both highly effective and more effective overall than presenting threatening information to an individual [152]. ...
Conference Paper
Full-text available
Cyber security researchers are starting to experiment with fear appeals, with a wide variety of designs and reported efficaciousness. This makes it hard to derive recommendations for designing and deploying these interventions. We thus reviewed the wider fear appeal literature to arrive at a set of guidelines to assist cyber security researchers. Our review revealed a degree of dissent about whether or not fear appeals are indeed helpful and advisable. Our review also revealed a wide range of fear appeal experimental designs, in both cyber and other domains, which confirms the need for some standardized guidelines to inform practice in this respect. We propose a protocol for carrying out fear appeal experiments, and we review a sample of cyber security fear appeal studies via this lens to provide a snapshot of the current state of play. We hope the proposed experimental protocol will prove helpful to those who wish to engage in future cyber security fear appeal research. CCS CONCEPTS • Security and privacy → Social aspects of security and privacy ; Usability in security and privacy; • Applied computing → Psychology; Sociology.
... Wishful thinking should be taken into consideration as an emotion-focused coping strategy while examining a particular coping strategy, according to Chen and Liang (2019). On the other hand, wishful thinking is seen as maladaptive behavior according to Marett et al. (2019), expressing feelings of powerlessness and continuing to act in a harmful manner. To the best of our knowledge, this is one of the first studies to take into account wishful thinking as a form of coping in the context of cyberbullying. ...
Article
Full-text available
Purpose: Cyberbullying has yet to be thoroughly investigated from the perspective of Gen-Z women, and it is vital to determine how this law influences these young women to avoid cyberbullying. Consequently, the purpose of this study is to fill a knowledge vacuum by confirming the technology threat avoidance theory utilizing both adaptive (avoidance motivation) and maladaptive (wishful thinking) approaches. Design/methodology/approach: To gather data from Gen-Z women in Dhaka, we employed a purposive sampling strategy, which yielded 252 valid replies. After that, there were three steps to the evaluation: a measuring model, a structural model, and a mediation analysis. Findings: Seven out of ten hypotheses were found to be significant, with variances of 73.4% and 10.5% for avoidance motivation and wishful thinking, respectively. Furthermore, rather than having a direct influence on coping approaches, the perceived threat had an indirect effect through the mediation effect of perceived avoidability. Practical implications: This study takes into account Gen-Z women's motivation to be protected from cyberbullying, paving the way for the passage of the digital security act 2018. The data also reveal how to teach these young ladies about the threats of cyberbullying and how to defend themselves. Originality/value: This is one of the first studies to look at the factors that influence Gen-Z women's motivation to use the digital security act 2018 to address cyberbullying. In addition, wishful thinking has been newly included as an emotional coping strategy in this context, along with the present avoidance motivation of TTAT.
... Governments should motivate users to reduce use by exposing them to persuasive messages that contain information about the threats and recommendations to mitigate the threats. Social media are effective channels for making these persuasive messages publicly accessible (Marett et al., 2019;Matook et al., 2022). For example, governments can make Facebook posts or YouTube videos to inform users that problematic use is prevalent and may have severe effects on their wellbeing. ...
Article
Full-text available
This study is a conceptual replication of Chen et al.'s (2020) study that examines factors influencing the intention to decrease problematic Information Systems (IS) use. In contrast with Chen et al.'s smartphone gaming context, we apply their theoretical model to the context of digital streaming services. Aligned with the original study, we tested the model using a scenario-based survey. Results are largely consistent with the original study, albeit with several exceptions. Our findings support that protection motivation theory (PMT) is useful in explaining decreasing problematic use in situations of threats. Threat is the negative consequences caused by problematic streaming service use. Users experience fear when they believe the negative consequences are likely to occur, and the consequential harm will be serious if they occur. When threatened, users are more motivated to decrease use if they believe decreasing use is effective in mitigating the threat and they have confidence in executing it. However, such motivation is not influenced by costs incurred by decreasing use. Further, we validate that invoking fear can break users' viewing habits, which promotes their intention to decrease use. Yet, such effect is limited. Future research might explore other factors that are effective in breaking users' viewing habits.
... It can be summarized as "This threat is severe, you are vulnerable, but this response works, and you can do it." An effective persuasive message must include details addressing all four constructs in a balanced presentation to avoid a maladaptive response [64,74]. When individuals receive a persuasive message, they evaluate both the threat and the recommended response. ...
Article
Current information security behavior research assumes that lone individuals make a rational, informed decision about security technologies based on careful consideration of personally available information. We challenge this assumption by examining how the herd behavior influences users’ security decisions when coping with security threats. The results show that uncertainty about a security technology leads users to discount their own information and imitate others. We found that imitation tendency has a more substantial effect on security decisions than the personal perceived efficacy of the security technology. It is essential for researchers and managers to consider how the herd behavior effect influences users' security decisions.
... Yet, our finding that affect arousal does not reliably inform perceived risk suggests that such arousal-based appeals might not be particularly effective in reality. Marett et al. (2019) tested the impact of fear appeals regarding ransomware and discovered that too-vivid messages could lead to maladaptive rather than protective responses, which seems to confirm our finding. ...
Article
Risk perception is an important driver of netizens’ (Internet users’) cybersecurity behaviours, with a number of factors influencing its formation. It has been argued that the affect heuristic can be a source of variation in generic risk perception. However, a major shortcoming of the supporting research evidence for this assertion is that the central construct, affect, has not been measured or analysed. Moreover, its influence in the cybersecurity domain has not yet been tested. The contribution of the research reported in this paper is thus, firstly, to test the affect heuristic while measuring its three constructs: affect, perceived risk and perceived benefit and, secondly, to test its impact in the cybersecurity domain. By means of two carefully designed studies (N = 63 and N = 233), we provide evidence for the influence of the affect heuristic on risk perception in the cybersecurity domain. We conclude by identifying directions for future research into the role of affect and its impact on cybersecurity risk perception.
Article
Increasingly sophisticated cyberattacks often systematically target organizational insiders. Their motivation for self-protection has therefore an important role in cybersecurity of organizations. Protection motivation studies in information security literature are largely based on the protection motivation theory (PMT) without proper adaptation to the organizational context. Additionally, only few studies consider the role of fear in protection motivation although PMT itself is based on fear appeals. This paper aims to revise PMT to better fit the organizational context of organizational insiders. A survey was conducted among academics (N = 255) at six Slovenian universities to reexamine threat appraisals of organizational insiders, and the mediating and moderating roles of fear of cyberattacks in protection motivation. CB-SEM analysis of survey data supports the distinction between appraisals of threats to the individual and to the organization. It also supports differentiating between perceived threats and fear of cyberattacks. Although we did not find support for the mediating role of fear of cyberattacks, perceived threats may mediate the association between perceived severity and vulnerability, and protection motivation. Only perceived vulnerability of the individual and perceived severity of consequences for the organization affect perceived threats. Perceived threats and measure efficacy influence protection motivation. Fear of cyberattacks dampens the positive relationship between self-efficacy and protection motivation. Self-efficacy influences protection motivation only when fear of cyberattacks is low. Interventions aiming to increase protection motivation need to focus on raising the perceived vulnerability of individuals, emphasizing the consequences for the organization, and increasing the efficacy of self-protective measures. 
Interventions aiming to improve self-efficacy may be effective only when there is low fear of cyberattacks and can be avoided when high fear of cyberattacks is expected.
Article
This study examined the effects of financial incentives on security policy compliance. Participants were recruited for a computerized in-basket job simulation and randomly assigned to one of three groups: (1) control group with no financial incentives for compliance; (2) positive frame (gain) group where participants could gain up to $5 for compliance; (3) negative frame (loss) group where participants were awarded $5, but would lose a portion with each compliance failure. Incentives increased individuals’ vigilance toward phishing emails and decreased likelihood of clicking on links, with the negative frame incentive having the strongest effects. Incentives worked better for non-contextualized emails.
Chapter
In order to improve the traditional analytic hierarchy process method, information entropy and interval fuzzy number are introduced to AHP respectively on the weight of the hierarchy and the weight of the index. The effectiveness of the improved method is tested by a Simulation example which is based on risk assessment index system of miniature Internet of things system. Meanwhile, 5G as the fifth generation of mobile communication technology, will be widely used in entertainment, health care, education and autonomous driving. It will extend the capabilities of various applications on our personal devices and wearable devices will fill every corner of our lives by the application with miniature Internet of thing systems. At the same time, 5G also faces the threat of information security risk, which is our paper concerned.
Article
Full-text available
In contemporary organizations, the protection of an organization's information assets is reliant on the behavior of those entrusted with access to organizational information and information systems (IS). Because of this reliance, organizations increasingly prioritize the training and education of employees through security education, training, and awareness (SETA) initiatives. Through expectancy theory and its central components of valence, instrumentality, and expectancy (VIE), we investigate the role of insiders’ awareness of organizational SETA efforts on two similar, yet distinct, security-related intentions: intention to comply with information security policies (ISPs) and intention to protect the organization's information assets from their threats. Not only do we show how distinct these two concepts are from a quantitative standpoint, we also demonstrate differences between insiders’ compliance and protection intentions, as well as their motivational antecedents. Moreover, we demonstrate how our powerful, yet parsimonious, model based on expectancy theory explains a significant portion of the variance in these two important concepts: 52.7% in intentions to comply with ISPs and 68.1% in intentions to protect organizational information assets. We discuss the implications of our findings for research and practice and offer future research opportunities.
Article
Full-text available
The purpose of this study was to explore the utility of protection motivation theory (PMT) in the context of mass media reports about a hazard. Content elements of a hazard's severity, likelihood of occurring, and the effectiveness of preventive actions were systematically varied in a news story about a fabricated risk: exposure to fluorescent lighting lowering academic performance. Results of this experiment (N = 206) suggest that providing information about the severity of a hazard's consequences produces greater information seeking. In addition, information about levels of risk, severity, and efficacy combined jointly to produce greater rates of willingness to take actions designed to avoid the hazard. Results are seen as providing general support for PMT and are discussed within the broader framework of information seeking and heuristic and systematic information processing.
Article
Full-text available
Classical fear conditioning has been used as a model paradigm to explain fear learning across species. In this paradigm, the amygdala is known to play a critical role. However, classical fear conditioning requires first-hand experience with an aversive event, which may not be how most fears are acquired in humans. It remains to be determined whether the conditioning model can be extended to indirect forms of learning more common in humans. Here we show that fear acquired indirectly through social observation, with no personal experience of the aversive event, engages similar neural mechanisms as fear conditioning. The amygdala was recruited both when subjects observed someone else being submitted to an aversive event, knowing that the same treatment awaited themselves, and when subjects were subsequently placed in an analogous situation. These findings confirm the central role of the amygdala in the acquisition and expression of observational fear learning, and validate the extension of cross-species models of fear conditioning to learning in a human sociocultural context. Our findings also provide new insights into the relationship between learning from, and empathizing with, fearful others. This study suggests that indirectly attained fears may be as powerful as fears originating from direct experiences.
Article
Summary: Those who receive health education messages about specific risks do not always respond in a ‘rational’ manner by reducing or eliminating their exposure to the risk. This paper explores an explanation for the apparent reluctance of people to change their behaviour in response to information about health risks. It focuses on how people interpret the health warnings and on how people perceive the risks involved. The rationality of taking risks with personal health is discussed in relation to the values and the distribution of resources in contemporary Western society. It is argued that personal health constitutes a commodity which people are willing to trade off against other benefits.