Cyber Security Fear Appeals: Unexpectedly Complicated Karen Renaud Marc Dupuis University of Abertay, Dundee, UK University of Washington, USA
[email protected] [email protected] ABSTRACT recommended action, and, second, that eliciting the fear emotion Cyber security researchers are starting to experiment with fear by highlighting unpleasant consequences is likely to make them appeals, with a wide variety of designs and reported efficaciousness. care. This makes it hard to derive recommendations for designing and Why not just tell people what to do? The problem is that knowl- deploying these interventions. We thus reviewed the wider fear edge does not reliably convert to behavior [98, 113]. Hence eliciting appeal literature to arrive at a set of guidelines to assist cyber emotion to prompt action seems worth considering [102, 180], and security researchers. Our review revealed a degree of dissent about fear is a powerful emotion. whether or not fear appeals are indeed helpful and advisable. Our Fear appeals have been used for decades [23, 58, 61, 133, 159], review also revealed a wide range of fear appeal experimental if not centuries [143]. Proponents of the use of fear appeals [12, designs, in both cyber and other domains, which confirms the need 159, 165], consider them efficacious in persuading people to change for some standardized guidelines to inform practice in this respect. their behaviors. Others consider the deployment of fear appeals We propose a protocol for carrying out fear appeal experiments, misguided, arguing that the belief in the efficacy of these is based and we review a sample of cyber security fear appeal studies via on intuition and weak evidence [2, 19, 86, 88, 90, 94].