Fear tactics in cybersecurity: Exploring their impact and advocating for real change with usable interventions and insights from Dr Jessica Barker
“We just need to scare people into better security.” I’ve lost count of the number of times I have been in meetings, or approached by a potential client, who has said this to me. Over the last 13 or so years working as a specialist in cybersecurity awareness, behaviour and culture, I have been called in to hundreds of organisations to help address the most important – and most misunderstood – area of cybersecurity: the human side. I say the human “side”, but it is more accurate to see people as the heart of cybersecurity.
People are central at every stage of the technology and information lifecycle, from an initial idea through to destruction and deletion of data, via design, creation, use, abuse – and, of course, impact.
Cyber criminals know this. They also know that, over the last few decades, we have made it much harder to hack into organisations via the technology. The cybersecurity industry is dominated by technology, and this is where most of an organisation’s security budget goes, too.
The human side of cybersecurity
This is why most ‘hacks’ involve at least some element of social engineering, with cyber criminals manipulating people to unknowingly click on phishing links, download malicious documents, share their credentials or transfer money into the wrong hands.
With huge advances in artificial intelligence in recent years, this is only becoming more pressing. Many warnings are hitting the headlines. It made news around the world when a Hong Kong company was recently the victim of a social engineering attack in which a member of staff was manipulated into transferring $25m to fraudsters who posed as company executives with the use of deepfake technology.
Exploiting fear: Cybercriminal tactics
As cyber threats become scarier, should we capitalise on fear to shock people into being more vigilant online?
After all, cyber criminals frequently use fear to their advantage. During Covid-19 lockdowns, phishing emails exploited heightened anxiety and distress to coerce us into clicking malicious links which promised to tell us where to get masks, vaccines and the latest information.
Phishing campaigns often capitalise on distressing topics, from large-scale political unrest and global conflicts to the more everyday nuisance of speeding fines and security warnings (with added time pressure to up the ante: “click here to change your password or lose access to your account in 24 hours”).
So, if it works for the criminals luring us into clicking phishing links, can it work for us on the defensive side, helping people stay safe from such threats?
Fear vs long-term behaviour change
Decades of research in the psychology of fear indicate otherwise. When we use a scary message to try to influence behaviour, we are using what’s known as a ‘fear appeal’. If you want to influence an immediate, knee-jerk behaviour – such as pushing someone to click a link – a fear appeal can be very effective.
However, psychologists have shown us that influencing long-term behaviour change is not so easily achieved.
We can’t talk about cybersecurity and not address the threats. So, when we raise awareness of cybersecurity, we are inevitably talking about something scary. When people hear a scary message, they immediately decide two things: whether the threat is real and whether it applies to them.
Only if they are convinced that the threat is real and applies to them will they even consider the behaviour change we are then asking for – moving on to decide whether they believe that behaviour will tackle the threat and whether they are capable of carrying it out.
So, we need people to know that threats online are real, that they are relevant, that practising positive security behaviours does make a difference, and that they have the tools, time and capability to practise those behaviours.
If we lean in too heavily on the threat, we lose people. They move into denial (“hackers would never target me”), avoidance (“I just won’t click on any links”) or reactance (“they’re exaggerating the threat”).
The power of empowerment
The most impactful intervention is raising self-efficacy. We help people understand that the threat is real and relevant, for example with case studies they can relate to, and then we provide them with the tools, training, guidance and empowerment that they need to know they can carry out the secure behaviours we are advocating.
Passwords are a good example. In cybersecurity we endlessly bang the drum around passwords and how many weak passwords are being used to (at least theoretically) protect accounts.
But I have heard from people who told me that they had not understood how passwords can be cracked en masse by cyber criminals; they were shocked to learn that it is not a lone criminal hacker sitting at home trying to guess your password.
They had not thought about what motivates these criminals to access our online accounts – the data we keep in our emails (such as bank account numbers and copies of passports), or the way they can imitate us and manipulate our contacts by sending emails from our accounts.
Once they understood that, they were interested in learning about password managers: how they work, what keeps them secure and ways they take the password headaches away from us.
Moving beyond fear
When it comes to cybersecurity, we’ve been trying to use fear for decades to get people to listen to us and practise more secure behaviours. It doesn’t work, and it’s time we embraced a new approach: understanding, empathy and empowerment over fear, uncertainty and doubt.
Dr Jessica Barker MBE is the author of Hacked: The secrets behind cyber attacks