To Fear or Not to Fear: How to Create an Optimal Security Culture

Author: John H. Batchelor, PH.D., Timothy D. Spivey and Timothy McIlveene, PH.D.
Date Published: 1 November 2023

In today’s digital age, information security is more important than ever. With the ever-increasing threat of cyberattacks, organizations must do everything they can to protect their data. One effective way to do this is to create a culture of security within the organization. This means that employees need to be aware of the risk of information security breaches and understand the importance of following security policies.

One of the most important factors in creating a culture of security is to address employee fear of being reprimanded for violating information security rules. Employee fear is a complex issue that can have a significant impact on an organization’s security posture. Employees who are afraid of being punished for making mistakes are less likely to report security incidents or come forward with information about potential threats.1 This can create a dangerous situation in which security vulnerabilities are not identified and addressed in a timely manner.

To manage fear effectively and create a culture of security within an organization, it is important to understand the different levels of employee fear, the factors that contribute to fear at each level, and the implications of each level for security.

The Model of Employee Fear

Figure 1 shows how organizational behaviors lead to varying levels of employee fear related to information security and the resulting outcomes attributed to those fear levels. One study found that employees are not intrinsically motivated to engage in security behaviors.2 Therefore, organizations must exert influence on employees to promote compliance with security procedures. Previous research suggests that fear can be a good motivator for employee compliance.3, 4

However, this model indicates that fear as such is not a reliable motivator: both too much fear and too little fear can produce undesirable results. Oddly enough, the same is true for anxiety and stress at work.5 Thus, organizations should strive to instill a moderate level of fear in their employees. Balance is the desired state.

Figure 2 shows that in the model presented, certain organizational behaviors cause a fear reaction within employees that could trigger certain behavioral outcomes. Employee fear related to information security can be categorized as high, moderate and low, often in response to organizational characteristics and behaviors that influence the way employees feel. Specifically, in the high fear category, organizational behaviors may include overly harsh punishments for minor security violations and engaging in petty tyranny by lording power over others in an arbitrary, self-aggrandizing manner.6 Further, abstract appeals (i.e., threats that do not relate directly to specific behaviors) may reinforce a culture of fear while being ineffective at influencing compliance.7 These organizational actions provoke a fear reaction, causing employees to ignore security procedures, at best, or to engage in deviant behaviors, at worst. Employees may take unnecessary risk, lie about observed risk and conceal undesirable reactions (possibly due to the fear of harsh punishment).

Figure 2

The low fear state is often the result of laissez-faire (do nothing) leadership.8 This is a situation in which the IT staff or top leadership do not prioritize creating a culture of security for the organization’s information systems.9 In this setting, security procedures are referenced in abstract terms, such as, “Watch for email scams.” This approach typically induces a state of low fear related to information security procedures, resulting in a lack of compliance.10 This often occurs in small and medium-sized organizations that lack the ability to dedicate substantial resources to information security efforts. On the plus side, with such a lax security culture, employees are not as likely to engage in retaliatory deviant behaviors in response to what they see as an overly harsh security environment. However, the overall result is a very passive security environment in which employees do not change their behaviors and may engage in misbehavior (most likely acts of omission) such as using weak passwords, sharing passwords, not locking computers, and succumbing to phishing and other email-related scams.


Finally, the middle of figure 2 shows the moderate fear level, which is optimal in the context of information security. This is a middle ground where consistently used concrete appeals—that is, those that appeal to employees in a personally relevant fashion—are likely to be accepted as reasonable.11 This assumption of reasonableness should lead to social pressure (sometimes including shaming those who engage in risky behaviors), resulting in positive employee behavioral outcomes. In such a culture, employees will, in theory, be more likely to follow security procedures outright. Further, when subjected to consistent appeals that are personally relevant, employees typically will be more likely to report potential threats as a self-preservation instinct. If an incident does occur, they will not cover it up (as in the high-fear state) because they know that there may be a reward for reporting it instead of an overly punitive consequence.

How to Address Employee Fear

Fear appeals do sometimes work, but they do not work uniformly for all. To achieve the desired results, organizations must understand the different levels of employee fear and how to address them.12 By creating a security culture in which employees are fearless in reporting incidents or coming forward with information about potential threats, organizations can help to protect their data and mitigate the risk of cyberattacks.13

Continuous communication with employees is imperative to improve security culture; failure to communicate results in policies losing their effectiveness.14 In an effective security culture, employees are aware of the risk of information security breaches and understand the importance of following security policies.

Another way to address employee fear is security awareness training. Awareness training educates people, which is necessary because individual users are the predominant weakness in information security. Awareness training can also help separate deviant behavior (intentional, with malicious intent) from misbehavior (unintentional, without malicious intent).15

In addition, organizations must hold employees accountable for following security policies.16 Rewards can work where coercive controls backed by sanctions do not. Instead of focusing on punishment, organizations should focus on using positive reinforcement to encourage employees to follow security policies.17 Some examples of this approach include publicly recognizing employees who follow security policies; offering rewards to employees who report security incidents, thereby creating a culture of trust and respect in which employees feel comfortable coming forward with information about potential threats; and ensuring that security policies are fair and reasonable. Employees are more likely to understand security intentions, adopt compliance attitudes and follow security policies if they believe those policies are fair and reasonable.18

Organizations should review their security policies regularly to ensure that they are up to date and reflect the organization’s current needs. Information system security research related to best practices needs to incorporate consideration of all people within an organization to be effective.19 Organizations should also provide employees with the resources they need to follow security policies, including access to security training, tools and support. Security policies also create a sense of ownership among employees, who are more likely to follow them if they feel they have a stake in the organization’s security.


Information security research findings suggest a need to incorporate more than just technical considerations when looking at security policies.20 Organizations can create a sense of ownership among employees by involving them in developing security policies, allowing them to contribute to security awareness training, and recognizing those who help protect the organization’s security.

Conclusion

In today’s digital age, information security is more important than ever. By creating a culture of security in which employees are comfortable in reporting security incidents or coming forward with information about potential threats, organizations can help protect their data and mitigate the risk of cyberattacks. Still, an adequate amount of fear can motivate employees (in part through the fear of negative consequences) to engage in secure behaviors. Therefore, both the lack of fear and excessive fear are unproductive, and a moderate amount of fear (related to cybersecurity behaviors) is optimal to elicit the desired employee cybersecurity and security culture responses.

Endnotes

1 Chu, A.; M. So; “Organizational Information Security Management for Sustainable Information Systems: An Unethical Employee Information Security Behavior Perspective,” Sustainability, vol. 12, iss. 8, 14 April 2020, http://doi.org/10.3390/su12083163
2 Ruighaver, A.; S. Maynard; S. Chang; “Organisational Security Culture: Extending the End-User Perspective,” Computers and Security, vol. 26, iss. 1, February 2007, http://doi.org/10.1016/j.cose.2006.10.008
3 Schuetz, S.; P. Lowry; B. Pienta; J. Thatcher; “The Effectiveness of Abstract Versus Concrete Fear Appeals in Information Security,” Journal of Management Information Systems, vol. 37, 18 November 2020, http://doi.org/10.1080/07421222.2020.1790187
4 Johnston, A.; M. Warkentin; “Fear Appeals and Information Security Behaviors: An Empirical Study,” MIS Quarterly, vol. 34, iss. 3, September 2010, http://dl.acm.org/doi/10.5555/2017470.2017478
5 Campbell, J. et al.; Preventive Stress Management in Organizations, American Psychological Association, USA, 2013
6 Ashforth, B.; “Petty Tyranny in Organizations,” Human Relations, vol. 47, iss. 7, July 1994, http://doi.org/10.1177/001872679404700701
7 Op cit Schuetz et al.
8 Judge, T.; R. Piccolo; “Transformational and Transactional Leadership: A Meta-Analytic Test of Their Relative Validity,” Journal of Applied Psychology, vol. 89, iss. 5, October 2004, http://doi.org/10.1037/0021-9010.89.5.755
9 Wall, D.; “Cybercrime and the Culture of Fear: Social Science Fiction(s) and the Production of Knowledge about Cybercrime,” Information, Communication and Society, vol. 11, iss. 6, 11 September 2008, http://doi.org/10.1080/13691180802007788
10 Siponen, M.; A. Vance; “Neutralization: New Insights into the Problem of Employee Information Systems Security Policy Violations,” MIS Quarterly, vol. 34, iss. 3, September 2010, http://doi.org/10.2307/25750688
11 Posey, C.; T. Roberts; P. Lowry; “The Impact of Organizational Commitment on Insiders’ Motivation to Protect Organizational Information Assets,” Journal of Management Information Systems, vol. 32, iss. 4, 13 April 2016, http://doi.org/10.1080/07421222.2015.1138374
12 Op cit Johnston and Warkentin
13 Op cit Ruighaver et al.
14 Puhakainen, P.; M. Siponen; “Improving Employees’ Compliance Through Information Systems Security Training: An Action Research Study,” MIS Quarterly, vol. 34, iss. 4, December 2010, http://doi.org/10.2307/25750704
15 Crossler, R. et al.; “Future Directions for Behavior Information System Research,” Computers and Security, vol. 32, February 2013, http://doi.org/10.1016/j.cose.2012.09.010
16 Op cit Siponen and Vance
17 Chen, Y.; K. Ramamurthy; K. Wen; “Organizations’ Information Security Policy Compliance: Stick or Carrot Approach?” Journal of Management Information Systems, vol. 29, iss. 3, 9 December 2014, http://doi.org/10.2753/MIS0742-1222290305
18 Ifinedo, P.; “Understanding Information Systems Security Policy Compliance: An Integration of the Theory of Planned Behavior and the Protection Motivation Theory,” Computers and Security, vol. 31, iss. 1, February 2012, http://doi.org/10.1016/j.cose.2011.10.007
19 Dhillon, G.; G. Torkzadeh; “Value-Focused Assessment of Information System Security in Organizations,” Information Systems Journal, vol. 16, iss. 3, 26 May 2006, http://doi.org/10.1111/j.1365-2575.2006.00219.x
20 Ibid.

JOHN H. BATCHELOR | PH.D.

Is a professor and department chair at the University of West Florida Business Administration Department (Pensacola, Florida, USA). He is a fellow of the Small Business Institute.

TIMOTHY D. SPIVEY

Is a Master of Business Administration student at the University of West Florida (Pensacola, Florida, USA).

TIMOTHY MCILVEENE | PH.D.

Is a visiting instructor at the University of West Florida (Pensacola, Florida, USA). He teaches undergraduate and graduate level courses in management and business analytics. His research interests include strategic management; corporate social responsibility; organizational citizenship behavior; and environmental, social and corporate governance.