What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors

Because violations of information security (ISec) and privacy have become ubiquitous in both personal and work environments, academic attention to ISec and privacy has taken on paramount importance. Consequently, a key focus of ISec research has been discovering ways to motivate individuals to engage in more secure behaviors. Over time, the protection motivation theory (PMT) has become a leading theoretical foundation used in ISec research to help motivate individuals to change their security-related behaviors to protect themselves and their organizations. Our careful review of the foundation for PMT identified three opportunities for improving ISec PMT research. First, extant ISec studies do not use the full nomology of PMT constructs. Second, only one study uses fear-appeal manipulations, even though these are a core element of PMT, and virtually no ISec study models or measures fear. Third, whereas these studies have made excellent progress in predicting security intentions, none of them have addressed actual security behaviors. This article describes the theoretical foundation of these three opportunities for improvement. We tested the nomology of PMT, including manipulated fear appeals, in two different ISec contexts that model PMT’s modern theoretical treatment more closely than do extant ISec studies. The first data collection was a longitudinal study in the context of data backups. The second study was a short-term cross-sectional study in the context of anti-malware software. Our new model demonstrated better results and stronger fit than the existing models and confirmed the efficacy of the three potential improvements we identified.