Appropriate use of fear: 5 lessons the cyber security industry can learn from the health industry
Originally published on LinkedIn 1st March 2019
When I started out in cyber security back in the early Noughties, I used to tell friends and family that I worked in IT. This was far more relatable than Information Security (as we called it back then), unless of course they had seen the 1995 movie Hackers, but even then it usually led to confusion: “No, I am not a hacker – the company I work for creates technology that aims to stop them!”
I remember the turning point a couple of years ago when a close family member reached out to me about the WannaCry ransomware outbreak that had hit the National Health Service in the UK – “Have you seen the news? It’s pretty scary what these hackers can do, I am worried I might be hacked – what should I do?”. I was of course delighted to assist them, not only because helping others is one of the key reasons I love working in cyber security, but also because I knew they were now highly motivated to learn and to change their online behaviour.
Fast forward to 2019 and WannaCry is old news but the headlines about ‘cyber attacks’, ‘hacks’ and ‘breaches’ have continued with Australia receiving a large share of attention in just the last few weeks. Whilst I am so glad that more and more people are talking about cyber security, in pretty much every conversation, I have noticed that people use the word ‘scary’ when discussing the latest headlines.
This got me thinking back to my conversation with my relative... does fear have a role to play in driving people to take action when it comes to cyber security?
The cyber security industry has often been accused of inappropriate use of ‘fear, uncertainty and doubt’. A recent article by Tom Kranz in Computer Weekly provided a dose of reality for the industry. Kranz cautions that:
“Customers and businesses – people – become immune to the constant avalanche of outlandish claims and equally outlandish fears”
In the field of cyber awareness, a 2014 working paper from the Global Cyber Security Capacity Centre, which reviewed cyber awareness campaigns and why they fail to change behaviour, stated that:
“Causing feelings of fear to people is not an effective tactic, since it will put off people who can least afford to take risks. To make the internet accessible, risks should not be exaggerated.”
Fear is a primal instinct and as outlined in this article in Psychology Today, fear is the most powerful motivator of all and nothing makes us more uncomfortable. It also keeps us alive, because when we survive a bad experience, we never forget how to avoid it in the future.
In order to explore potential answers to my question about the role of fear in cyber security, I decided to turn to the health industry, an industry with decades of experience in the use of fear in health campaigns. I found 5 potential lessons for the cyber security industry to consider.
1. Fear can be effective
Fear has been used in public health campaigns for decades. According to research cited in a 2015 article by NPR (an independent, non-profit media organization in the US), a meta-analysis of 127 studies involving more than 27,000 people, covering more than half a century of research on this subject, concluded that fear-based appeals were effective in the majority of situations.
The study also found that fear appeals were even more effective when directed at women, at one-time behaviours like getting a flu shot and when combined with recommended solutions.
2. Ethics must be considered
The NPR article referenced above also cited a 2015 research article that looked at New York City’s experience with fear-based public health campaigns. This research analysed the use of fear in public health campaigns addressing high rates of tobacco use, obesity and HIV infection, and recommended that governments apply caution when considering the use of fear, on ethical and other grounds:
“State and local health departments will have to navigate how and whether to use fear in a context where it is possible to assert that it can serve the interests of public health. But this will not reduce the need to carefully balance efficacy, uncertainty, stigma, marginalization, emotional burdens, justice, community participation, and scientific credibility.”
This assertion is backed up by a debate piece by J. Keith Simpson, published in Chiropractic & Manual Therapies in 2017, which looked at the use of fear in health campaigns:
“Appeal to fear has been used in health promotion campaigns for sixty years or more with the intent of modifying behaviours. While there is evidence to suggest that appeal to fear may motivate some individuals to modify offending behaviour or adopt recommended behaviour there is growing resistance to the use of appeal to fear on ethical and psychological grounds”.
If the cyber security industry chooses to use fear as a communication tool, it would be wise to consider its use through an ethical lens. This may include ensuring that:
The use of fear is appropriate for the intended audience.
Is the message intended for cyber security peers, colleagues, staff, family, friends, the general public, children or adults? Could the use of fear potentially alienate or stigmatise a particular group in the population? For example, if you are talking to cyber security peers, using fear may instantly frustrate or alienate them. If you are talking to children, fear may not be appropriate at all.
You have provided context to help people make sense of the threat.
For example, if you are talking to members of the public about nation state attacks, you could explain that the ability to target another country or group of people (called cyber offence) or to defend a country from another country or group of people (cyber defence) is part of a nation’s cyber ‘toolkit’. Cyber offence is also used both for good and for bad. For example, Jeremy Fleming, Director of GCHQ in the UK, recently confirmed that disruptive online (offensive) techniques were used to help take down ISIS. If you are talking about data breaches, there is some recent research by Kroll in the UK that found that 88% of data breaches were caused by human error, for example sending sensitive data to the wrong recipient (mostly over email and some by fax), and only 12% were malicious cyber-attacks. This can help to provide some context around how breaches arise in the first place.
You have empowered your audience.
This may include providing details on where they can find more information and, more importantly, where they can get help. In Australia we are so lucky to have wonderful services including:
Stay Smart Online, which provides simple, easy to understand advice on how to protect yourself online, as well as up-to-date information on the latest online threats and how to respond.
The eSafety Office, which provides a complaints service for young Australians who experience serious cyberbullying and can help with removing illegal online content as well as tackling image-based abuse. The office also provides audience-specific content to help educate all Australians about online safety, including young people, women, teachers, parents, seniors and community groups.
ID Care, a not-for-profit that can connect the community to expert identity and cyber security counsellors, who listen and provide the best advice on how to respond to data breaches, scams, identity theft and cyber security issues.
3. The use of fear doesn’t necessarily lead to changes in behaviour
Simply scaring people doesn’t necessarily lead to a change in behaviour. According to Dolores Albarracin, professor of psychology and business at the University of Illinois, Urbana-Champaign cited in the 2015 NPR article above:
"Fear appeals can produce some movement, but long-term changes to behavior patterns are often produced by changes in skills... People don't continue to smoke because they are immune from fearing the consequences but rather because they don't know how to stop or can't. So inducing fear will be minimally useful relative to offering support, resources, teaching skills and techniques, or prescribing smoking-cessation aids like the nicotine patch."
Most of us are familiar with the health campaigns that combine hard-hitting advertisements with follow-up actions, where long-term behavioural change is the goal. An example can be seen in the 'Alcohol Think Again' campaign from Western Australia. In this example, a fear-based fact, ‘alcohol is a class 1 carcinogen, the same as tobacco and asbestos’, is delivered via an advertisement. However, it is then combined with messaging that empowers the public to make long-term behavioural change (to limit intake to 1-2 standard drinks) as well as ongoing support resources available on the campaign website.
In cyber security, if considering using fear as a communication tool (if deemed ethical as outlined above), it should be combined with enough detail about the solution, backed by evidence and with ongoing support to help change behaviour in the long term.
4. If there is no way of controlling the threat, the use of fear may backfire
Public health authorities are advised to apply caution when relaying messages about threats to the general public. Albarracin, cited in the NPR article referenced earlier, advises:
“If public health officials think a message will cause panic and they have no way of controlling the threat, it makes little sense to deliver that message.”
If a decision is made to use fear-based appeals, Albarracin says there are reasons against making the messaging too extreme. It can discourage the audience by setting the bar too high, and while fear-based appeals don't usually backfire, when they do, Albarracin says it may be owing to an overly intense level of fear:
"When the facts are too extreme in an attempt to induce fear, they are just not believable and cast doubt on the whole enterprise."
When it comes to cyber security, scaring people about the potential impact of an extremely unlikely threat that they can’t control may cause panic, or it may have the opposite effect and distance them, either because they don’t believe it (it’s highly unlikely) or because the bar is too high. If it seems too hard to keep data secure, for example, there is a risk that they won’t even try.
“In many of the cases (…) end users do know about the dangers. Security experts have warned them, confused them, and filled them with fear, uncertainty and doubt. People base their conscious decisions on whether they have the ability to do what is required and whether the effort will be worth it”
5. The importance of balanced messaging
Imagine if the healthcare profession addressed members of the public with a message like this:
“Red meat is really dangerous and you shouldn’t eat too much because it could kill you.”
Thankfully they don’t! Instead, what you will likely find is something similar to the statement on this government website:
“Lean red meat provides a very good source of nutrients, however consumption of greater than 100/120g per day of red meat, which is more than double the recommended amount, is associated with an increased risk of colorectal cancer and renal cancer. So remember to also eat other foods from this food group. Non meat options such as legumes provide many of the same nutrients as meats, poultry, fish and eggs. In fact, nuts and seeds may help reduce the risk of heart disease and are not associated with weight gain if total energy intake (kilojoules) is controlled”.
Of course, health guidance changes from time to time as the health industry learns more about particular threats and recommended risk reduction measures. However, generally the guidance is balanced (both positive and negative), has context and includes clear actions to reduce risk and is therefore more likely to lead to long term behavioural change.
In the cyber security world a parallel example may look like this:
“The internet is dangerous and full of cyber criminals who want to steal your data. At some point your data will be hacked, so you should be careful what you do online.”
Taking the lead from health, a more relevant and contextual message could be:
“The internet has created an amazing opportunity to connect humans and machines in the modern world. It enables us to stream our favourite TV shows, communicate with family on the other side of the world and run a business entirely online. However, if not properly protected, our personal data can be vulnerable to being taken by cyber criminals, who sell this data for profit. We recommend following the government guidelines via https://www.staysmartonline.gov.au/ which will help you to protect your data and your family online, helping to reduce your risk.”
To conclude, the health industry can be a useful reference point when considering the use of fear in communicating cyber security messages. However, it should be acknowledged that one of the key differences between health awareness campaigns and cyber security is that health is a field where people generally have more knowledge of the threat and its potential impact. Our knowledge of what is 'healthy' has been built up over a lifetime, potentially through our own experience of health issues or those of our families. It starts during childhood, often via our parents, who teach us about good hygiene like brushing your teeth, washing your hands and eating your veggies, and this is reinforced through health campaigns throughout our lifetime. The threats and impacts in cyber security are often less familiar to those outside the field, and so the response to fear may be more extreme.
Some questions to ask ourselves in cyber security when planning our communications may be:
Is a fear-based message necessary, and if so, is it ethical?
Is the threat you are highlighting relevant to your audience, and have you given it context to ensure you are not generating unnecessary fear? Are you unnecessarily exaggerating the threat, risk, likelihood or impact?
Have you explained to your audience clearly what they can personally do about a particular threat, so they feel empowered?
Are you using fear to try to sell a cyber security product or service?
Note that the use of fear in the positioning of a product or service is highly inappropriate. It is something that CISOs find extremely frustrating, as beautifully explained by David Spark of the CISO Vendor Security Relationship Podcast. The Computer Weekly article cited earlier also includes some great advice about how you can move away from ‘fear, uncertainty and doubt’ to sell or promote a product by getting 'back to basics'.
Do you think we should be using fear at all as an industry, in any context? I would love to hear your comments - you can contact me directly on LinkedIn.
Have you checked out my podcast series with Beverley Roche, The Cybersecurity Café? It is available on iTunes, Google Home, Spotify and directly on our website https://www.cybersecuritycafe.com.au/episodes