Security awareness training loves a good scare story. The research says fear without efficacy produces denial, not compliance.
I was reading through the cybersecurity and privacy section of my oral exam materials when I hit a trap warning that stopped me. The warning said: do not confuse fear control with danger control. I had to stop and think about what that distinction actually means, because most security awareness training I have ever seen gets it wrong.
The distinction comes from Boss et al. (2015), who applied Protection Motivation Theory to IS security and drew a line that should have changed how every company runs its security awareness program. Fear control is what happens when someone responds to a threat by managing their emotional fear. They deny the risk, they avoid the information, they tell themselves it will not happen to them. Danger control is what happens when someone responds to a threat by managing the actual danger. They install the software update, they follow the policy, they change their password. Only danger control produces security compliance. Fear control produces maladaptive responses that look like noncompliance but are something different and more stubborn.
Rogers (1975, 1983) built PMT on two appraisal processes. Threat appraisal combines perceived severity (how bad the consequences would be) with perceived vulnerability (how likely you think it is to happen to you). Coping appraisal combines response efficacy (your belief that the recommended action actually works) with self-efficacy (your belief that you can actually do it). The critical point is that fear appeals only motivate protective behavior when threat appraisal is accompanied by sufficient coping appraisal. High threat without high efficacy does not produce protection. It produces avoidance, denial, or fatalism.
This is not a minor academic point. Most security awareness programs work like this: show employees scary statistics about data breaches, display dramatic phishing simulations, maybe run a simulated attack that embarrasses people who click the wrong link. The operating assumption is that if employees are scared enough, they will behave more carefully. But PMT says the opposite happens when you raise threat without also raising efficacy. You scare someone into thinking breaches are inevitable and severe, but you do not give them a believable, doable response, and they shift into fear control. They stop reading your emails. They tune out during training. They develop a kind of learned helplessness about security that no amount of additional scary statistics will fix.
I wrote about how CARE reframes privacy as a dignity problem rather than a data control problem. This is the other half of the story. Where CARE asks what happens to a person's dignity when systems exploit their data, PMT asks what happens to a person's protective behavior when you bombard them with threats they feel powerless against. Both frameworks, in different ways, say that the standard approach mistreats the person at the center.
Then there is the privacy calculus, which resolves a problem that gets labeled as irrationality. The so-called privacy paradox goes like this: people say they care about privacy, then they hand over their data for a discount code. Researchers used to call this paradoxical behavior, evidence that people do not act on their stated preferences. Malhotra et al. (2004) give us IUIPC, which decomposes privacy concern into collection, control, and awareness dimensions, and their privacy calculus framework models information disclosure as a rational tradeoff between perceived benefits and perceived risks. When perceived benefits exceed perceived risks, people disclose. When perceived risks dominate, they withhold. The apparent paradox dissolves when you realize that context shifts the calculation. A discount code might genuinely be worth the data trade in that moment. That is not irrationality. That is a person weighing costs and benefits in a specific situation.
Smith et al. (2011) add a boundary condition that gets ignored too often. Privacy is a distinct construct from security, anonymity, secrecy, confidentiality, and ethics. When researchers conflate these, they create measurement error. When practitioners conflate them, they design interventions for the wrong problem. A confidentiality breach and a privacy violation are not the same thing, even though they can co-occur. Treating them as interchangeable muddies both the research and the solutions built on it.
The organizational level tells a different story again. Liang et al. (2025) show that mergers and acquisitions increase data breach risk through organizational complexity. When firms integrate, they connect previously separate systems, routines, and security practices. The expanded attack surface is a structural consequence of the merger, not a failure of individual employees clicking the wrong link. This is systems thinking applied to cybersecurity: risk grows from interdependence and complexity, not from individual laziness or ignorance.
What bothers me is how often the practical lessons from these papers get lost. A CISO runs mandatory phishing simulations and wonders why employees disengage. An IS researcher measures privacy concern and disclosure behavior separately, treats the gap as a paradox requiring behavioral nudges, and misses that the person made a perfectly rational calculus in context. A board asks why the merged company got breached and blames employee negligence when the real mechanism was structural complexity that no individual employee could have fixed.
The through-line is that people are not irrational. They are responding to the information and the options available to them. Fear without a believable, doable response produces denial, which is rational if you cannot actually protect yourself. Disclosing data for a benefit is rational when the benefit outweighs the risk in that context. And getting breached after a merger is a structural outcome, not a human failure.
If I were advising a company on security awareness, I would start by asking what efficacy information the program provides. Not what threat scenarios, not what scare stories, but what specific, achievable actions employees can take and why those actions work. Without that, the program is manufacturing fear control and calling it compliance.