Preemptive Cybersecurity Needs Protection Motivation Theory to Work

Predicting attacks is useless if nobody acts on the warning. PMT explains why organizations stall on preemptive security.

2026-05-14 · 6 min read · Comps & Reflections · IT Governance & Strategy · Trust & Security

I read a Gartner forecast last week that stopped me mid-page. By 2030, half of all security software spending will go to preemptive solutions. A million-plus documented vulnerabilities are expected every year by the same date. The industry is pivoting hard toward anticipating attacks before they happen, toward neutralizing threats that have not yet touched a network. And I kept thinking about Protection Motivation Theory, because the whole preemptive cybersecurity idea depends on an assumption that I am not sure organizations can meet.

Preemptive cybersecurity moves beyond detection and response. Instead of waiting for a breach and cleaning up afterward, the idea is to deceive attackers, deny them access routes, and disrupt their operations before they complete an objective. The three Ds, Deceive, Deny, Disrupt, are the emerging framework for this shift. Threat intelligence feeds predict what is coming. AI models flag anomalies that could be early indicators. Attack surface management tools map every exposed asset before anyone exploits it. The technology is real and it is getting better every quarter.

But preemptive action requires something that the security product market cannot sell: the organizational capacity to act on a threat that is predicted but not yet observed. This is where Protection Motivation Theory becomes relevant far beyond the individual user context where it usually sits.

Rogers developed PMT in 1975 and refined it through 1983 to explain how people decide to protect themselves from threats. The theory has two appraisal processes that run in parallel. Threat appraisal asks whether the danger is severe and whether I am vulnerable to it. Coping appraisal asks whether the recommended protective action will work and whether I can actually perform it. Fear motivates protective behavior only when both appraisals come back positive. High threat without high coping does not produce protection. It triggers what Boss and colleagues, applying PMT to IS security in 2015, called fear control: denial, avoidance, wishful thinking, or simply ignoring the warning.

I wrote about this dynamic before in a post about why fear alone does not make people secure. The mechanism is the same at the organizational level, but the stakes are higher. When a CISO sees a threat intelligence report predicting that a new ransomware variant will target their industry in the next quarter, both appraisals must fire. They must believe that the predicted threat is severe and likely to hit their organization. And they must believe that their team can effectively deploy the preemptive tools available to them. If either appraisal is weak, the response defaults to delay, outsourcing hope to the next vendor demo, or quietly deprioritizing the warning in favor of something more urgent.

The three Ds of preemptive cybersecurity only work if the security teams expected to deploy them have genuine self-efficacy about using them. Deceiving an advanced persistent threat actor requires confidence that your deception environment is convincing enough. Denying access routes requires believing that your segmentation and zero trust controls actually cover the paths attackers will take. Disrupting an in-progress attack requires trusting that your automated response will not cause more damage than it prevents. Every one of these is a coping appraisal question.

This brings me to the CrowdStrike outage. I wrote about it separately because I think it is one of the most instructive cybersecurity events of the decade. CrowdStrike is the archetype of a preemptive security provider. Their entire value proposition is about stopping breaches before they cause damage. And a routine sensor configuration update containing a logic error grounded airlines, froze hospitals, and took down 911 systems across the country. The outage was not caused by an attacker. It was caused by the ordinary machinery of preemptive security itself.

The CrowdStrike failure matters for PMT at the organizational level because it undermines coping appraisal. If the most sophisticated preemptive security vendor in the world can cause a global outage with a single configuration file, then every security team that asks itself "can we deploy preemptive tools without causing harm?" has a concrete reason to answer no. The threat appraisal side of PMT might be strong. Organizations believe predicted attacks are severe and likely. But the coping appraisal side, the belief that the organization can effectively respond, takes a hit every time a preemptive tool fails in a visible way.

I think this is the real gap that the cybersecurity industry is not talking about. Threat intelligence is abundant to the point of overload. Most medium and large organizations already subscribe to multiple threat feeds, run SIEM platforms, and employ analysts to triage alerts. The bottleneck is not information about what might happen. The bottleneck is organizational capacity to act on that information before damage occurs. This is PMT at the organizational level exactly.

A team that is understaffed, burned out, or lacks the authority to make fast defensive changes will not act on a preemptive warning no matter how severe the predicted threat is. The coping appraisal fails not because the tools are missing but because the organization has not built the routines, the decision rights, and the muscle memory to deploy those tools under uncertainty. Preemptive security is not a technology problem. It is an organizational design problem dressed up as a product category.

Boss and colleagues showed that fear control produces maladaptive responses that look like indifference but are actually psychologically distinct from it. When an organization receives a threat warning and does nothing, the instinct is to blame complacency or incompetence. But the PMT lens suggests a different explanation. The organization may be in fear control. The predicted threat is frightening enough that the response is to avoid thinking about it rather than to act. This is not laziness. It is a coping failure.

Baird and Maruping argued in 2021 that agentic systems require shifting the foundational IS construct from "use" to "delegation" because the relationship between human and artifact changes when the artifact has agency. Preemptive cybersecurity tools have a version of this problem. They operate autonomously, they make decisions about what constitutes a threat, and they sometimes act on those decisions without human approval. Delegating defensive authority to an AI system requires a different kind of coping appraisal than deploying a traditional signature-based scanner. The question shifts from "can we use this tool" to "can we trust this tool to act on our behalf without making things worse."

The organizations that will benefit from preemptive cybersecurity are not the ones with the most advanced threat intelligence subscriptions or the fanciest AI models. They are the ones that have done the organizational work to make coping appraisal succeed. They have practiced incident response until it is routine. They have built decision frameworks that let security teams act on incomplete information. They have tested their preemptive tools in controlled conditions until the team believes those tools will work when called on. They have created psychological safety so that acting on a predicted threat that turns out to be a false positive is rewarded rather than punished.

The technology to predict attacks before they happen is real and it is improving. I do not think the obstacle to widespread preemptive security is technical. It is organizational. Protection Motivation Theory gives us the language to say why. It separates the problem of believing a threat from the problem of believing you can respond. Preemptive cybersecurity solves the first problem beautifully and almost entirely ignores the second.
The internal links for this post are: Fear Does Not Make People Secure and The CrowdStrike Outage.


About the author

Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.
