Why Security Training Produces Compliance Theater

Protection motivation theory says fear without efficacy backfires. Most security training does exactly that.

2026-05-14 · 6 min read · Technology Adoption, Trust & Security

Every year, millions of employees sit through mandatory security awareness training. They watch a video about phishing. They learn that hackers are sophisticated and breaches are expensive. They click through slides about password hygiene and multi-factor authentication. They pass a quiz at the end. And then, in study after study, their security behavior does not change in any meaningful way. Organizations do this anyway because it satisfies auditors. That is compliance theater, and protection motivation theory explains exactly why it fails.

Rogers (1975, 1983) built PMT on two parallel appraisal processes. Threat appraisal asks two questions: how severe would the consequences be, and how likely is this to happen to me? Coping appraisal also asks two questions: will the recommended action actually work (response efficacy), and can I actually do it (self-efficacy)? The model's key insight is that these two appraisals work together. High threat appraisal motivates protection only when coping appraisal is also high. If threat appraisal is high but coping appraisal is low, you get fear without a credible response. And fear without a credible response does not produce protective behavior.

Boss et al. (2015) made the behavioral consequence of this explicit by drawing on the extended parallel process model to distinguish fear control from danger control. Danger control is what the training program wants to produce: the employee assesses the threat, concludes there is a real risk, and takes the recommended protective action because they believe it will work and that they can do it. Fear control is what actually happens when threat appraisal is high but coping appraisal is low: the employee manages their emotional fear rather than the actual danger. They minimize the threat to themselves ("it will not happen to my account"), they avoid the information, they go through the motions without changing behavior. Only danger control produces security compliance. Fear control produces avoidance dressed up as attention.

Now look at what most security awareness training does. It raises threat appraisal by showing scary statistics about breach frequency, average breach cost, and the sophistication of current attacks. It tells employees they are the weakest link. It runs phishing simulations designed to catch people clicking the wrong thing and sends shame emails to those who fail. It may briefly mention that employees should use strong passwords and enable MFA, but it rarely devotes serious attention to making employees feel genuinely capable of doing these things well. The threat content is substantial. The efficacy content is minimal. This is a PMT failure by design.

Johnston and Warkentin (2010) applied PMT directly to IS security and found that both threat appraisal and coping appraisal predict compliance with security policies. That finding is not surprising given the theory. What is more useful for thinking about training programs is the directional implication: raising one component without raising the other is not just insufficient, it can be counterproductive. High threat with low coping efficacy produces the defensive avoidance pattern that Boss et al. described. You can make a training program worse by increasing the threat content without addressing the efficacy gap.

I think about this in terms of what a PMT-informed training program would actually look like. It would spend at least as much time on response efficacy and self-efficacy as on threat severity and vulnerability. Not "here is how bad it will be when you get breached" but "here is a specific action you can take, here is why it works, and here is exactly how to do it in the next ten minutes." The difference between "enable MFA" as a checkbox item in a slide deck and "enable MFA" as a walkthrough with screenshots where someone confirms they have done it is precisely the self-efficacy gap. One is information. The other is capability building.

The compliance industry has little incentive to build training programs that actually work. Auditors need evidence that training happened, not evidence that behavior changed. A completion rate and a quiz pass rate are easy to produce and easy to report. A measured change in security behavior is expensive to assess and often shows the training did not work. So the incentive structure produces training designed to satisfy audits, not to change behavior. That is not a cynical observation. It is a predictable outcome of how compliance requirements are written and enforced.

There is also a self-efficacy problem that goes beyond individual employees. The organizational context shapes whether efficacy is even plausible. If an employee is expected to use a legacy system where enabling MFA takes four support tickets and three weeks, the training program's message that MFA is easy and available rings false. When the recommended action is difficult, slow, or unreliable, self-efficacy suffers not because the employee lacks capability but because the system actually is difficult. Training programs that teach individual behaviors without addressing organizational barriers to those behaviors are asking people to internalize efficacy they cannot reasonably feel.

The IS security research applying PMT tends to find consistent results across different security behaviors, including password management, VPN use, software patching, and phishing response. In each case, coping efficacy, both response efficacy and self-efficacy, matters as much as perceived threat severity. The finding is stable enough across studies that I think it has moved past being an interesting research finding and into the category of things practitioners should actually be building around.

The annual security awareness training that most organizations run would score very low on coping efficacy by any measurement. Fixing that does not require inventing new content. It requires reorganizing the emphasis, spending real time on specific achievable actions, testing whether employees can actually do them, and addressing the organizational barriers that make compliance difficult. None of that fits the audit-driven compliance format, which is part of why the gap between what PMT says and what organizations actually do remains so wide.
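The contrast drawn above, between a completion rate that satisfies an auditor and a measured change in behavior, is easier to see when the two kinds of metric are computed side by side from the same roster. The following is an added example, not part of the original post and not the author's material: the employee records are constructed, the 30-day post-training window is an assumption, and the metric names and the `Employee` record are made up for illustration. It computes the audit metrics most programs report (completion, quiz pass) alongside behavior metrics a PMT-informed program would care about (MFA newly enabled by people who did not have it, click and report rates on simulated phishing).

```python
"""Audit metrics versus behavior metrics for a security awareness cycle.

Added example with constructed data. The point of the comparison: a roster
can show 100% completion and a high quiz pass rate while the behaviors the
training was meant to change (MFA enrolment, phishing reporting) barely move.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user: str
    completed_training: bool
    quiz_passed: bool
    mfa_before: bool        # MFA enrolled before the training cycle
    mfa_after: bool         # MFA enrolled 30 days after (assumed window)
    sim_phish_sent: int     # simulated phishing messages sent after training
    sim_phish_clicked: int  # of those, how many the user clicked
    sim_phish_reported: int # of those, how many the user reported


def _ratio(num: int, den: int) -> Optional[float]:
    """Safe division; None when there is nothing to measure (empty denominator)."""
    return None if den == 0 else num / den


def audit_metrics(staff: list[Employee]) -> dict[str, Optional[float]]:
    """What an audit-driven program reports: did training happen, did the quiz pass."""
    return {
        "completion_rate": _ratio(sum(e.completed_training for e in staff), len(staff)),
        "quiz_pass_rate": _ratio(sum(e.quiz_passed for e in staff), len(staff)),
    }


def behavior_metrics(staff: list[Employee]) -> dict[str, Optional[float]]:
    """What a coping-efficacy focused program would measure: did behavior change."""
    # Only employees who lacked MFA beforehand could have been changed by training.
    eligible = [e for e in staff if not e.mfa_before]
    newly_enabled = sum(e.mfa_after for e in eligible)
    sent = sum(e.sim_phish_sent for e in staff)
    return {
        "mfa_newly_enabled_rate": _ratio(newly_enabled, len(eligible)),
        "mfa_coverage_after": _ratio(sum(e.mfa_after for e in staff), len(staff)),
        "phish_click_rate": _ratio(sum(e.sim_phish_clicked for e in staff), sent),
        "phish_report_rate": _ratio(sum(e.sim_phish_reported for e in staff), sent),
    }


# Constructed roster: everyone completed, nearly everyone passed the quiz,
# yet only one of four unenrolled users turned on MFA and clicks stay high.
ROSTER = [
    Employee("alice", True, True, True, True, 3, 0, 2),
    Employee("bob", True, True, False, False, 3, 1, 0),
    Employee("carol", True, True, False, True, 3, 0, 1),
    Employee("dave", True, True, False, False, 3, 2, 0),
    Employee("erin", True, False, False, False, 3, 1, 0),
    Employee("frank", True, True, True, True, 3, 0, 0),
]


def report(staff: list[Employee]) -> dict[str, dict[str, Optional[float]]]:
    """Both views of the same cycle, so the gap between them is visible."""
    return {"audit": audit_metrics(staff), "behavior": behavior_metrics(staff)}


if __name__ == "__main__":
    for section, metrics in report(ROSTER).items():
        print(f"[{section}]")
        for name, value in metrics.items():
            print(f"  {name:<24} {'n/a' if value is None else f'{value:.2f}'}")
```

Run against the constructed roster, the audit view reports 100% completion and an 83% quiz pass rate, while the behavior view shows that only 25% of employees without MFA enabled it and that 22% of simulated phish were still clicked. The `None` handling matters in practice: a team where everyone already had MFA has no eligible population for that metric, and reporting 0% there would misstate the result.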


About the author

Ali Safari
PhD Student in IS, University of North Texas

Researching AI governance, trust in intelligent systems, and agentic AI. Writing while studying for comps.
