Companies often turn to a powerful emotion to get employees to be vigilant about cybersecurity. They scare them.
If you do this, or don’t do that, something awful will happen. Click on phishing messages, and the company’s network will be exposed to hackers. Use simple passwords, and your personal files will get stolen.
The problem: Fear doesn’t work. Sure, it may get people to act in that moment. But scare tactics don’t get people invested in security over the long term, as Marc Dupuis of Washington University and I discovered in research last year.
In fact, it can do the opposite. That is because fear can leave employees in a constant state of anxiety, which makes them unable to think clearly about threats. Alternatively, such heavy-handed scare messaging can make employees disgruntled and uninterested in security, thinking that the threats are exaggerated—and that bosses don’t trust them to do the right thing.
But fear not. Although scaring employees may not be an effective way to keep them vigilant, there are other tools that do work. First, let’s dig deeper into why fear doesn’t work.