These are my comments on the study “Neural correlates of protection motivation for secure IT behaviors: An fMRI examination” – Warkentin et al. (2016)
I thoroughly enjoyed reading this study. It uses fMRI to investigate how individuals really experience fear appeals in a behavioral security context. A bit of context here: fear appeals are an established theory and concept that dates back at least five decades. The theory has a long lineage from previous theories that some have argued did not quite produce the expected results (e.g., fear-as-acquired drive model, parallel response model). A fear appeal is a persuasive communication or message that presents a threat to elicit fear in the individual, which in turn motivates a specific behavior. Fear appeals were introduced in the health context.
Message (a threat that one might die from smoking-related cancer) ==> Fear ==> Behavior (I will stop smoking).
An example is the TV commercial: “This is your brain. This is your brain on drugs. Any questions?”
Now this theory has been used in the behavioral security domain to elicit fear and a recommended behavior. Think:
Message (clicking on this link will infect your computer with malware) ==> Fear (I am afraid of malware) ==> Behavior (I won’t click on the link).
Researchers in this domain note that most applications of this theory have generated mixed results (… think sometimes it works very well, other times, not).
Back to the study. The Warkentin et al. (2016) study is trying to figure out (using neuroscience, specifically fMRI) whether fear appeals really work in behavioral security the same way they work in the health context (like when we are afraid of dying). They contend that health is more personal and has deep personal relevance. What they found after they plugged respondents up with fMRI machines and evaluated their responses is different from what the literature has been telling us about fear in behavioral security.
They find, in their words, that “fear appeals are not as effective as those in other fields, such as healthcare or public service”. Individuals did not experience fear related to security threats; instead, they were thinking in terms of self (i.e., self-reference thinking) when they evaluated the security threats. In other words, I think they may have been thinking, “how does this even affect me personally?” Also, according to Warkentin et al., the respondents engaged in “action planning”. In other words, they may have been thinking of how they should respond and what to do with the threat information they have now been exposed to. They are thinking about “doing something”.
Although this is one study and there need to be more using the same methods (fMRI) to validate the finding, it does seem to identify some of the issues inherent in using fear appeals to elicit security behaviors. In addition, it shows that researchers and practitioners should perhaps focus on the behavior aspect (since the individual responds more to “action planning”). Overall, Warkentin et al. (2016) is saying “Instead of trying to make threats seem more threatening” … perhaps focus on “making recommended responses more appealing”.
Now, how about that? Let me know your thoughts...