TY - JOUR
T1 - HOW TO CONVINCE USERS TO PROTECT THEMSELVES AGAINST CYBERSECURITY THREATS
AU - Willison, Robert
AU - Galletta, Dennis
AU - Moody, Gregory
AU - Lowry, Paul
AU - Boss, Scott
AU - Chen, Yan
AU - Luo, Xin
AU - Pienta, Daniel
AU - Schultz, Sebastian
AU - Polak, Peter
AU - Thatcher, Jason
PY - 2024
Y1 - 2024
N2 - Despite technological advancements, cybersecurity breaches persist, with human actions often serving as the most vulnerable point of entry. Educational programs and policies have failed to curb threats, evident in the rising trend of data compromises and breach costs. From 2005-2023, U.S. data compromises and costs surged, averaging $9.48 million in 2023. Worsening threat situations do not seem to correlate with an abundance of tools and techniques that have been applied over that period, so a strategic shift seems to be needed. Based on interviews with CISOs as well as earlier experimental research, this paper advocates for using care in warning users about security dangers, yet providing them with the confidence they need to be more careful and to prevent problems. Effective risk containment demands a redefined dialogue on cybersecurity consequences for employees, consumers and stakeholders. Our main conclusion is that managers need to walk a fine line in security communications: It is important to instill just enough fear about potential consequences of carelessness, but there are many concerns about going overboard, instilling negativism or too much fear.
KW - Cybersecurity
KW - Data Breaches
KW - User Actions
KW - Management Interventions
KW - Breach Costs
KW - Technological Vulnerabilities
KW - Security Awareness
M3 - Article
SN - 1540-1960
JO - MIS Quarterly Executive
JF - MIS Quarterly Executive
ER -