Fear vs. Anxiety in Cybersecurity: What We Can Do

People experience and react to anxiety and fear differently. We might find that addressing the fear of cybersecurity events is more practical than handling anxiety. It’s worth considering how we might shift people from the state of anxiety to that of fear, so we can ultimately address their concerns.

Anxiety vs. Fear

Lang, Davis and Ohman examined physiological effects of fear and anxiety on humans and found several distinctions. The authors also provided an explanation of how fear is different from anxiety:

“Fear is generally held to be a reaction to an explicit threatening stimulus, with escape or avoidance the outcome of increased cue proximity. Anxiety is usually considered a more general state of distress, more long lasting, prompted by less explicit or more generalized cues.”

In the context of cybersecurity, experiencing fear implies being concerned with a specific event, such as a particular threat agent compromising a specific set of data. We have a way of dealing with such concerns through threat modeling, which involves a structured approach to identifying and rating threats.

Handling Anxiety is Harder Than Dealing with Fear

Dealing with anxiety related to cybersecurity is much harder. Anxiety is a reaction to abstract concerns that are harder to identify and, as a result, harder to address. For instance, a person might be anxious about the company experiencing a data breach.

Eilam, Izhar and Mort published a paper on behavioral practices associated with threat detection. They wrote:

“An animal that is anxious about the possibility of a nearby predator, might then come face to face with a predator, which will convert the anxiety into a real and perceptible danger that produces a fear response. Alternatively, the anxious animal might not encounter a predator, and the question is then one of when it will calm down and become less anxious. Relief from a state of anxiety is subjective and thus varies among individuals.”

Marketing and persuasion practices in cybersecurity often incorporate the principles of Fear, Uncertainty and Doubt (FUD). FUD isn’t always bad, as Dave Shackleford once suggested. The problem is that much of FUD is designed to induce anxiety, rather than fear. There are several categories of FUD tactics, as Mike Rothman outlined; some of them can incorporate fear and thus persuade people to pay attention to relevant cyber threats.

Focus on Fear, Rather Than Anxiety

By focusing on specific threats tied to actual events and meaningful risks, we can focus people’s attention on specific “predators.” We can then consider how to alleviate the associated fears through risk management. Breach and threat reports put out by security vendors make this possible. In contrast, if we focus on inducing the state of anxiety, we might succeed at selling some security products, but we won’t actually address risks in a meaningful manner. It’s possible to react to fear. It’s hard to leave the state of anxiety.

Related: Don’t Underestimate the Importance of Feeling Secure.

About the Author

Lenny Zeltser develops teams, solutions, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.
