Fear vs. Anxiety in Cybersecurity: What We Can Do

There are differences between anxiety and fear in the way people experience and react to these conditions. We might find that addressing the fear of cybersecurity events is more practical than handling anxiety. It’s worth considering how we might shift people from the state of anxiety to that of fear, so we can ultimately address their concerns.

Anxiety vs. Fear

Lang, Davis and Ohman examined physiological effects of fear and anxiety on humans and found several distinctions. The authors also provided an explanation of how fear is different from anxiety:

"Fear is generally held to be a reaction to an explicit threatening stimulus, with escape or avoidance the outcome of increased cue proximity. Anxiety is usually considered a more general state of distress, more long lasting, prompted by less explicit or more generalized cues."

In the context of cybersecurity, experiencing fear implies being concerned with a specific event, such as a particular threat agent compromising a specific set of data. We have a way of dealing with such concerns through threat modeling, which involves a structured approach to identifying and rating threats.

Handling Anxiety is Harder Than Dealing with Fear

Dealing with anxiety related to cybersecurity is much harder. Anxiety is a reaction to abstract concerns that are harder to identify, and, as the result, harder to address. For instance, a person might be anxious about the company experiencing a data breach.

Eilam, Izhar and Mort published a paper on behavioral practices associated with threat detection. They wrote:

"An animal that is anxious about the possibility of a nearby predator, might then come face to face with a predator, which will convert the anxiety into a real and perceptible danger that produces a fear response. Alternatively, the anxious animal might not encounter a predator, and the question is then one of when it will calm down and become less anxious. Relief from a state of anxiety is subjective and thus varies among individuals."

Marketing and persuasion practices in cybersecurity often incorporate the principles of Fear, Uncertainty and Doubt (FUD). FUD isn’t always bad, as Dave Shackleford once suggested. The problem is that much of FUD is designed to induce anxiety, rather than fear. There are several categories of FUD tactics, as Mike Rothman outlined; some of them can incorporate fear and thusly persuade people to pay attention to relevant cyber threats.

Focus on Fear, Rather Than Anxiety

By focusing on specific threats tied to actual events and meaningful risks, we can focus people’s attention on specific “predators.” We can then consider how to alleviate the associated fears through risk management. Breach and threat reports put out by security vendors make this possible. In contrast, if we focus on inducing the state of anxiety, we might succeed at selling some security products, but we won’t actually address risks in a meaningful manner. It’s possible to react to fear. It’s hard to leave the state of anxiety.

Related: Don’t Underestimate the Importance of Feeling Secure.


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more