Speak their Language: Designing Effective Messages to Improve Employees' Information Security Decision Making

Abstract

Employee disinterest in information security remains one of the greatest impediments to effective information security management programs. How can organizations enhance the persuasiveness of the information security messages used to warn employees of threats and encourage employees to take specific actions to improve their security? We use fear appeal theory and the elaboration likelihood model to argue that security messages presented using more personally relevant language are more likely to induce employees to engage in the recommended protective security behaviors. Our strategy uses organization identification theory to segment employees into two groups and then develops security messages that use language aligned with each of the two segments. We tested this strategy within a large U.S. organization, and found that employees were more likely to consider and act upon messages that used language aligned with their organizational identification than messages using language not aligned. The effect size was large. Our results show that subtly changing less than a dozen words in the way a security message was presented without changing its substantive content (e.g., using “our” instead of “your”) has both significant and meaningful effects on how employees think about and respond to it.