Journal of Management Information Systems

Volume 40 Number 4 2023 pp. 1099-1138

Examining the Differential Effectiveness of Fear Appeals in Information Security Management Using Two-Stage Meta-Analysis

Lowry, Paul Benjamin, Moody, Gregory D, Parameswaran, Srikanth, and Brown, Nicholas James

ABSTRACT:

Most of the information security management research involving fear appeals is guided by either protection motivation theory or the extended parallel processing model. Over time, extant research has extended these theories, as well as their derivative theories, in a variety of ways, leading to several theoretical and empirical inconsistencies. The large body of fragmented, and sometimes conflicting, research has muddied the broader understanding of what drives protection- and defensive motivation. We provide guidance to the security discourse by offering the first study in the literature to employ two-stage meta-analytic structural equation modeling (TSSEM), which combines covariance-based structural equation modeling and meta-analysis. Information systems (IS) researchers have traditionally used meta-analysis for structural equation modeling for such purposes—an approach that has several serious statistical flaws. Using 341 systematically selected empirical security articles (representing 383 unique studies) and TSSEM, we pool a large series of five datasets to test six models, from which we examine the effects of constructs and paths in the security fear-appeals literature. We compare and test six versions of models inspired by issues in the broader fear-appeals literature. We confirm the importance of both the threat- and coping-appraisal processes; establish the central role of fear and that it has greater importance than threat; show that efficacy is a stronger predictor of protection motivation than is threat; demonstrate that response costs as currently measured are ineffective but that maladaptive rewards have a strong negative effect on protection motivation and a positive effect on defensive motivation; and provide evidence that dual models of danger control and fear control should be used.

Key words and phrases: Security, information security management (ISM), two-stage meta-analytic structural equation modeling (TSSEM), protection motivation theory (PMT), extended parallel process model (EPPM)