Information & Management 56 (2019) 103157

Contents lists available at ScienceDirect

Information & Management

journal homepage: www.elsevier.com/locate/im

Perceived argument quality's effect on threat and coping appraisals in fear T

appeals: An experiment and exploration of realism check heuristics
Jeffrey D. Walla, Merrill Warkentinb,
⁎

a
Management Information Systems, School of Business and Economics, Michigan Technological University, United States
b
James J. Rouse Endowed Professor of Information Systems, College of Business, Mississippi State University, United States

ARTICLE INFO ABSTRACT

Keywords: Persuasion is key to encourage compliance with information security policies through fear appeals, though
Perceived argument quality research has not examined how the perceived quality of their arguments affects threat and coping appraisals.
Information security Because we know that perceived argument quality can influence attitudes and behavior, it may improve fear
Fear appeal appeal effectiveness. The results of a scenario-based field experiment suggest that perceived argument quality
Realism
increases response efficacy perceptions and compliance intentions. We also examine emerging heuristics about
Scenario
how to use realism checks in scenario-based research and find that current realism check heuristics in behavioral
information security research may be misguided, contributing to biased interpretation.

1. Introduction
Garnering employee compliance with information security policy
(ISP) is an important organizational endeavor, as security issues caused
by employee negligence and malice are costly and cause damage to
organizations and their clients [1,2]. Security controls, such as sanc-
tions [3], training [4], social influence [5], and security values [6],
permeate organizations [7–10]. Persuasion is key to many compliance-
gaining strategies [4,11,12]; nonpunitive strategies (e.g., education and
training programs) and punitive strategies (e.g., sanctions) may be
more effective when backed by persuasion [4,11,13]. Thus, under-
standing how persuasive messages influence security behavior remains
a crucial area of study in behavioral information security (InfoSec)
research.
The fear appeals model (FAM) and protection motivation theory
(PMT) are common persuasion-based theories employed in behavioral
InfoSec research and practice [11,12,14–17]. FAM and PMT rely on a
particular persuasive message, namely the fear appeal, to influence
behavior. A fear appeal is a persuasive message that identifies a threat
and, ideally, a coping mechanism to alleviate the threat [15]. In orga-
nizations, fear appeals may take the form of mechanisms as simple as an
email sent to employees after a security breach, or through intricately
designed training programs that identify security threats and coping
mechanisms. The use of fear appeals is ubiquitous in organizations. Fear
appeals motivate behavioral change by instilling fear of a threat and
presenting coping mechanisms to mitigate the threat. Fear appeals that
engender higher levels of fear through strong threat messages tend to
exert greater influence on behavioral intentions and subsequent beha-
vior than appeals that engender lower levels of fear [15].
Although fear appeal theories have gained traction in InfoSec re-
search, calls have been issued for a more complete examination of the
nomological network of FAM and PMT [12,15,18]. More particularly,
research has called for a closer examination of the message design of
fear appeals to develop more effective fear appeals [18]. Designing
stronger fear appeals is an important research endeavor, as fear appeal
research exhibits inconsistencies regarding the effectiveness of fear
appeals; poorly designed fear appeals may backfire [18]. In answer to
these calls, we seek to further extend the nomological network of fear
appeal research by considering characteristics of the fear appeal mes-
sage that may affect individuals’ threat and coping appraisals. Few
behavioral InfoSec studies examine how characteristics of a fear appeal
message influence threat and coping appraisals [15]. If managers un-
derstand the characteristics of fear appeal messages that promote pro-
tective behaviors, they may be able to increase compliance with ISP by
developing better appeals [18].
In this study, we consider the effect that perceived argument quality
exhibits on threat and coping appraisals in fear appeals. Herein, per-
ceived argument quality refers to an individual's belief that the content of
a message is accurate and complete. Perceived argument quality is a
concept discussed in research related to the elaboration likelihood
model, the heuristic-systematic model (HSM) of information proces-
sing, and other theories of persuasion and cognition [19–21].

⁎
Corresponding author.
E-mail addresses: jdwall@mtu.edu (J.D. Wall), m.warkentin@msstate.edu (M. Warkentin).

https://doi.org/10.1016/j.im.2019.03.002
Received 6 May 2017; Received in revised form 4 March 2019; Accepted 12 March 2019
Available online 21 March 2019
0378-7206/ © 2019 Elsevier B.V. All rights reserved.
J.D. Wall and M. Warkentin
Integrating FAM and PMT with core constructs from other persuasion
theories may provide new insight into the design of effective fear ap-
peals [18]. In this study, we ask how does the perceived argument quality
of a fear appeal message affect employees’ threat and coping appraisals? To
answer this question, we employ a scenario-based field experiment in
which we manipulate the arguments of three fear appeal messages. We
then measure respondents’ threat and coping appraisals.
Additionally, we also contribute to ongoing methodological dis-
cussions that have direct impact on theory testing. InfoSec scholars
have called for more and stronger experimental manipulations and
controls [15,22], particularly in fear appeal research [15], to ensure
that study claims are valid and truly support theoretical assertions.
Experimental controls, such as realism checks, enhance the validity of
claims made within experimental studies [12,23,24].
We draw particular attention to researchers’ heuristic use of realism
checks in behavioral InfoSec research, as they have received recent
attention in the literature as being important and underused study
controls [22,25]. Realism checks are used in scenario-based research to
ensure that the scenarios in the study are believable and contextually
relevant to respondents [22,25]. Realism perceptions refer to the extent
to which study respondents believe that experimental manipulations
represent situations that occur in practice. Failure to account for rea-
lism perceptions in theory testing efforts can lead to the study of topics
that are irrelevant to practice [22]. Further, respondents who do not
perceive a study to be realistic may answer study questions differently
than those who perceive the study to be realistic, which can lead to bias
in studies [22,25]. Appropriately accounting for realism perceptions is
necessary to achieve unbiased results in theory testing efforts.
Untested heuristics are arising in the literature about how realism
checks should be used in InfoSec studies [23–26]. Because study par-
ticipants’ realism perceptions influence how they respond to study in-
struments, it is crucial that these heuristics be tested to minimize sys-
temic bias across studies. Study participants’ realism perceptions
represent spurious theoretical explanations for study results, which
must be controlled to increase the validity of study results. To ensure
that current heuristics are appropriate, we empirically test some of the
untested heuristics used in the literature and provide direction for the
future use of realism checks in scenario-based research. We find that
existing heuristics may introduce some bias into studies by treating
neutral realism scores the same as high realism scores. Our study shows
that participants with neutral realism scores respond to study instru-
ments differently than those with high realism scores. We call for
modifications to existing heuristic research practices and further to
minimize bias.
2. Persuasion in behavioral InfoSec research
The use of persuasion in behavioral InfoSec research varies. Some
studies ignore persuasion, others discuss persuasion as a way to en-
hance other types of security controls, such as training [e.g.,4], and still
others examine persuasive appeals as a type of security control, such as
the fear appeal [e.g.,11].
Studies that discuss persuasion as a means of improving other se-
curity controls differ in the extent to which they use persuasion-centric
theory (e.g., ELM and fear appeals theory). Many studies discuss per-
suasion by implication only or without reference to persuasion-centric
theory. For example, Straub [27] found that disseminating messages
about appropriate information system (IS) usage and penalties for
misuse of IS resources may decrease computer abuse. This implies that
managers should persuade employees to adopt the organization's view
of appropriate security behavior by inducing fear of sanctions. Simi-
larly, research on security education training and awareness (SETA)
programs points to the importance of persuasion [28]. Research on
ethics training also highlights the need to persuade employees to align
their values and moral beliefs with secure information behaviors
[29,30]. These studies suggest or imply that persuasion is important to
2
Information & Management 56 (2019) 103157
security research; however, persuasion-centric theory and constructs
are not deeply embedded in the research models. Discussion of per-
suasion in these studies may, therefore, be tangential or speculative.
Other studies discuss persuasion as a means of improving other
types of security controls, such as training, by relying on persuasion-
centric theory. Puhakainen and Siponen [4] used ELM in the context of
organizational training to develop better security training programs.
They suggested that ELM can help to describe why and how security
training improves compliance with security policy. They also suggested
that security training should rely on methods that “enable the sys-
tematic cognitive processing of information” [4]. Similarly, Bulgurcu
et al. [31] used Rogers’ [32] model of the innovation-decision process
to explain how knowledge—represented as ISP awareness—influences
persuasion—represented as attitude toward ISP compliance. Wall et al.
[33] suggested that organizational goals and communication structures
can influence organizational and individual risk perceptions, thereby
affecting security behavior. Additionally, Barlow et al. [26] used
framing theory to suggest that security training may dissuade users
from engaging in neutralization techniques.
While many studies implicitly or explicitly show how persuasion
improves the effectiveness of security controls, other studies examine
persuasive appeals as a type of security control. Many of these studies
examine the fear appeal [11,12,15,18]. For example, Johnston and
Warkentin [11] examined the effect that fear appeals exert on security
behavior. They found that users’ reactions to fear appeals differ ac-
cording to the users’ perceptions of the threat used to induce fear, of
their self-efficacy to mitigate the threat, and of the efficacy of a pro-
posed solution to mitigate the threat. In an enhanced FAM model,
Johnston et al. [12] showed that including punitive threats to the em-
ployee in addition to conventional threats to information assets can
improve compliance intentions. A few studies also examine the direct
effect of ELM variables on security behavior. Johnston and Warkentin
[34] found that source credibility of someone sending a security mes-
sage influences employees’ security attitudes and intentions. Building
on these studies, we seek to understand some of the theoretical con-
nections between fear appeal theories and other theories of persuasion,
such as ELM and HSM. Table 1 provides a list of representative beha-
vioral InfoSec studies that examine persuasion through different theo-
retical perspectives.
Our study continues in the traditional way of theoretical extension
found in other persuasion-centric behavioral InfoSec research (see
Table 1). For instance, we continue to extend the most widely adopted
persuasion theory, PMT. We do so by combining PMT with other the-
ories (i.e., ELM and HSM) to show how perceived argument quality acts
as an antecedent to threat and coping appraisals. In doing so, we
identify new theories that may be compatible with PMT beyond the
technology adoption model [25] and self-determination theory [39].
We also answer calls for the exploration of antecedents to threat and
coping appraisals [18] beyond those that currently examined, namely
security habits [16].
3. Realism checks in behavioral InfoSec research
Behavioral InfoSec studies rarely employ experimental methods,
which has prompted recent calls for more experimental research
[40,41]. Designing an experiment requires careful attention to detail
and often calls for the use of a number of controls to ensure the validity
of the experiment results. For example, the realism of a study is a
concern in scenario-based research [24,42], leading to calls for more
realism checks in experimental research [22]. Scenarios that are not
perceived as real may not elicit the same psychological or sociological
responses as those perceived to be real. Thus, accounting for realism is
crucial.
In practice, realism checks have been used in different ways in be-
havioral InfoSec research. Some studies have conducted realism checks
and suggested that realism was acceptable because it met or exceeded
J.D. Wall and M. Warkentin Information & Management 56 (2019) 103157

Table 1
Use of persuasion in behavioral InfoSec research by theory/model.
Representative Studies Theory/model Description

[4,34] Elaboration likelihood ELM security studies examine the effect of argument quality [4] and source credibility [34] on security intentions and
model behaviors.
[35] Heuristic-systematic model Few security studies adopt HSM. Luo et al. [35] used HSM to show how argument quality, source credibility, and genre
conformity influence the likelihood of being victimized by phishing attacks.
[11,12] Fear appeals model The FAM examines coping appraisals as mediators between threat appraisals and behavioral intention [11]. Extensions
have included personal threats, namely sanctions, to the core model [12].
[14–16,18,36–39] Protection motivation PMT is the most widely adopted persuasion model in behavioral InfoSec research. It examines how fear inducing threat
theory appraisals combined with coping appraisals influence protection motivation and subsequence security behaviors through
fear appeals [14,15].
Many extensions of PMT exist in InfoSec literature, including: antecedents to threat and coping appraisals such as security
habits [16] and message framing [18]; a taxonomy of protection motivation behaviors [37]; comparisons of appraisals
across different groups [17]; and combinations of PMT with other theories, such as the technology adopt model [38] and
self-determination theory [39].

the neutral rating on the measurement scale (e.g., 4 or higher on a 7
point scale) [24,25]. In these studies, responses from all study partici-
pants were included. In other studies, if a respondent's realism score fell
below the neutral rating, the responses were dropped from the study
[23,26]. Although these approaches offer different solutions to deal
with realism, they both point to a heuristic that a realism score is ac-
ceptable when the score is neutral or higher. This heuristic clearly
suggests a difference between scores below the neutral mark and those
at or above the neutral mark. However, this raises a question that has
yet to be tested: do neutral realism scores differ in their influence on key
variables from higher realism scores?
Further, realism checks have only been used as a control variable on
the dependent variable, primarily behavioral intention [23–25]. Rea-
lism checks have not been included as a control on other endogenous
variables. Respondents’ perceptions of the realism of a study may in-
fluence how they perceive and respond to study questions [22]. Thus, it
may be important to control for realism on all endogenous variables,
such as mediating variables, to account for spurious explanations of
study results. This raises the question: should realism checks be used as
controls on all endogenous variables or just on the outcome variable? The
heuristics currently used in practice deserve testing to ensure that
realism checks are used appropriately in future research to minimize
bias and enhance the validity of study results.
4. Theoretical development
Building on previous PMT and FAM research, we seek to understand
how characteristics of the fear appeal message, namely perceived ar-
gument quality, influence threat and coping appraisals. To do so, we
draw on concepts from persuasion-centric theories.
and coping appraisals. Threat appraisals are often represented as in-
dividuals’ perceptions of threat severity (i.e., beliefs about the threats
potential to cause damage) and threat vulnerability (i.e., beliefs about
the likelihood that a threat will affect them). Coping appraisals are often
represented as individuals’ perceptions of the response efficacy of
coping mechanisms identified in the fear appeal and of the self-efficacy
of the individual to use the proposed coping mechanism [12,14,43].
Response efficacy refers to the extent to which an individual believes the
coping mechanism in a fear appeal will mitigate a threat presented in
the appeal. Self-efficacy refers to the extent to which an individual be-
lieves they are able to enact the coping mechanism to mitigate the
threat. Other threat and coping variables include maladaptive rewards
and response cost [15,16].
The nomology of fear appeal theories differs slightly across studies.
Some FAM studies suggest that threat appraisals (i.e., threat severity
and vulnerability) affect coping appraisals (i.e., response efficacy and
self-efficacy) and that coping appraisals affect behavioral intentions
[11,12]. Recent adaptations of FAM also explore the relationship be-
tween threat appraisals and behavioral intention, treating coping ap-
praisals as a partial mediator between threat appraisals and behavioral
intention [12]. Many PMT studies in InfoSec research are less con-
cerned with connections between threat and coping appraisals. Instead,
PMT models tend to examine how threat and coping appraisals affect
attitude, behavioral intention, and protection motivation [14–16].
Some PMT studies link threat appraisal with attitude but not with be-
havioral intention [14], and other studies do not include attitude at all
[15,16]. Although our study provides insight into the nomology of fear
appeal theories, as discussed later, our experiment primarily seeks to
establish causality between a few key constructs to link perceived ar-
gument quality with fear appeal theories.

4.1. Fear appeal theories 4.2. Perceived argument quality

Fear appeal theories, including FAM and PMT, seek to explain why
and how fear appeal messages lead to protective behavior. Fear appeal
theories identify two behavioral responses to fear appeal messages,
namely danger control and fear control [18]. Danger control refers to the
careful appraisal of threats and coping mechanisms identified in a fear
appeal and attempts to directly cope with the threats. Conversely, fear
control refers to attempts to manage fear that do not include direct
coping with the threat, such as avoiding threat messages [15,18]. Fear
control is a maladaptive response to fear appeals. Most behavioral In-
foSec studies do not measure fear control and focus instead on danger
control [18]. Following in this tradition, this study examines danger
control responses to fear appeals. Although future research should seek
to understand fear control better, examining danger control remains an
important research endeavor [18].
Two core constructs are found across fear appeal theories and are
crucial to the study of danger control. They include threat appraisals
Individuals examine and interpret arguments in communication
[19–21]. Theories of persuasion and cognition suggest that individuals
interpret the quality of messages in different ways. Several dual pro-
cessing route theories exist, such as ELM, HSM, and Kahneman's theo-
rizing of System 1 and System 2 thinking.
For example, ELM is concerned with the likelihood that an in-
dividual will cognitively elaborate on the arguments in a message. ELM
posits that individuals process messages through one of two routes—the
central route or the peripheral route [44]. When individuals are moti-
vated and feel capable of reasoning about the arguments in a message,
they are more likely to process the message through the central route.
However, when they are not motivated or able to reason about the
arguments in the message, they are more likely to process the message
through the peripheral route [20]. Motivation and ability are often
measured by variables such as an individual's involvement with the
topic of the message and an individual's expertise related to the topic of

3
J.D. Wall and M. Warkentin
the message [45].
In ELM, central route processing involves paying careful attention to
and reasoning about the arguments of a message [4,44]. Central route
processing is shown to affect both attitudes toward behavioral pre-
scriptions contained in messages [20,46] and intentions to engage in
the behavioral prescriptions [45]. When processing a message through
the central route, stronger arguments lead to larger changes in attitude
and behavior [20]. The effects of perceived argument quality on atti-
tude and behavioral change are empirically validated in many IS studies
[e.g., 45,46,47]. Conversely, peripheral route processing involves relying
on peripheral cues, such as source credibility and likeability or aspects
of the message such as message length, to form judgments about mes-
sage content and quality [34]. Thus, individuals may perceive an ar-
gument to be of high quality even without careful processing of the
message. Peripheral route processing can also lead to changes in atti-
tude and behavior [34]; however, central route processing is likely to
produce stronger and more stable attitude and behavior change [44].
Kahneman's theory of System 1 and System 2 thinking [21] and
HSM [19] also suggest that individuals process arguments and argu-
ment quality in different ways. Both theories argue that individuals
seek to conserve energy and that cognition, such as message processing,
requires energy. These theories, therefore, suggest that to conserve
cognitive resources, individuals often rely on heuristics to process and
evaluate messages rather than through careful systematic examination
of message content [21].
System 2 thinking from Kahneman's theory and systematic proces-
sing from HSM are similar to central route processing, in which in-
dividuals processing information through these systems pay careful
attention to the arguments and details of the message. Similarly, System
1 thinking and heuristic processing are similar to peripheral route
processing in ELM. System 1 thinking, heuristic processing, and per-
ipheral route processing seek to identify cognitive shortcuts to analyze
the quality of arguments. Despite the lack of careful processing, in-
dividuals may still develop strong perceptions of the quality of in-
formation and arguments in a message, leading to behavioral change
[21]. HSM also suggests that individuals may engage in both heuristic
and systematic processing of messages in an additive fashion [19,48].
These several theories of persuasion and cognition demonstrate that
individuals’ argument quality perceptions can lead to attitude and be-
havior change.
4.3. Integrating perceived argument quality with threat and coping
appraisals
Persuasive messages are subject to scrutiny, whether heuristically or
systematically, by those who receive them [19,21]. The idea that in-
dividuals may scrutinize the message or message cues in a fear appeal is
not fully explored in behavioral InfoSec research nor is it explicitly
theorized in PMT and FAM. Given the theoretical underpinnings of
ELM, HSM, and other theories of persuasion and cognition, perceived
argument quality may provide new insight to the study and design of
fear appeal messages. For example, in behavioral InfoSec research,
perceived argument quality is shown to improve the effectiveness of
messages presented in security trainings [4].
Following principles of ELM, HSM, and other theories of persuasion,
the effectiveness of a fear appeal should be partially explained by the
perceived argument quality of the message in the appeal. In FAM and
PMT, threat perceptions are often conceptualized as the perceived se-
verity of a threat and the perceived susceptibility to the threat. Based on
this logic, individuals’ perceptions of the quality of the message re-
garding the threat's severity and their own susceptibility to the threat
will prompt the individuals to change their attitudes toward the threat.
Thus, whether due to systematic cognitive processing or heuristic pro-
cessing of the message, we would expect threat perceptions to increase
when a fear appeal is perceived to exhibit strong arguments and de-
crease when perceived argument quality is low.
4
Information & Management 56 (2019) 103157
According to FAM and PMT, the effectiveness of a fear appeal is also
dependent on individuals’ coping appraisals [12,15]. We examine two
commonly studied coping appraisals—self-efficacy and response effi-
cacy [49,50]. According to tenets of HSM and other persuasion-centric
theories, individuals’ attitudes toward a topic or subject can be altered
through a message when individuals perceive the message to be of high
quality [19,20]. This is true for messages processed systematically and
heuristically [21]. Fear appeals are framed to convince individuals to
adopt a particular coping mechanism to mitigate a threat. Thus, argu-
ments that are perceived as high quality could positively alter in-
dividuals’ perceptions and attitudes about the coping mechanism.
Further, according to social cognitive theory, persuasive messages may
increase self-efficacy [51]. The effect of cognitive processing of mes-
sages on self-efficacy has been demonstrated in many studies [e.g.,
52,53]. Based on this reasoning, we propose:
Hypothesis 1. An increase in the perceived argument quality of a fear
appeal will increase perceptions of threat severity.
Hypothesis 2. An increase in the perceived argument quality of a fear
appeal will increase perceptions of threat susceptibility.
Hypothesis 3. An increase in the perceived argument quality of a fear
appeal will increase self-efficacy to engage in the coping behavior specified in
the appeal.
Hypothesis 4. An increase in the perceived argument quality of a fear
appeal will increase perceptions of the response efficacy of the coping
behavior specified in the appeal.
According to persuasion theories, when individuals perceive a
message to be of high quality, their attitudes and behaviors are likely to
change in a manner that is consistent with the arguments in the mes-
sage [19,44]. Weak argument perceptions do not lead to strong beha-
vioral change. The coping messages in a fear appeal represent the de-
sired attitude and behavioral adjustment requested of the reader. Thus,
an increase in the perceived argument quality of a fear appeal may
increase the likelihood that an individual will engage with the coping
mechanism (e.g., following ISP). In summary, we suggest:
Hypothesis 5. An increase in the perceived argument quality of a fear
appeal will increase intentions to comply with the coping behavior specified
in the appeal.
5. Improved research rigor through realism check heuristics
In addition to understanding how perceived argument quality af-
fects threat and coping appraisals, we also seek to understand whether
heuristics about the use of realism checks in InfoSec research are rea-
sonable. As previously noted, a number of studies have identified a
heuristic for determining whether a study is perceived as realistic by
respondents. For example, D’Arcy et al. [25] measured realism on a 7-
point Likert scale with four as a neutral point for five different sce-
narios. The mean realism scores for the scenarios ranged from 4.30 to
5.44. The study concluded that a mean of 4.30 is an acceptable level of
realism. Similarly, Johnston et al. [23] measured realism on a 7-point
Likert scale with four as a neutral point. Responses with a realism score
lower than four were dropped. A similar approach was used in Barlow
et al. [26]. Willison et al. [54] used a scale from zero to ten, with scores
below five being excluded. These studies point to a heuristic that rea-
listic scenarios are those with at least a neutral score (e.g., four or
higher on a 7-point Likert scale). Given that perceptions of realism can
influence the outcomes and validity of a study [22], a more nuanced
analysis of realism is needed. Although it is reasonable to believe that
neutral scores and positively rated scores are equivalent, this assump-
tion should be adequately tested to minimize bias in research studies.
Thus, we propose the following hypotheses related to the developing
heuristic about realism:
J.D. Wall and M. Warkentin
Hypothesis 6a. Neutral and positive levels of perceived realism do not exert
differential influence on study outcomes.
Hypothesis 6b. Positive levels of perceived realism exert different influence
on study outcomes than negative levels of perceived realism.
Hypothesis 6c. Neutral levels of perceived realism exert different influence
on study outcomes than negative levels of perceived realism.
Second, in practice, realism scores are only used as controls on the
outcome variable [23–25]. For example, realism perceptions are shown
to influence outcome variables, such as ISP violation intentions [24,25].
Realism perceptions may alter respondents perceptions of the questions
in a study and, therefore, alter how the respondent responds to the
questions [22]. Thus, understanding how realism influences a study is a
major research concern. To account for the effect of realism percep-
tions, research may need to include realism as a control variable on all
endogenous variables and not just on the outcome variable. In the
context of FAM and PMT, realism perceptions could reasonably affect
behavioral intentions as well as threat and coping appraisals. Under-
standing the influence of realism perceptions is of particular importance
for the coping appraisal constructs (i.e., self-efficacy and response ef-
ficacy), which are often modeled as endogenous variables (i.e., med-
iators) [11,12]. We thus propose:
Hypothesis 7a. Realism perceptions will influence perceptions of threat
severity in scenario-based research.
Hypothesis 7b. Realism perceptions will influence perceptions of threat
susceptibility in scenario-based research.
Hypothesis 7c. Realism perceptions will influence self-efficacy perceptions
in scenario-based research.
Hypothesis 7d. Realism perceptions will influence response efficacy
perceptions in scenario-based research.
Hypothesis 7e. Realism perceptions will influence compliance intentions in
scenario-based research.
6. Methods
To test the hypotheses, we identified a valid and operationalizable
experimental research design. We chose and developed a scenario-
based field experiment employing a manipulation and a subsequent
survey, in part because of its ability to elicit forthright responses from
study participants who might otherwise be subject to some degree of
social desirability bias. Scenario-based experiments are appropriate for
sensitive topics such as ISP compliance and noncompliance, where di-
rect lines of questioning may lead to insincere and acquiescent re-
sponses [16,22,23,54–56]. A rich tradition of using scenario analysis in
similar research was established in the criminology field, and it has
been applied frequently in IS research [23,24,26,56–58]. By asking the
respondents to read a scenario and imagine themselves in the context of
the scenario's character, the researcher can establish a reliable and valid
measure for behavioral intention as it relates to the various factors
found in the scenario, even though the behavior may be socially un-
desirable.
In the study, respondents were asked to examine a message that
contained a fear appeal. They were asked to imagine that the fear ap-
peal was a message sent by their manager. They were then asked to
answer questions related to the message in the fear appeal. Similar to
Johnston, Warkentin, and Siponen [12], we developed three distinct
fear appeals with different policy recommendations (i.e., the proposed
coping mechanisms) to determine how well the results generalized to
different types of security behaviors. Table 2 shows the content of the
three scenarios. Each respondent was also assigned to one of two
treatment groups—strong argument and weak argument.
Perceived argument quality has been manipulated in at least two
5
Information & Management 56 (2019) 103157
Table 2
Fear appeal scenarios.
Scenario Security behavior
Scenario 1 Connecting personal laptop to organizational network.
Scenario 2 Data loss and failure to backup data.
Scenario 3 Failing to logout of a computer.
different ways in previous studies. The first approach uses respondents’
subjective ratings of the arguments in a pre-test to identify weak and
strong arguments [59]. The second approach varies characteristics of
the messages, such as the specificity of the message or the number of
attributes related to the objects in the message [60–62]. We adopted
this second approach to manipulate argument quality and then used
respondents’ subjective ratings (perceptions) as a manipulation check to
ensure that the strong and weak argument manipulations influenced the
respondents’ perceptions of the argument quality as expected.
The strong argument group received a fear appeal with detailed
information about the threat and how the threat could cause harm. The
weak argument group received a fear appeal with fewer details about
the threat and how the threat could cause harm. The strong argument
was intended to elicit careful systematic processing by including ac-
curate detail about the threat and response. The respondents passed
attention checks, suggesting they were paying attention to the study,
which provides some evidence that they were processing the messages.
However, even if some or several respondents processed the message
heuristically, the strong argument manipulation should still increase
perceived argument quality perceptions. For example, Petty and
Cacioppo [63] found that message characteristics such as the number of
arguments in the message provided cues for individuals processing
through the peripheral route about the quality of the message. The
strong argument manipulation contains more arguments than the weak
argument manipulation. Therefore, the strong argument manipulation
should produce higher quality perceptions whether processed system-
atically or heuristically. Manipulation checks, described later, showed
that the manipulations altered argument quality perceptions as ex-
pected. The scenarios are presented in Appendix A. The three scenarios
and two levels of argument quality resulted in six unique scenarios.
Respondents were randomly assigned to one of the six scenarios.
Before conducting a full study, we first pre-tested the scenarios and
survey instrument by convening a review panel comprised of experts in
the subject matter and experts in instrument design. The panel pre-
testers examined the scenarios for consistency, readability, and realism.
Based on the feedback, changes were made to the scenarios to improve
consistency and realism. We then conducted a pilot study of 68 working
professional in the United States. No major issues were uncovered
during the pilot study. We distributed the full survey electronically to
employees working for municipal governments in the United States.
The municipalities were selected from the International City/County
Management Association's (ICMA) database of municipalities. Only
municipalities with a population greater than 5000 citizens were sam-
pled to increase the likelihood that the respondents would have contact
with information systems.
6.1. Measures
Previously validated instruments were adapted to test the relation-
ships in the model. Measures for the subjective rating of argument
quality were adapted from [45,64]. Measures for threat severity, threat
susceptibility, self-efficacy, and response efficacy were adapted from
[11,43]. Measures for behavioral intention were adapted from [28,45].
Measures for realism were adapted from [24]. All measures are pre-
sented in Appendix B.
All items were measured on a 7-point Likert scale. Some of the
original scales were measured on a 5-point scale. However, to be
J.D. Wall and M. Warkentin Information & Management 56 (2019) 103157

consistent in our presentation to the participants, we changed all items responses for the analysis.
to the same scale, so care must be taken when comparing our results
with studies that relied on a 5-point scale. We also controlled for other 7.1. Manipulation checks
important variables, including demographic factors such as gender,
education, and job position (manager vs. nonmanager and IT vs. non- To ensure that the manipulation of the strong and weak argument
IT). Realism scores were reduced to three groups, those in a high rea- groups actually impacted the perceived argument quality construct, we
lism rating (an average score of 4.5 or higher), a neutral realism rating asked each respondent to answer questions about the level of detail in
(an average score of 3.5 to 4.5), and a low realism rating (an average the message they received and to subjectively rate the quality of the
score less than 3.5). The low group was coded as 1, the neutral group argument in the message. The detail level was measured to ensure that
was coded as 2, and the high group was coded as 3. our manipulation of argument quality was perceived across the groups.
The high-quality message groups received a message with detailed ar-
gumentation explaining more about the threat and its potential harms.
6.2. Participants
The low-quality message groups received a message with few details
and little argumentation to explain why the coping mechanism should
We received 539 responses. Three hundred six responses were
be adopted. The subjective rating was used to determine whether there
mostly incomplete and were removed from the study, leaving 233 re-
was a difference in perceptions of argument quality across the strong
sponses (43.23 percent completion rate). Three attention checks were
and weak argument groups.
included in the study. The first was a manipulation check to ensure that
In the MANOVA, a Wilk's Lambda was calculated to determine
the respondents read the manipulation in the scenario. The question
whether differences existed among the message detail levels and ar-
asked which security policy was included in the scenario. The other two
gument quality ratings based on the argument quality manipulation.
attention checks asked respondents to select a specific answer, such as
The results showed that a difference exists (Wilk's Lambda = 0.804; F-
“select strongly disagree for this question.” Respondents who failed to
value = 4.81; p < 0.0001), suggesting the need to analyze the in-
answer the attention checks correctly were removed from the study.
dividual ANOVA results for the detail levels and perceived argument
Forty one respondents were dropped because they failed to answer
quality ratings. The ANOVA results for both manipulation checks
these attention checks correctly, leaving 192 valid responses.
showed that detail level (F-value = 36.46; p < 0.0001) and perceived
Respondents were well-educated. All respondents had completed
argument quality (F-value = 29.09; p < 0.0001) differ based on the
High School and nearly 80 percent of the respondents had earned a
argument quality manipulation.
bachelor's degree or higher. Approximately half of the respondents
The mean of detail level for the strong argument group was 4.98,
were female. Slightly more than 50 percent of the respondents held
and the mean for the weak argument group was 3.75. The mean of
management positions and less than 7 percent worked as IT employees.
perceived argument quality for the strong argument group was 5.33,
Because the scenarios asked respondents to imagine that the message
and the mean for the weak argument group was 4.50. These results
was sent by their manager, we also asked about the gender of their
suggest that respondents noticed different levels of specificity in the
manager. Nearly 70 percent of the respondents’ managers were male.
arguments across the groups and that the manipulation of argument
Table 3 presents the demographic data in more detail.
specificity resulted in different subjective argument quality ratings as
expected.
7. Analysis and results
7.2. Experimental results
A two-way MANOVA with PROC GLM in SAS (version 9.4) was used
to test for differences between the experimental manipulation of per- A two-way MANOVA was used to test the influence that the argu-
ceived argument quality, the three scenarios, the three levels of realism, ment quality manipulation, the three scenarios, the three levels of the
and the control variables on compliance intentions and threat and realism check, and the control variables exert on behavioral intention
coping appraisals. Manipulation checks were also included in the re- and threat and coping appraisals (i.e., threat severity, threat suscept-
sponse variables. Before conducting the MANOVA, a univariate analysis ibility, self-efficacy, and response efficacy). Table 4 presents the Wilk's
was conducted in SAS to ensure that the variables met normality as- lambda statistics from the MANOVA. The results suggest that the ar-
sumptions. Five responses were dropped because of outliers causing gument quality manipulation, the different scenarios, and the realism
high levels of skewness and kurtosis for the compliance intention levels exhibit differences in at least some of the variables, suggesting
variable [65], leaving 187 responses for the analysis. SAS also excluded the need to analyze the ANOVA results. The MANOVA results showed
six responses due to one or two missing values, leaving 181 usable that gender, education level, position (manager vs. non-manager and IT
vs. non-IT), and the gender of the respondents’ managers do not exhibit
Table 3 statistically significant differences in the variables, suggesting that the
Respondents’ Demographic Details. individual ANOVA results should not be examined for those variables.
Demographic Item Count Percent
7.3. Threat severity
Gender Male 98 51
Female 94 49
The results of the ANOVA suggest that threat severity differs for the
Education High school or equivalent 5 2.6
Some college 11 5.7 scenarios and realism perceptions but not for perceived argument
Trade/vocational 10 5.2 quality. Thus, the results do not provide support for hypothesis 1.
Associate's degree 13 6.8 Table 5 presents the results of the ANOVA.
Bachelor's degree 67 34.9
A Tukey's Studentized Range (HSD) test shows that threat severity
Master's degree 72 37.5
Doctoral or Professional degree 14 7.3 exhibits a mean difference between scenarios 1 and 2 of 0.6953
Position (manager) Manager 98 51 (p < 0.05; confidence interval between 0.1523 and 1.2382) and be-
Nonmanager 94 49 tween scenarios 2 and 3 of −0.6830 (p < 0.05; confidence interval
Position (IT) IT 13 6.8 between −1.2414 and −0.1247). The test does not show statistically
Non-IT 179 93.2
significant differences between scenarios 1 and 3. An HSD test shows
Manager gender Male 134 69.8
Female 58 30.2 that threat severity exhibits a mean difference between high and low
realism perceptions of 0.9564 (p < 0.05; confidence interval between

6
J.D. Wall and M. Warkentin Information & Management 56 (2019) 103157

Table 4
Wilk's Lambda MANOVA test results.
Variable Wilk's Lambda F-value Numerator DF Denominator DF p-value

Perceived argument quality 0.8042 4.81 8 158 < 0.001

Scenario 0.7156 3.60 16 316 < 0.001
Realism 0.7566 2.96 16 316 0.0001
Gender 0.9468 1.11 8 158 0.3588
Education 0.6966 1.24 48 781.49 0.1307
Position (manager) 0.9725 0.56 8 158 0.8106
Position (IT) 0.9531 0.97 8 158 0.4599
Manager gender 0.9368 1.33 8 158 0.2312

Table 5 Table 7
ANOVA results for threat severity. ANOVA results for self-efficacy.
Variable DF F-value p-value Variable DF F-value p-value

Perceived argument quality 1 0.81 0.3690 Perceived argument quality 1 4.09 0.0447
Scenario 2 3.67 0.0277 Scenario 2 18.63 < 0.0001
Realism 2 7.84 0.0006 Realism 2 1.96 0.3199

0.3989 and 1.5139) and between high and neutral realism perceptions
of 0.7147 (p < 0.05; confidence interval between 0.1899 and 1.2395).
The test does not show statistically significant differences between
neutral and low realism perceptions.
7.4. Threat susceptibility
The results of the ANOVA suggest that threat susceptibility differs
for the scenarios and realism perceptions but not for perceived argu-
ment quality. Thus, the results do not provide support for hypothesis 2.
Table 6 presents the results of the ANOVA.
An HSD test shows that threat susceptibility exhibits a mean dif-
ference between scenarios 1 and 2 of 0.7709 (p < 0.05; confidence
interval between 0.1592 and 1.3826) and between scenarios 2 and 3 of
−0.7982 (p < 0.05; confidence interval between −1.4273 and
−0.1692). The test does not show statistically significant differences
between scenarios 1 and 3. An HSD test shows that threat susceptibility
exhibits a mean difference between high and low realism perceptions of
1.0547 (p < 0.05; confidence interval between 0.4267 and 1.6828).
The test does not show statistically significant differences between high
and neutral and between neutral and low realism perceptions.
7.5. Self-efficacy
The results of the ANOVA suggest that self-efficacy differs for per-
ceived argument quality and the scenarios but not for realism percep-
tions. Providing initial support for hypothesis 3. Table 7 presents the
results of the ANOVA.
Although the ANOVA shows a statistically significant difference
between argument quality groups, an HSD test does not show a statis-
tically significant mean difference between strong and weak argument
groups (p > 0.05; confidence interval between −0.0454 and 0.7805)
but does at p < 0.10. An HSD test shows that self-efficacy exhibits a
mean difference between scenarios 1 and 2 of 1.8104 (p < 0.05; con-
fidence interval between 1.1726 and 2.4481), between scenarios 2 and
3 of −1.0477 (p < 0.05; confidence interval between -1.1014 and
-0.3919), and between scenarios 1 and 3 of 0.7627 (p < 0.05;
confidence interval between 0.1949 and 1.3304).
7.6. Response Efficacy
The results of the ANOVA suggest that response efficacy differs for
perceived argument quality, the scenarios, and realism perceptions.
Thus, the results provide support for hypothesis 4. Table 8 presents the
results of the ANOVA.
An HSD test shows that response efficacy exhibits a mean difference
between strong and weak argument groups of 0.5079 (p < 0.05; con-
fidence interval between 0.2124 and 0.8034). An HSD test shows that
response efficacy exhibits a mean difference between scenarios 1 and 2
of 0.8162 (p < 0.05; confidence interval between 0.3598 and 1.2725)
and between scenarios 2 and 3 of -1.0296 (p < 0.05; confidence in-
terval between -1.4989 and -0.5603). The test does not show statisti-
cally significant differences between scenarios 1 and 3. An HSD test
shows that response efficacy exhibits a mean difference between high
and low realism perceptions of 0.9535 (p < 0.05; confidence interval
between 0.4849 and 1.4220) and between high and neutral realism
perceptions of 0.7079 (p < 0.05; confidence interval between 0.2668
and 1.1490). The test does not show statistically significant differences
between neutral and low realism perceptions.
7.7. Compliance Intentions
The results of the ANOVA suggest that compliance intentions differ
for perceived argument quality, the scenarios, and realism perceptions.
Thus, the results provide support for hypothesis 5. Table 9 presents the
results of the ANOVA.
An HSD test shows that compliance intentions exhibit a mean dif-
ference between strong and weak argument groups of 0.5313
(p < 0.05; confidence interval between 0.2676 and 0.7950). An HSD
test shows that compliance intentions exhibit a mean difference be-
tween scenarios 1 and 2 of -0.7798 (p < 0.05; confidence interval
between 0.3725 and 1.1871) and between scenarios 2 and 3 of -0.6825
(p < 0.05; confidence interval between -1.1014 and -0.2637). The test
does not show statistically significant differences between scenarios 1

Table 6 Table 8
ANOVA results for threat susceptibility. ANOVA results for response efficacy.
Variable DF F-value p-value Variable DF F-value p-value

Perceived argument quality 1 0.04 0.8332 Perceived argument quality 1 7.23 0.0079
Scenario 2 5.52 0.0048 Scenario 2 7.38 0.0008
Realism 2 6.59 0.0018 Realism 2 8.83 0.0002

7
J.D. Wall and M. Warkentin Information & Management 56 (2019) 103157

Table 9 Similarly, the direct effect that perceived argument quality exerts on
ANOVA results for compliance intention. behavioral intention suggests that perceived argument quality may be
Variable DF F-value p-value another valuable construct to include in PMT research. Fig. 2 presents
the nomology of PMT adapted from [16] with perceived argument
Perceived argument quality 1 12.14 0.0006 quality included as an additional factor.
Scenario 2 8.38 0.0003
The lack of statistical evidence to support the effect of perceived
Realism 2 3.55 0.0309
argument quality on threat appraisals may be caused by a visceral re-
sponse to threat messages. It may be that threat messages, which are
Table 10 designed to promote fear [15], affect individuals on an emotional and
Support for hypotheses. affective level rather than on a cognitive level. Thus, a threat may act
more like a motivating factor in ELM that increases the likelihood that
Hypothesis Supported
individuals will elaborate on coping messages, namely response effi-
H1: Perceived argument quality → threat severity No cacy. Alternatively, it may be that perceived argument quality is best
H2: Perceived argument quality → threat susceptibility No used to explain attitudinal changes toward the coping mechanism and
H3: Perceived argument quality → self-efficacy Partial not toward threats. Further, HSM studies have found that excessive fear
H4: Perceived argument quality → response efficacy Yes
can limit careful cognitive processing [61]. It may be that threat mes-
H5: Perceived argument quality → compliance intention Yes
H6a: No difference between neutral and positive realism scores Partial sages are not processed in the same manner as coping messages. Finally,
H6b: Positive realism score ≠ negative realism score Partial HSM and ELM are often used to assess behavioral and attitudinal
H6c: Neutral realism score ≠ negative realism score No change toward an object or subject. In a fear appeal, the coping me-
H7a: Realism → threat severity Yes chanism represents the desired behavior and the object to which atti-
H7b: Realism → threat susceptibility Yes
H7c: Realism → self-efficacy No
tudinal change is desired. Thus, the perceived argument quality of the
H7d: Realism → response efficacy Yes threat message may be of secondary concern to the reader of a fear
H7e: Realism → compliance intention Yes appeal compared to the logic and argumentation about the importance
of the coping mechanism.
The tentative support for the effect of perceived argument quality
and 3. An HSD test shows that compliance intentions exhibit a mean on self-efficacy may be caused by the type of persuasion employed.
difference between high and low realism perceptions of 0.6170 Social cognitive theory suggests that persuasion may influence self-ef-
(p < 0.05; confidence interval between 0.1988 and 1.0352) and be- ficacy, but this persuasion refers to attempts to persuade individuals
tween high and neutral realism perceptions of 0.4798 (p < 0.05; that they are capable of accomplishing a task. Our manipulation of
confidence interval between 0.0861 and 0.8734). The test does not argument quality relied on altering the level of detail provided in the
show statistically significant differences between neutral and low rea- messages. Other types of argument quality manipulations, such as those
lism perceptions. Table 10 presents the support for the hypotheses. that provide support and encouragement regarding the adoption of
coping mechanisms, could strengthen the tentative relationship be-
8. Discussion tween perceived argument quality and self-efficacy.
Our findings are based on the logic of ELM, HSM, and other theories
This study examines the effect that a fear appeal's perceived argu- of persuasion, which posit that perceived argument quality promotes
ment quality exerts on ISP compliance intentions and on threat and attitudinal and behavioral changes consistent with a message [20]. This
coping appraisals. The study also examines two heuristics that are study shows the importance of developing fear appeals with arguments
emerging in the literature related to the use of realism checks in ex- that are likely to promote strong argument quality perceptions. We find
perimental scenario-based studies. The results of a scenario-based ex- that adding detail about the threat and potential harms is enough to
periment of working professionals in the United States provide im- alter perceived argument quality. Argument quality perceptions alter
portant insight into these important topics. response efficacy perceptions and increase behavioral intentions to
comply with ISP. Future research should continue to explore the in-
8.1. Research and Practical Implications fluence that argument quality and other characteristics of fear appeals
exert on threat and coping appraisals and on behavioral intentions.
The study provides theoretical and practical insights about how to
improve the quality of fear appeals and how to better implement rea- 8.3. Realism Perceptions
lism checks in research.
Research has identified the need to carefully address the realism of
8.2. Perceived Argument Quality scenarios in scenario-based research [22,24]. Realism perceptions re-
present a spurious variable that can explain variance in model con-
The results of the experiment suggest that perceived argument structs [25]. Failing to account for this spurious explanation of study
quality exerts influence on some of the variables in FAM and PMT. For results introduces bias into studies.
instance, we find that perceived argument quality influences response A number of studies have implemented realism checks to determine
efficacy and exhibits a tentative relationship with self-efficacy. whether the study scenarios were perceived as realistic [22,23,25,26].
Additionally, we find that perceived argument quality influences ISP A common perception that neutral realism scores (i.e., scoring 4 on a 7-
compliance intentions. However, perceived argument quality did not point Likert scale) and higher realism scores are equivalent is devel-
exert influence of threat severity or vulnerability perceptions. Even oping in the literature. For example, Johnston et al. [23] dropped re-
though perceived argument quality did not exert influence on threat sponses below 4, retaining scores from 4 to 7, and D’Arcy et al. [25]
appraisals, this provides important insight for future studies regarding suggested that average realism scores of 4.3 demonstrate adequate
the nomology of fear appeal theories. These findings suggest that per- realism. Realism perceptions influence how respondents interpret and
ceived argument quality may act like threat appraisals in FAM. That is, respond to study questions [22]. Thus, scholars engaged in future re-
threat appraisals and perceived argument quality affect coping ap- search efforts are advised to leverage this knowledge and understand
praisals, particularly response efficacy. Fig. 1 presents the likely no- how to use realism checks to minimize bias.
mology of FAM adapted from [12] with perceived argument quality We find that neutral realism scores are not statistically different
(i.e., argument quality) included based on the findings in this study. from high realism scores in some instances, namely for self-efficacy and

8
J.D. Wall and M. Warkentin
Fig. 1. Inferred Nomological Network for Future FAM Research.
Fig. 2. Inferred Nomological Network for Future PMT Research.
threat susceptibility, which supports the current heuristic use.
However, realism perceptions influenced threat severity, response ef-
ficacy, and ISP compliance intentions in a way that is inconsistent with
current heuristics. For threat severity, response efficacy, and ISP com-
pliance intentions, high realism scores differed from neutral realism
scores and low realism scores. However, neutral realism scores did not
differ statistically from low realism scores. These results suggest that
neutral realism scores may act more like low realism scores and less like
high realism scores. These results suggest that treating neutral levels of
realism as equivalent to high levels of realism may not be appropriate.
Care should be taken when deciding how to use realism scores. First,
researchers should include realism perceptions as a control variable on
all endogenous variables. Our finding that realism perceptions explain
variance in many fear appeal constructs suggests that failure to account
for realism perceptions on all endogenous factors could lead to erro-
neous conclusions about the strength of relationships between fear
appeal constructs. Second, researchers should not assume that neutral
scores behave similarly to high scores. Thus, if a researcher decides to
drop respondents from the study based on realism scores, it might be
advisable to first determining an appropriate cut-off point for the
scores. This determination might be as simple as conducting the test
performed in this study to determine whether neutral scores should be
included. Future research should continue to assess the developing
heuristics about the use of realism checks to ensure that future studies
are not biased by failing to account for spurious explanations of study
results, namely realism perceptions.
We also find that realism perceptions influence more than just the
outcome variable (i.e., behavioral intentions). We find statistically
significant mean differences for threat severity, threat susceptibility,
response efficacy, and ISP compliance intentions, whereas self-efficacy
did not exhibit a statistically significant difference. The results suggest
that realism should be included as a control variable for all endogenous
9
Information & Management 56 (2019) 103157
variables (i.e., outcome variables and mediating variables) to ensure
that the results accurately reflect the sources of change in the en-
dogenous variables. Failing to account for realism perceptions in sce-
nario-based fear appeal research could result in inaccurate interpreta-
tions of the results for mediating variables. This consideration is
particularly important for response efficacy, which is often modeled as
a mediating variable [12,34]. Recent research has also included fear as
a mediating factor in PMT models [15]. Research should test whether
realism also affects fear, given that fear was not measured in this study.
Future research should carefully control for realism to account for
spurious explanations of study results.
8.4. Managerial Implications
The results of this study suggest that managers should carefully craft
fear appeal arguments for maximum impact on employee acceptance of
the recommended response to information security threats. Poorly
crafted arguments in fear appeals could reduce employees’ response
efficacy perceptions of coping mechanisms and intentions to comply
with ISP. The manipulation used in this study suggests that managers
can improve the effectiveness of fear appeals by providing details about
threats and how threats cause harm to the organization. The detailed
messages about threats prompt employees to change attitudes toward to
the coping mechanism.
8.5. Limitations and Future Research
This study provides interesting insight for future research but ex-
hibits limitations of many experimental studies. First, experimental
research often cannot provide strong generalizability claims [42].
However, experiments also provide stronger support for causal re-
lationships due to the careful control exerted in experiments.
J.D. Wall and M. Warkentin Information & Management 56 (2019) 103157

Employees of municipal governments were sampled for this study, and
although millions of people work in the public sector, many more work
in the for-profit sector. Future research should examine the influence of
perceived argument quality on employees of diverse companies to test
the generalizability of the findings. The study also only focuses on a
U.S. sample. Cultural aspects might affect persuasion and threat and
coping appraisals. For example, national origin has been shown to af-
fect privacy coping behavior [66]. Future research should examine how
fear appeals operate in different cultures. A field study without ex-
perimental relationships could be used to assess the full nomology of
ELM, HSM, and fear appeal theories. In this study, we did not make a
strong distinction between different processing routes (e.g., central vs.
peripheral and heuristic vs. systematic). Future research can include the
full ELM and/or HSM nomologies to add further nuance to our findings.
Although such a study would not provide the same strength in terms of
causal claims, it could provide a more detailed examination of the
nomological network.
Second, we used only one of many possible manipulations of ar-
gument quality. We altered the detail of the strong and weak argument
messages to alter argument quality perceptions. Although the manip-
ulation checks showed that the manipulation altered subjective argu-
ment quality perceptions across the two groups, using a different ma-
nipulation for argument quality could lead to different results. For
example, future research could include statistics in the threat messages.
The strong argument could include strong statistical support in favor of
a threat or coping mechanism, and the weak argument could include
weak or no statistical support. Additionally, weak arguments could
include poor grammar, spelling errors, and poor logic. Future research
can also alter the argument quality of messages about coping me-
chanisms. The focus of this study was alterations of the threat message.
Altering the quality of the coping message could provide new and dif-
ferent insights.
Third, we only examined one possible antecedent (i.e., perceived
argument quality) of threat and coping appraisals. This inclusion builds
on to the existing list of antecedents in fear appeal research, namely
security habits [16]. However, many other antecedents to threat and
coping appraisals have yet to be explored. For example, individuals
possess different personality traits that influence security perceptions
[23] or may adopt different security personae or identities [67]. These
traits and identities relate to risk perceptions [23,67], which could af-
fect threat and coping appraisals. Similarly, organizational factors af-
fect risk perceptions within organizations that may influence employee
security perceptions [33,67]. These and other antecedent factors should
be considered in future fear appeal research.
Fourth, like many other studies we did not measure actual behavior
[68]. The focus of our study was on the antecedent portion of the no-
mological network, namely identifying how perceived argument quality
influences threat and coping appraisals. Although behavioral mea-
surements were not necessary to answer the study questions, there re-
mains concern about the link between behavioral intentions and be-
havior caused by inconsistent findings. These inconsistent findings
provide opportunities for future research to examine moderating effects
between behavioral intention and actual behavior, or to identify al-
ternate paths, besides behavioral intention, from threat and coping
appraisals to actual behavior.
Last, not all individuals process fear appeals cognitively in every
instance. In PMT, maladaptive responses to a fear appeal may lead to a
lack of cognitive processing of a threat [15]. That is, individuals do not
always process fear appeals through danger control as assumed in our
study; some individuals process fear appeals via fear control. Future
research could examine how fear control processing relates to the
processing routes in ELM and HSM. It may be that fear control leads to
peripheral or heuristic processing. However, it could also be that fear
control leads to neither central or peripheral route processing, but to a
different type of response, such as emotional processing.
9. Conclusion
Fear appeals possess characteristics and qualities beyond commonly
studied threat and coping messages. We show that the perceived ar-
gument quality of fear appeal messages influences the effectiveness of
fear appeals. We find that higher levels of perceived argument quality
improve response efficacy perceptions and ISP compliance intentions.
Future research should continue to identify characteristics of fear ap-
peals that enhance the effectiveness of these appeals. Understanding the
characteristics of fear appeals that influence threat and coping apprai-
sals and that influence behavior and behavioral intentions can assist
managers in the design of highly effective fear appeals.
We also find that common heuristics in the use of realism checks in
experimental research may be somewhat misguided. Current heuristics
use the midpoint of realism scales as a cut-off value for research deci-
sions, such as removing the responses of respondents with low realism
scores. We find that this cut-off point may be inappropriate in some
instances. In some cases, points that hover around the midpoint of the
realism scale may act more like low realism scores than high realism
scores. Grouping neutral realism scores with high realism scores could
lead to bias in research findings. Thus, further consideration of heur-
istics in the use of realism checks is warranted.

Appendix A. Survey Instructions and Scenarios

Instructions
Below, we present you with a mock email message. Following the message, we present you with a series of questions about the message and its
sender. We would like you to imagine that the message came from your actual manager at the organization where you currently work. Please read
carefully. We will ask questions about the email on the next page.
Scenario 1 (about connecting personal laptops) Strong Argument
Recently, a nearby organization had a security breach of its network because an employee brought a personal laptop from home and connected it
to the organization's system.
Connecting personal laptops to our system can have many negative effects on you and our organization. If sensitive or confidential information
were lost (e.g., social security numbers or credit card numbers), depending on the circumstances, you and the organization could potentially be liable
for millions of dollars in damages from lawsuits and fines from regulatory agencies. Stolen information could also lead to the identity theft of our
clients.
The following are some of the ways that attaching personal laptops to our system can affect our clients and network:

1) If sensitive data is downloaded to a personal laptop and the laptop does not contain the same security measures as our system, sensitive
information could be stolen. Most personal laptops do not contain the same level of security as our network.
2) If your laptop contains any spyware or other viruses, your laptop could potentially crash our entire system or allow others to collect confidential
information. Some newly created spyware and viruses are not easily detected by anti-virus software, and anti-virus software that is not up-to-date
can also miss viruses.

10
J.D. Wall and M. Warkentin Information & Management 56 (2019) 103157

Therefore, we have a policy that: “employees may not bring personal laptops from home and attach them to the organization's network without
prior authorization.”
Sincerely,
Your Manager
Scenario 1 (about connecting personal laptops) Weak Argument
Recently, a nearby organization had a security breach of its network because an employee brought a personal laptop from home and connected it
to the organization's system.
Therefore, we have a policy that: “employees may not bring personal laptops from home and attach them to the organization's network without
prior authorization.”
Sincerely,
Your Manager
Scenario 2 (about failure to backup data) Strong Argument
Recently, a nearby organization lost some important data because an employee forgot to backup the data.
Failing to backup important data can have many negative effects on you and our organization. If important information were lost (e.g., client
information or credit card numbers) and no backups were available, depending on the circumstances, the organization could potentially lose millions
of dollars in future revenue. Our clients might also fail to receive adequate service because of lost contact information.
The following are some of the ways that failing to backup important data can affect our clients and network:

1) If important client information were lost, we would be unable to adequately meet the needs of our clients. We would also need to inconvenience
our clients to collect the information again. If too much information were lost, we might be unable to easily locate our clients.
2) Data loss could require you and other employees to spend time collecting and re-entering the lost data. If the information loss were great enough,
failing to backup data could lead to hundreds or even thousands of hours of work for the organization. This could delay other important projects.

Therefore, we have a policy that: “employees must backup all important documents and data regularly.”
Sincerely,
Your Manager
Scenario 2 (about failure to backup data) Weak Argument
Recently, a nearby organization lost some important data because an employee forgot to backup their data.
Therefore, we have a policy that: “employees must backup all important documents and data regularly.”
Sincerely,
Your Manager
Scenario 3 (about failure to logout) Strong Argument
Recently, a nearby organization had a security breach because an employee forgot to logout of a computer connected to the organization's
network. Another employee accessed the computer and stole sensitive data.
Failing to logout of your computer can have many negative effects on you and our organization. If someone were to access your computer and
sensitive or confidential information were lost (e.g., social security numbers or credit card numbers), depending on the circumstances, you and the
organization could potentially be liable for millions of dollars in damages from lawsuits and fines from regulatory agencies. Stolen information could
also lead to the identity theft of our clients.
The following are some of the ways that failing to logout of your computer can affect our clients and network:

1) Disgruntled or dishonest employees with lower levels of authorization to sensitive information could use your computer to access sensitive
information for personal gain or retaliation.
2) An employee wishing to cover up his/her behaviors could use your computer to perform illegal actions against our clients or the organization.
This could require you to provide evidence that you were not the culprit of the illegal behaviors.

Therefore, we have a policy that: “employees must logout of their computers anytime they leave their workspace.”
Sincerely,
Your Manager
Scenario 3 (about failure to logout) Weak Argument
Recently, a nearby organization had a security breach because an employee forgot to logout of a computer connected to the organization's
network. Another employee accessed the computer and stole sensitive data.
Therefore, we have a policy that: “employees must logout of their computers anytime they leave their workspace.”
Sincerely,
Your Manager

Appendix B. Measures for Key Variables

Construct Instrument measurement items Measured on a partially anchored 7-point Likert

scale ranging from …

ISP compliance inten- If I were actually presented with the message, I would intend to follow the policy in the email message. Strongly disagree to strongly agree.
tion
If I were actually presented with the message, I would plan to follow the policy in the email message. Strongly disagree to strongly agree.
If I were actually presented with the message, to what extent would I intend to follow the policy presented No intention to follow to strong intention to
in the email message? follow.
Perceived argument How complete is the information presented in the email message? Incomplete to complete.
quality

11
J.D. Wall and M. Warkentin Information & Management 56 (2019) 103157

How consistent is the information presented in the email message? Inconsistent to consistent.
How accurate is the information presented in the email message? Inaccurate to accurate.
Threat severity If this security incident in the email message occurred at my organization, it would be severe. Strongly disagree to strongly agree.
If this security incident in the email message occurred at my organization, it would be serious. Strongly disagree to strongly agree.
If this security incident in the email message occurred at my organization, it would be significant. Strongly disagree to strongly agree.
Threat susceptibility My organization is at risk from the security incident in the email message. Strongly disagree to strongly agree.
It is likely that my organization will be affected by the security incident in the email message. Strongly disagree to strongly agree.
It is possible that my organization will be affected by the security incident in the email message. Strongly disagree to strongly agree.
Self-efficacy I believe that complying with the policy in the email will be ease to do? Strongly disagree to strongly agree.
I believe that complying with the policy in the email will be convenient to do? Strongly disagree to strongly agree.
I am able to comply with the policy in the email without much effort? Strongly disagree to strongly agree.
Response efficacy Complying with the policy presented in the email works for protection. Strongly disagree to strongly agree.
Complying with the policy presented in the email is effective for protection. Strongly disagree to strongly agree.
When complying with the policy presented in the email, our network is more likely to be protected. Strongly disagree to strongly agree.
Realism perceptions The scenario in the email message was realistic. Strongly disagree to strongly agree.
The email message is similar to messages about computer security that I receive at work. Strongly disagree to strongly agree.
The email message is like a message that my organization might send to me. Strongly disagree to strongly agree.

References
[1] R. Willison, M. Warkentin, Beyond deterrence: an expanded view of employee
computer abuse, MIS Quart. 37 (1) (2013) 1–20.
[2] CSI, 2010/2011 CSI computer crime and security survey, Computer Security
Institute, 2011.
[3] K.H. Guo, Y. Yuan, The effects of multilevel sanctions on information security
violations: A mediating model, Inform. Manag. 49 (6) (2012) 320–326.
[4] P. Puhakainen, M. Siponen, Improving employees’ compliance through information
systems security training: An action research study, MIS Quart. 34 (4) (2010)
757–778.
[5] P. Ifinedo, Information systems security policy compliance: an empirical study of
the effects of socialisation, influence, and cognition, Inform. Manag. 51 (1) (2014)
69–79.
[6] J.-Y. Son, Out of fear or desire? Toward a better understanding of employees’
motivation to follow IS security policies, Inform. Manag. 48 (7) (2011) 296–302.
[7] D.L. Goodhue, D.W. Straub, Security concerns of system users: A study of percep-
tions of the adequacy of security, Inform. Manag. 20 (1) (1991) 13–27.
[8] H. Cavusoglu, H. Cavusoglu, J.-Y. Son, I. Benbasat, Institutional pressures in se-
curity management: Direct and indirect influences on organizational investment in
information security control resources, Inform. Manag. 52 (4) (2015) 385–400.
[9] J.D. Wall, P. Palvia, J. D’Arcy, A review and typology of security-related corruption
controls: Setting an agenda for studying the behavioral effects of security coun-
termeasures, Proceedings of the Dewald Roode Workshop on IS Security Research,
IFIP WG 8.11/11.13, Niagara Falls, NY, 2013.
[10] M. Warkentin, A.C. Johnston, IT security governance and centralized security
controls, in: M. Warkentin, R. Vaughn (Eds.), In Enterprise Information Assurance
and System Security: Managerial and Technical Issues, Idea Group Publishing,
Hershey, PA, 2006, pp. 16–24.
[11] A.C. Johnston, M. Warkentin, Fear appeals and information security behaviors: An
empirical study, MIS Quart. 34 (3) (2010) 549–566.
[12] A.C. Johnston, M. Warkentin, M. Siponen, An enhanced fear appeal rhetorical
framework: Leveraging threats to the human asset through sanctioning rhetoric,
MIS Quart. 39 (1) (2015) 113–134.
[13] R.D. Arvey, J.M. Ivancevich, Punishment in organizations: A review, propositions,
and research suggestions, Acad. Manag. Rev. 5 (1) (1980) 123–132.
[14] T. Herath, H.R. Rao, Protection motivation and deterrence: A framework for se-
curity policy compliance in organisations, Eur. J. Inform. Syst. 18 (2) (2009)
106–125.
[15] S.R. Boss, D.F. Galletta, P.B. Lowry, G.D. Moody, P. Polak, What do users have to
fear? Using fear appeals to engender threats and fear that motivate protective be-
haviors in users, MIS Quart. 39 (4) (2015) 837–864.
[16] A. Vance, M. Siponen, S. Pahnila, Motivating IS security compliance: Insights from
habit and protection motivation theory, Inform. Manag. 49 (3) (2012) 190–198.
[17] C. Posey, T.L. Roberts, P.B. Lowry, R.T. Hightower, Bridging the divide: A quali-
tative comparison of information security thought patterns between information
security professionals and ordinary organizational insiders, Inform. Manag. 51 (5)
(2014) 551–567.
[18] J.D. Wall, M.W. Buche, To fear or not to fear? A critical review and analysis of fear
appeals in the information security context, Commun. AIS 41 (1) (2017) 277–300.
[19] S. Chaiken, Y. Trope, Dual-Process Theories in Social Psychology, Guilford Press,
New York, 1999.
[20] R.E. Petty, J.T. Cacioppo, The Elaboration Likelihood Model of Persuasion,
Academic Press, New York, NY, 1986.
[21] D. Kahneman, Thinking, Fast and Slow, Farrar, Straus and Giroux, New York, 2011.
[22] M. Siponen, A. Vance, Guidelines for improving the contextual relevance of field
surveys: The case of information security policy violations, Eur. J. Inform. Syst. 23
(3) (2014) 289–305.
[23] A.C. Johnston, M. Warkentin, M. McBride, L.D. Carter, Dispositional and situational
factors: influences on IS security policy violations, Eur. J. Inform. Syst. 25 (3)
(2016) 231–251.
[24] M. Siponen, A. Vance, Neutralization: New insights into the problem of employee
information systems security policy violations, MIS Quart. 34 (3) (2010) 487–502.
[25] J. D’Arcy, T. Herath, M.K. Shoss, Understanding employee responses to stressful
information security requirements: A coping perspective, J. Manag. Inform. Syst. 31
(2) (2014) 285–318.
[26] J.B. Barlow, M. Warkentin, D. Ormond, A.R. Dennis, Don’t make excuses!
Discouraging neutralization to reduce IT policy violation, Comput. Sec. 39 (Part B)
(2013) 145–159.
[27] D.W. Straub, Effective IS security: An empirical study, Inform. Syst. Res. 1 (3)
(1990) 255–276.
[28] J. D’Arcy, A. Hovav, D. Galletta, User awareness of security countermeasures and its
impact on information systems misuse: A deterrence approach, Inform. Syst. Res. 20
(1) (2009) 79–98.
[29] L. Myyry, M. Siponen, S. Pahnila, T. Vartiainen, A. Vance, What levels of moral
reasoning and values explain adherence to information security rules? An empirical
study, Eur. J. Inform. Syst. 18 (2) (2009) 126–139.
[30] H. Li, R. Sarathy, J. Zhang, X. Luo, Exploring the effects of organizational justice,
personal ethics and sanction on internet use policy compliance, Inform. Syst. J. 24
(6) (2014) 479–502.
[31] B. Bulgurcu, H. Cavusoglu, I. Benbasat, Information security policy compliance: An
empirical study of rationality-based beliefs and information security awareness, MIS
Quart. 34 (3) (2010) 523–548.
[32] E.M, Rogers Diffusion of Innovations, Free Press, New York, 2003.
[33] J.D. Wall, P.B. Lowry, J.B. Barlow, Organizational violations of externally governed
privacy and security rules: Explaining and predicting selective violations under
conditions of strain and excess, J. Assoc. Inform. Syst. 17 (1) (2016).
[34] A.C. Johnston, M. Warkentin, The influence of perceived source credibility on end
user attitudes and intentions to comply with recommended IT actions, J. Organ. End
User Comput. 22 (3) (2010) 1–21.
[35] X. Luo, W. Zhang, S. Burd, A. Seazzu, Investigating phishing victimization with the
heuristic–systematic model: A theoretical framework and an exploration, Comput.
Sec. 38 (1) (2013) 28–38.
[36] M. Warkentin, E. Walden, A.C. Johnston, D.W. Straub, Neural correlates of pro-
tection motivation for secure IT behaviors: An fMRI examination, J. Assoc. Inform.
Syst. 17 (3) (2016) 194–215.
[37] C. Posey, T.L. Roberts, P.B. Lowry, R.J. Bennett, J. Courtney, Insiders’ protection of
organizational information assets: Development of a systematics-based taxonomy
and theory of diversity for protection-motivated behaviors, MIS Quart. 37 (4)
(2013) 1189–1210.
[38] T. Herath, R. Chen, J. Wang, K. Banjara, J. Wilbur, H.R. Rao, Security services as
coping mechanisms: An investigation into user intention to adopt an email au-
thentication service, Inform. Syst. J. (2014) 1–24.
[39] P. Menard, G.J. Bott, R.E. Crossler, User motivations in protecting information se-
curity: Protection motivation theory versus self-determination theory, J. Manag.
Inform. Syst. 34 (4) (2017) 1203–1230.
[40] R.E. Crossler, A.C. Johnston, P.B. Lowry, Q. Hu, M. Warkentin, R. Baskerville,
Future directions for behavioral information security research, Comput. Sec. 32 (1)
(2013) 90–101.
[41] J.D. Wall, B.C. Stahl, A.F. Salam, Critical discourse analysis as a review metho-
dology: An empirical example, Commun. Assoc. Inform. Syst. 37 (1) (2015)
257–285.
[42] A.R. Dennis, J.S. Valacich, Conducting research in information systems, Commun.
AIS 7 (1) (2001) 1–41.
[43] K. Witte, K.A. Cameron, J.K. McKeon, J.M. Berkowitz, Predicting risk behaviors:
Development and validation of a diagnostic scale, J. Health Commun. 1 (4) (1996)
317–334.
[44] R.E. Petty, J.T. Cacioppo, Communication and Persuasion: Central and Peripheral
Routes to Attitude Change, Springer-Verlag, New York, 1986.
[45] S.W. Sussman, W.S. Siegal, Informational influence in organizations: An integrated
approach to knowledge adoption, Inform. Syst. Res. 14 (1) (2003) 47–65.
[46] C.M. Angst, R. Agarwal, Adoption of electronic health records in the presence of
privacy concerns: The elaboration likelihood model and individual persuasion, MIS
Quart. 33 (2) (2009) 339–370.
[47] F.F.-H. Nah, I. Benbasat, Knowledge-based support in a group decision making
context: An expert-novice comparison, J. Assoc. Inform. Syst. 5 (3) (2004) 125–150.
[48] S. Chen, D. Shechter, S. Chaiken, Getting at the truth or getting along: Accuracy-

12
J.D. Wall and M. Warkentin
versus impression-motivated heuristic and systematic processing, J. Person. Soc.
Psychol. 71 (2) (1996) 262–275.
[49] M. Siponen, M.A. Mahmood, S. Pahnila, Employees’ adherence to information se-
curity policies: An exploratory field study, Inform. Manag. 51 (2) (2014) 217–224.
[50] A.C. Johnston, M. Warkentin, Information privacy compliance in the healthcare
industry, Inform. Manag. Comput. Sec. 16 (1) (2008) 5–19.
[51] A. Bandura, Self-efficacy: Toward a unifying theory of behavioral change, Psychol.
Rev. 84 (2) (1977) 191–215.
[52] L.M. Quintiliana, E.T. Carbone, Impact of diet-related cancer prevention messages
written with cognitive and affective arguments on message characteristics, stage of
change, and self-efficacy, J. Nutr. Educ. Behav. 37 (1) (2005) 12–19.
[53] J. van Beuningen, K. de Ruyter, M. Wetzels, S. Streukens, Customer self-efficacy in
technology-based self-service: assessing between- and within-person differences,
Journal of Service Research 11 (4) (2009) 407–428.
[54] R. Willison, M. Warkentin, A.C. Johnston, Examining employee computer abuse
intentions: Insights from justice, deterrence, and neutralization perspectives,
Inform. Syst. J. 28 (2) (2018).
[55] C. Posey, R.J. Bennett, T.L. Roberts, P.B. Lowry, When computer monitoring
backfires: Privacy invasions and organizational injustice as precursors to computer
abuse, J. Inform. Syst. Sec. 7 (1) (2011) 24–47.
[56] B.S. Trinkle, R.E. Crossler, M. Warkentin, I’m game, are you? Reducing real-world
security threats by managing employee activity in virtual environments, J. Inform.
Syst. 28 (2) (2014) 307–327.
[57] J.B. Barlow, M. Warkentin, D. Ormond, A.R. Dennis, Don’t even think about it! The
effects of anti-neutralization, informational, and normative communication on in-
formation security compliance, J. Assoc. Inform. Syst. (2018).
[58] J.J. Lee, M. Warkentin, R.E. Crossler, R.F. Otondo, Implications of monitoring
mechanisms on bring your own device adoption, J. Comput. Inform. Syst. 57 (4)
(2017) 309–318.
[59] D. Axsom, S. Yates, S. Chaiken, Audience response as a heuristic cue in persuasion,
J. Person. Soc. Psychol. 53 (1) (1987) 30–40.
[60] J.M. Hunt, M.F. Smith, J.B. Kernan, The effects of expectancy disconfirmation and
argument strength on message processing level: An application to personal selling,
in: E.C. Hirschman, M.B. Holbrook (Eds.), In Advances in Consumer Research, 12,
Association for Consumer Research, Provo, UT, 1985, pp. 450–454.
[61] C. Jepson, S. Chaiken, Chronic issue-specific fear inhibits systematic processing of
persuasive communications, J. Soc. Behav. Person. 5 (2) (1990) 61–84.
[62] G. Bohner, S. Chaiken, P. Hunyadi, The role of mood and message ambiguity in the
interplay of heuristic and systematic processing, Eur. J. Soc. Psychol. 24 (1) (1994)
207–221.
13
Information & Management 56 (2019) 103157
[63] R.E. Petty, J.T. Cacioppo, The effects of involvement on responses to argument
quantity and quality: Central and peripheral routes to persuasion, J. Person. Soc.
Psychol. 46 (1) (1984) 69–81.
[64] J.E. Bailey, S.W. Pearson, Development of a tool for measuring and analyzing
computer user satisfaction, Manag. Sci. 29 (5) (1983) 530–545.
[65] D. George, M. Mallery, SPSS for Windows Step by Step: A Simple Guide and
Reference, Pearson, Boston, 2010.
[66] H. Nemati, J.D. Wall, A. Chow, Privacy coping and information sharing behaviors in
social media: A comparison of Chinese and U.S. users, J. Global Inform. Technol.
Manag. 17 (4) (2014) 228–249.
[67] J.D. Wall, R. Singh, The organization man and the innovator: theoretical archetypes
to information behavioral information security research, DATA BASE Adv. Inform.
Syst. 49 (SI) (2018) 67–80.
[68] M. Warkentin, D. Straub, K. Malimage, Featured talk: Measuring secure behavior: A
research commentary, Proceedings of the Proceedings of the 7th Annual
Symposium on Information Assurance, Albany, NY, 2012.
Jeffrey D. Wall is assistant professor in the School of Business and Economics, Michigan
Technological University. His research interests include individual and organizational
deviance, and control and power dynamics in organizations. His research examines em-
ployee information security and privacy behaviors in organizations. He also studies or-
ganizational behaviors related to the use and misuse of information assets. His research
has appeared in the Journal of the AIS, Communications of the AIS, Internet Research, the
DATABASE for Advances in Information Systems, the Journal of Global Information
Technology Management, and others.
Merrill Warkentin is the James J. Rouse Endowed Professor of Information Systems in
the College of Business at Mississippi State University. His research, primarily on the
impacts of organizational, contextual, and dispositional influences on individual beha-
viors in the context of information security and privacy, has appeared in MISQ, Decision
Sciences, JMIS, JAIS, EJIS, I&M, DSS, ISJ, CAIS, DATABASE for Advances in Information
Systems, CACM, and others. He is the author or editor of seven books, and has authored or
co-authored more than 300 published manuscripts, including more than 90 peer-re-
viewed journal articles, with more than 14,000 citations (h-index = 34), according to
Google Scholar in 2019. He holds or has held editorial roles for MISQ, ISR, JAIS, EJIS, I&
M, Decision Sciences, and others. He has held leadership positions at AIS, DSI, IFIP, and
ACM, and was the Program Co-Chair for AMCIS2016. His work has been funded by
NATO, NSF, NSA, DoD, Homeland Security, IBM, and others. In 2018, he was named an
ACM Distinguished Scientist.