Strategic Approaches to Business Cybersecurity: Daniel Pienta on Balancing Fear and Confidence

June 23, 2025

If the global cost of cybercrime were measured as a country’s gross national product (GNP), it would rank third behind only the United States and China. In 2023, cybercrime caused more than $8 trillion in damage; by 2025, that figure is projected to reach $10.5 trillion.  

The scope and cost of cybercrime compel businesses to prioritize online security and educate their workforces on the problem’s severity. But what’s the best way to motivate employees toward stronger business cybersecurity practices? Do scare tactics involving worst-case scenarios help? Should companies rely more heavily on multi-factor authentication? Are training videos or corporate policies effective? Can phishing simulations make a real difference?

Dr. Daniel A. Pienta, an award-winning professor in the Haslam College of Business at the University of Tennessee, Knoxville, wanted answers. He collaborated with peers at other business schools across the country and around the world to produce “Balancing Fear and Confidence: A Strategic Approach to Mitigating Human Risk in Cybersecurity,” a report exploring cybersecurity threats and the best ways to combat them.

Pienta found few simple, yes-or-no answers to questions like the ones above. Instead, he and his fellow researchers concluded that the best strategy combines several approaches, since few one-size-fits-all solutions exist. This article takes a closer look at their findings and recommendations for real-world solutions.

Cybercrime by the Numbers 

How has the total cost of cybercrime climbed so high? One data breach at a time, with the number of breaches rising exponentially. Let’s look at the United States, the country with the highest rate of cybercrime.

According to the Identity Theft Resource Center, the number of U.S. organizations impacted by data breaches rose more than twentyfold between 2018 and 2023. The 3,205 breaches reported publicly in 2023 impacted 353 million people.

Data breaches aren’t just growing more common – they’re also growing more expensive. In 2018, the average cost was $3.86 million per breach. In 2024, the cost had risen to $4.88 million, a 26 percent increase.

Research Methods 

Multiple factors contribute to data breaches, including human error and negligence, insufficient security measures, and subterfuge. Pienta and his colleagues cast a wide net to gain insight into why and how breaches occur and to determine what businesses and organizations can do to tighten cybersecurity.

They solicited feedback from chief information security officers (CISOs) and chief information officers (CIOs). Each executive received a list of four questions:

  1. What are the biggest barriers to protecting employees and the firm from cybersecurity risks?
  2. Which tools seem to work best? Which tools are not so helpful?
  3. Is it essential to instill significant fear in employees about how their actions can lead to threats?
  4. How important is it to instill confidence that it is possible to defend against cyberthreats?

The researchers examined patterns of agreement and disagreement within the responses. They also used insights gained from two previous studies: “What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors” and “Understanding Inconsistent Employee Compliance with Information Security Policies Through the Lens of the Extended Parallel Process Model.”

What Works, What Doesn’t 

Before making recommendations, Pienta and his colleagues first identified common obstacles to cybersecurity compliance and evaluated the effectiveness of various approaches. They discovered multiple barriers and found that different methods had varying levels of success.

Barriers to Compliance 

Even when employees have good intentions and aim to follow cybersecurity best practices, several factors can get in their way. These include:

  • Inconvenience. Security measures like multi-factor authentication can add extra time and effort to routine tasks. Employees may resist using these tools because they find them annoying or cumbersome, while employers might worry about decreased productivity.
  • Ignorance. Employees often underestimate the seriousness of cyber threats. As the report puts it: “Users are not intentionally negligent miscreants; they simply do not fully grasp the consequences of cybersecurity carelessness.”
  • Varying skill levels. Methods that effectively engage tech-savvy employees may fall short when used by workers with limited technical backgrounds.
  • Scare tactics. While fear can motivate action, it must be balanced carefully. The report explains that employees need practical tools and clear solutions to respond effectively; otherwise, they will tend to deny the existence of a threat.
  • Threats that outpace training. Cybersecurity training struggles to keep pace with quickly emerging technologies and tactics. The report cites new threats like FraudGPT and WormGPT, along with schemes such as “Pig Butchering,” where attackers stage seemingly accidental social media interactions to exploit victims.
  • Distrust of biometrics. Some employees hesitate to use fingerprint or facial recognition security tools due to privacy concerns or mistrust about how their personal data might be used by companies or government entities.

One participant noted the unique challenge of dealing with conspiracy theorists and others who refuse to use biometric security measures: “Do you just block people who won’t comply, or do you make exceptions?” 

Evaluating Various Approaches 

Many tools are available to combat cybercrime, but they don’t all work equally well for every organization. Pienta’s report reviews various cybersecurity approaches and weighs their pros and cons.

  • Warning posters: Potentially effective for on-site employees but worthless to remote workers.
  • Email reminders: More effective than physical reminders.
  • Training sessions: Often considered boring, with attendance for online sessions easily faked in some cases.
  • Gamification: A way to make training sessions more fun and engaging, resulting in better attendance and more focused trainees.
  • Phishing simulations: Considered one of the better options because they provide real-world examples and support learning over time.
  • Cybersecurity policies: Widely seen as ineffective. “Policies did not work,” one respondent wrote. “How often do employees look at them? NEVER.”
  • Software tools: Another favored approach. They can force users to abide by policies and safety measures and make it easy for them to take steps like flagging suspicious emails.

“People need something simple,” one respondent said. “One-click reporting ensures phishing emails are flagged quickly.” 

Recommendations

Once Pienta and his peers evaluated the information they had collected, they set to work formulating recommendations to help businesses and organizations fight cybercrime more effectively. Their advice reflects the complex, shapeshifting nature of the threats and the multifaceted approach needed to take them on. What follows is a closer look at their suggestions and the reasoning behind them. 

Ensure Employee Awareness of Threats

Fighting cybercrime takes teamwork and employee buy-in. It also requires judiciousness on the part of managers. Instilling an appropriate amount of fear can produce a beneficial “survival instinct” among employees; too much fear induces panic. The report offers the contrast between someone who understands not to stick keys into an electric socket and someone who refuses to go near an electrical outlet. 

Threats of reporting individuals to management and repeated threats of severe punishment are also generally ineffective. “Most of these are people just making mistakes, so we are not going to punish them,” one respondent said. “There will be no reprisals unless they were intentional.” Management should call out errors without “naming and shaming,” using mistakes as teaching moments. Rewarding improvement and successes works better than dwelling on punishments and threats.

Phishing simulations can boost awareness of possible threats under safe conditions. They can deliver rapid feedback, identify vulnerabilities, and mark progress in fighting threats. “Phishing simulations seem to be one of the best tools,” a respondent noted. “When users fail, they can be exposed to why they failed, and they learn from this. They become champions of cybersecurity.”

One survey participant articulated the challenge of convincing employees that they play a vital role in the fight: “We say they are the front line, but that is very difficult for them, as the adversary is very skilled in what they do.” 

Pienta’s report emphasizes the need for clear feedback and diagnostic follow-up. Such measures can educate users about different kinds of attacks and help them learn from their mistakes.

Foster a Culture of Collective Efficacy 

Workers and their organization benefit when employees feel confident they can quickly and easily report suspicious activity or potential threats. Rewarding employees for making these reports strengthens their confidence and underscores the important role everyone plays in cybersecurity.

Encouraging employees to share potential threats with colleagues helps spread awareness and enables early warnings for cybersecurity professionals. Employees should receive feedback highlighting their role as part of a “human firewall,” along with clear, supportive guidance whenever mistakes occur.

Avoid negative approaches, such as using overly technical language or making the reporting process complicated and time-consuming.

One respondent recommends pointing to cyber insurers’ requirements as a way to boost employee compliance: “Five years ago, the cyber insurer didn’t require anything except a signature and a check to pay the premiums. Now to be insured against a cyberattack, a firm needs to have measures in place to fight against hacks.”

Design Effective Training 

There’s a reason employees hate training sessions. Too often, they are boring, outdated, and irrelevant, particularly if they consist of lengthy cookie-cutter lessons. Some users fake compliance with training video requirements: “People would open 26 windows and play them all at the same time,” one respondent reported.

Businesses and organizations should target specific needs and skill levels of different groups. Training sessions should address important practices specific to the users’ workplace. “We need to differentiate the shop floor versus office people,” one participant said. “The office staff is more aware of fearful outcomes.”

Other effective ways to engage and motivate employees in training sessions: 

  • Enlist animated trainers who lead interactive and lively hands-on exercises
  • Tie lessons into a learning-focused environment
  • Reward highly skilled users
  • Gently point out errors and use them to impart valuable lessons to the group
  • Steer clear of excessive technical jargon or acronyms 

Introduce an Incentive System

Businesses and organizations should look for signs of users’ proactive and useful security efforts and reward them accordingly. The emphasis should be on praise rather than criticism. Gamification elements, such as leaderboards or points for top performers, can boost motivation. If points don’t work, financial incentives might.

When mistakes happen, the emphasis should be on helping users improve and educating them on how to dodge threats in the future. Motivation killers include embarrassing users publicly and neglecting to provide multiple opportunities for improvement. 

Promote Threat Intelligence

Urge users to share threats widely, whether those threats are confirmed or merely suspected. They should first report them to cybersecurity personnel and then broadcast confirmed threats to a wider audience.

Encouraging widespread discussion reduces knowledge gaps or silos that could create vulnerabilities. Businesses and organizations should maintain a lookout for both new dangers and new tools and methods to fight cyberthreats.

“You need a happy medium,” one respondent said. “Too much fear, and people stop listening; too little, and they ignore the risks.” 

Business Cybersecurity: A Balanced Approach 

Pienta and his colleagues’ work has produced a valuable guide for organizations and businesses to create a sophisticated, bespoke cybersecurity strategy. Their report goes beyond a strictly technical approach to embrace a user-centered model that provides all users a stake in the process.

Building on previous studies focused on empowering employees, the researchers have shown the significant benefits of equipping users to recognize and mitigate external threats. When organizations boost user confidence rather than relying on scare tactics, everyone wins.

Pienta’s report also highlights the importance of well-crafted training programs and the need to balance fear with proactive behavior. When a business or organization combines these elements, it can recognize and mitigate risks while engaging the entire workforce.

You will learn from Daniel Pienta and other business cybersecurity experts when you enroll in the online Master of Science in Business Cybersecurity from the University of Tennessee, Knoxville’s Haslam College of Business. Learn more about the program or, if you’re ready, start your online application today.