Communications of the Association for Information Systems


Passwords are the most widely used method of authentication on the Internet, but users find compliance with password guidelines difficult, and we know little about the long-term effects of attempts to improve compliance. In this paper, we extend work on the use of fear appeals in the IS security domain to investigate their longer-term effects. We conducted a longitudinal experimental study to examine fear appeals’ long- and short-term effects. Using a model based on protection motivation theory (Rogers, 1983), we found that fear of threat, perceived password effectiveness, and password self-efficacy predicted compliance. We also found that neither perceived vulnerability to a security attack nor perceived severity of an attack influenced compliance. Providing persuasive communication improved compliance with password guidelines and resulted in significantly stronger passwords, but the effects on compliance intentions were only short term. This study extends our understanding of the factors that influence compliance with password guidelines and how we can modify them to improve compliance. We raise interesting questions about the role of fear in different IS security contexts. We also highlight the need for more research on the long-term impact of persuasive communication.