
Too Much Fear: Why Your Scariest Presentations Get Ignored

For fifteen years, fear worked.

We said "catastrophic breach" and boards gave us budgets. We showed breach headlines and executives approved headcount. Fear, Uncertainty, and Doubt were effective tools.

We weren't wrong. The threats were real.

But somewhere along the way, fear stopped working.

Now we say "catastrophic breach" and get eye rolls. We show breach headlines and executives check their phones. The exact same tactics that funded our programs for over a decade now get our budget requests denied.

And new research explains exactly why: there's a sweet spot for fear in security communication—and we've blown past it.

Not scary enough? People ignore us.

Too scary? People's brains shut down and dismiss us as alarmists.

The narrow zone in between? That's where persuasion happens.

After fifteen years of cranking fear up to maximum volume, most of us are way outside that zone—triggering the exact psychological defenses that make people tune us out.

The good news? The research shows us exactly how to get back into the zone that actually motivates action.


The "Goldilocks" Zone of Fear

Yesterday we tackled the language we use—abstract versus concrete. Today we're confronting something even more fundamental: the emotional intensity of our messages.

Research on InfoSec advice persuasiveness reveals the precise calibration that determines whether our messages motivate action or trigger disengagement:

Low fear (< 2% emotional intensity) = insufficient motivation to act

Moderate fear (2-5% emotional intensity) = optimal persuasion

High fear (> 5% emotional intensity) = defensive shutdown and disengagement

The researchers summarized it perfectly: "Too much fear and people stop listening; too little and they ignore the risks."

There's a Goldilocks zone. Not too hot, not too cold. Just right.

And most of us—after fifteen years of using Fear, Uncertainty, and Doubt tactics—are way too hot.


Why We Default to High Fear (And Why It's Backfiring)

Let's be honest about how we got here.

For fifteen years, fear was effective. We showed breach headlines. We quantified nightmare scenarios. We painted pictures of catastrophic failure. Boards gave us budgets because they were appropriately concerned.

The threats were real. The risks were genuine. And fear was a rational tool.

But we never turned it off.

Every quarter: "The threat landscape has evolved—we need more resources." Every training: "If you click this link, you could cause a massive breach." Every budget request: "Without this investment, we face catastrophic risk."

And here's what the research reveals about sustained exposure to high-fear messages: people develop defensive coping mechanisms.

When faced with overwhelming fear that they can't easily resolve, humans engage in "emotion-focused coping"—they mentally reframe the situation to make themselves feel better.

In the context of security advice, this manifests as:

"This is just fear-mongering"
"They always say it's catastrophic—but nothing happens"
"I can't do anything about this anyway, so why worry?"
"Security is crying wolf again"

High fear without a clear, achievable solution doesn't motivate action. It triggers psychological defense mechanisms that result in disengagement.

And this connects directly to the advice fatigue we discussed on Day 1: fifteen years of high-fear messages created the desensitization that's now undermining our influence.


The Mechanism: Why Too Much Fear Backfires

The research draws on Protection Motivation Theory to explain exactly how fear influences persuasion.

When people receive a fear-inducing message, they go through two appraisal processes:

Threat Appraisal: "How bad is this threat?"

Perceived vulnerability: "Could this happen to me?"
Perceived severity: "How bad would it be if it did?"

Coping Appraisal: "Can I do something about it?"

Response efficacy: "Will the recommended action actually work?"
Self-efficacy: "Am I capable of doing what's recommended?"

Here's the critical insight:

Low threat appraisal → No motivation to act ("This isn't really a problem")

Moderate threat appraisal + High coping appraisal → Motivation to act ("This is concerning AND I can do something about it")

High threat appraisal + Low coping appraisal → Defensive shutdown ("This is terrifying AND there's nothing I can do, so I'm going to convince myself it's not that bad")

When we use catastrophic language without pairing it with concrete, achievable solutions, we trigger the third response: defensive shutdown.

The audience's brain essentially decides: "I can't handle this level of fear, so I'm going to dismiss the messenger as an alarmist."

We lose credibility not because we're wrong about the threat, but because we've made the threat feel overwhelming.


The Emotional Intensity Analysis

So how do we know if we're in the Goldilocks zone?

The research provides a specific methodology: count your negative emotion words and calculate the percentage.

NOTE: Before we go too far here, let me say that these recommendations come from the research performed. I personally think that a full analysis like this is probably overkill, but it does help identify the problems and bring them to light for resolution.

I don't expect everyone (or frankly anyone) to run this full-scale mathematical calculation... but I do recommend thinking about these communications with these concepts in mind. With that... on to the rest of the analysis!

Here's the framework:

Step 1: Identify Negative Emotion Words

Review your presentation, email, or training and count every word that conveys:

Step 2: Calculate Emotional Intensity Score

Formula: (Number of negative emotion words ÷ Total word count) × 100 = EI Score

Step 3: Calibrate to the Goldilocks Zone

< 2% = Too Low

2-5% = Optimal

> 5% = Too High


Real-World Transformations with EI Scores

Let me show you exactly what this looks like in practice:

Budget Request: Too High (Fails)

"Our security posture is critically compromised. We face imminent threat of catastrophic breach. Without immediate and substantial investment, we will experience devastating data loss and reputational damage. The threat landscape has become extremely dangerous. We're vulnerable to sophisticated attacks that could cripple our operations and destroy customer trust. This is an urgent crisis that demands decisive action."

Word count: 60 words
Negative emotion words: critically, compromised, imminent, threat, catastrophic, breach, devastating, extremely, dangerous, vulnerable, sophisticated, attacks, cripple, destroy, urgent, crisis (16 words)
EI Score: 16 ÷ 60 = 26.7%

Result: CFO perceives as fear-mongering. Budget denied.


Budget Request: Too Low (Fails)

"We should consider reviewing our security infrastructure at some point. There may be areas where we could potentially improve our approach. If resources become available, we might want to explore some enhancements to our current capabilities. This could help us address certain concerns that have been identified."

Word count: 46 words
Negative emotion words: concerns (1 word)
EI Score: 1 ÷ 46 = 2.2% (borderline, but language is so hedging it reads even lower)

Result: CIO perceives as not urgent. Budget denied.


Budget Request: Goldilocks Zone (Succeeds)

"Our Q3 audit identified three specific vulnerabilities in our remote access systems. Industry data shows organizations with these gaps experience 40% more unauthorized access attempts. I'm requesting $180K to implement multi-factor authentication, endpoint detection, and automated patching—three controls that address these vulnerabilities and reduce our exposure by approximately 75%. These controls protect our customer database and payment processing systems, our two highest-value targets."

Word count: 66 words
Negative emotion words: vulnerabilities, gaps, unauthorized, attacks (4 words)
EI Score: 4 ÷ 66 = 6% (slightly high, but balanced with strong efficacy language)

Result: Appropriate concern + clear solution + concrete ROI = Budget approved.

Notice: The third example has MORE concrete details (Day 2's lesson) AND calibrated emotional intensity (Day 3's lesson). Both principles working together.


The Fear + Efficacy Formula

Here's the tactical framework for every security communication:

For every statement that raises fear, include a statement that builds confidence in the solution.

Minimum ratio: 1:1

Optimal ratio: 1:2 (one fear statement, two efficacy statements)

Examples:

Fear without efficacy (triggers shutdown): "Ransomware attacks are increasing 150% year-over-year. Our industry is being heavily targeted. We're vulnerable to these attacks."

Fear + Efficacy (motivates action): "Ransomware attacks are increasing 150% year-over-year, with our industry heavily targeted. [Fear]

However, the three controls I'm proposing—offline backups, network segmentation, and endpoint detection—address the attack vectors used in 90% of successful ransomware incidents. [Efficacy 1]

Organizations that implemented these three controls experienced 80% fewer successful attacks last year. [Efficacy 2]"

Notice the structure:

This creates appropriate concern while maintaining confidence that action will be effective.


Context-Specific Calibration

Not all security communications need the same emotional intensity. Here's how to calibrate by context:

Routine Communications (Target: 1-2% EI)

Context: Monthly security updates, regular training reminders, policy clarifications

Why low: These are ongoing, not urgent. High fear here contributes to fatigue.

Example: "This month's security update covers three topics: our new password manager rollout on March 15, the quarterly phishing simulation scheduled for next week, and updated guidance on secure file sharing. Details below."

EI Score: ~1% (minimal fear words, focuses on information)


Executive Presentations (Target: 2-3% EI)

Context: Quarterly risk briefings, budget requests, strategic planning

Why moderate: Need to convey appropriate concern without overwhelming. These audiences are already fatigued.

Example: "Our Q4 risk assessment identified three areas requiring attention: remote access controls, endpoint protection, and backup systems. I'm recommending focused investments in these areas based on our actual incident data from last year."

EI Score: ~3% (risk, attention, incident = moderate concern, balanced with specifics)


Crisis Communications (Target: 4-5% EI)

Context: Active incident, imminent threat, time-sensitive response needed

Why higher: Genuine urgency justifies elevated emotional intensity—BUT must still include clear actions.

Example: "We're experiencing an active phishing attack targeting our finance team right now. Three employees have received emails impersonating our CEO requesting urgent wire transfers. Immediately forward any email requesting financial transactions to security@company.com. Do not respond or click any links until we verify authenticity. Our security team is monitoring all suspicious activity and will clear these requests within 30 minutes."

EI Score: ~5% (attack, urgent, suspicious, etc., but paired with specific actions and time-bound response)


Employee Training (Target: 2-3% EI)

Context: Security awareness training, onboarding, policy education

Why moderate: Need to create awareness without creating fear that makes them avoid the training.

Example: "Last quarter, someone impersonating our CFO emailed the finance team requesting an urgent wire transfer. The email address was CFO@company.co instead of CFO@company.com—one character different. That one-character difference cost another company $2.1M. Here's how to spot these attempts: always check the full email address, not just the display name."

EI Score: ~3% (impersonating, urgent, cost—but framed as a learning example, not a threat to them personally)


Why This Fixes Fatigue

Remember the four dimensions of advice fatigue?

Concrete language (Day 2) addressed redundancy and exhaustion.

Calibrated fear (Day 3) addresses the other two:

1. Reduces perceived overexposure: When we're not constantly sounding the alarm at maximum volume, each communication feels more differentiated and less like "another security warning."

2. Eliminates tedium: Moderate fear paired with confidence in solutions is inherently more engaging than either "everything is fine" or "we're all going to die."

Calibrated fear makes people lean in. Extreme fear makes people tune out.

And in a fatigued environment, the difference determines whether they engage with our message or add it to the pile of "security noise I'm ignoring."


The Common Objections (And Why They're Wrong)

"But the threats ARE catastrophic—shouldn't I communicate that?"

Yes, some threats are genuinely catastrophic. But communicating catastrophe without communicating confidence in solutions triggers defensive coping, not action.
Our job isn't to scare people. Our job is to motivate people.
And the research is clear: moderate fear + high solution confidence motivates better than extreme fear + any level of solution confidence.

"Won't people think I'm downplaying risks if I'm not using strong language?"

Actually, the opposite.
When we use catastrophic language constantly, people assume we're exaggerating. When we use measured language most of the time and save strong language for genuine emergencies, people trust our judgment.
The CISO who says "critical" about everything is eventually ignored.
The CISO who says "this is genuinely urgent" only when it actually is gets taken seriously.

"But we need to create urgency—how do I do that without fear?"

Urgency doesn't require catastrophic fear. Urgency requires:
Concrete timeline ("by March 15," "before end of Q2")
Clear consequences ("we can't process payments," "audit findings remain open")
Specific actions ("enable MFA," "patch these systems")

Urgency = clarity + timeline, not fear + catastrophe.


The Implementation Challenge

Take your last three security presentations or emails.

Run them through the Emotional Intensity Analysis:

  1. Count negative emotion words
  2. Calculate total word count
  3. Calculate EI score: (negative words ÷ total words) × 100
  4. Compare to optimal range (2-5%)
  5. If too high: identify which fear statements lack paired efficacy statements
  6. If too low: identify where you're being vague about real concerns
  7. Rewrite to hit the Goldilocks zone
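
The Step 1 to Step 3 scoring and the checklist above can be scripted. The following is an added example, not code from this post or from the research it cites. It assumes a lexicon drawn from the words this page tags as negative, a constructed list of efficacy cue words, a constructed calibrated draft, and that a "statement" is one sentence.

```python
import re

# Words this page tags as negative in its own examples. Treating them as a
# complete lexicon is an assumption; the page publishes no word list.
NEGATIVE = set("""critically compromised imminent threat catastrophic breach
devastating extremely dangerous vulnerable sophisticated attack attacks cripple
destroy urgent crisis concerns vulnerabilities gaps unauthorized risk incident
suspicious impersonating""".split())

# Constructed cue words for efficacy statements (assumption, not from the page).
EFFICACY = set("""controls address addresses reduce reduces protect protects
implement implemented fewer backups segmentation detection patching""".split())

WORD = re.compile(r"[a-z0-9]+(?:[-'][a-z0-9]+)*")  # "year-over-year" is one word

def ei_score(text):
    """Return (negative_hits, total_words, EI percent) for a draft."""
    words = WORD.findall(text.lower())
    hits = sum(w in NEGATIVE for w in words)
    pct = 100.0 * hits / len(words) if words else 0.0
    return hits, len(words), round(pct, 1)

def zone(pct):  # the page's bands: < 2 too low, 2-5 optimal, > 5 too high
    if pct < 2:
        return "too low"
    return "optimal" if pct <= 5 else "too high"

def fear_efficacy(text):
    """Count sentences with fear words and sentences with efficacy cues."""
    fear = eff = 0
    for sentence in re.split(r"(?<=[.!?])\s+", text.strip()):
        words = set(WORD.findall(sentence.lower()))
        fear += bool(words & NEGATIVE)
        eff += bool(words & EFFICACY)
    return fear, eff

# The page's "fear without efficacy" example.
FEAR_ONLY = ("Ransomware attacks are increasing 150% year-over-year. Our industry "
             "is being heavily targeted. We're vulnerable to these attacks.")

# Constructed draft: one fear statement, then two efficacy statements.
CALIBRATED = ("Our Q3 audit found three gaps in remote access. I am requesting "
              "funding for multi-factor authentication and automated patching, "
              "two controls that address those findings. Peer organizations that "
              "implemented both saw fewer account takeovers within one quarter.")

if __name__ == "__main__":
    for draft in (FEAR_ONLY, CALIBRATED):
        print(ei_score(draft), zone(ei_score(draft)[2]), fear_efficacy(draft))
```

Word totals depend on the tokenizer, so a hand count that treats hyphenated terms or numbers differently will give a slightly different percentage.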

Then test the Fear + Efficacy Formula:

For every fear statement, do you have at least one efficacy statement?

If not, add them:

I guarantee you'll find most of your communications are either too high (if you've been using FUD tactics) or too low (if you've overcorrected to avoid sounding alarmist).

The Goldilocks zone is narrow—but it's where persuasion lives.

Monday: Standing Out in the Noise

We've covered what to say (concrete language) and how to say it (calibrated fear).

Tomorrow we tackle where and when: how to differentiate your message in a saturated environment where everyone is competing for the same attention.

Because even perfectly crafted messages fail if they disappear into the noise.

The research reveals specific differentiation strategies that make your communications memorable when your audience has heard it all before.

Including the most powerful technique of all: explicitly acknowledging the fatigue your audience is experiencing.
