Negative motivation is not positive engagement

Apr 20, 2018 (10 mins)
Application Security, Data and Information Security, Network Security

The barrage of fearmongering and FOMO over social media and advertising leads to a vicious cycle of negative engagement that builds anger and frustration that can’t be addressed by buying new products. We can break the cycle through positive engagement, but we first need to understand why and how to do so.


Two events, the 2016 Presidential election and the Cambridge Analytica/Facebook issue, show the negative side of engagement.  The article, “The Internet Apologizes,” by Noah Kulwin, discusses in detail through a series of interviews with notable personalities how we got to such a negative point.  The most poignant quote in the article comes from Roger McNamee, a VC investor who introduced Mark Zuckerberg to Sheryl Sandberg.  He indicates the following about the Internet, Facebook, and social media: 

“They’re basically trying to trigger fear and anger to get the outrage cycle going, because outrage is what makes you be more deeply engaged. You spend more time on the site and you share more stuff. Therefore, you’re going to be exposed to more ads, and that makes you more valuable.”

He also indicates that we have created a persuasion engine unlike any created in history.

What have we created?

We’ve created a toxic environment.  Social media is built upon keeping people engaged.  Security has been sold and marketed using fearmongering.  The effect has been that social media and marketing/advertising channels funnel a constant stream of negative advertising warning us that the next data breach is just around the corner, that ransomware is ready to strike now and cripple our businesses, or that if we don’t buy this next product, government agencies will fine us hundreds of thousands of dollars.  This causes anxiety, fear, and uncertainty, not only with the Information Security community, but also with our customers, many of whom panic and make rash decisions because of it.

Why are we angry?

According to Natalie Wolchover, in the article “Why is Everyone on the Internet so Angry?,” published in Scientific American, it’s a combination of three factors.  Commenters are virtually anonymous and therefore unaccountable, they are at a distance from their targets, and it is much easier to be nasty in writing than in speech.

This article also cites the bad examples set by the media, specifically Jerry Springer, Crossfire, and the former Fox News host Bill O’Reilly.  We can also look at the influence of Lee Atwater, Newt Gingrich, and Rush Limbaugh as putting us on the path toward anger, resentment, and winning at all costs through negative messaging and us vs. them politics. 

There is also significant resentment toward the technological advancements that have caused the United States to lose a significant portion of its manufacturing base to other countries due to lower costs, and the rise of transnational corporations.  Most importantly, this has changed traditional social norms and customs.  These changes have also caused economic decline across the United States, as the traditional manufacturing base has shifted to other nations.  This decline has caused significant resentment as people have longed for a return to a time that economically cannot exist again, and have been presented with few, if any options for hope.

We are angry mostly due to negative messaging and resentment of change, rather than acceptance and transformation. The Internet has made it very easy to viciously attack people at a distance anonymously. The distance and anonymity lead to the use of dehumanizing language and terms, setting us back several years. Having people in positions of power and leadership who do this via social media has made this much worse. Focusing our attention on nebulous targets and generating anger has led to real-life attacks and a degradation of dialogue. The very real economic and opiate crises in a number of former manufacturing towns across the US have done nothing but feed the flames.

Social media has made this much worse because it is driven by algorithms designed to increase engagement by showing users what they want to see. YouTube, as cited in the article “How Does the YouTube Algorithm Work? A Guide to Getting More Views,” by Ric Mazereeuw, focuses its algorithm on what users watch, how much time they spend watching a video, how much time they spend watching videos during each visit, and likes/dislikes/not interested feedback. Facebook, Instagram, and other sites have similar algorithms.

The result is that social media algorithms can amplify negative messaging into a virtual view of the world that shows nothing else. A constant negative barrage of dialogue that pops up in a Facebook feed, suggested videos from YouTube, or suggested content from other sites shuts people out from other viewpoints and keeps them angry and depressed. The usage of derogatory terms causes people who hold opposing viewpoints to be dehumanized, further amplifying the divide and anger.

Depression sells

Retail Therapy works.  In the working paper “The Benefits of Retail Therapy:  Making Purchase Decisions Reduces Residual Sadness,” Scott Rick, Katherine Alicia Burson, and Beatriz Pereira of the University of Michigan Ross School of Business came to the conclusion that making shopping choices helps to restore a sense of personal control over one’s environment, and therefore helps to alleviate sadness.  However, it does not address anger. 

In the Information Technology community, specifically the Security section, there is a lot of frustration, anger, sadness, and depression.  We often have to deal with limited budgets and resources, a lack of a sense of urgency across entire organizations, while putting out fires and addressing issues. 

Security is a high-pressure environment that causes burnout and depression. Marketing solutions that claim to address issues to companies, IT staff, and executives after a major breach announcement or malware attack takes their minds off the situation they are in and gives them a sense of control, the sense that they can at least prevent some attack from occurring in their environment.

Giving people the option to search for solutions to their problems, even if it doesn’t address the root causes of why we have security issues, reduces sadness and gives a sense of control over the uncertainty, at least until the next round of negative news or the next data breach comes out.  Then the cycle begins anew.

The use of FOMO

FOMO, or the “Fear of Missing Out,” according to the website, is the psychological stress people feel when they believe they are missing out on, or otherwise excluded from, enjoyable experiences others are having.

I have seen FOMO applied to two different areas in the security world.  The first is with security conferences, specifically some of the smaller ones used to directly engage senior IT management with vendors.  The second has been with product sales, especially in the healthcare sector.

At least once or twice a week I get emails from security conferences that invite me for all-expenses-paid networking and learning. The emails will also mention the titles and companies of a number of other participants, and that I will be missing out on opportunities to network with my peers if I do not go. I know the aim of these conferences is to more directly market to senior management, and that the ultimate product is the attendees. However, fear of missing out on what the larger systems are implementing, or wisdom they can impart, is the weapon used to get people to attend.

Product sales are not immune.  Almost every time I sit through a vendor presentation now, I expect a “placemat” slide featuring all their major customers.  Healthcare organizations have a pattern of benchmarking and/or emulating “model” health systems, specifically those that have either achieved HIMSS Level 7 or Most Wired status.  Oftentimes we get pressure to implement something simply because one of those systems has done so, and other executives are afraid of missing out on the benefits that said systems are reaping.

Fearmongering and FOMO lead to alarm fatigue

In healthcare, there is a condition called alarm fatigue, which is sensory overload caused when clinicians are exposed to an excessive number of alarms.  According to Sue Sendelbach, RN, PhD, CCNS, and Marjorie Funk, RN, PhD – who documented their findings in the article “Alarm Fatigue – A Patient Safety Concern,” which was published in the journal AACN Advanced Critical Care, Oct-Dec 2013 – 72 to 99 percent of clinical alarms are false.  This leads to desensitization to alarms and missed alarms.  Patient deaths have been attributed to alarm fatigue.

The constant barrages of fearmongering through social media, advertising and FOMO, combined with toxic negativity, have led to alarm fatigue in information security for our customers. While there is a reduction in sadness every time we put something in that mitigates a risk, there are still the underlying issues that haven’t been addressed. We don’t address the cause of the anger. Many of our colleagues succumb to alarm fatigue and many also leave the field because of it. Our customers experience sensory overload because the constant warnings, threats, and fear about cybersecurity have been incredibly prevalent. This means that we all tune out the alarms, and we get owned because of it. We keep the underlying anger and frustration, and sometimes take it out on customers as well.

How do we address this?  How do we reach out?

We have to ask ourselves why we are angry, and what we can do to address our situation.  It’s not enough to have another conference, webinar, or meeting.  We need to reach out beyond IT to address this business issue.  We have to give hope to our customers and empower them with a shared vision of a positive future where we minimize risk.  We need to address the elephant in the room of the constant barrage of social media, fearmongering, and FOMO with our organizations and show them there is a better way.

We have to campaign constantly and be out in front of customers sharing a clear and consistent message of collaboration.  Our teams need to understand the business and sell ourselves.  We need to demystify security and explain it in their terms.  Sometimes this means we won’t be able to put in the most ideal solutions.  However, if we’re able to improve and show how, we’ve won the battle.

We will win the war by reaching out to everyone.  We have to be constantly engaging our customers.  We are dealing with people who will use any means to spread negativity, fear, uncertainty, and doubt to their financial benefit.  We have to combat that by being educated, demonstrating our knowledge in a way our business understands, and building our programs into the business itself.  We cannot sustain information risk management as a separate entity any longer.  We need to be willing to teach, engage, and be a part of the business that focuses on improving it.

Ultimately, we need to work very hard to find friends. We need to make them and retain them. Having that underlying anger and frustration will continue to separate us. We have to constantly campaign and be out there. October is just another month in which we engage. Given the need, we have to barnstorm with a clear and concise message, and a team willing to deliver. We need to focus with laser precision on learning our shared business and how to address their issues their way.

Most important, we need to set the example.  We need to address negative behaviors at the onset in our own teams.  We need to address our fears and potential consequences before they cause lasting damage.  We need to get out of our own tunnels of negativity and break the cycle.  Our customers deserve a better way.  However, they need to see that we follow one ourselves, and that we do not continue the negative cycle of engagement.  The only FOMO we should see is that of missing out on a better future with positive engagement that breaks the cycle.


Mitchell Parker, CISSP, is the Executive Director, Information Security and Compliance, at Indiana University Health in Indianapolis. Mitch is currently working on redeveloping the Information Security program at IU Health, and regularly works with multiple non-technology stakeholders to improve it. He also speaks regularly at multiple conferences and workshops, including HIMSS, IEEE TechIgnite, and Internet of Medical Things.

Mitch has a Bachelor's degree in Computer Science from Bloomsburg University, a MS in Information Technology Leadership from LaSalle University, and his MBA from Temple University.

The opinions expressed in this blog are those of Mitchell Parker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.