Q: How do I overcome public apathy to internet security, even after revelation after revelation about security failures?

A: Step 1 is determining whether apathy is the problem. If the public doesn’t think cybersecurity is a big deal, then your objective is to educate them about the prevalence and consequences of online security breaches. This would likely entail a balanced mix of PSA-style advertising and PR efforts.

That said, I’m not convinced that apathy is the problem. In a 2015 survey, researchers at the National Telecommunications and Information Administration found that 84 percent of online households reported at least one internet security concern (the most common being identity theft). And in 2016, the TRUSTe/NCSA Consumer Privacy Index reported that 92 percent of U.S. internet users worry about their privacy online — although that same report found that 75 percent believe they already protect their online data adequately.

So, the problem might not be apathy. Americans care and are concerned about internet security. But perhaps the small steps we have taken have lulled us into overconfidence. This is probably true, at least when it comes to the personal steps we can take to manage our own cybersecurity.

But what about how our data is managed and secured by outside entities — retailers, banks, websites, social media and so on? Here, the problem might be that we feel helpless. We don’t take action because we don’t know what to do.

If the public isn’t apathetic, but instead feels overconfident or helpless about cybersecurity issues, your marketing objectives are different. Your focus should be on educating the public about what they must do to increase their own security, and how they can pressure companies to better safeguard their personal data.

And again, fear is a valuable motivator. The key is to provide clear actions that people can take to resolve those fears. Provide instructions on how to encrypt e-mails. Link to a petition for stronger cybersecurity laws. List customer service contacts for retailers with shoddy cybersecurity practices. Fear-based messages often backfire if they don’t include sufficient information about how to take action.

Aaron Sackett is an associate professor of marketing at the University of St. Thomas Opus College of Business.

This article originally appeared in the Star Tribune on May 28, 2017. Used by kind permission of the Star Tribune.