Research suggests that people’s personality types can influence whether they would be more likely to fall for social engineering attacks or be less likely to click on phishing links. The combination of information security with business psychology is an intriguing area to explore, but it may unfairly put the burden of security on to the individual.
Different personality types have different strengths and weaknesses in how they understand—and deal with—cybersecurity, researchers from ESET and Myers-Briggs said in their Cyberchology report. People who focus more on the outside world tended to be more vulnerable to social engineering and people who observe and remember details are better at spotting risks, the study found.
Personality tests that claim to give people insights into how they perceive the world are easy to find, and many enterprises adopted the Myers-Briggs Type Indicator (MBTI) to figure out how to manage employees back in the 1980s. The practice still exists in many industry sectors, as managers believe the MBTI helps them adjust team dynamics to create an effective workplace. Now the idea is that similar assessments can help organizations figure out what blind spots their employees may have regarding information security and customize security training to strengthen those areas.
A self-reported questionnaire, MBTI organizes personality along four psychological features—sensation, intuition, feeling, and thinking—to create the four major categories: Introversion/Extraversion, Sensing/Intuition, Thinking/Feeling, and Judging/Perception. MBTI defines where people draw their energy, how they learn, how they make decisions, and whether they prefer a structured or open-ended approach. ESET and Myers-Briggs polled 520 people who had completed MBTI assessments in Europe for this study with questions about their jobs, security habits, phishing experiences, and overall security knowledge.
The researchers drew upon MBTI concepts when they looked at five personality types: “extraverted personality,” or those that focus on the outside world and work out ideas by talking them through; those that prefer to “sense,” as they observe and remember details; those that “feel,” as they are guided by personal values; those that “judge,” as they tend to be systematic and structured; and people with a preference for “thinking,” as they approach problems logically.
Let's get one thing straight: No personality type is “more secure” than others. As with many things in information security, it’s complicated.
Security Strengths and Weaknesses
People with extraverted personalities “tend to be more vulnerable to manipulation, deceit, and persuasion from cybercriminals” but their being more aware of what is happening around them means they are “generally faster to pick up on attacks coming in from outside,” the researchers said.
Phishing attacks are less likely to be effective if the targeted person has a preference for sensing because that person is better with details, but that person may take more security risks. People with a preference for “thinking” tend to be very logical, so are more cautious and more rigorous about following security policies. However, this same group is more likely to overestimate their competencies, which leads to mistakes. They scored highly on security knowledge, but they were likely to think that the rules didn’t apply to them.
The value in understanding personality types seems to lie in changing how security is taught. Just as managers rely on the MBTI to adjust how they manage their employees and understand team dynamics to create the most effective working environment, the researchers suggested that personality profiles can be used to customize security training. The training materials can be tailored to take into account employee personalities and behavioral preferences when explaining the role each person plays in securing company data. A common security training lesson is to have people scrutinize the email headers to make sure the addresses look legitimate. This is a skill that comes naturally to the thinking types, but it may be harder for others.
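The header scrutiny that training asks of every employee is also something the mail pipeline can do for them, which is the kind of automated check the rest of the article argues should carry most of the load. The following is an added example, not code from the Cyberchology report or from ESET or Myers-Briggs: it parses a message with Python's standard `email` module and reports the sender-header inconsistencies that awareness lessons teach people to spot (an address-looking display name at a different domain, a From domain the organization does not use, and Reply-To or Return-Path pointing elsewhere). The trusted-domain list and both sample messages are constructed for the example.

```python
"""Flag sender-header inconsistencies of the kind security training asks people
to look for. Added example; the trusted domain and both messages are constructed."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Domains the organization legitimately sends from (assumption for this example).
TRUSTED_DOMAINS = {"example.com"}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def header_findings(raw_message: str, trusted_domains=TRUSTED_DOMAINS) -> list:
    """Parse the headers and return a list of human-readable findings.

    An empty list means none of the checked inconsistencies is present; it does
    not prove the message is legitimate.
    """
    msg = message_from_string(raw_message)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. The display name is itself an address, but at a different domain than
    #    the real sender (what the reader sees is not where the mail came from).
    if "@" in from_name and _domain(from_name) != from_dom:
        findings.append(
            f"display name '{from_name}' shows a different domain than sender {from_addr}")

    # 2. The sender domain is not one the organization actually uses.
    if from_dom and from_dom not in trusted_domains:
        findings.append(f"From domain '{from_dom}' is not a trusted sending domain")

    # 3. Reply-To points away from the From domain, so replies go to a third party.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if reply_addr and _domain(reply_addr) != from_dom:
            findings.append(f"Reply-To {reply_addr} differs from From domain '{from_dom}'")

    # 4. Return-Path (where bounces go) does not match the From domain.
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    if return_path and _domain(return_path) != from_dom:
        findings.append(f"Return-Path {return_path} differs from From domain '{from_dom}'")

    return findings


# Constructed sample: presents itself as internal IT, but every header points elsewhere.
SUSPICIOUS_MESSAGE = """\
From: "it-support@example.com" <helpdesk@example-support.net>
Reply-To: accounts@mail-verify.example.org
Return-Path: <bounce@bulk-sender.example.net>
To: employee@example.com
Subject: Your password expires today

Please confirm your credentials at the link below.
"""

# Constructed sample of an ordinary internal message.
NORMAL_MESSAGE = """\
From: Jane Doe <jane.doe@example.com>
Return-Path: <jane.doe@example.com>
To: employee@example.com
Subject: Lunch on Friday

See you at noon.
"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MESSAGE), ("normal", NORMAL_MESSAGE)):
        print(label, header_findings(text) or ["no header inconsistencies found"])
```

Run as a script, the constructed suspicious message produces four findings and the ordinary one produces none. The checks deliberately stop at header consistency; authentication results such as SPF, DKIM and DMARC are the stronger signal and belong in the mail gateway rather than in the recipient's eyes.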
Knowing what people respond to would be helpful in teaching them what to be a bit more wary about. A phishing email that relies on facts or talks about a benefit (such as saving money) would be more effective on people who fall on the objective and analytical side of the equation. The sensing and feeling types tend to be more trusting and loyal, so they would be more vulnerable to a phishing email that appears to have been sent by an authority figure. The intuition and feeling types may be more likely to fall for a phishing email disguised as a charity request.
The challenge of relying too much on personality types is that it opens up a trap of explaining that an attack happened because of a person’s alignment. The last thing anyone needs is deciding that a certain type of personality profile is a “better” security employee for that company’s risk profile.
While customizing security training to recognize that some things are easier for some people than others is a useful idea, it’s important to realize that security awareness training is just one item in the security portfolio. There is a tendency to put the onus of security defense on the individual—if you click on the link, we will get breached; if you don’t follow this process, the data will be stolen—which is unfair to the individual. People will make mistakes and forget to do something. Even the savviest, most security-aware person will fall for a carefully crafted phishing attack. This is where the bulk of enterprise defense lies: setting up automated systems that check that procedures have been followed, or deploying technology to ensure the proper controls are in place.
Security training is important, but it is just one item. It can catch some attacks and it helps people identify their weaknesses so that they can adjust their behavior accordingly.
"Overlaying organization-wide self-awareness with a robust cyber security system can create a net of human/digital skills and proclivities which cybercriminals will have trouble slipping through," the researchers said.
Human Behavior and Security
Many organizations have been exploring the intersection of personality and security to figure out why people make decisions and take risks. Forcepoint X-Labs has identified the five personality traits as neuroticism, extraversion, openness, agreeableness, and conscientiousness. Forcepoint X-Labs recently examined how cognitive bias can also influence how people make security decisions.
It's not just security awareness training. A data protection officer at a major European airline has discussed how to use the idea of personality in a supply chain situation to assess a third-party provider's security risk.
Panorays earlier this year discussed how they look at the “employee attack likelihood,” a score assigned on how likely a person is to be targeted in an attack. Employees may be targeted because of their job titles or roles in certain departments, since those give them access to specific types of information or systems. While an executive may have access to sensitive information, an IT administrator would have extensive privileges. The score also takes into account the person's digital footprint and whether their credentials have been leaked in other data breaches.
“The human factor is always the wild card when considering the cyber resilience of an organization,” said Matan Or-El, CEO and co-founder of Panorays.