General security

Can your personality indicate how you’ll react to a cyberthreat?

Susan Morrow
January 15, 2022 by
Susan Morrow

All of us are as individual as snowflakes in a winter storm … or so we think. Psychologists beg to differ, and in doing so, attribute five main personality types to human beings. 

Personality is a driver for behavior under certain conditions. In other words, what you decide to do is greatly influenced by your personality type. It is this very behavior that cybercriminals attempt to manipulate. Phishing emails, for example, hook into certain known expressions of behavioral traits when confronted by drivers such as trust and fear and so on. How do you react when confronted with an email telling you your account has been compromised?

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

The question is, can we work out if specific personality types react to cyberattacks differently? And if so, can we make our security awareness campaigns more effective?

The Big Five personality types

The concept of distinct personality types has been in discussion and research for many years. By the late 90s, the idea of the Five-Factor Theory, abbreviated to OCEAN, was proposed by McCrae and Costa. This model attempted to wrap areas such as attitudes, roles, relationships and culture into a framework covering personality and behavior. The result was the “Big Five”:

  • Openness to Experience: Aesthetics, feelings, actions
  • Conscientiousness: Dutiful, disciplined
  • Extroversion: Warm, assertive
  • Agreeableness: Cooperative, compassionate
  • Neuroticism: Anxious, self-conscious

It is worth noting that this list of five was whittled down from literally thousands. However, the big five have had a sixth character, “honesty-humility,” recently added.

The Big Five personality types and cyber-behavior

Research that looks into mapping personality traits onto cybersecurity behavior is ongoing. It also remains controversial, which isn’t too surprising. Personality is plastic. We can all think of circumstances where we are extroverted in some circumstances and neurotic in others. 

OCEAN takes this into account. It isn’t a binary theory, but rather recognizes that personality traits exist along a spectrum. This spectrum is used to “score” personality — the scoring being on a scale of 1 to 5, with 5 meaning you score highly in that particular trait area. People are generally a mix of traits, with some traits more influential on behavior than others in any given individual.

Below, I look at two studies that have studied how the Big Five personality traits can affect susceptibility to cyberthreats.

Study 1: Albladi and Weir, “Personality Traits and Cyber-Attack Victimisation: Multiple Mediation Analysis”

Sample size n = 316

Albladi and Weir looked at a user’s susceptibility to cyberattacks using OCEAN. The conclusion was somewhat mixed. The researchers found that personality traits did offer “significant predictors of human vulnerability to cyberattacks.” However, other factors had to be layered to explain the results. 

The following variables had a strong influence on susceptibility to cybercrime along with personality traits:

  • Trust
  • Competence
  • Motivation
  • Past experience as a victim of cybercrime

Other results complicated the picture, showing how difficult it is to attribute personality traits to a cyber threat reaction. For example, Albladi and Weir pointed out that the following traits show a decrease in susceptibility within a social network setting:

  • Conscientiousness
  • Agreeableness
  • Neuroticism

Whereas extroversion increases the risk of falling victim to a cyberattack.

Study 2:  Halevi, et al., “A Pilot Study of Cyber Security and Privacy Related Behavior and Personality Traits”

Sample size n = 100

This study had a dual approach. Firstly, the researchers looked at the impact of the Big Five personality traits on phishing campaigns. The second focus was on privacy and Facebook use pattern.

Using this dual approach, the researchers attempted to map any relationship between openness to sharing online and vulnerability to phishing attacks.

Some of the conclusions of the study are interesting, for example:

  • A sex-based difference between men and women was identified. Women were found to be more susceptible to “prize phishing”
  • A high correlation with neuroticism and phishing attacks (seemingly at odds with the Albladi study)

In terms of personality traits and phishing, the general conclusion of the study was that phishing defenses can be tailored towards people who score highly for those traits.

One of the criticisms of the report was that the phishing email was only based on a “prize scam.” Other types of phishing emails could help tweeze out the finer details of where personality trait maps to susceptibility.

A criticism of both reports and others is the sample size. “N” is at best a few hundred users. This can only ever give a snapshot view of a situation. Once you factor in other limitations and constraints, the result may not be conclusive enough to be applicable in practice.

The general feeling is that linking human behavior to susceptibility and cyber threats is not an exact science, but more of a first approximation. The problem is this: behavior is part of a fuzzy set. Many external influences, some predictable and some not, can materially affect the behavior of an individual at any given moment. Cybercriminals rely on this fact and create multiple types of security threats to cast their net wide.

The future of research into, and practical use of, personality and cyberthreats

Time and again, our behavioral traits are used to manipulate the outcome of a cyberattack. A phishing email, for example, will try to exploit trusting behavior or fear or greed, and so on. 

The discipline of behavioral information security (BIS) uses psychology, behavioral science and computer science to look for common connections between behavior and cybersecurity. The goal is to apply the output from research in this area to practical uses. But is this truly possible? 

Security awareness training, like any form of education, should reflect the needs of its audience. But the human audience behind security awareness training is a complicated mix of behaviors overlaid by experience, culture and even potentially sex-based differences.

I expect the discipline of behavioral information security to mature in the coming years. As it does so, we should expect more nuanced and detailed research done in the area. The more research is carried out, the more results can be fed into further research; each time we can hope to get closer to the goal of creating highly targeted awareness programs that fit your personality DNA. In the meantime, regular and wide-scope security awareness training across all areas of business is an important part of managing reactions to cyberthreats.

Sources

Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.