An enterprise’s employees are often regarded as its biggest weakness in terms of cybersecurity. Though some threats are posed inadvertently by employees with certain personality traits, an organization can also be targeted intentionally by an employee acting as an insider threat. Fortunately, by fostering a culture of cybersecurity, organizations can more easily detect any threats to, or gaps in, their cybersecurity, while ensuring that compliance requirements are met.
Employee Personality: The Big 5
Personality is relatively stable, and it can be viewed through the lens of the “big 5” personality traits: conscientiousness, agreeableness, neuroticism, openness to experience and extraversion.1 Studies have shown that these traits are related to information security behavior (figure 1).2, 3 For instance, people who score high on conscientiousness are more likely to shy away from risky behaviors than those who score low on conscientiousness. Similarly, employees who are agreeable or more open to experiences exhibit more secure behaviors than those who score low on these traits, but they have a slightly lower aversion to risky behavior. On the other hand, neuroticism and extraversion are not good predictors of an employee’s security behavior, as shown by their low correlations in figure 1.
Figure 1—Correlation Between Personality Traits and Information Security Behavior
Going beyond the big 5 traits may be even more helpful to managers. Employees who pursue sensation-seeking activities away from work, or who are risk takers by nature, may display risky security behavior at work or take chances with employers’ information.
Connecting Employee Personality to Information Security Compliance
An individual’s commitment to security can be measured on a scale ranging from noncompliance to compliance.4 As shown in figure 2, disobedience is the lowest level of noncompliance and culture represents the highest level of compliance, because the employee’s security behaviors are based on the organization’s culture of compliance.
Figure 2—Personality Traits and Information Security Compliance
Conscientious people are often defined by their willingness to regulate their behavior to achieve goals and complete tasks. Conscientious employees are more willing to obey information security policies than employees who are less conscientious. Similarly, agreeable employees may fall just below conscientious employees in terms of security policy compliance; they may be slightly less committed to adhering to policies than conscientious people. Openness to experience is placed just below agreeableness based on the findings presented in figure 1.
At the other end of the spectrum, employees who are risk takers may show apathy toward information security policies because they do not recognize the danger associated with their behavior. These employees may believe that nothing bad will ever happen—at least, not to them. In the minds of risk takers, occasionally breaking the rules does not lead to negative outcomes. Sensation seekers probably do not reach the same level of apathy toward information security as risk takers, but they may border on it.
Protecting Against Insider Threats
Some personality traits (e.g., conscientiousness, risk taking) may lead to unintentional cybersecurity issues, but managers should prioritize their focus on the intentional threats associated with dark triad behaviors.5 Insider sabotage is a top security concern. Insiders represent a greater threat than outsiders due to their access to information systems. This is especially true when coupled with their advanced organizational knowledge and the trust often afforded them.6 Forty-four percent of data breaches are the result of insider threats, and 90% of security professionals feel vulnerable to insider attacks.7
Technical systems (e.g., intrusion detection systems and intrusion prevention systems) are helpful in mitigating deviant behaviors, but they are not sufficient. Insider threats repeatedly occur despite sophisticated technical security mechanisms.8 This is where managerial attention (i.e., screening and monitoring) can close security gaps. A sound information security risk assessment system should include preemployment screening for problematic personality traits and frequent managerial contact with employees to identify high-threat individuals and situations.
To learn more about the intentional and unintentional security threats employees can pose to an enterprise, read the ISACA® Journal, vol. 5, 2021, article “The Influence of Employee Personality on Information Security.”
Endnotes
1 Costa, P. T.; R. R. McCrae; NEO PI-R Professional Manual, Psychological Assessment Resources, USA, 1992
2 Kennison, S. M.; E. Chan-Tin; “Taking Risks With Cybersecurity: Using Knowledge and Personal Characteristics to Predict Self-Reported Cybersecurity Behaviors,” Frontiers in Psychology, vol. 11, 2020
3 Shappie, A. T.; C. A. Dawson; S. M. Debb; “Personality as a Predictor of Cybersecurity Behavior,” Psychology of Popular Media Culture, vol. 9, 2019, pp. 475–480
4 Furnell, S.; K. L. Thomson; “From Culture to Disobedience: Recognising the Varying User Acceptance of IT Security,” Computer Fraud and Security, vol. 2009, iss. 2, 2009, pp. 5–10
5 Padayachee, K.; “Understanding the Relationship Between the Dark Triad of Personality Traits and Neutralization Techniques Toward Cybersecurity Behavior,” International Journal of Cyber Warfare and Terrorism, vol. 10, iss. 4, 2020, pp. 1–19
6 Ibid.
7 PricewaterhouseCoopers (PwC), Audit Committee Update: Insider Threat, USA, 2018
8 Ibid.
Gerald F. Burch, Ph.D.
Is a visiting professor at the University of West Florida (UWF) (Pensacola, Florida, USA). His primary areas of teaching are in operations management and information systems at both the undergraduate and graduate levels.
John H. Batchelor, Ph.D.
Is an associate professor of management at UWF. He teaches undergraduate and graduate classes related to management, human resources and entrepreneurship. His research interests include entrepreneurship, meta-analysis, experiential learning and emotions. He also serves as the chair of the UWF Business Administration Department.
Randall Reid, Ph.D., CISA, CISSP, Security+, A+, Network+
Has been on the faculty of UWF since 2003. He previously taught at the University of Alabama (Huntsville, Alabama, USA) and Bowling Green State University (Ohio, USA). His primary research and teaching interests are in the security area and in the pedagogical aspects of teaching.
Tyler Fezzey
Is a student at UWF. She is studying business analytics. Her research interests include organizational behavior and cybersecurity. She is also a graduate assistant for the UWF Center for Entrepreneurship, a lending analytics intern at Navy Federal Credit Union and a member of the UWF women’s volleyball team.
Christine Kelley
Has 23 years of experience in the aerospace industry specializing in design and IT. She is studying for a Ph.D. in aviation business administration from Embry Riddle Aeronautical University (Daytona Beach, Florida, USA).