Anna Collard of Popcorn Training – a KnowBe4 company – ran a cyber-strengths quiz to get a deeper understanding of how personality traits influence online behavior. Significance testing showed a clear dependency between personality profile and security score.
The art of ‘people hacking’ involves tricking people into unwittingly participating in scams. Certain personality traits and behaviors make people more (and sometimes less) likely to fall victim to specific attacks, such as phishing or ransomware.
As humans, we all struggle to turn what we know into what we do. There is a gap between knowledge, intention and behavior. People may have the knowledge they need to make a wise decision; they may even intend to make wise choices; but the right knowledge and intentions do not naturally translate into the behaviors they imply.
When it comes to the human side of security, you must treat the knowledge-intention-behavior gap as a fundamental law of reality that affects any behavior you hope to encourage or discourage. As security leaders, we need to stop expecting to make people more secure by simply exposing them to more information. Information will always have its place; however, for a person to act on information, you must give them enough context to reason deliberately about the situation they are in.
Popcorn Training – a KnowBe4 company – conducted a cyber-strengths quiz to get a deeper understanding of how personality traits influence online behavior. More than 7,000 unique users took the quiz. It was a personality-type security assessment that took users through questions about their personality traits as well as their general cybersecurity knowledge and behavior.
Personality tests are inherently rewarding because of our urge to learn more about ourselves, which explains why online personality quizzes are among the most shared apps on social media. What started as the idea of using a personality-type quiz to engage users in security awareness initiatives soon became a fascinating research project. We compared how the ‘bad’ and ‘good’ security scorers fared by personality trait, in the hope of finding a correlation between personality profiles and security scores.
Three of the Big Five personality traits were particularly interesting, as other research has linked them to security behavior. These are conscientiousness, neuroticism and openness.
We set out with the hypothesis that a strong security profile is someone with high conscientiousness, low neuroticism and high openness. A weak security profile is the inverse: someone with low conscientiousness, high neuroticism and low openness.
The results were fascinating: the percentage of bad security scorers was significantly higher among the risky personality profiles, and the stronger personality profiles had significantly better average security scores. Significance testing showed a clear dependency between personality profile and security score.
We have to keep in mind that context influences how people react. Someone with what may be considered a ‘low risk’ personality profile may be just as likely to fall victim to a scam when put under pressure, when in a rush, or when faced with a cleverly crafted and very convincing targeted attack.
A personality-type quiz can be a powerful awareness vehicle because it sparks users’ interest and makes learning messages more personal, but it should never be used to discriminate against anyone on the basis of their personality traits. It is very powerful when people recognize themselves in their individual reports and start becoming aware of their vulnerabilities. Security assessments that check users’ current level of cybersecurity understanding, combined with mock phishing results, are an effective way to identify gaps in security awareness and behavior.
Spreading subtle, continuous awareness messages throughout the company at least quarterly, and creating targeted training interventions for the more vulnerable groups (e.g. repeat clickers), is an effective way of changing behavior in the long run.
You can see Anna Collard on the Strategy Talks session at Infosecurity Europe in London from 4-6 June. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.