Certain personality traits seem to make us more or less likely to fall prey to specific attacks or scams. According to “Scam Compliance and the Psychology of Persuasion” people who are more likely to fall for scams do not seem to be in general poor decision-makers, for example, they may have a successful business or professional careers. It also has nothing to do with age or sex.
However, their personality makes up does determine why some people simply seem to be unduly open to persuasion and are easier prey than others. Research recently conducted confirms this.
Through the support of the Sanlam Group, Popcorn Training - a KnowBe4 company, developed a personality traits assessment combined with security general knowledge and behaviour questions called the “Cyber Strengths Test”.
This test was delivered via an online questionnaire rolled out to the Sanlam Group companies as well as some of Popcorn Training's South African enterprise customers and their users, with over 12,000 responses to date. We analysed a total of 12,459 unique and anonymised responses and compared how the “bad” and “good” security scorers fared by personality traits in the hope of finding a correlation between personality profiles and their security scores.
Three personality traits out of the Big 5, were particularly interesting, as they were linked to security behaviour in various other research papers. These are:
For example, highly conscientious people may be more vulnerable to scams impersonating authority figures. And people with a high degree of sensitivity may be more likely to react to scams that play on their anger or fear.
We set out with the hypothesis that a strong security profile is someone with a high degree of conscientiousness, a low degree of neuroticism and high openness. And a weak security profile is the inverse, i.e. someone with a low level of consciousness, high degree of neuroticism, and low openness. The results were fascinating, in that the percentage of bad security scorers was significantly higher amongst the risky personality profile.
In turn, stronger personality profiles had significantly better average security scores. Significance testing showed a definite dependency between the personality profiles and their security scores. For security awareness professionals, this provides an indication of higher risk users which can feed into a prioritised training and awareness plan.
We have to keep in mind that context influences how people react, and someone with what may be considered a “low risk” personality profile may be just as likely to fall victim to scams when put under pressure, when in a rush or when faced with a cleverly crafted targeted attack that is very convincing.
Using security assessments that check a user’s current level of cybersecurity understanding, as well as mock phishing results, are a powerful way to identify gaps in security awareness behaviour. Ensuring subtle continuous awareness messages are spread throughout the company on at least a quarterly basis, as well as creating targeted training interventions for the more vulnerable groups is an effective way in changing behaviour in the long run.
Other actions that can be taken include: