Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/13/2019
05:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Does Personality Make You Vulnerable to Cybercrime?

A new study explores the connections between personality traits and susceptibility to different cyberattacks.

Could extraversion make you more vulnerable to social engineering attacks? It's a possibility, as seen in research investigating links between personality traits and vulnerability to cybercrime.

The study, compiled by ESET and the Myers-Briggs company, drills down into the "human factor" responsible for many security breaches. Verizon's DBIR found 20% of security incidents originate from people within an organization; separate data from Dtex shows nearly two-thirds (64%) of insider threats come from people who put the company at risk with careless behavior.

Myers-Briggs' goal in this research is to determine whether individuals' personality traits make them more susceptible to different types of security threats. As part of an ongoing study, it has so far polled 520 respondents who had completed the Myers-Briggs Type Indicator (MBTI) questionnaire. John Hackston, head of thought leadership for the company, argues the MBTI is a practical starting point for personality-based research as many people and businesses already use it for self-development.

If you're not familiar, the MBTI quantifies "best-fit" personality type using four traits: extraversion/introversion (E/I), which shows where you get energy; sensing/intuition (S/N), which indicates how you learn information; thinking/feeling (T/F), which tells how you make decisions; and judging/perceiving (J/P), which indicates whether you prefer a more structured or open-ended lifestyle. For the security-focused study, respondents also answered questions about their jobs, biographical data, cybersecurity habits, phishing experiences, and overall security knowledge.

"Everybody in an organization is an insider risk when it comes to cybersecurity," says Hackston. "We want to look at how MBTI relates to those to give people guidelines … so they can have guidelines to say 'What things should I look out for?' and 'What things might be my particular downfalls if I'm not careful?'"

There is no single personality type that's more security-savvy than the others, he explains. Similarly, being security-savvy doesn't necessarily mean someone is a lower-risk employee. Oftentimes, security practices boil down to the two middle letters of the MBTI type, which are intended to dictate how an individual processes data and how they make decisions.

As an example, Hackson points to the personality type INTP: a logical, analytical, detail-oriented and introverted person. Myers-Briggs' research shows people who are INTPs score higher on questions about cybersecurity knowledge; unfortunately, they're also more likely to think rules don't apply to them. An ESTP, an extraverted type who focuses on facts and logic, is also likely to flout rules.

The way a phishing attack is communicated can make a difference in which types fall for it, Hackston adds. An email that seems factual and promises someone can save money or be more efficient, for example, will be more effective on the objective, analytical "ST" types. The trusting, loyal "SF" type may be more likely to respond to an email that claims to be from an authority figure, and the warm, altruistic "NF" may fall for a phishing attack disguised as a charity email.

In general, researchers found, extraverts are more likely to fall for social engineering attacks. Their need to stay in tune with the world is "both a boon and a curse," Hackston says. While they're informed of new threats, extraverts' tendency to focus on people puts them at risk. A desire to build a personal connection may lure an extravert into a social engineering trap.

The Big 5

Of course, the MBTI isn't the only way to classify personality. Dr. Margaret Cunningham, principal research scientist for human behavior with Forcepoint X-Labs, has explored security risk alongside the "Big 5" personality traits: neuroticism, extraversion, openness, agreeableness, and conscientiousness, and she agrees extraversion can prove risky.

"We find in the Big 5 personality [traits] that agreeable people tend to be more willing to share information, which makes them more susceptible to social engineering attacks," she adds. When asked what they're doing, an extravert is more likely to be immediately transparent.

Conscientious people lean toward the practical side and use greater caution, she says. "These are the people who read service agreements," she jokes. "They're going to check the settings on a cookie pop-up. Those people tend to be a little less likely to [fall for] phishing attempts."

At the same time, it's important to note personality is a spectrum, Cunningham emphasizes. It's the people who exhibit the extremes of different personality facets who are easiest to associate with predictive behavior. You can be a detail-oriented extravert, for example, or an introvert who accidentally spills too much information to an attacker or falls for a phishing email.

"Knowing that these are the things that push our buttons helps us to be more wary," says Hackston. Security awareness training isn't a "one size fits all" project, and while organizations can't be expected to build different training programs for each personality type, it helps to inform employees where their weaknesses may lie so they're attuned to potential threats. As Cunningham says, people will continue to make mistakes even if they are informed of the risk.

"No matter how aware we are, we will continue to make mistakes and be phished," she says. "We'll continue to click not because of personality, but the limitations we have in cognitive skills like memory and attention."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5034
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vuln...
CVE-2019-5035
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker c...
CVE-2019-5036
PUBLISHED: 2019-08-20
An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially cr...
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...