Organizations that understand their employees’ personality types could better shape their security awareness training, research shows
We know that employees are one of the biggest threats—whether accidentally or through malicious intent—to network and data security. It’s why organizations need to implement security awareness training. It should be one of the most effective tools for addressing insider risks.
Except, we know that security awareness training has a lot of flaws. It doesn’t do enough to engage employees, so the information is quickly forgotten. Training is infrequent and random. It doesn’t stress why employees need to be part of the security process and take ownership of their security behaviors. But most of all, security education is too often a one-size-fits-all proposition. Everybody in the company gets the same training, no matter their skill sets, knowledge or personality.
Personality? What on earth does personality have to do with security awareness training? A lot, according to new research from ESET and The Myers-Briggs Company. Human error, human ignorance and human behavior play a huge role in creating the vulnerabilities in networks—we knew that. But what the research found was that certain personality types are more susceptible to certain types of attacks. For example, those with personalities aligned with Feeling (those guided by personal values) or Judging (those who are systematic or structured) tend to be easy prey for social engineering attacks, while Sensing individuals (those who observe and remember details) are more likely to spot a phishing attack.
Imagine how security awareness training could be shaped if it took our personalities into consideration.
Make the Learning Stick
“If learning is going to stick, it’s important for any training program to speak to the preferences of all those who take part, whatever their personality type,” said John Hackston at The Myers-Briggs Company. For the record, the four dimensions of the Myers-Briggs Type Indicator (MBTI) model are as follows:
- Where you focus your attention (Extraversion or Introversion)
- What sort of information you prefer (Sensing or Intuition)
- How you prefer to make decisions (Thinking or Feeling)
- How structured you like your life to be (Judging or Perceiving)
The MBTI model provides a really good framework for developing a balanced training program. For example, Hackston said a training program might include a number of more experiential, group- or discussion-based activities, which would maintain the interest of those with a personality preference for Extraversion, while also including written exercises and time for reflection, which would meet the needs of those with a preference for Introversion.
How Personality Can Improve Security Posture
Cybercriminals know that human error plays to their advantage and they are going to do whatever they can to get users to make a mistake.
“As part of a wholesome cyberstrategy, it is important to evaluate the likelihood of employees being targeted for cyberattacks and leveraged as a springboard into the company. This human factor can be assessed by examining various elements such as the employee’s social posture, the presence of a security team and employee security awareness,” said Matan Or-El, CEO and co-founder of Panorays.
That’s why it is so important to recognize that each person, from senior leadership to the front desk receptionist—anyone who is connecting to your network—comes with their own set of strengths and weaknesses, puts their own spin on their daily tasks and looks at the world, including cybersecurity, through their own unique viewpoint. But too often, leadership sees things in terms of right and wrong (with their way being the right way)—and that, too, trickles down into security awareness and cybersecurity behaviors.
“When someone does something that we don’t think we would do, like make a mistake that results in a data breach, the temptation is to see them as stupid, careless, even malicious,” said Hackston. “But if a different sort of cyberattack had come along, maybe they would not have fallen for it, but you would!”
Will understanding that everyone is different, and using that understanding in security awareness training, eliminate the human errors that create risk? Of course not. But, Hackston noted, understanding that everyone is different can really help leadership and the organization as a whole take all aspects of cybersecurity seriously, not just the ones that are obvious to them, and avoid taking a “one size fits all” approach.
How do you create the right security awareness program for the different personality types in your office? Stay tuned. Hackston said the research is ongoing and the goal is to be able to produce specific cybersecurity guidelines for each MBTI type in early 2020.