In August 2019, ESET and The Myers-Briggs Company released preliminary findings of a fascinating study on the way personality types can influence cybersecurity behaviors. Even with just a snippet of the data available, it seemed possible that security awareness training could be designed around an individual employee’s personality, increasing the chances that the training would be effective.
The full report was published this month. While many of the respondents were already practicing good security hygiene, the study did find some consistencies in personality types and their overall behavior and attitudes toward cybersecurity. According to the report:
- Respondents with preferences for Introversion scored higher on “knowledge-informed carefulness” than those with a preference for Extraversion.
- Respondents with preferences for Sensing scored higher on “conscientiously follows rules” than those with a preference for Intuition.
- Respondents with preferences for Thinking scored higher on “knowledge-informed carefulness” and had a higher overall cybersecurity score than those with a preference for Feeling.
- Respondents with preferences for Judging scored higher on “conscientiously follows rules” and “keeps passwords and devices secure” than those with a preference for Perceiving and had a higher overall cybersecurity score.
However, the report added, while there were clear similarities among those within a personality type, all individuals will have differences that must be taken into account when developing a security awareness program.
The Foundation Is Already There
The Myers-Briggs Company’s John Hackston said the first thing he noticed in the overall results of the study was that most people seem to take cybersecurity seriously. More than 80%, for example, agreed or strongly agreed that a data breach would be disastrous for their organization. Another pleasant surprise for Hackston was the high number of people who already had good security knowledge and behaviors.
On the other hand, he was surprised by how clear the differences were in both cybersecurity strengths and potential vulnerabilities in the various personality types. “For example, people like me (my type preferences are for INTP – Introversion, Intuition, Thinking and Perceiving) are mostly quite knowledgeable about cybersecurity issues, but we do find it difficult to follow the rules and have a tendency to think we know best,” he explained. “That’s our Achilles heel when it comes to cybersecurity, but knowing this is really helpful and a reminder that perhaps I don’t always know best, the rules are there for a reason and it might be good to listen to the advice of my IT support team.”
Using those strengths and weaknesses of personality types, Myers-Briggs and ESET developed a list of guidelines and tips on how best to structure security awareness solutions for the different personality types. For instance, those whose personality type falls under one of the Extraversion categories might be reminded not to trust a public connection even if it requires a password, or to slow down and pay closer attention when reading an email. Introverts may be reminded to follow the rules and not be so trusting of people they meet online. Some of the tips may overlap between introverts and extroverts because their biggest personal (and personality) vulnerabilities fall into one of the other preferences. Sensing personalities, for instance, are warned about trusting both people and networks.
Different Strengths, Different Weaknesses
Knowing your employees’ personality types may help you individualize security awareness programs, but if you don’t feel comfortable having them do personality testing, sharing the tips will at least give your employees something to think about.
“People are different from each other. We all have different strengths and vulnerabilities, and it’s important to realize this when thinking about cybersecurity,” Hackston said.
He added that the data from the study suggests that good cybersecurity knowledge and behaviors can be infectious. “People who worked for IT companies but who did not have directly IT-related jobs still had better behavior and knowledge than people who worked for non-IT companies. People will learn, if you give them the chance,” he said.
Overall, letting people know about their likely strengths and possible vulnerabilities speaks to them as individuals and helps to make cybersecurity real for them. Taking account of differences in how people prefer to be communicated with helps get the message across.
“There are many ways in which CISOs and security teams can use a knowledge of personality,” Hackston said. “Perhaps most importantly, by looking at individual personalities and personalizing advice, security becomes everyone’s responsibility, not just something that those IT folks do.”