Most cyber security solutions take a one-size-fits-all approach. Everyone gets the same training and the same simulated phishing emails.
Yet, we all respond to cyber threats in different ways. Our personalities and differences often play a key role in how we act. For this reason, training adjusted to each individual could better reduce cyber risk.
Several factors influence individuals’ security behaviour, from attitudes towards security and confidence to engage in security behaviours, through to job roles and aspects of ourselves, like age and cultural upbringing. In part one of this blog series, we looked at personality as a factor that influences cyber risk. Here, we’ll look at how we might tailor security solutions to individuals based on their personality type.
The future is personal
Personalised cyber security is relatively uncharted territory. Some existing training is tailored to people’s job roles, but further personalisation based on other factors is limited.
Research has been conducted in this area, but sample sizes are limited. Tailored cyber security solutions have not yet been implemented at scale. So how might we start personalising cyber security in the workplace?
Personality inventories, such as the 44-item Big Five Inventory or the IPIP 120, allow us to map people’s personalities. This information could be used to identify the most beneficial types of training for each individual.
For example, someone scoring highly for agreeableness is more susceptible to phishing scams containing a plea for help or assistance. They are more likely than others to respond to such an email in the hope of providing aid.
To help an agreeable person reduce their cyber risk, send phishing simulations that appeal to their generosity. Learning to recognise such emails helps agreeable people strengthen their defence against the attacks they’re more susceptible to.
Information from personality inventories helps tailor how people are given information as well as which information they are given. For example, extroverts would receive content relating to their social preferences. Meanwhile, people scoring highly for openness might prefer visual information instead of text.
Personality tests are no panacea. The accuracy of self-reporting personality traits has been questioned. Personality surveys also involve sensitive data collection and storage, which come with ethical considerations.
Still, the benefits of personalisation are potentially too good to ignore. Tailored programmes could target specific issues and risks facing an individual. People would more easily learn the information needed to reduce their risk if the format of training was tailored to suit their personality type.
Given people are the most important defence in cyber security, it makes sense to take account of idiosyncrasies. We are getting better at empowering people to spot risk. But the impact of one-size-fits-all training will always be limited.
A lot is left to do, but the rewards of an effective strategy could be huge. Harnessing individual differences is becoming increasingly important for making cyber security relevant and personable.
Want to find out more about personality and cyber security? Read our research paper, produced in collaboration with the NCC Group, here.