Cyber Psychology: Security incidents are a question of character. Stress and individual behavior on the part of employees influence the security risk. For an analysis, ESET surveyed over 100 IT security officers during the Covid-19 pandemic.
People are considered to be the greatest security risk in a company. But why do some employees click on links, download data or use personal equipment, even though compliance rules and training prohibit this? The IT security vendor ESET and the business psychology company Myers-Briggs have investigated these and other questions from a behavioral psychology perspective. For the analysis, more than 100 IT security officers were interviewed during the Covid-19 pandemic and their attitudes and experience were evaluated. The results were surprising: evidently, the character of the employee plays a decisive role in whether a security incident occurs or not.
Stress influences the handling of IT security
Everyday stress can hardly be avoided, and the corona pandemic has increased the tension further. In this context, it helps to better understand how stress influences one's own behavior and the handling of IT security. In the study, eight characters emerged (the active one, the discoverer, the leader, the emotional one, the guardian, the visionary, the analyst and the conscientious one) who deal with stress differently and showed distinctive behavior in security matters.
For example, “The Active One” is analytical, sociable, logical and resourceful. He is stressed by theoretical, abstract tasks without current, practical applications. This later leads to cocky, dangerous behavior and overconfidence. In contrast, “The Conscientious One” is mostly cooperative, humble and adaptable, as well as gentle and loyal. He comes under stress when he has to work with inflexible and unreflective people. Under pressure, the conscientious one then ignores facts and rules that do not fit into the self-designed picture and compulsively works on the optimal solution - in the worst case at the expense of security.
Malware versus character
The vast majority of cyber attacks are successful not because of the hackers' abilities, but because of human error or oversight. According to the study, personality types to whom decisiveness, realism and clarity are attributed may be more prone to malicious downloads. The same applies to people with a pronounced organizational talent and to those who stand out with idiosyncratic or imaginative ways of working. While these employees typically work through the security log one by one, time pressure and stress could cause them to make a quick decision for the sake of efficiency. This can be remedied by focusing strictly on relevant information before making decisions.
Phishing targets confident, positive people
Phishing emails are among the most dangerous attack vectors - and among the most successful. By now, the bogus messages are so deceptively realistic that even experts have to look several times to expose them. Personality types who go through life self-confident, positive-thinking and courageous seem to be particularly susceptible to phishing scams. Enthusiastic and creative people who are said to have a high level of enthusiasm must also be particularly careful. In terms of IT security, these characters should take sufficient time to check the trustworthiness of incoming messages before opening them, downloading attachments or replying to them. They should be particularly careful with e-mails with interesting content or emotional presentation.
The Internet of Things puts pragmatists at risk
The Internet of Things (IoT) has long since become an integral part of our lives: the office door opens automatically when we arrive, the smart coffee machine has made the cappuccino by the start of work and the desk lighting adapts to the mood. All of this naturally calls cyber criminals onto the scene, because many of the IoT devices used have some catching up to do in terms of IT security. When human error then occurs, the situation becomes critical.
When dealing with IoT in particular, it becomes clear that personality types who are practically inclined and to whom directness, openness and deliberation are ascribed could be susceptible if they take the setup of connected devices into their own hands. People with high problem-solving skills and a penchant for independence are also at risk. This is true even if they usually follow the rules. The best approach for these personality types is not to always assume they know best. They should also ensure that no rules or regulations are ignored.
Conclusion of the study
Cyber attacks are a constant threat to businesses. Understanding individual personalities can play a key role in a company's IT security strategy. In this way, more effective training concepts can be developed and employees can be motivated to concentrate more on their self-reflection and their skills. Understanding that the human factor is just as important for IT security as the technical aspects is the first step in developing holistic IT security concepts for companies. The study can be downloaded free of charge.
More at ESET.com
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.