The Influence of Employee Personality on Information Security

Author: Gerald F. Burch, Ph.D., John H. Batchelor, Ph.D., Randall Reid, Ph.D., CISA, CISSP, Security+, A+, Network+, Tyler Fezzey and Christine Kelley
Date Published: 7 October 2021

Employees are often considered the weakest link in the information security chain,1 creating both unintentional and intentional security threats for their employers and their employers’ partners and customers.2 However, research on why employees cause these security issues is still in its infancy.3 What is known is that an employee’s personality and their relationships with their employer and fellow employees contribute to both intentional and unintentional information security incidents.4, 5 Therefore, it is crucial for managers to understand the role personality can play in security threats so they can identify potential problems early and develop a culture of information security compliance for all employees.

Employee Personality: The Big Five

Personality is relatively stable, and it can be viewed through the lens of the “big five” personality traits: conscientiousness, agreeableness, neuroticism, openness to experience and extraversion.6 Studies have shown that these traits are related to information security behavior (figure 1).7, 8 For instance, people who score high on conscientiousness are more likely to shy away from risky behaviors than those who score low on conscientiousness. Similarly, employees who are agreeable or more open to experiences exhibit more secure behaviors than those who score low on these traits, but they have a slightly lower aversion to risky behavior. On the other hand, neuroticism and extraversion are not good predictors of an employee’s security behavior, as shown by their low correlations in figure 1.

Figure 1

Going beyond the big five traits may be even more helpful to managers. Employees who pursue sensation-seeking activities away from work, or who are risk takers by nature, may display risky security behavior at work or take chances with employers’ information.

Connecting Employee Personality to Information Security Compliance

An individual’s commitment to security can be measured on a scale ranging from noncompliance to compliance.9 As shown in figure 2, disobedience is the lowest level of noncompliance and culture represents the highest level of compliance, because the employee’s security behaviors are based on the organization’s culture of compliance.

Figure 2

Conscientious people are often defined by their willingness to regulate their behavior to achieve goals and complete tasks. Conscientious employees are more willing to obey information security policies than employees who are less conscientious. Similarly, agreeable employees may fall just below conscientious employees in terms of security policy compliance; they may be slightly less committed to adhering to policies than conscientious people. Openness to experience is placed just below agreeableness based on the findings presented in figure 1.

At the other end of the spectrum, employees who are risk takers may show apathy toward information security policies because they do not recognize the danger associated with their behavior. These employees may believe that nothing bad will ever happen—at least, not to them. In the minds of risk takers, occasionally breaking the rules does not lead to negative outcomes. Sensation seekers probably do not reach the same level of apathy toward information security as risk takers, but they may border on it.

The Dark Triad

The so-called dark triad of behavioral traits—Machiavellianism, narcissism and psychopathy—may represent the greatest security threat. Understanding these negative traits and how to detect them may be the key to managing information security from a personality perspective.

Machiavellianism refers to behaviors focused on self-interest and involving manipulation, deceit and exploitation of situations and people to achieve personal goals. People with Machiavellian traits commonly use interpersonal manipulation and exhibit specific patterns of social and emotional skills, resulting in cunning, scheming, expedient and unscrupulous behavior.10 Machiavellians are known to be goal-, status- and achievement-oriented, even at the expense of sacrificing relationships and self-discipline.11

Narcissists are often identified by self-admiration, entitlement, grandiosity and resistance to negative feedback. Narcissists crave the attention and adoration of others and may have fantasies of control, success and power.12 Narcissists may believe that they are the only ones who can create a solution or understand it.

Psychopathy is such a negative trait that it is defined as a mental disorder or illness. Psychopaths often display superficial emotions, low impulse control, disregard for others’ feelings and well-being, and lack of remorse for actions that harm others; they are willing to be social manipulators.13

Many people with these traits are fully embedded in professional enterprises. Thus, being aware that such individuals exist and closely monitoring their behavior are paramount to securing an enterprise’s information through policy compliance.

Employees with dark triad personality types are motivated differently from other employees. Machiavellians focus on personal gain, narcissists are self-absorbed and psychopaths behave badly for the thrill of it, regardless of the risk to themselves or an organization.14 All three exhibit a socially malevolent character consisting of self-promotion, emotional coldness, duplicity and aggressiveness.

Much of the research concerning deviant employees centers on Machiavellians. Perhaps this is because they are quieter, shiftier and less public about their deviance than others. For instance, narcissists, by nature, outwardly seek attention, and psychopaths are easy to spot because they are extreme risk takers. This makes Machiavellians’ behavior more potentially destructive to an enterprise, because they are more likely to participate in unethical workplace behavior and are less visible when engaging in such behavior.15


Employees with dark triad personality traits, especially Machiavellians, tend to engage in counterproductive work behaviors. They go against societal and organizational norms and often engage in destructive behavior. The dark triad is, thus, placed at the negative end of the spectrum in figure 2 because such individuals may be resistant to information security policies or may even be intentionally destructive.

Protecting Against Insider Threats

Some personality traits (e.g., low conscientiousness, risk taking) may lead to unintentional cybersecurity issues, but managers should focus first on the intentional threats associated with dark triad behaviors. Insider sabotage is a top security concern. Insiders represent a greater threat than outsiders because of their access to information systems, especially when that access is coupled with their detailed organizational knowledge and the trust often afforded them.16 Forty-four percent of data breaches are the result of insider threats, and 90 percent of security professionals feel vulnerable to insider attacks.17

Technical systems (e.g., intrusion detection systems and intrusion prevention systems) are helpful in mitigating deviant behaviors, but they are not sufficient. Insider threats repeatedly occur despite sophisticated technical security mechanisms.18 This is where managerial attention (i.e., screening and monitoring) can close security gaps. A sound information security risk assessment system should include preemployment screening for problematic personality traits and frequent managerial contact with employees to identify high-threat individuals and situations.

Preemployment Screening

The first level of defense against the dark triad is the hiring process. To avoid hiring potentially problematic employees, the following four steps can be taken:

  1. Conduct personality assessments—The Big Five Inventory (BFI) and the Neuroticism Extraversion Openness to Experience Five Factor Inventory (NEO-FFI-3) can be administered to assess personality traits.19, 20 These brief assessments provide satisfactory results, but longer assessments are recommended to accurately identify more complex behaviors. The 27-item Short Dark Triad (SD3) scale provides a reliable, efficient and valid measure of dark triad personality traits.21
  2. Look for dark triad tendencies—Evidence of these traits can be found in the potential employee’s employment history. Things to look for include lack of respect for security policies and procedures, difficulty interacting with other employees, and a high turnover rate.
  3. Use multimember hiring panels—Members with diverse backgrounds can pick up on different personality characteristics during the interview process. Figure 3 provides a list of questions to consider asking in a job interview. Higher-risk tendencies should probably not be used as a decision-making criterion, but they do give the panel information about where the candidate might fit best in the organization.
  4. Conduct telephone interviews with previous employers—Many previous employers are reluctant to put negative comments in writing, but they may be willing to share this information on the phone. Even though many previous supervisors may limit their comments because of potential legal implications, they may be willing to rate the employee’s security behaviors or tendency to take risks.

Figure 3


Information Security Policies and Procedures to Minimize Internal Threats

The second level of defense against the dark triad is the implementation of standard policies and procedures to protect against internal threats. Once an individual has passed the preemployment screening process and been hired, managers should monitor for repeated noncompliance with policies and procedures, disciplinary actions, unauthorized access to critical data, and interactions with other employees. Social media posts should also be examined, as they often provide a more honest representation of what employees are thinking. An employee living beyond their means is another indicator that something is amiss. As part of an internal threat mitigation program, a mechanism for employee suggestions and complaints should be established.

Enterprise leaders should be trained to recognize potential problems and to redirect employees before unethical behaviors can begin. Managers and other leaders must be on the lookout for employees exhibiting negative information security traits or behaviors and attempt to prevent such behaviors from escalating and becoming organizational threats.

Enterprises should also develop individual training programs for high-risk employees. Simply telling employees about information security policies and procedures is not effective, especially for those with certain personality traits.22 Each employee is different and requires training and monitoring to fit their personality and risk level. Frequent reminders for those who are less conscientious, less agreeable or more likely to engage in risky behavior may reduce both unintentional and intentional information security threats. This adds an extra layer of development and monitoring requirements for managers, but it enables managers to address cybersecurity concerns more frequently and have them become a growing part of the organizational culture.

Training and continuous monitoring can also support the efforts of conscientious and agreeable employees, moving them from the level of obedience and commitment to full participation in a culture of compliance. Similarly, if training and continuous monitoring are implemented properly and consistently, high-risk individuals may advance from ignorance to awareness of information security issues (figure 2).

Common administrative controls such as security policies and associated sanctions for noncompliance may not influence the underlying psychology of malevolent individuals. Such individuals may ignore policies and be unmoved by the threat of punishment. In these cases, the following actions may be useful:

  • Develop social bonds—Many dark triad behaviors occur when employees have few social bonds. Thus, these individuals have little to lose on a personal level by violating the enterprise’s social norms. The use of teams is one way to create social bonds, as team members are reliant on one another. In team situations, individual actions become more apparent and are bound by positive norms of compliance. Similarly, a team approach allows managers to rotate members to different security projects so there is no overwhelming sense of ownership or overly protective behavior. The use of teams also helps insulate the enterprise from lone-wolf attacks.
  • Change information security roles and access to systems frequently—Too often, employees retain information rights and privileges well beyond their level of need. This encourages employees to believe that their system access is more of a right than a privilege. Adjusting roles and system access ensures that employees understand the overall goal of information security. Placing new employees in monitoring roles may also increase the identification of potential problems because they will be more willing to ask questions and more likely to recognize situations a longtime employee might overlook.
  • Develop a culture of information security compliance—Recognize positive information security behavior through awards and the public recognition of those who take security compliance seriously. As figure 2 shows, information security is a continuum of compliance, and developing a culture of compliance ensures the safety of the enterprise, its partners and its customers.
  • Conduct training when security threats make the news—Training should be conducted at various levels of the enterprise, but it should always start at the top. For instance, a brief video or email from the chief information officer (CIO) about a negative security event in the news could be used as a training tool and a reminder that the enterprise values security. Subsequently, group training at the team level may reinforce the importance of the event and highlight how the team can ensure that such an event does not occur in its area.

Conclusion

Employees’ personality traits can potentially lead to unintentional or intentional breaches of information security. This is especially true when information security is maintained by just a few highly autonomous employees. Managers must understand the role of personality in human behavior, know how to detect potentially deviant characteristics and encourage employees to move up the compliance continuum to develop a culture of information security compliance.

Endnotes

1 Pew Research Center, “Americans and Cybersecurity,” 26 January 2017, http://pewresearch.org/internet/2017/01/26/americans-and-cybersecurity/
2 Furnell, S.; K. L. Thomson; “From Culture to Disobedience: Recognising the Varying User Acceptance of IT Security,” Computer Fraud and Security, iss. 2, 2009, p. 5–10
3 Kennison, S. M.; E. Chan-Tin; “Taking Risks With Cybersecurity: Using Knowledge and Personal Characteristics to Predict Self-Reported Cybersecurity Behaviors,” Frontiers in Psychology, vol. 11, 2020
4 Shappie, A. T.; C. A. Dawson; S. M. Debb; “Personality as a Predictor of Cybersecurity Behavior,” Psychology of Popular Media Culture, vol. 9, 2019, p. 475–480
5 Safa, N. S.; M. Sookhak; R. Von Solms; S. Furnell; A. Ghani; T. Herawan; “Information Security Conscious Care Behaviour Formation in Organizations,” Computers and Security, vol. 53, 2015, p. 65–78
6 Costa, T.; R. R. McCrae; NEO PI-R Professional Manual, Psychological Assessment Resources, USA, 1992
7 Op cit Kennison, Chan-Tin
8 Op cit Shappie et al.
9 Op cit Furnell, Thomson
10 Al Aïn, S.; A. Carré; C. Fantini-Hauwel; J. Baudouin; C. Besche-Richard; “What Is the Emotional Core of the Multidimensional Machiavellian Personality Trait?” Frontiers in Psychology, vol. 4, 2013, p. 454
11 O’Boyle, E. H.; D. R. Forsyth; G. C. Banks; P. A. Story; C. D. White; “A Meta-Analytic Test of Redundancy and Relative Importance of the Dark Triad and Five-Factor Model of Personality,” Journal of Personality, vol. 83, iss. 6, 2015, p. 644–664
12 Morf, C. C.; F. Rhodewalt; “Unraveling the Paradoxes of Narcissism: A Dynamic Self-Regulatory Processing Model,” Psychological Inquiry, vol. 12, iss. 4, 2001, p. 177–196
13 Ibid.
14 Maasberg, M.; C. Van Slyke; S. Ellis; N. Beebe; “The Dark Triad and Insider Threats in Cyber Security,” Communications of the ACM, vol. 63, iss. 12, 2020, p. 64–80
15 Rehman, U.; M. G. Shahnawaz; “Machiavellianism, Job Autonomy, and Counterproductive Work Behaviour Among Indian Managers,” Journal of Work and Organizational Psychology, vol. 34, iss. 2, 2018, p. 83–88
16 Padayachee, K.; “Understanding the Relationship Between the Dark Triad of Personality Traits and Neutralization Techniques Toward Cybersecurity Behavior,” International Journal of Cyber Warfare and Terrorism, vol. 10, iss. 4, 2020, p. 1–19
17 PricewaterhouseCoopers (PwC), Audit Committee Update: Insider Threat, USA, 2018, http://www.pwc.co.uk/audit-assurance/assets/pdf/insider-threat-for-google.pdf
18 Ibid.
19 Rammstedt, B.; O. P. John; “Measuring Personality in One Minute or Less: A 10 Item Short Version of the Big Five Inventory in English and German,” Journal of Research in Personality, vol. 41, 2007, p. 203–212
20 McCrae, R.; P. T. Costa; “Brief Versions of the NEO-PI-3,” Journal of Individual Differences, vol. 28, 2007, p. 116–128
21 Jones, D. N.; D. L. Paulhus; “Introducing the Short Dark Triad (SD3): A Brief Measure of Dark Personality Traits,” Assessment, vol. 21, 2014, p. 27–40
22 Bulgurcu, B.; H. Cavusoglu; I. Benbasat; “Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness,” Management Information Systems Quarterly, vol. 34, iss. 3, 2010, p. 523–548

Gerald F. Burch, Ph.D.

Is a visiting professor at the University of West Florida (UWF) (Pensacola, Florida, USA). His primary areas of teaching are in operations management and information systems at both the undergraduate and graduate levels.

John H. Batchelor, Ph.D.

Is an associate professor of management at UWF. He teaches undergraduate and graduate classes related to management, human resources and entrepreneurship. His research interests include entrepreneurship, meta-analysis, experiential learning and emotions. He also serves as the chair of the UWF Business Administration Department.

Randall Reid, Ph.D., CISA, CISSP, Security+, A+, Network+

Has been on the faculty of UWF since 2003. He previously taught at the University of Alabama (Huntsville, Alabama, USA) and Bowling Green State University (Ohio, USA). His primary research and teaching interests are in the security area and in the pedagogical aspects of teaching.

Tyler Fezzey

Is a student at UWF. She is studying business analytics. Her research interests include organizational behavior and cybersecurity. She is also a graduate assistant for the UWF Center for Entrepreneurship, a lending analytics intern at Navy Federal Credit Union and a member of the UWF women’s volleyball team.

Christine Kelley

Has 23 years of experience in the aerospace industry specializing in design and IT. She is studying for a Ph.D. in aviation business administration from Embry Riddle Aeronautical University (Daytona Beach, Florida, USA).