Ep 8 Todd Fletcher and Dr Chris Fullwood


Watch or listen:
The Psychology of CyberSecurity Professionals.

Why do cybersecurity professionals either blatantly or subconsciously disregard standard cybersecurity protocols?

In this episode, we explore how personality and psychology shape cybersecurity roles and how human factors drive defences, risk, and burnout in the digital world.

Connect with the guests
Todd Fletcher

Todd Fletcher: Cyberpsychology PhD student exploring the psychology of cybersecurity professionals, with a rich background spanning IT, networking, and cybersecurity engineering.

Visit Todd’s research and personal website.

Dr Chris Fullwood

Dr Chris Fullwood: Senior Lecturer in Psychology at Birmingham City University and co-author of the Oxford Handbook on Cyberpsychology.

Read more about Chris and his research and watch his podcast episode on how we present ourselves online.

This episode delves deeply into the intersection of psychology and cybersecurity, providing invaluable insights for professionals, students, and parents alike. Whether you’re exploring the field or safeguarding your digital presence, understanding the human element in technology is more crucial than ever.

Cyberpsychology vs Cybersecurity:

  • Cyberpsychology: Broad discipline examining human interaction with technology, from motivations to behavioural impacts.
  • Cybersecurity: Primarily technical but deeply intertwined with human psychology, focusing on protecting systems and data while understanding user behaviours and vulnerabilities.

Todd’s Research Journey:

  • Motivation: Todd’s curiosity about the psychological factors influencing cybersecurity professionals.
  • Current Focus: Examining how personality traits, organisational culture, and cognitive behaviours affect decision-making and security compliance among professionals.
  • Goal: Developing a “Security Acceptance Model” to better integrate human psychology into cybersecurity practices.

Insights on Personality and Cybersecurity:

  • Certain traits, such as curiosity, openness to new experiences, and conscientiousness, correlate with success in cybersecurity.
  • Traits like impulsivity and risk-taking can increase susceptibility to breaches, such as falling for phishing scams.

Human Factor in Security:

  • Cybersecurity breaches are often linked to human errors rather than technical failures.
  • Stress, burnout, and cognitive overload significantly impact professionals’ effectiveness and decision-making.

Challenges in the Cybersecurity Profession:

  • High burnout rates due to long hours, constant upskilling demands, and pressure to safeguard against evolving threats.
  • Lack of leadership support and understanding of cybersecurity risks within organisations.

Youth and Cybersecurity:

  • Encouraging curiosity in technology while guiding ethical practices is vital for fostering a positive interest in cybersecurity.
  • Parents should foster open communication and maintain awareness of their children’s online activities to prevent malicious influences.

Pathways into Cybersecurity:

  • Multiple routes include certifications, college degrees, and self-learning. Key attributes for success are curiosity, continual learning, and networking with industry professionals.

Favourite Cyberpsychology Resource:

  • Oxford Handbook of Cyberpsychology: A foundational text that explores the interplay of human behaviour and digital technology.
Locus of Control and CyberSecurity

What role does job control play in adherence to Cyber Security?

'Exploring the Role of Work Identity and Work Locus of Control in Information Security Awareness'.

Extracts and summary of the research by: Dr Lee Hadlington, Dr Masa Popovac, Prof. Helge Janicke, Dr Iryna Yevseyeva, Dr Kevin Jones (2019)

In her summary of the work, Dr Popovac describes the research as exploring ‘the adherence to organisational information security and the role of work-related and individual factors such as individuals’ perceived control within the workplace, their commitment to current work identity, and the extent to which they are reconsidering commitment to work.’

Key quotes from the research:

  • ‘Cyber security is not just about technology. Almost all successful cyber attacks have a contributing human factor’ (a direct extract from the UK National Cybersecurity Strategy 2016-2021 p. 38)
  • ‘for the most part, technology cannot be the only solution to issues related to organisational cybersecurity…employee[s] (the human factor), can present a paradoxical element into the fight’
  • ‘On the one hand, employees can be a critical asset in the fight against cybersecurity breaches, and can act to deny malicious attempts to access sensitive company data. On the other hand, employees can be the ‘weakest link’…in the cybersecurity system; they are not logical, prone to misunderstanding and confusion, act on impulse and want to get their jobs done’

Summary of the research: 

This research focuses on what factors, outside of personality type, play into employee engagement in cyber security in the workplace. The main aim of the research was to understand:

  • to what extent the ability to control job function plays a part in the taking of responsibility for cyber security
  • if the identification with the workplace plays any role in improving cyber security amongst workers

The researchers point out that:

  • there is a difference between knowledge of the company’s information security policies and the ability of the employee to understand them.
  • there is also a potential gap in how individual attitudes and behaviour align with these policies.

Previous research done in the area of cyber security has found that those more likely to be cyber-security conscious were: 

In contrast, those who engage in cyberloafing (engaging in non-work tech use during working hours) or have higher levels of internet addiction were less likely to be cyber-security conscious. The assumption was that these workers believed the higher levels of company security mitigated online risk when accessing specific materials and activities. Another assumption is that those who have little regard for the company they work for, or who feel they have limited control over their job, are also more likely to have a lower interest in adhering to internet security protocols.

Employees who have a higher internal locus of control are more likely to have lower stress levels, feel more in control of their work and have greater job satisfaction. Those who are higher in external locus of control feel they have little control over work, and have higher levels of stress and lower job/company commitment. They are therefore more likely to engage in counter-productive work behaviours, often to rekindle a sense of self-control over their work or potentially as an active attempt to harm the company.

Those who feel less committed to their work may be less prone to engage in cyber security behaviour, or may not see the value in it.

The findings of the research are: 

  • Those with a higher internal locus of control are more likely to see their actions as a way to protect both themselves and the company from cyber attacks
  • Workers with a higher external locus of control, who perceive themselves to have a minimal amount of control over their work and workplace, assumed that both they and the company were vulnerable to attacks whatever action they did or didn’t take, and so saw little value in following processes relating to information security.
  • Those who have a strong work identity, and experience a sense of belonging in their workplace, are more adherent to cyber security policies
  • In contrast, those with a lower level of work identity and/or looking for a new role are less compliant. 
  • Older workers and female workers were also found to be more likely to engage in higher levels of information security compliance, confirming previous research.
  • Those who have a clear understanding of the formal company rules around information security are more likely to follow them. 

Definitions: 

Locus of control: ‘an individual’s expectancy related to how rewards or aspects of life outcomes are controlled on the basis of the actions of the individual (internally) or as a result of forces outside the control of the individual (externality)’.

Organisational commitment: ‘the level of attachment an employee has with their workplace’.

Work identity: ‘the strength of an individual’s identification with their work, and not directly their workplace or organisation’.

This is not an open-source document and will need purchasing to read the full original article.

CyberSecurity and CyberPsych

When Cyber Security meets CyberPsychology

Cyber Security is not the same as CyberPsychology. It is similar to comparing someone who helps you physically set up home security and someone who seeks to understand why you don’t turn that security on when you leave the house. 

In a recent webinar, one of our Cyber Experts, Dr John Blythe, joins three of the collaborators on the latest white paper on Human Factors in Cyber Security. The video is a playback of the webinar.

If you want to access a copy of the white paper to read, you can find it on the Chartered Institute of Ergonomics and Human Factors website.

The webinar playback showcases a recorded video summary of the white paper and also contains a Q&A session with the three panellists. It provides a valuable insight, for those involved in Cyber Security within organisations, into the human factors that have affected and continue to affect companies in a remote and hybrid working environment.

 

Personality Type and Cyber Security

Does our personality type make us more or less susceptible to phishing and online scams?

According to academic research in this area, the short answer is ‘yes’. The majority of research has used The Big 5 Personality Types to identify different types of Cyber Security behaviour. Although research in this area has slightly conflicting results, there are some general findings that are interesting to note. These are outlined briefly below.

Openness to Experiences

Those who have a greater level of this type have a greater ability to adjust their viewpoints and are therefore better able to review information in emails on the merit of the content itself, rather than on preconceived ideas around either the content or the sender. They are, therefore, better able to identify phishing content. However, they are more likely to reveal personal information about themselves on social media and within online communication.

Extroverts

Extroverts are a lot more sociable and more likely to share information with others around phishing scams. They are also more likely to share information about themselves with others and are more likely to have been bored during lockdowns, craving social interaction, so potentially more likely to click on links to help alleviate boredom.

Agreeableness

Those high in agreeableness traits are more inclined to want to please others, and try to avoid people disliking them. They are, therefore, more susceptible to phishing attacks, as they just want to please others. If the email looks like it comes from an internal department or a supplier/customer, they may want to try to be helpful and/or ‘fix’ things.

Neuroticism

People who have more of this personality type have an inherent need to believe that others are telling the truth. They also don’t like to upset people, so are likely to fall for phishing scams.

Conscientiousness

Those who display more of this trait are the least likely to fall for phishing scams. They tend to read content more critically and are more likely to follow training guidelines.

Although generic cyber security training and education is vital within any organisation, to help minimise susceptibility to phishing attacks, training should include how each personality type can be affected differently. This may make individual workers more vigilant towards phishing attacks that they are more susceptible to – based on their dominant personality traits.

Take the Big 5 Personality test and a brief explanation of each:

If you want to take the Big 5 Personality Test to find out more about where you fit within each range, you can find a link below.

Take the test.

Read more about The Big 5 personality types.

A few notes about Personality based Psychometric Tests:

  • Although there are a number of psychometric tests available on the market, a large number of them are complicated to decipher and/or are only commercially available. Researchers, therefore, tend to use The Big 5 personality psychometric test as an academic standard for research.
  • Personality tests can indicate a preference for specific behaviour but should not be used to stigmatise people and categorise them into neat boxes. In all things psychological and behavioural, we are all on a spectrum, and display a unique combination of characteristics to a greater or lesser degree.
  • Personality tests are self-completion questionnaires that people fill in based on how they view their own behaviour. We are generally not very good at understanding our own behaviour. This means that they can give us (like any self-completion questionnaires) an indication of different behavioural types, but should be read and interpreted as such.

If you want to know more about what cybersecurity threats you may encounter, you can read ESET’s T2 2021 Cyber Threat Report.
