Ep 8 Todd Fletcher and Dr Chris Fullwood

The Psychology of CyberSecurity Professionals.

Why do cybersecurity professionals, whether deliberately or without realising it, disregard standard cybersecurity protocols?

In this episode, we explore the psychology of cybersecurity and the impact of personality and cognitive bias on our ability to resist cyber-attacks.


In today’s episode of Confessions of a CyberPsychologist, I chat with Todd Fletcher, who is a PhD research student focussing on the psychology of cybersecurity professionals, and Dr Chris Fullwood, who is a senior lecturer in psychology at Birmingham City University and one of Todd’s PhD supervisors.

We talk about the psychology of cybersecurity professionals and why they may intentionally or unintentionally disregard sound cybersecurity practices. We focus on:

01:00 Todd’s background in digital technology and how he became interested in studying CyberPsychology.

06:49 The difference between CyberPsychology and Cybersecurity.

13:00 Todd’s PhD research on the behavioural influences of Cybersecurity professionals.

20:21 The ‘Big 5’ personality traits, how they can either help or hinder a cybersecurity professional in an organisation, and whether there are common traits amongst those more likely to become cyber victims.

35:23 The Security Acceptance Model and its practical application in organisational cybersecurity.

37:33 The recent DefCon conference in Las Vegas and the research Todd was doing at the conference.

42:49 The difference between White, Grey and Black Hat hackers.

47:20 What parents should know about teen amateur hacking behaviour.

01:02:43 The future of cybersecurity amongst professionals and the general tech user.

01:08:55 Advice for those starting out in cybersecurity, and

01:15:18 Managing good mental health practices amongst cybersecurity professionals.

Todd’s background is in digital technology within business. Having spent time implementing cybersecurity practices, he became interested in the people inside those processes, and from there in the psychology of the people who work in cybersecurity.

If you are a cybersecurity professional, manage a cybersecurity team, or are interested in cybersecurity as a career, this is an episode to watch.

Locus of Control and CyberSecurity

What role does job control play in adherence to Cyber Security?

'Exploring the Role of Work Identity and Work Locus of Control in Information Security Awareness'.

Extracts and summary of the research by: Dr Lee Hadlington, Dr Masa Popovac, Prof. Helge Janicke, Dr Iryna Yevseyeva, Dr Kevin Jones (2019)

In her summary of the work, Dr Popovac describes the research as exploring ‘the adherence to organisational information security and the role of work-related and individual factors such as individuals’ perceived control within the workplace, their commitment to current work identity, and the extent to which they are reconsidering commitment to work.’

Key quotes from the research:

  • ‘Cyber security is not just about technology. Almost all successful cyber attacks have a contributing human factor’ (a direct extract from the UK National Cyber Security Strategy 2016-2021, p. 38)
  • ‘for the most part, technology cannot be the only solution to issues related to organisational cybersecurity…employee[s] (the human factor), can present a paradoxical element into the fight’
  • ‘On the one hand, employees can be a critical asset in the fight against cybersecurity breaches, and can act to deny malicious attempts to access sensitive company data. On the other hand, employees can be the ‘weakest link’…in the cybersecurity system; they are not logical, prone to misunderstanding and confusion, act on impulse and want to get their jobs done’

Summary of the research: 

This research focuses on which factors, other than personality type, influence employee engagement with cyber security in the workplace. The main aims of the research were to understand:

  • to what extent an employee’s perceived control over their own job function affects whether they take responsibility for cyber security
  • whether identification with the workplace plays any role in improving cyber security amongst workers

The researchers point out that:

  • there is a difference between an employee knowing that the company’s information security policies exist and actually understanding them.
  • there is also a potential gap between individual attitudes and behaviour and what those policies require.

Previous research done in the area of cyber security has found that those more likely to be cyber-security conscious were: 

In contrast, those who engage in cyberloafing (engaging in non-work tech use during working hours) or have higher levels of internet addiction were less likely to be cyber-security conscious. The assumption was that these workers believed the higher levels of company security mitigated online risk when accessing specific materials and activities. Another assumption is that those who have little regard for the company they work for, or who feel they have limited control over their job, are also more likely to have a lower interest in adhering to internet security protocols.

Employees with a higher internal locus of control tend to have lower stress levels, feel more in control of their work and have greater job satisfaction. Those with a higher external locus of control feel they have little control over their work, experience higher levels of stress and show lower job/company commitment. They are therefore more likely to engage in counter-productive work behaviours, often to rekindle a sense of self-control over their work, or potentially as an active attempt to harm the company.

Those who feel less committed to their work may be less inclined to engage in cyber security behaviour, or may not see the value in doing so.

The findings of the research are: 

  • Those with a higher internal locus of control are more likely to see their own actions as a way to protect both themselves and the company from cyber attacks.
  • Workers with a higher external locus of control perceive themselves to have minimal control over their work and workplace, assume that both they and the company are vulnerable to attack whatever they do or don’t do, and so see little value in following information security processes.
  • Those who have a strong work identity, and experience a sense of belonging in their workplace, are more adherent to cyber security policies.
  • In contrast, those with a lower level of work identity and/or who are looking for a new role are less compliant.
  • Older workers and women were also found to be more likely to comply with information security policies, confirming previous research.
  • Those who have a clear understanding of the formal company rules around information security are more likely to follow them.

Definitions: 

Locus of control: ‘an individual’s expectancy related to how rewards or aspects of life outcomes are controlled on the basis of the actions of the individual (internally) or as a result of forces outside the control of the individual (externality)’.

Organisational commitment: ‘the level of attachment an employee has with their workplace’.

Work identity: ‘the strength of an individual’s identification with their work, and not directly their workplace or organisation’.

This is not an open-access article; the full original will need to be purchased to read.

CyberSecurity and CyberPsych

When Cyber Security meets CyberPsychology

Cyber Security is not the same as CyberPsychology. It is similar to comparing someone who helps you physically set up home security and someone who seeks to understand why you don’t turn that security on when you leave the house. 

In a recent webinar, one of our Cyber Experts Dr John Blythe joins three of the collaborators of the latest whitepaper on Human Factors in Cyber Security. The video is a playback of the webinar.

If you want to access a copy of the white paper to read, you can find it on the Chartered Institute of Ergonomics and Human Factors website.

The webinar playback includes a recorded video summary of the white paper and a Q&A session with the three panellists. It provides valuable insight, for those involved in Cyber Security within organisations, into the human factors that have affected, and continue to affect, companies in a remote and hybrid working environment.

Personality Type and Cyber Security

Does our personality type make us more or less susceptible to phishing and online scams?

According to academic research in this area, the short answer is ‘yes’. The majority of research has used the Big 5 personality traits to identify different types of Cyber Security behaviour. Although results in this area are somewhat conflicting, there are some general findings worth noting. These are outlined briefly below.

Openness to Experiences

Those who score higher on this trait are better able to adjust their viewpoints and are therefore more able to assess an email on the merit of its content, rather than on preconceived ideas about the content or the sender. They are, as a result, better at identifying phishing content. However, they are also more likely to reveal personal information about themselves on social media and in online communication.

Extroversion

Extroverts are more sociable and more likely to share information with others about phishing scams. They are also more likely to share information about themselves, and were more likely to have been bored during lockdowns and to crave social interaction, so were potentially more likely to click on links to relieve that boredom.

Agreeableness

Those high in agreeableness are more inclined to want to please others and try to avoid being disliked. They are therefore more susceptible to phishing attacks. If an email appears to come from an internal department or a supplier/customer, they may want to be helpful and/or ‘fix’ things.

Neuroticism

People who score higher on this trait have a strong need to believe that others are telling the truth. They also don’t like to upset people, so are more likely to fall for phishing scams.

Conscientiousness

Those who display more of this trait are the least likely to fall for phishing scams. They tend to read content more critically and are more likely to follow training guidelines.

Generic cyber security training and education is vital in any organisation, but to help minimise susceptibility to phishing attacks, training should also cover how each personality trait is affected differently. This may make individual workers more vigilant towards the kinds of phishing attack they are most susceptible to, based on their dominant personality traits.

Take the Big 5 Personality Test

If you want to take the Big 5 Personality Test to find out more about where you fit within each range, you can find a link below.


A few notes about Personality based Psychometric Tests:

  • Although there are a number of psychometric tests on the market, many of them are complicated to interpret and/or are only commercially available. Researchers therefore tend to use the Big 5 personality test as the standard instrument for academic research.
  • Personality tests can indicate a preference for particular behaviour, but should not be used to stigmatise people or categorise them into neat boxes. In all things psychological and behavioural we are all on a spectrum, displaying a unique combination of characteristics to a greater or lesser degree.
  • Personality tests are self-completion questionnaires, filled in according to how people view their own behaviour, and we are generally not very good at understanding our own behaviour. Like any self-completion questionnaire, they give an indication of behavioural tendencies and should be read and interpreted as such.

If you want to know more about what cybersecurity threats you may encounter, you can read ESET’s T2 2021 Cyber Threat Report.