Managing Cybersecurity Risks with Personality Science

Baltas Group

According to the World Economic Forum's 2024 Global Risks Report, cybersecurity deficiencies are among the most significant global risk factors in both the short and long term. Even if organizations have the best technical defenses, research shows that a large portion of risks stem not from technology but from the human factor. It has been observed that humans are the most dominant cause of security breaches, with approximately 95% of breaches stemming from human error.¹,²,³,⁴ When examining cybersecurity incidents, it becomes clear that the center of gravity of risk lies not in external threats, but rather in the behavioral weaknesses of employees with internal access to the system.

The corporate cybersecurity chain is only as strong as its weakest link. Every employee is a link in this chain. Therefore, for comprehensive corporate security, every employee must comply with security protocols. Research shows that individuals do not respond similarly to security threats and defenses; rather, their personality structures directly influence their tendency to comply with or struggle to comply with security policies.⁵

Researchers use the Five Factor Model, the most widely accepted model in psychology, as a robust framework to explain the impact of the human factor in the context of cybersecurity and to propose management strategies based on these findings. The relationship between employees' risky cyber behaviors and the traits of conscientiousness and openness is particularly noteworthy.

Risky cyber behavior and conscientiousness

Conscientiousness is regarded as the most important personality factor for explaining behavior in areas that may pose risks, such as health behavior and information security, where it is thought to have a consistent relationship with behavior patterns. This trait describes individuals who are planned, organized, task-oriented, rule-compliant, and thoughtful before taking action. Therefore, individuals with high conscientiousness tend to respond more cautiously in situations that threaten cybersecurity.

The biggest challenge in cybersecurity is sustainable discipline rather than technical knowledge. Individuals with low conscientiousness may struggle more to maintain security practices that require routine, continuity, and short-term mental effort, regardless of their intentions. This manifests itself in behaviors such as delaying system updates, using weak passwords, or neglecting virus scans. It is a source of vulnerability that weakens not only the individual but also the entire network of the organization they belong to.¹²

While low conscientiousness is a major risk factor for cybersecurity, there is a second critical factor that affects the security posture of the corporate network and protects it against common threats: employees' approach to innovation and the unknown.

Openness: high risk or high awareness?

Individuals with high openness are defined as highly curious, creative, and preferring diversity in their experiences.¹³ Johnston and colleagues' findings show that perceptions derived from situational factors play a decisive role in intentions toward information security breaches, and that this perception-intention relationship is moderated by personality meta-traits such as plasticity, which also includes openness.¹⁴ Where security frameworks are not sufficiently clear, weakened perceptions of the binding nature of rules and of the consequences of possible breaches can lead to some security breaches being assessed as low risk or tolerable. Such perceptual assessments suggest that high openness, rather than producing violation behavior on its own, may play a role in strengthening intentions toward cybersecurity violations within the plasticity component, through specific situational perceptions.¹⁴

On the other hand, research shows that openness has a more complex effect than previously thought. In environments where the corporate framework is clearly defined and experience is encouraged in a controlled manner, individuals with high openness can turn their tendency to explore new technologies and security practices into a significant advantage. Learning the functions of new security technologies, identifying potential risk areas at an early stage, and adopting new security solutions become easier, and this has the potential to contribute positively to corporate security.¹⁵

Conclusion

The human factor in cybersecurity plays as decisive a role as technical infrastructure; individuals' personality traits significantly influence how security practices are perceived and reflected in daily behavior. From this perspective, understanding the impact of traits such as conscientiousness and openness on cybersecurity can be used as a strategic tool that provides behavioral foresight, going beyond simple awareness.

Ensuring cyber resilience now requires more than just technical measures and general training. Management strategies must go beyond teaching basic security rules and focus on targeted training and assignments based on personality profiles. This holistic approach will develop individuals with high awareness in areas such as cyber reconnaissance, while protecting those with low conscientiousness with supportive security measures. This will remove the human factor as the weakest link and transform it into a strong pillar of the corporate security architecture.

The psychological foundations of personality traits are at the heart of human-centered strategies in digitalized work practices. Digital applications used in HR processes, in particular, are reshaping the employee experience, collaboration, and decision-making mechanisms. For content addressing human-technology interaction and the implications of this transformation for the workplace, you can explore our Source magazine's issue on Digital Applications in HR at https://kaynakbaltas.com/dergiler/ikda-dijital-uygulamalar/ and gain insights into the topic from various perspectives.

References:

  1. Parsons K, Calic D, Pattinson M, Butavicius M, McCormac A, Zwaans T. The Human Aspects of Information Security Questionnaire (HAIS-Q): Two further validation studies. Comput Secur. 2017;66:40–51.
  2. Parsons K, McCormac A, Butavicius M, Pattinson M, Jerram. Determining employee awareness using Human Aspects of Information Security Questionnaire (HAIS-Q). Comput Secur. 2014;42:165–76.
  3. PricewaterhouseCoopers. Why you should adopt the NIST cybersecurity framework. 2014.
  4. PricewaterhouseCoopers. Key findings from the global state of information security survey 2016. Turnaround and transformation in cybersecurity. 2015.
  5. Warkentin M, Carter LD, McBride ME. Exploring the Role of Individual Employee Characteristics and Personality on Employee Compliance with Cyber Security Policies. In Unknown book. 2011.
  6. Conner M, Abraham C. Conscientiousness and the theory of planned behavior: toward a more complete model of the antecedents of intention and behavior. Personal Soc Psychol Bull. 2001;27(11):1547–61.
  7. Booth-Kewley S, Vickers RR. Associations between major domains of personality and health behavior. J Personal. 1994;62(3):281–98.
  8. Hu Q, Dinev T, Hart P, Cooke D. Top management championship and individual behavior towards information security: an integrative model. In: Proceedings of the 16th European conference on information systems; 2008 Jun 9-11; Galway, Ireland. p. 1–13.
  9. Cellar D, Nelson Z, Yoke C. The five factor model: investigating the relationships between personality and accident involvement. J Prev Interv Community. 2001;22(1):43–52.
  10. Shappie AT, Dawson CA, Debb SM. Personality as a predictor of cybersecurity behavior. Psychol Pop Media Cult. 2019:1–6.
  11. Li Y, Tan CH, Teo HH, Tan BC. Innovative usage of information technology in Singapore organizations: do CIO characteristics make a difference? Eng Manag IEEE Trans. 2006;53(2):177–90.
  12. Shropshire J, Warkentin M, Johnston AC, Schmidt MB. “Personality and IT Security: An Application of the Five Factor Model”. In: Proceedings of the Americas Conference on Information Systems. 2006.
  13. Becerra-García JA, García-León A, Muela-Martínez JA, Egan V. A controlled study of the Big Five personality dimensions in sex offenders, non-sex offenders and non-offenders: relationship with offending behaviour and childhood abuse. J Forensic Psychiatry Psychol. 2013;24(2):233–46.
  14. Johnston AC, Warkentin M, McBride M, Carter L. Dispositional and situational factors: influences on information security policy violations. Eur J Inf Syst. 2016;25(3):231–251. doi:10.1057/ejis.2015.15
  15. Naga J, Tinam-isan M, Maluya MM, Panal K, Tupac MT. Investigating the Relationship Between Personality Traits and Information Security Awareness. Int J Comput Digit Syst. 2024;15(1):1233–46.
