Stellenbosch University
Agreeable personalities a top target for cybercriminals – SU study
Author: Corporate Communication and Marketing/Korporatiewe Kommunikasie en Bemarking [Alec Basson]
Published: 08/05/2024

People with an agreeable personality have a higher chance of being manipulated by cybercriminals to share private and sensitive information, a new study at Stellenbosch University (SU) found.

Conducted by Cape Town-based system analyst Vian Smit, a recent master's graduate in Socio-Informatics at SU, the study suggests a striking correlation between personality types and cybersecurity risk.

Smit surveyed close to 700 people on their personality type and how likely they were to respond to different social engineering attacks — when cybercriminals trick people into giving up private information or passwords or clicking on harmful links. He wanted to assess their susceptibility to these attacks.

Smit focused on the so-called Big Five personality types used in the field of cybersecurity, namely conscientiousness, extraversion, agreeableness, openness, and neuroticism.

Smit says the results of his study show that being agreeable makes people most likely to fall victim to social engineering attacks, followed by those who are conscientious (disciplined, motivated, and respecting rules and procedures) and extroverts (outgoing, sociable, thrill-seeking). Neurotic (emotionally unstable and anxious) and open-minded people (open to new experiences, events, ideas and beliefs) are less likely to be tricked. Extroverts violate cybersecurity policies more frequently because they tend to comply with malicious requests more regularly, according to Smit.

“Among the personality traits that I examined, agreeableness emerged as the most vulnerable to social engineering tactics. Individuals with high levels of agreeableness were found to be particularly susceptible to manipulation by cybercriminals. Conversely, neuroticism, marked by emotional instability and anxiety, exhibited the lowest susceptibility to such attacks.

“People with an agreeable personality are compassionate, altruistic, friendly, trusting, sympathetic, kind and forgiving. They're not suspicious and hostile and want to please people. They generally believe in the goodness of humanity and that other people are honest and have good intentions. Their inclination to always be kind and wanting to help others puts them at a disadvantage when they are faced with a social engineering attack.

“They are more susceptible to phishing (a person gets duped into opening fake emails, instant messages, or text messages), spear phishing (a specific person is targeted), impersonation (cybercriminal pretends to be someone else), pretexting (creating deceptive scenarios to gain information), watering hole (infecting the website a person views most frequently), QRishing (malicious software or fraudulent websites are hidden in QR codes), and smishing (use of deceptive text messages to get sensitive personal information).”

Smit adds that neurotic personality types are easy targets for attacks that use fake applications or plug-ins (software that makes computer programmes or websites do new things or work better), and extroverts for malvertisements (a person is tricked by fake advertisements into installing malicious programmes) and Wi-Fi evil twin attacks (a fake Wi-Fi network is used to gain access to a person's device). Conscientious people are susceptible to phishing, spear phishing, impersonation, pretexting, watering hole and QRishing attacks, while open-minded individuals are more likely to fall for pretexting, watering hole and Wi-Fi evil twin attacks.

Smit says cybercriminals know that we all have psychological needs such as the desire to be liked, socially accepted, and trusted, among others. They use social engineering tactics to trigger these psychological needs so that we share private information.

According to him, information about people's personality types and their susceptibility to social engineering attacks could help cybersecurity teams in businesses and organisations to incorporate effective mitigation strategies for each personality type. Organisations will also know which employees are more susceptible to these attacks by having a better understanding of their personality types.

“Understanding the personality traits that are most vulnerable to social engineering attacks can help cybersecurity experts develop more effective protection strategies.

“Armed with a deeper understanding of the human psyche, organisations can navigate the complexities of cybersecurity with confidence, safeguarding their most valuable assets in an ever-changing threat landscape.”

Smit says nowadays cybersecurity measures do not just encompass technological improvements, but also human personality types. Organisations have a far greater challenge now in mitigating the impact of social engineering attacks, he adds.

“They should improve employee awareness and training, particularly for those with agreeable personality traits, to reduce the risk of successful social engineering attacks.

“In addition to addressing human vulnerabilities, organisations should also implement robust cybersecurity measures, such as those outlined in the top five strategies for vulnerability mitigation — asset discovery and vulnerability identification, implementing security controls, patch management, and continuous monitoring.”