Guest Post: What Personality Type Is Most Likely To Be Successfully Hacked?




Our friend Dave Winsborough with his colleague, Daniel Robertson, hit it out of the park with their new piece in Forbes (here) on personality types most likely to be scammed by cybercriminals. I love their headline: 

If it were a country, Cybercrimeland would be a world-scale player.

You should read the whole thing. We love cross-posting like this because cybersecurity is a team sport: us against them. And there are a lot of them.

Let's talk about us. As Dave & Daniel note, there are personality types more likely to get 'phished'. Quoting at length:

Modern personality measures are based on the Big 5 framework, which defines human personality along five broad, bipolar dimensions of individual differences:

Openness to Experience ranges from intellectual curiosity and artistic sensitivity to being conventional and pragmatic.

Conscientiousness spans self-discipline, orderliness, and reliability to spontaneity, disorganization, and impulsivity.

Extraversion contrasts sociability, assertiveness, and energy with reserve, quietness, and a preference for solitude.

Agreeableness describes a continuum from compassion, trust, and cooperativeness to scepticism, competitiveness, and antagonism.

Neuroticism ranges from emotional reactivity and vulnerability to stress, to calmness, emotional stability, and resilience.

Across studies, a fairly clear pattern of three traits seems to make a person more likely to respond to phishing scams, or at greater risk of being taken in by sophisticated social engineering attacks. We can think of these people as warm, outgoing, caring, somewhat scattered and not always careful.

One robust finding is that the more disciplined, methodical and thorough people are, the less likely they are to fall for scams. On the other hand, people who are more flexible – that is, impulsive, intuitive and the kind who react quickly and ask questions later – are exactly the sort who might reactively click a malicious link.

Likewise, people who are warm and trusting, and more eager to help, are more open to exploitation. Agreeable people are also more likely to go along with authority figures, and studies have shown a link between agreeableness and falling prey to phishing.

And finally, sociable, gregarious and outgoing people might also show increased vulnerability, because they engage more readily with emails from people they don’t yet know and are motivated to make new connections.

They continue with an observation similar to one made by Ho et al. and by us: you are more likely to click on a suspicious link if you're not paying attention or if the link looks personally meaningful (versus being about routine work issues):

Interestingly, a strong finding from research is that people who are confident in their belief they wouldn't be fooled and could tell a phishing email from a genuine one were more likely to fall victim. A study of over 800,000 people showed that as confidence increased, detection rates of malicious emails fell. Trusting that "I wouldn't fall for that" leads to:

• Reduced scrutiny of suspicious emails

• Dismissal of security warnings

• Lower engagement with training

• Failure to verify requests.

Trust matters.

Do you have a "zero-trust" process or do you have a zero-trust "policy"? Does your workforce trust you to look out for their interests? What about your customers?

Turns out that human-to-human teamwork is a good defense against bad actor teams.

Thanks Dave & Daniel for sharing your materials for us at Pythia! 

Ask us how you can manage your risks by increasing your trust.
