Employees and Social Engineering
Even though they understood the risks involved, nearly 25% of employees responding to a cybersecurity survey admitted to ignoring company-promoted best practices. Those practices included not storing login credentials or saving company documents onto personal computers.
It’s an unnerving statistic for anyone tasked with protecting a company's network. Or, for that matter, even those who understand the potential ramifications of a breach.
With one study estimating the annual cost of delivering security training to employees at approximately $290,000, such behavior suggests a shortcoming in efforts to defend organizations against cyber threats.
The reasons why might be as varied as the employees entrusted with upholding their companies’ cyber defenses.
Cybersecurity and the Individual
A team of researchers out of Duke University sought to better understand how behavioral controls and personality traits impacted cybersecurity policy violation. One goal driving the research: the idea that identifying empirical connections between employee personality type and effective cybersecurity protocol would prove valuable in developing better guidelines and stronger procedures.
The research helped establish that everyone perceives cybersecurity threats and their ramifications differently based on their personality type, and that different actions spring from this perception.
For example, the fact that John Smith matches the personality profile of someone who is extroverted makes it likelier that he will violate cybersecurity policies than Bob Williams, whose personality profile suggests he’s more neurotic.
OCEAN’s 5
The personality types used in the study are sometimes referred to as the “Big Five” and other times are referenced by the acronym OCEAN. OCEAN stands for Openness (to experience), Conscientiousness, Extraversion, Agreeableness, and Neuroticism.
Brief descriptions of the traits appear below, alongside the descriptions from L.F. Zhang that the Duke researchers used.
Big Five Personality Traits + Descriptions
Openness to experience: Tend to exhibit open-mindedness, an active imagination, preference for variety, and independence of judgment.
Conscientiousness: Tend to distinguish themselves for their trustworthiness and their sense of purposefulness and of responsibility.
Extraversion: Tend to be sociable and assertive, and they prefer to work with other people.
Agreeableness: Tend to be tolerant, trusting, accepting, and they value and respect other people’s beliefs and conventions.
Neuroticism: Tend to experience such negative feelings as emotional instability, embarrassment, pessimism, and low self-esteem.
Their work led the Duke team to compile a list of anticipated reactions from a range of individuals exhibiting specific character traits. A sampling:
Individuals who are LESS LIKELY to violate cybersecurity policies
Open individuals with a low sense of Threat Severity
Conscientious individuals with a low sense of Threat Severity
Extroverted individuals with a low sense of Sanction Severity
Agreeable individuals with a low sense of Self-Efficacy
Individuals who are MORE LIKELY to violate cybersecurity policies
Open individuals in general
Extroverted individuals with a low sense of Threat Severity
Agreeable individuals with a low sense of Sanction Severity
Neurotic individuals with a low sense of Sanction Severity
An example from the researchers:
“[E]xtroverted individuals with a low sense of sanction severity are not motivated by punishments (such as receiving a negative evaluation or losing their job). Hence, training for these individuals could de-emphasize sanctions as a part of the training program, especially appeals which focus on the severity of sanctions.”
Effectively Waging Half the Battle
Creating a cybersecurity policy and enforcing it in one particular manner is only half the battle, since different personality types filter the policies and punishments differently. That is why more than a quarter-million dollars is spent each year on what too often feels like a losing battle.
But if that’s half the battle, there’s still the other half to wage. While no universally approved, empirically definitive path has emerged that provides the sort of cybersecurity training the Duke researchers posited, that doesn’t mean concerned companies and their IT departments are empty handed.
Another study, conducted by a different set of researchers, illustrated that a lack of awareness about information security policies is still a major issue with which to contend. If effectively combating a lack of awareness means the difference between a near-miss and a catastrophic cyber attack, then it’s as worthy a battle to wage as any.
But how does a company do that?
Straightforward and Effective Defense
A survey of cybersecurity awareness training calls up three repeating suggestions:
Foster a culture of “cyber-awareness”
Provide recurring training
Keep it simple
Culture
Instituting an enterprise-wide cybersecurity-aware culture requires buy-in and promotion from the CEO down to college interns. Periodic organization-wide internal email messages, a brief presentation during new employee orientation, and similar measures help ensure associates are conscious of the threats and encouraged to take the proper steps.
Recurring Training
Part-and-parcel with establishing a culture favorable to employee cybersecurity awareness is providing regular training. That helps keep employees engaged and provides an opportunity to keep them up to date on the ever-changing threat landscape. A one-and-done approach won’t help you keep pace with the bad guys.
Simplicity
It can be difficult to keep effective cybersecurity measures straight. Requiring employees to memorize a manual’s worth of tips and tricks will ultimately only serve to frustrate them and compromise the company’s policies and practices.
Cybersecurity Solutions
A growing body of work suggests genuine, deep-rooted cybersecurity support among employees will require in many organizations a sweeping adjustment to their training. We can help you maintain tight security in the meantime.