Cyberchology: how the human factor affects cybersecurity
That achieving robust cybersecurity requires organizations to understand the very human aspects involved is a topic I've touched on a few times during a year in which Covid has put so many of us through the mental wringer. The importance of the topic has been further underlined, however, by a new paper from cybersecurity firm ESET and the leading business psychology organization The Myers-Briggs Company. The Myers-Briggs Company are famous for their personality tests, and the paper sets out to explore how personality type affects our vulnerability to cybercrime.
The report highlights how the pandemic has prompted a wholesale shift towards remote working, and this has left many organizations and individuals vulnerable to cyberattack. It's a shift that they believe has forced much of the responsibility for robust digital hygiene onto the shoulders of individual employees rather than central systems.
"With so much responsibility resting on employees all working from different locations, devices and networks, a self-awareness of positive cybersecurity habits and personalised cybersecurity training is essential," the report says. "This paper will explore why and how HR and Tech teams should work together to build resilient IT systems, strategies and teams, for a resilient business."
The report highlights that many of the more basic cybersecurity measures, including the use of multi-factor authentication, enabling of automatic updates on devices, and securing Wi-Fi networks, are often done automatically for employees when working on-site, but are all things that they themselves are largely responsible for when working remotely.
As such, the research finds that 80% of organizations are citing human factors as a key challenge in ensuring the security of their digital systems.
"With the combination of fractured business IT systems and a lack of central security, a sudden shift to remote working and a global climate of stress and concern is the perfect breeding ground for a successful cyberattack," the authors say.
Stress is the underlying factor behind many of the challenges employees face in maintaining good digital hygiene while working remotely. Myers-Briggs reveal that nearly half of us worry about our ability to manage stress successfully during the pandemic, with the twin concerns of health and finance buffeting our mental wellbeing.
They highlight how this undercurrent of stress affects us in different ways, depending on our personality types. They believe that knowing the personality types of our workforce can help us better understand the very real risks they may be exposed to from cyberattacks.
For instance, activist personality types (ESTP & ESFP) are often stressed by a lack of stimulation and excitement. They can also struggle with the kind of physical confinement that Covid has forced upon us, whether due to the illness itself or lockdown measures. Stress in such people can manifest itself in the seeking of external stimulation and inherently short-term thinking.
By contrast, for explorer personality types (ENTP & ENFP), stress can be caused by our colleagues, especially if they're inflexible, or a lack of variety in our lives. This can manifest itself in a desire to not be tied down by decisions or an inability to take things seriously enough.
The flipside, of course, is that those on the more introverted side of the spectrum can suffer from a lack of detailed plans or the ability to think through things before responding. Stress for introverted employees can result in withdrawal from the team and a desire to build excessively complex solutions to the problems they face.
The researchers urge organizations to build greater resilience to cope with the heightened risk of cyberattack, whether in terms of the technological infrastructure they deploy, the HR systems in place, or the coping mechanisms used by employees as individuals. They reveal that nearly 70% of employees are concerned about cybersecurity, but lack the means to do anything about their concerns.
"The overwhelming majority of cyberattacks are successful not because of the hacker’s skill, but due to human error or oversight," the researchers explain. "In fact, 80% of companies reported that a significant challenge during COVID-19 was the increase in cybersecurity risk caused by the human factor."
They believe that because cybersecurity so often relies on employees behaving in the appropriate way and engaging in the right security practices, it can only really be achieved if cybersecurity teams understand the way employees respond to the stresses they encounter during periods such as the Covid pandemic.
There is a growing sense that IT teams are appreciating that cybersecurity isn't just an IT problem and that human factors are vital if a holistic cybersecurity strategy is to be developed.
"Accounting for personality preferences can make cybersecurity training more engaging and effective too – by delivering broader training at induction and following it up with regular check-ins and updates that are tailored to employees’ personalities, good cyber hygiene and security habits are more likely to be adhered to," the authors conclude.