Content uploaded by Scott M. Debb
Author content
All content in this area was uploaded by Scott M. Debb on May 13, 2020
Content may be subject to copyright.
Psychology of Popular Media Culture
Personality as a Predictor of Cybersecurity Behavior
Alexander T. Shappie, Charlotte A. Dawson, and Scott M. Debb
Online First Publication, May 23, 2019. http://dx.doi.org/10.1037/ppm0000247
CITATION
Shappie, A. T., Dawson, C. A., & Debb, S. M. (2019, May 23). Personality as a Predictor of
Cybersecurity Behavior. Psychology of Popular Media Culture. Advance online publication.
http://dx.doi.org/10.1037/ppm0000247
Personality as a Predictor of Cybersecurity Behavior
Alexander T. Shappie and Charlotte A. Dawson
Virginia Consortium Program in Clinical Psychology,
Norfolk, Virginia
Scott M. Debb
Virginia Consortium Program in Clinical Psychology, Norfolk,
Virginia, and Norfolk State University
Personality may better predict cybersecurity behavior relative to an individual’s stated intentions;
however, people often behave in ways that are discordant with what they intend. Assuming most people
have the intention of complying with safe practices, it is still no surprise that people violate policies and
put sensitive data at risk regularly. Previous research has investigated all of the “Big Five” personality
factors in relation to cybersecurity behavior, although there is no consensus regarding which factors are
most important. In this study, data were collected from 676 undergraduate students who were adminis-
tered the Employees’ Online Security Behavior and Beliefs questionnaire and the Big Five Inventory– 44.
Significant correlations were observed between self-reported cybersecurity behaviors and some, but not
all, personality constructs. Linear regression was used to examine whether the 5 personality factors were
significantly associated with cybersecurity behaviors, and a hierarchical regression examined the per-
sonality factors that explained additional variance over-and-above cybersecurity behaviors, specifically
perceived barriers, response efficacy, and security self-efficacy. Conscientiousness, agreeableness, and
openness were significantly associated with self-reported cybersecurity behaviors. Results suggest that
personality plays an important role in understanding cybersecurity behaviors, which is consistent with a
growing body of literature highlighting conscientiousness as a strong predictor of cybersecurity behav-
iors. The present study’s findings suggest that personality structure is associated with cybersecurity
behaviors and that conscientiousness and openness may be particularly salient to this relationship.
Public Policy Relevance Statement
Given today’s digitally connected world, minimizing threats to information security have become
increasingly important. People tend to be considered the weakest link in cybersecurity infrastructure.
The present study investigated the association between personality characteristics and cybersecurity
behaviors, and the results have implications for cybersecurity training as well as hiring practices.
Keywords: information security, cybersecurity, Big Five personality, self-efficacy, perceived barriers
The reality of a globally connected society demands that atten-
tion be given to how people from the general population regularly
utilize technology. Given today’s digitally connected world,
threats to information security have the potential to impact large
swaths of society as well as singular individuals. Previous research
has focused on intention as a predictor of cybersecurity behavior
(Shropshire, Warkentin, & Sharma, 2015) because people are
typically considered the weakest link within any cybersecurity
infrastructure (Guo, Yuan, Archer, & Connelly, 2011). This is
likely because people’s actual behavior often differs from what
they intend (Ajzen, Brown, & Carvajal, 2004).
Intention
People often behave in ways that are discordant with how they
intend to behave. Human beings are not bound by a prerequisite
that calls for consistency between a singular intention and a
subsequent behavior. Applied to the modern-day context of infor-
mation security, people tend to express concern about cybersecu-
rity, but fewer actually take action to protect their data (Crossler et
al., 2013). This may be due to intention being a cognitive process,
whereas behavior is more closely associated with impulsivity in
the moment or other unconscious processes that require less cog-
nitive effort (Wansink & Sobal, 2007; Willison & Warkentin,
2013).
If we assume that the majority of everyday consumers of tech-
nology have every intention of complying with cybersecurity
policies and best practices, it is counterintuitive how people si-
multaneously engage in actions that violate policies and put their
own and other people’s sensitive data at risk. Research demon-
strates that this may be the result of laziness, ignorance, lack of
motivation, or simply accidental oversight (Rhee, Kim, & Ryu,
2009). Further, insider threat— broadly defined as what occurs
Alexander T. Shappie and Charlotte A. Dawson, Virginia Consortium
Program in Clinical Psychology, Norfolk, Virginia; Scott M. Debb, Vir-
ginia Consortium Program in Clinical Psychology, and Department of
Psychology, Norfolk State University.
Correspondence concerning this article should be addressed to Scott M.
Debb, Department of Psychology, Norfolk State University, Brown Hall,
Suite 216, Norfolk, VA 23504. E-mail: smdebb@nsu.edu
This document is copyrighted by the American Psychological Association or one of its allied publishers.
This article is intended solely for the personal use of the individual user and is not to be disseminated broadly.
Psychology of Popular Media Culture
© 2019 American Psychological Association 2019, Vol. 2, No. 999, 000
2160-4134/19/$12.00 http://dx.doi.org/10.1037/ppm0000247
1
when trusted people behave in ways that put shared data and the
systems they rely upon at risk (Maasberg, Warren, & Beebe,
2015)—may be the net result of distraction, general disinterest, or
insider abuse when someone deliberately violates explicit cyber-
security policies (Boss, Kirsch, Angermeier, Shingler, & Boss,
2009; Warkentin & Willison, 2009). In addition, intentional en-
gagement in workplace security violations are often influenced by
a relative advantage related to job performance (e.g., help in
completing tasks or increasing productivity), perceived security
vulnerability, workgroup norms, and perceived identity or profes-
sional image (Guo et al., 2011).
Behavioral outcomes research has examined the relationship
between intentions and specific cybersecurity behaviors, such as
the utilization of security software, and that personality may be a
stronger predictor of behavior than an individual’s stated inten-
tions (Shropshire et al., 2015). For example, some individuals are
more likely to be guided by their sense of morality, whereas others
are more likely to engage in an assessment of the perceived costs
and benefits of explicit policy violation (Siponen & Vance, 2010).
Personality is thought to better explain the relatedness between
intention and behavior (Conner & Abraham, 2001; Rhodes &
Courneya, 2003) and perhaps even act as a moderator of the
relationship (Shropshire et al., 2015).
The personality constructs of agreeableness and conscientious-
ness in particular have demonstrated a strong relationship with
better cybersecurity practices (Hadlington & Murphy, 2018). For
example, evidence suggests that conscientious people may be more
likely to consistently update software and generate strong pass-
words, whereas extroverted people may be more likely to better
secure their devices (Gratian, Bandi, Cukier, Dykstra, & Ginther,
2018). Interestingly, neither age nor gender has been found to have
a comparatively large impact on awareness of information security
practices (McCormac et al., 2017).
The “Big Five”
One of the most widely used conceptualizations to understand
the nature and manifestation of personality is the “Big Five” (John,
Donahue, & Kentle, 1991). This model measures five personality
constructs: openness, conscientiousness, extraversion, agreeable-
ness, and neuroticism (John & Srivastava, 1999; see Table 1).
Previous research has investigated all of the “Big Five” factors in
relation to information security (Bansal, 2011; Gratian et al., 2018;
Halevi et al., 2016; Korzaan & Boswell, 2008; McCormac et al.,
2017).
When investigating the relationship between the five factors and
dimensions of cybersecurity (secure behavior, self-efficacy, and
privacy attitudes), Halevi and colleagues (2016) found that con-
scientiousness was linked to people who tend to engage in more
secure online behavior. Openness was positively associated
with self-efficacy (an individual’s belief that they can mitigate
cybersecurity risks), whereas neuroticism was negatively associ-
ated with self-efficacy. Conscientiousness, neuroticism, and extra-
version have all been found to be positively associated with
privacy and security concerns (Bansal, 2011). In contrast, Korzaan
and Boswell (2008) found that only agreeableness was positively
associated with concern for information privacy. Openness, agree-
ableness, conscientiousness, and emotional stability (the inverse of
neuroticism) have been positively associated with information
security awareness (defined as the extent to which someone un-
derstands the information security rules and guidelines of their
workplace and behaves accordingly). When controlling for age and
gender, conscientiousness was the strongest overall predictor of
information security awareness, followed by agreeableness (Mc-
Cormac et al., 2017).
McCrae and Costa (1995) emphasized that attitudes and per-
sonal strivings are likely to moderate the relationship between
personality constructs (i.e., the Big Five) and behavior. Despite
compelling evidence, there is no consensus regarding whether all
the Big Five personality factors are important when examining
information security attitudes, intentions, and behaviors. For ex-
ample, conscientiousness and agreeableness seem to moderate the
relationship between intention and initial adherence to security
practices (Shropshire et al., 2015). As conscientiousness and
agreeableness increase, the strength of the relationship between
intention and initial adherence to security practices increases.
Uffen and Breitner (2014) developed a model that included con-
scientiousness, openness, and neuroticism, proposing an explana-
tion of the relationship between personality traits and the attitudes
of information security executives. For this subgroup, conscien-
tiousness positively influenced attitudes toward management of
security measures, and compliance-related factors moderated the
relationships between both conscientiousness and openness with
security attitudes. These results highlight the role that attitudes
may play in the association between personality and behavior.
These findings demonstrate a connection between personality
factors as defined by the Big Five model and cybersecurity atti-
tudes and behavioral practice. Conscientiousness has been most
frequently associated with information security behaviors, atti-
tudes, and intentions; however, previous research has documented
associations between all Big Five personality factors and cyberse-
curity practices (Bansal, 2011; Korzaan & Boswell, 2008). Nev-
ertheless, these associations have varied widely between studies.
One reason is because there does not appear to be a standard way
of operationalizing cybersecurity practices. In addition, many of
these studies examine different outcomes (e.g., self-efficacy, cy-
bersecurity behaviors, and security concern).
The present study aimed to address some of these concerns by
examining the impact of all five personality factors on cybersecu-
rity behaviors while also controlling for other related variables,
including self-efficacy (Siponen, Mahmood, & Pahnila, 2014),
perceived barriers (Anwar et al., 2017), and response efficacy
Table 1
The “Big Five” Personality Factor Descriptions (John &
Srivastava, 1999)
Conscientiousness Impulse control behaviors that help with goal and
task completion, such as planning, organizing,
and delaying gratification
Openness The extent to which an individual’s mind and
experiences are complex and original
Agreeableness Prosocial attitudes toward others, including traits
such as trust and tender-mindedness
Neuroticism The contrast on emotional stability, includes
feelings like anxiety and sadness
Extraversion Sociability and an energetic approach to the
world
This document is copyrighted by the American Psychological Association or one of its allied publishers.
This article is intended solely for the personal use of the individual user and is not to be disseminated broadly.
2SHAPPIE, DAWSON, AND DEBB
concurrently (Johnston & Warkentin, 2010). Due to the inconsis-
tency with which previous research included all personality fac-
tors, a research question was proposed to investigate whether the
five factors were significantly associated with cybersecurity be-
haviors. It was hypothesized that self-reported cybersecurity be-
haviors would be correlated with the five personality factors and
that the personality factors would explain additional variance in
self-reported cybersecurity behaviors over and above that of self-
efficacy, perceived barriers, and response efficacy.
Method
Participants and Recruitment
A convenience sample of 676 undergraduate students were
recruited from two public universities, one of which was a large,
research-oriented institution and the other a historically black
liberal arts university. Participants were recruited from undergrad-
uate courses, university e-mail announcements, and formal re-
search participant pools offered at the larger institution. The mean
age of the sample was 23, ranging from 18 to 56. Participants had
to be at least 18 years old to participate in the study. They were
also asked to self-report demographic information including their
age, gender, race, ethnicity, academic major, and grade point
average.
Materials
Personality traits. The Big Five Inventory (BFI; John et al.,
1991) is a 44-item measure used to assess five domains of per-
sonality. These domains (and sample items) include Extraversion
(eight items; e.g., “Is full of energy”), Agreeableness (nine items;
e.g., “Has a forgiving nature”), Conscientiousness (nine items;
e.g., “Does a thorough job”), Neuroticism (eight items; e.g., “Wor-
ries a lot”), and Openness (10 items; e.g., “Has an active imagi-
nation”). Participants were asked to indicate the extent to which
they saw themselves as someone who exhibited specific traits
using a Likert-scale ranging from 1 (disagree strongly)to5(agree
strongly). Scores are calculated by taking the mean of each do-
main, after reverse scoring negatively worded items. John and
colleagues (1991) found the BFI to be reliable in the United States,
with ␣s ranging from .75 to .90, and convergent validity was
demonstrated via correlations with Goldberg’s (1992) Trait De-
scriptive Adjectives (r⫽.81) and Costa and McCrae’s (1992)
NEO Five-Factor Inventory (r⫽.73; John & Srivastava, 1999).
Information security. Anwar and colleagues (2017) created a
questionnaire to measure online security behaviors and beliefs in
organizational settings that incorporated adapted items from other
questionnaires available in the information security literature. The
present study used 24 items from the questionnaire, which com-
prised the following domain areas: Perceived Barriers (four items;
e.g., “Changing the privacy setting on social media sites is incon-
venient”), Response Efficacy (four items; e.g., “Careful compli-
ance with information security policies helps to avoid security
problems”), Security Self-efficacy (seven items; e.g., “I know how
to apply security patches to operating systems”), and Self-
Reported Cybersecurity Behavior (nine items; e.g., “I keep the
anti-virus software on my computer up-to-date”). Items that spec-
ified “employee” were modified to omit wording that would seem
to pertain only to a workplace setting. Participants responded to the
items using a 7-point Likert scale ranging from 1 (strongly dis-
agree)to7(strongly agree). For this study, internal reliability
statistics yielded acceptable ␣coefficients for each subscale, as
well as item-total correlations that were all above 0.70.
Procedure
The present study used a cross-sectional design approved by the
institutional review boards at both universities. Participants com-
pleted an anonymous online survey, providing informed consent
before data collection. To ensure participants did not take the
survey multiple times, an option was included to prevent multiple
submissions from the same IP address, along with an honesty
statement asking participants to indicate whether they completed
the survey previously. Finally, to track the yield of the various
recruitment strategies, participants were asked to indicate which
recruitment strategy led to their participation.
Results
Data were collected from 676 undergraduate participants (see
Table 2 for descriptive data). Before conducting statistical analy-
ses, descriptive statistics were reviewed to determine whether there
was significant missing information or systematic errors in the data
set. Missing values ranged from 2.4% to 4.3%. Little’s missing
completely at random test (Little, 1988) was used to determine that
data were primarily missing at random due to item nonresponse,
and not missing systematically (p⫽.10). Thus, expectation max-
imization imputation was used to correct for missing data. Imputed
values were compared with observed values, and results using
list-wise deletion were similar to expectation maximization. De-
scriptive statistics of the Employees’ Online Security Behavior and
Beliefs subscales as well as the BFI subscales are displayed in
Table 3. Higher scores on subscales were indicative of relatively
greater amounts of each construct. All subscales demonstrated
acceptable to good internal reliability.
Table 2
Descriptive Statistics of the Sample
Variable NPercentage
Gender
Female 528 78.1
Male 146 21.6
Race
African American 292 43.2
Caucasian 259 38.3
Latino/a 45 6.7
Multiracial 42 6.2
Other 10 0.14
Academic status
Freshman 138 20.4
Sophomore 116 17.2
Junior 152 22.5
Senior 244 36.1
Graduate student 25 3.7
Currently employed
Yes 429 63.6
No 245 36.4
This document is copyrighted by the American Psychological Association or one of its allied publishers.
This article is intended solely for the personal use of the individual user and is not to be disseminated broadly.
3
PERSONALITY PREDICTORS OF CYBERSECURITY
After examining the descriptive statistics of the sample, the
assumptions of regression analyses were tested. All variables were
found to meet the assumptions of normality and homoscedasticity,
and all skewness and kurtosis values fell within the acceptable
range of ⫺1.5 and 1.5 (Tabachnick & Fidell, 2013). Histograms
appeared relatively normal except for participant age, which was
positively skewed. This was not surprising given the population
sampled. Multicollinearity was assessed via intercorrelations
among predictor variables, variance inflation factor values, and
tolerance values. There were no intercorrelations above .60 be-
tween independent variables.
Bivariate correlations demonstrated significant relationships be-
tween self-reported cybersecurity behaviors and the independent
variables (Table 4). Of particular note, self-reported cybersecurity
behaviors were significantly correlated with four of the five factors
of the BFI: Agreeableness, r⫽.23, p⬍.001; Openness, r⫽.26,
p⬍.001; Neuroticism, r⫽⫺.18, p⬍.001; and Conscientious-
ness, r⫽.26, p⬍.001; as well as three subscales of the security
behavior measure: Perceived Barriers, r⫽⫺.34, p⬍.001; Re-
sponse Efficacy, r⫽.43, p⬍.001; Security Self-Efficacy, r⫽
.49, p⬍.001. See Table 4 for correlations among all study
variables.
Linear regression analyses were used to examine whether the
five factors of the BFI were significantly associated with self-
reported cybersecurity behaviors. Regression analyses were cho-
sen to test the hypotheses because it allows for establishing asso-
ciations between independent variables and a dependent variable
while also taking in to account the impact of other variables of
theoretical importance. Initially, participant’s age, gender, race,
and grade point average were considered as demographic variables
to include in the regression analyses; however, only age was found
to be a significant predictor of self-reported cybersecurity behav-
iors. Nevertheless, skewness and kurtosis values associated with
age were significantly different from what would be expected of a
normal distribution, and age was removed from subsequent anal-
yses. The subsequent regression analysis, which included all five
factors of the BFI, revealed that the overall model was signifi-
cantly associated with self-reported cybersecurity behaviors, F(5,
639) ⫽16.35, R
2
⫽.113. Three of the five factors were signifi-
cantly associated with self-reported cybersecurity behaviors:
Agreeableness (⫽.107, p⬍.05), Conscientiousness (⫽.121,
p⬍.05), and Openness (⫽.184, p⬍.001).
A hierarchical regression analysis was then conducted to deter-
mine whether the three significant personality factors explained
additional variance over and above other cybersecurity-related
subscales, specifically Perceived Barriers, Response Efficacy, and
Security Self-Efficacy. These three subscales were entered into the
first block of the analysis and Agreeableness, Conscientiousness,
and Openness were entered into the second block of the analysis.
The adjusted R
2
for the first block was .403, indicating that the
model predicted 40.3% of the variance in self-reported cybersecu-
rity behaviors. Introducing Agreeableness, Openness, and Consci-
entiousness in to the second block of the analysis explained an
additional 1.2% of the variance. This change in R
2
was significant,
F(3, 637) ⫽5.34, p⬍.01; however, only Conscientiousness and
Openness predicted a significant amount of variance over and
above the variables in the first block (⫽.079, p⬍.05; ⫽.066,
p⬍.05, respectively). The unstandardized coefficients of the full
regression equation, as well as the beta weights, standard errors,
and significance values for all predictor variables, are included in
Table 5.
Discussion
The present study analyzed cybersecurity behaviors among an
ethnically diverse college student population in the United States, with
results providing evidence for the association between the personality
factors reflected in the BFI and self-reported cybersecurity behaviors.
The overall model, which incorporated all five personality factors,
was significantly associated with self-reported cybersecurity behav-
iors; however, Conscientiousness, Agreeableness, and Openness were
the only factors that were significantly associated with self-reported
cybersecurity behaviors. This is in line with previous research that
demonstrated similar findings (Halevi et al., 2016; McCormac et al.,
Table 3
Descriptive Statistics of Included Subscales
Variable NRange M⫾SD ␣
BFI Extraversion 627 1.00–5.00 3.27 ⫾.70 .79
BFI Agreeableness 625 1.67–5.00 3.87 ⫾.63 .78
BFI Conscientiousness 624 2.33–5.00 3.73 ⫾.60 .74
BFI Neuroticism 621 1.00–5.00 2.97 ⫾.75 .78
BFI Openness 625 1.60–5.00 3.63 ⫾.55 .71
Perceived Barriers 654 1.00–7.00 3.45 ⫾1.36 .82
Response Efficacy 655 1.00–7.00 5.51 ⫾1.00 .93
Security Self-Efficacy 638 1.00–7.00 3.98 ⫾1.40 .85
Note. BFI ⫽Big Five Inventory.
Table 4
Bivariate Correlations of Subscale Scores
Variable 1 2 3456789
1. Perceived Barriers — ⫺.19
ⴱⴱⴱ
⫺.10
ⴱⴱ
⫺.34
ⴱⴱⴱ
⫺.05 ⫺.29
ⴱⴱⴱ
⫺.30
ⴱⴱⴱ
.19
ⴱⴱⴱ
⫺.18
ⴱⴱⴱ
2. Response Efficacy — .22
ⴱⴱⴱ
.43
ⴱⴱⴱ
.14
ⴱⴱⴱ
.33
ⴱⴱⴱ
.33
ⴱⴱⴱ
⫺.15
ⴱⴱⴱ
.30
ⴱⴱⴱ
3. Security Self-Efficacy — .49
ⴱⴱⴱ
.02 .01 .01 ⫺.16
ⴱⴱⴱ
.10
ⴱⴱ
4. Cybersecurity Behavior — .06 .23
ⴱⴱⴱ
.26
ⴱⴱⴱ
⫺.18
ⴱⴱⴱ
.26
ⴱⴱⴱ
5. Extraversion — .23
ⴱⴱⴱ
.21
ⴱⴱⴱ
⫺.30
ⴱⴱⴱ
.26
ⴱⴱⴱ
6. Agreeableness — .47
ⴱⴱⴱ
⫺.35
ⴱⴱⴱ
.32
ⴱⴱⴱ
7. Conscientiousness — ⫺.50
ⴱⴱⴱ
.33
ⴱⴱⴱ
8. Neuroticism — ⫺.14
ⴱⴱⴱ
9. Openness —
ⴱⴱ
p⬍.01.
ⴱⴱⴱ
p⬍.001.
This document is copyrighted by the American Psychological Association or one of its allied publishers.
This article is intended solely for the personal use of the individual user and is not to be disseminated broadly.
4SHAPPIE, DAWSON, AND DEBB
2017; Shropshire et al., 2015). A follow-up hierarchical regression
analysis revealed that Conscientiousness and Openness explained
additional variance over and above other relevant cybersecurity vari-
ables, including Perceived Barriers, Response Efficacy, and Security
Self-Efficacy. This analysis expands the current literature by exam-
ining personality factors not only concurrently but also in tandem with
other relevant variables.
These results suggest that personality factors play an important role
in understanding cybersecurity behaviors and are consistent with a
growing body of literature highlighting that Conscientiousness ap-
pears to be a strong predictor of cybersecurity behaviors and infor-
mation security awareness (Hadlington, 2018; McCormac et al., 2017;
Shropshire et al., 2015; Uffen & Breitner, 2014). Nevertheless, Open-
ness was also a significant predictor of cybersecurity behaviors in the
hierarchical regression analysis, suggesting that it should be consid-
ered in the adoption of cybersecurity practices.
Although Agreeableness was significantly associated with cy-
bersecurity behaviors in the linear regression analysis, it was not
significant in the hierarchical analysis. There may be alternative
explanations or analyses in which this construct’s relatedness to
cybersecurity practices may become more apparent. It is also
important to note that, as expected, the factors in the first block of
the hierarchical regression explained a large percentage of the
variance in cybersecurity behaviors, as they were more highly
correlated with these behaviors in general, and that the statistically
significant increase in variance explained in the second block may
or may not have real world implications for individual’s with
specific personality traits.
Although the present study contributes to the broader literature
regarding cybersecurity behaviors and practices, there are key limita-
tions. The analyses were conducted on a cross-sectional sample of
relatively young college students. As a result of the cross-sectional
design, it is not possible to determine directionality of outcomes (i.e.,
certain personality characteristics may lead to certain cybersecurity
behaviors). Furthermore, the relatively young age of the sample may
impact generalizability to other populations. Previous research on age
has been mixed, but, nevertheless, this variable may be a significant
contributor to cybersecurity practices. Not much more than a decade
ago, technology was not necessarily as accessible to older generations
due to the digital divide (Loges & Jung, 2001), although much has
changed in this area.
Cybersecurity practices also encompass a great many behaviors
across a wide range of contexts. Although the present study attempted
to control for some independent factors, it is possible that other
variables not surveyed may be more closely associated with extro-
vertedness, neuroticism, or agreeableness. These three factors may be
more highly related to cybersecurity attitudes or intentions—as op-
posed to explicit behaviors—which may help explain why they were
not significantly associated with behaviors in this study. Future re-
search should aim to develop cybersecurity behavioral models that
include different aspects of attitudes so that researchers can gain a
better understanding of how personality make-up is associated with
awareness and implementation of cybersecurity best practices, in
addition to the subjective evaluation of an individual’s intent.
Conclusion
The present study’s findings suggest that personality is associ-
ated with cybersecurity behaviors and that conscientiousness and
openness may be particularly salient to this relationship. More
broadly, this study demonstrated linkages between the “Big Five”
and self-reported cybersecurity behaviors and more specifically
that conscientiousness, openness, and agreeableness may be par-
ticularly important personality factors for future research. These
findings are relevant to cybersecurity training and hiring practices,
as those who are lower in conscientiousness or less open to new
experiences may be less likely to engage in behaviors that align
with best practices.
In addition to personality structure, the present study pro-
vides evidence that investing and improving cybersecurity prac-
tices would be well served by focusing on improving an individ-
ual’s sense of self-efficacy as well as decreasing their perceived
barriers to cybersecurity practices. Self-efficacy may be improved
by targeting both an individual’s knowledge of how to behave in
a way that is in line with the institution or agency’s cybersecurity
practices as well as their belief that doing so will indeed help
improve security and prevent cybersecurity breaches. Finally, this
study provides evidence that individuals who are high in conscien-
tiousness and openness are more likely to engage in cybersecurity-
related behaviors.
References
Ajzen, I., Brown, T. C., & Carvajal, F. (2004). Explaining the discrepancy
between intentions and actions: The case of hypothetical bias in contin-
gent valuation. Personality and Social Psychology Bulletin, 30, 1108 –
1121. http://dx.doi.org/10.1177/0146167204264079
Anwar, M., He, W., Ash, I., Yuan, X., Li, L., & Xu, L. (2017). Gender
difference and employees’ cybersecurity behaviors. Computers in Hu-
man Behavior, 69, 437– 443. http://dx.doi.org/10.1016/j.chb.2016.12
.040
Bansal, G. (2011, December). Security concerns in the nomological net-
work of trust and Big 5: First order vs. second order. Paper presented at
the 32nd International Conference on Information Systems (ICIS),
Shanghai, China. Retrieved from https://pdfs.semanticscholar.org/3283/
7d2dfdfa0463e294eaeb497451f3d6f6139c.pdf
Boss, S. R., Kirsch, L. J., Angermeier, I., Shingler, R. A., & Boss, R. W.
(2009). If someone is watching, I’ll do what I’m asked: Mandatoriness,
control, and information security. European Journal of Information
Systems, 18, 151–164. http://dx.doi.org/10.1057/ejis.2009.8
Conner, M., & Abraham, C. (2001). Conscientiousness and the theory of
planned behavior: Toward a more complete model of the antecedents of
intentions and behavior. Personality and Social Psychology Bulletin, 27,
1547–1561. http://dx.doi.org/10.1177/01461672012711014
Table 5
Hierarchical Regression Coefficients
Variable BSEB 
Step 1
Perceived Barriers ⫺.188 .024 ⫺.245
ⴱⴱⴱ
Response Efficacy .314 .033 .298
ⴱⴱⴱ
Security Self-Efficacy .299 .023 .399
ⴱⴱⴱ
Step 2
Agreeableness .055 .059 .033
Conscientiousness .139 .064 .079
ⴱ
Openness .126 .064 .066
ⴱ
Note. Total F(6, 637) ⫽77.019
ⴱⴱⴱ
,R
2
⫽.42
ⴱⴱⴱ
.
ⴱ
p⬍.05.
ⴱⴱⴱ
p⬍.001.
This document is copyrighted by the American Psychological Association or one of its allied publishers.
This article is intended solely for the personal use of the individual user and is not to be disseminated broadly.
5
PERSONALITY PREDICTORS OF CYBERSECURITY
Costa, P. T., & McCrae, R. R. (1992). Normal personality assessment in
clinical practice: The NEO personality inventory. Psychological Assess-
ment, 4, 5–13. http://dx.doi.org/10.1037/1040-3590.4.1.5
Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., &
Baskerville, R. (2013). Future directions for behavioral information
security research. Computers and Security, 32, 90 –101. http://dx.doi
.org/10.1016/j.cose.2012.09.010
Goldberg, L. R. (1992). The development of markers for big-five factor
structure. Psychological Assessment, 4, 26 – 42. http://dx.doi.org/10.1037/
1040-3590.4.1.26
Gratian, M., Bandi, S., Cukier, M., Dykstra, J., & Ginther, A. (2018).
Correlating human traits and cyber security behavior intentions. Com-
puters and Security, 73, 345–358. http://dx.doi.org/10.1016/j.cose.2017
.11.015
Guo, K. H., Yuan, Y., Archer, N. P., & Connelly, C. E. (2011). Under-
standing nonmalicious security violations in the workplace: A composite
behavior model. Journal of Management Information Systems, 28, 203–
236. http://dx.doi.org/10.2753/MIS0742-1222280208
Hadlington, L. (2018). The “human factor” in cybersecurity: Exploring the
accidental insider. In J. McAlaney, L. A. Frumkin, & V. Benson (Eds.),
Psychological and behavioral examinations in cyber security (pp. 46 –
63). Hershey, PA: IGI Global.
Hadlington, L., & Murphy, K. (2018). Is media multitasking good for
cybersecurity? Exploring the relationship between media multitasking
and everyday cognitive failures on self-reported risky cybersecurity
behaviors. Cyberpsychology, Behavior, and Social Networking, 21,
168 –172. http://dx.doi.org/10.1089/cyber.2017.0524
Halevi, T., Memon, N., Lewis, J., Kumaraguru, P., Arora, S., Dagar, N.,...
Chen, J. (2016, November). Cultural and psychological factors in cy-
bersecurity. Paper presented at the 18th International Conference on
Information Integration and Web-based Applications and Services, Sin-
gapore, Singapore. Retrieved from https://dl.acm.org/citation.cfm?
id⫽3011165
John, O. P., Donahue, E. M., & Kentle, R. L. (1991). The Big Five
Inventory—Versions 4a and 54. Berkeley: University of California,
Berkeley, Institute of Personality & Social Research.
John, O. P., & Srivastava, S. (1999). The Big Five trait taxonomy: History,
measurement, and theoretical perspectives. Handbook of Personality:
Theory and Research, 2, 102–138.
Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information
security behaviors: An empirical study. Management Information Sys-
tems Quarterly, 34, 549 –566. http://dx.doi.org/10.2307/25750691
Korzaan, M. L., & Boswell, K. T. (2008). The influence of personality
traits and information privacy concerns on behavioral intentions. Journal
of Computer Information Systems, 48, 15–24.
Little, R. J. (1988). A test of missing completely at random for multivariate
data with missing values. Journal of the American Statistical Association,
83, 1198 –1202. http://dx.doi.org/10.1080/01621459.1988.10478722
Loges, W. E., & Jung, J. Y. (2001). Exploring the digital divide: Internet
connectedness and age. Communication Research, 28, 536 –562. http://
dx.doi.org/10.1177/009365001028004007
Maasberg, M., Warren, J., & Beebe, N. L. (2015, January). The dark side
of the insider: Detecting the insider threat through examination of dark
triad personality traits. Proceeding of 48th Hawaii International Con-
ference on System Sciences (pp. 3518 –3526). Kauai, HI: IEEE http://dx
.doi.org/10.1109/HICSS.2015.423
McCormac, A., Zwaans, T., Parsons, K., Calic, D., Butavicius, M., &
Pattinson, M. (2017). Individual differences and information security
awareness. Computers in Human Behavior, 69, 151–156. http://dx.doi
.org/10.1016/j.chb.2016.11.065
McCrae, R. R., & Costa, P. T., Jr. (1995). Trait explanations in personality
psychology. European Journal of Personality, 9, 231–252. http://dx.doi
.org/10.1002/per.2410090402
Rhee, H. S., Kim, C., & Ryu, Y. U. (2009). Self-efficacy in information
security: Its influence on end users’ information security practice be-
havior. Computers and Security, 28, 816 – 826. http://dx.doi.org/10
.1016/j.cose.2009.05.008
Rhodes, R. E., & Courneya, K. S. (2003). Investigating multiple compo-
nents of attitude, subjective norm, and perceived control: An examina-
tion of the theory of planned behaviour in the exercise domain. British
Journal of Social Psychology, 42, 129 –146. http://dx.doi.org/10.1348/
014466603763276162
Shropshire, J., Warkentin, M., & Sharma, S. (2015). Personality, attitudes,
and intentions: Predicting initial adoption of information security behav-
ior. Computers and Security, 49, 177–191. http://dx.doi.org/10.1016/j
.cose.2015.01.002
Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adher-
ence to information security policies: An exploratory field study. Infor-
mation and Management, 51, 217–224. http://dx.doi.org/10.1016/j.im
.2013.08.006
Siponen, M., & Vance, A. (2010). Neutralization: New insights into the
problem of employee information systems security policy violations.
Management Information Systems Quarterly, 34, 487–502. http://dx.doi
.org/10.2307/25750688
Tabachnick, B. G., & Fidell, L. S. (2013). Using multivariate statistics.
Boston, MA: Pearson.
Uffen, J., & Breitner, M. H. (2014). Management of technical security
measures: An empirical examination of personality traits and behavioral
intentions. International Journal of Social and Organizational Dynam-
ics in IT, 3, 14 –31. http://dx.doi.org/10.4018/ijsodit.2013010102
Wansink, B., & Sobal, J. (2007). Mindless eating: The 200 daily food
decisions we overlook. Environment and Behavior, 39, 106 –123. http://
dx.doi.org/10.1177/0013916506295573
Warkentin, M., & Willison, R. (2009). Behavioral and policy issues in infor-
mation systems security: The insider threat. European Journal of Informa-
tion Systems, 18, 101–105. http://dx.doi.org/10.1057/ejis.2009.12
Willison, R., & Warkentin, M. (2013). Beyond deterrence: An expanded
view of employee computer abuse. Management Information Systems
Quarterly, 37, 1–20. http://dx.doi.org/10.25300/MISQ/2013/37.1.01
Received November 7, 2018
Revision received April 11, 2019
Accepted April 17, 2019 䡲
This document is copyrighted by the American Psychological Association or one of its allied publishers.
This article is intended solely for the personal use of the individual user and is not to be disseminated broadly.
6SHAPPIE, DAWSON, AND DEBB
A preview of this full-text is provided by American Psychological Association.
Content available from Psychology of Popular Media
This content is subject to copyright. Terms and conditions apply.
