Personality as a Predictor of Cybersecurity Behavior

Personality may better predict cybersecurity behavior relative to an individual's stated intentions; however, people often behave in ways that are discordant with what they intend. Assuming most people have the intention of complying with safe practices, it is still no surprise that people violate policies and put sensitive data at risk regularly. Previous research has investigated all of the "Big Five" personality factors in relation to cybersecurity behavior, although there is no consensus regarding which factors are most important. In this study, data were collected from 676 undergraduate students who were administered the Employees' Online Security Behavior and Beliefs questionnaire and the Big Five Inventory–44. Significant correlations were observed between self-reported cybersecurity behaviors and some, but not all, personality constructs. Linear regression was used to examine whether the 5 personality factors were significantly associated with cybersecurity behaviors, and a hierarchical regression examined the personality factors that explained additional variance over-and-above cybersecurity behaviors, specifically perceived barriers, response efficacy, and security self-efficacy. Conscientiousness, agreeableness, and openness were significantly associated with self-reported cybersecurity behaviors. Results suggest that personality plays an important role in understanding cybersecurity behaviors, which is consistent with a growing body of literature highlighting conscientiousness as a strong predictor of cybersecurity behaviors. The present study's findings suggest that personality structure is associated with cybersecurity behaviors and that conscientiousness and openness may be particularly salient to this relationship.
Psychology of Popular Media Culture
Alexander T. Shappie, Charlotte A. Dawson, and Scott M. Debb
Online First Publication, May 23, 2019. http://dx.doi.org/10.1037/ppm0000247
CITATION
Shappie, A. T., Dawson, C. A., & Debb, S. M. (2019, May 23). Personality as a Predictor of Cybersecurity Behavior. Psychology of Popular Media Culture. Advance online publication. http://dx.doi.org/10.1037/ppm0000247
Alexander T. Shappie and Charlotte A. Dawson
Virginia Consortium Program in Clinical Psychology,
Norfolk, Virginia
Scott M. Debb
Virginia Consortium Program in Clinical Psychology, Norfolk,
Virginia, and Norfolk State University
Public Policy Relevance Statement
Given today’s digitally connected world, minimizing threats to information security has become increasingly important. People tend to be considered the weakest link in cybersecurity infrastructure. The present study investigated the association between personality characteristics and cybersecurity behaviors, and the results have implications for cybersecurity training as well as hiring practices.
Keywords: information security, cybersecurity, Big Five personality, self-efficacy, perceived barriers
The reality of a globally connected society demands that attention be given to how people from the general population regularly utilize technology. Given today’s digitally connected world, threats to information security have the potential to impact large swaths of society as well as singular individuals. Previous research has focused on intention as a predictor of cybersecurity behavior (Shropshire, Warkentin, & Sharma, 2015) because people are typically considered the weakest link within any cybersecurity infrastructure (Guo, Yuan, Archer, & Connelly, 2011). This is likely because people’s actual behavior often differs from what they intend (Ajzen, Brown, & Carvajal, 2004).
Intention
People often behave in ways that are discordant with how they intend to behave. Human beings are not bound by a prerequisite that calls for consistency between a singular intention and a subsequent behavior. Applied to the modern-day context of information security, people tend to express concern about cybersecurity, but fewer actually take action to protect their data (Crossler et al., 2013). This may be due to intention being a cognitive process, whereas behavior is more closely associated with impulsivity in the moment or other unconscious processes that require less cognitive effort (Wansink & Sobal, 2007; Willison & Warkentin, 2013).
If we assume that the majority of everyday consumers of technology have every intention of complying with cybersecurity policies and best practices, it is counterintuitive how people simultaneously engage in actions that violate policies and put their own and other people’s sensitive data at risk. Research demonstrates that this may be the result of laziness, ignorance, lack of motivation, or simply accidental oversight (Rhee, Kim, & Ryu, 2009). Further, insider threat—broadly defined as what occurs when trusted people behave in ways that put shared data and the systems they rely upon at risk (Maasberg, Warren, & Beebe, 2015)—may be the net result of distraction, general disinterest, or insider abuse when someone deliberately violates explicit cybersecurity policies (Boss, Kirsch, Angermeier, Shingler, & Boss, 2009; Warkentin & Willison, 2009). In addition, intentional engagement in workplace security violations is often influenced by a relative advantage related to job performance (e.g., help in completing tasks or increasing productivity), perceived security vulnerability, workgroup norms, and perceived identity or professional image (Guo et al., 2011).

Alexander T. Shappie and Charlotte A. Dawson, Virginia Consortium Program in Clinical Psychology, Norfolk, Virginia; Scott M. Debb, Virginia Consortium Program in Clinical Psychology, and Department of Psychology, Norfolk State University.
Correspondence concerning this article should be addressed to Scott M. Debb, Department of Psychology, Norfolk State University, Brown Hall, Suite 216, Norfolk, VA 23504. E-mail: smdebb@nsu.edu
This document is copyrighted by the American Psychological Association or one of its allied publishers.
This article is intended solely for the personal use of the individual user and is not to be disseminated broadly.
Psychology of Popular Media Culture
© 2019 American Psychological Association 2019, Vol. 2, No. 999, 000
2160-4134/19/$12.00 http://dx.doi.org/10.1037/ppm0000247

Behavioral outcomes research has examined the relationship between intentions and specific cybersecurity behaviors, such as the utilization of security software, and suggests that personality may be a stronger predictor of behavior than an individual’s stated intentions (Shropshire et al., 2015). For example, some individuals are more likely to be guided by their sense of morality, whereas others are more likely to engage in an assessment of the perceived costs and benefits of explicit policy violation (Siponen & Vance, 2010). Personality is thought to better explain the relatedness between intention and behavior (Conner & Abraham, 2001; Rhodes & Courneya, 2003) and perhaps even act as a moderator of the relationship (Shropshire et al., 2015).
The personality constructs of agreeableness and conscientiousness in particular have demonstrated a strong relationship with better cybersecurity practices (Hadlington & Murphy, 2018). For example, evidence suggests that conscientious people may be more likely to consistently update software and generate strong passwords, whereas extroverted people may be more likely to better secure their devices (Gratian, Bandi, Cukier, Dykstra, & Ginther, 2018). Interestingly, neither age nor gender has been found to have a comparatively large impact on awareness of information security practices (McCormac et al., 2017).
The “Big Five”
One of the most widely used conceptualizations to understand the nature and manifestation of personality is the “Big Five” (John, Donahue, & Kentle, 1991). This model measures five personality constructs: openness, conscientiousness, extraversion, agreeableness, and neuroticism (John & Srivastava, 1999; see Table 1). Previous research has investigated all of the “Big Five” factors in relation to information security (Bansal, 2011; Gratian et al., 2018; Halevi et al., 2016; Korzaan & Boswell, 2008; McCormac et al., 2017).
When investigating the relationship between the five factors and dimensions of cybersecurity (secure behavior, self-efficacy, and privacy attitudes), Halevi and colleagues (2016) found that conscientiousness was linked to people who tend to engage in more secure online behavior. Openness was positively associated with self-efficacy (an individual’s belief that they can mitigate cybersecurity risks), whereas neuroticism was negatively associated with self-efficacy. Conscientiousness, neuroticism, and extraversion have all been found to be positively associated with privacy and security concerns (Bansal, 2011). In contrast, Korzaan and Boswell (2008) found that only agreeableness was positively associated with concern for information privacy. Openness, agreeableness, conscientiousness, and emotional stability (the inverse of neuroticism) have been positively associated with information security awareness (defined as the extent to which someone understands the information security rules and guidelines of their workplace and behaves accordingly). When controlling for age and gender, conscientiousness was the strongest overall predictor of information security awareness, followed by agreeableness (McCormac et al., 2017).
McCrae and Costa (1995) emphasized that attitudes and personal strivings are likely to moderate the relationship between personality constructs (i.e., the Big Five) and behavior. Despite compelling evidence, there is no consensus regarding whether all the Big Five personality factors are important when examining information security attitudes, intentions, and behaviors. For example, conscientiousness and agreeableness seem to moderate the relationship between intention and initial adherence to security practices (Shropshire et al., 2015). As conscientiousness and agreeableness increase, the strength of the relationship between intention and initial adherence to security practices increases. Uffen and Breitner (2014) developed a model that included conscientiousness, openness, and neuroticism, proposing an explanation of the relationship between personality traits and the attitudes of information security executives. For this subgroup, conscientiousness positively influenced attitudes toward management of security measures, and compliance-related factors moderated the relationships between both conscientiousness and openness with security attitudes. These results highlight the role that attitudes may play in the association between personality and behavior.
These findings demonstrate a connection between personality factors as defined by the Big Five model and cybersecurity attitudes and behavioral practice. Conscientiousness has been most frequently associated with information security behaviors, attitudes, and intentions; however, previous research has documented associations between all Big Five personality factors and cybersecurity practices (Bansal, 2011; Korzaan & Boswell, 2008). Nevertheless, these associations have varied widely between studies. One reason is that there does not appear to be a standard way of operationalizing cybersecurity practices. In addition, many of these studies examine different outcomes (e.g., self-efficacy, cybersecurity behaviors, and security concern).
The present study aimed to address some of these concerns by examining the impact of all five personality factors on cybersecurity behaviors while also controlling for other related variables, including self-efficacy (Siponen, Mahmood, & Pahnila, 2014), perceived barriers (Anwar et al., 2017), and response efficacy concurrently (Johnston & Warkentin, 2010). Due to the inconsistency with which previous research included all personality factors, a research question was proposed to investigate whether the five factors were significantly associated with cybersecurity behaviors. It was hypothesized that self-reported cybersecurity behaviors would be correlated with the five personality factors and that the personality factors would explain additional variance in self-reported cybersecurity behaviors over and above that of self-efficacy, perceived barriers, and response efficacy.

Table 1
The “Big Five” Personality Factor Descriptions (John & Srivastava, 1999)
Conscientiousness: Impulse control behaviors that help with goal and task completion, such as planning, organizing, and delaying gratification
Openness: The extent to which an individual’s mind and experiences are complex and original
Agreeableness: Prosocial attitudes toward others, including traits such as trust and tender-mindedness
Neuroticism: The contrast on emotional stability, includes feelings like anxiety and sadness
Extraversion: Sociability and an energetic approach to the world

Method
Participants and Recruitment
A convenience sample of 676 undergraduate students was recruited from two public universities, one of which was a large, research-oriented institution and the other a historically black liberal arts university. Participants were recruited from undergraduate courses, university e-mail announcements, and formal research participant pools offered at the larger institution. The mean age of the sample was 23, ranging from 18 to 56. Participants had to be at least 18 years old to participate in the study. They were also asked to self-report demographic information including their age, gender, race, ethnicity, academic major, and grade point average.
Materials
Personality traits. The Big Five Inventory (BFI; John et al., 1991) is a 44-item measure used to assess five domains of personality. These domains (and sample items) include Extraversion (eight items; e.g., “Is full of energy”), Agreeableness (nine items; e.g., “Has a forgiving nature”), Conscientiousness (nine items; e.g., “Does a thorough job”), Neuroticism (eight items; e.g., “Worries a lot”), and Openness (10 items; e.g., “Has an active imagination”). Participants were asked to indicate the extent to which they saw themselves as someone who exhibited specific traits using a Likert-scale ranging from 1 (disagree strongly) to 5 (agree strongly). Scores are calculated by taking the mean of each domain, after reverse scoring negatively worded items. John and colleagues (1991) found the BFI to be reliable in the United States, with αs ranging from .75 to .90, and convergent validity was demonstrated via correlations with Goldberg’s (1992) Trait Descriptive Adjectives (r = .81) and Costa and McCrae’s (1992) NEO Five-Factor Inventory (r = .73; John & Srivastava, 1999).
Information security. Anwar and colleagues (2017) created a questionnaire to measure online security behaviors and beliefs in organizational settings that incorporated adapted items from other questionnaires available in the information security literature. The present study used 24 items from the questionnaire, which comprised the following domain areas: Perceived Barriers (four items; e.g., “Changing the privacy setting on social media sites is inconvenient”), Response Efficacy (four items; e.g., “Careful compliance with information security policies helps to avoid security problems”), Security Self-efficacy (seven items; e.g., “I know how to apply security patches to operating systems”), and Self-Reported Cybersecurity Behavior (nine items; e.g., “I keep the anti-virus software on my computer up-to-date”). Items that specified “employee” were modified to omit wording that would seem to pertain only to a workplace setting. Participants responded to the items using a 7-point Likert scale ranging from 1 (strongly disagree) to 7 (strongly agree). For this study, internal reliability statistics yielded acceptable coefficients for each subscale, as well as item-total correlations that were all above 0.70.
Procedure
The present study used a cross-sectional design approved by the institutional review boards at both universities. Participants completed an anonymous online survey, providing informed consent before data collection. To ensure participants did not take the survey multiple times, an option was included to prevent multiple submissions from the same IP address, along with an honesty statement asking participants to indicate whether they completed the survey previously. Finally, to track the yield of the various recruitment strategies, participants were asked to indicate which recruitment strategy led to their participation.
Results
Data were collected from 676 undergraduate participants (see Table 2 for descriptive data). Before conducting statistical analyses, descriptive statistics were reviewed to determine whether there was significant missing information or systematic errors in the data set. Missing values ranged from 2.4% to 4.3%. Little’s missing completely at random test (Little, 1988) was used to determine that data were primarily missing at random due to item nonresponse, and not missing systematically (p > .10). Thus, expectation maximization imputation was used to correct for missing data. Imputed values were compared with observed values, and results using list-wise deletion were similar to expectation maximization. Descriptive statistics of the Employees’ Online Security Behavior and Beliefs subscales as well as the BFI subscales are displayed in Table 3. Higher scores on subscales were indicative of relatively greater amounts of each construct. All subscales demonstrated acceptable to good internal reliability.

Table 2
Descriptive Statistics of the Sample
Variable               N     Percentage
Gender
  Female               528   78.1
  Male                 146   21.6
Race
  African American     292   43.2
  Caucasian            259   38.3
  Latino/a             45    6.7
  Multiracial          42    6.2
  Other                10    0.14
Academic status
  Freshman             138   20.4
  Sophomore            116   17.2
  Junior               152   22.5
  Senior               244   36.1
  Graduate student     25    3.7
Currently employed
  Yes                  429   63.6
  No                   245   36.4

After examining the descriptive statistics of the sample, the assumptions of regression analyses were tested. All variables were found to meet the assumptions of normality and homoscedasticity, and all skewness and kurtosis values fell within the acceptable range of −1.5 and 1.5 (Tabachnick & Fidell, 2013). Histograms appeared relatively normal except for participant age, which was positively skewed. This was not surprising given the population sampled. Multicollinearity was assessed via intercorrelations among predictor variables, variance inflation factor values, and tolerance values. There were no intercorrelations above .60 between independent variables.
Bivariate correlations demonstrated significant relationships between self-reported cybersecurity behaviors and the independent variables (Table 4). Of particular note, self-reported cybersecurity behaviors were significantly correlated with four of the five factors of the BFI: Agreeableness, r = .23, p < .001; Openness, r = .26, p < .001; Neuroticism, r = −.18, p < .001; and Conscientiousness, r = .26, p < .001; as well as three subscales of the security behavior measure: Perceived Barriers, r = −.34, p < .001; Response Efficacy, r = .43, p < .001; Security Self-Efficacy, r = .49, p < .001. See Table 4 for correlations among all study variables.
Linear regression analyses were used to examine whether the five factors of the BFI were significantly associated with self-reported cybersecurity behaviors. Regression analyses were chosen to test the hypotheses because they allow for establishing associations between independent variables and a dependent variable while also taking into account the impact of other variables of theoretical importance. Initially, participants’ age, gender, race, and grade point average were considered as demographic variables to include in the regression analyses; however, only age was found to be a significant predictor of self-reported cybersecurity behaviors. Nevertheless, skewness and kurtosis values associated with age were significantly different from what would be expected of a normal distribution, and age was removed from subsequent analyses. The subsequent regression analysis, which included all five factors of the BFI, revealed that the overall model was significantly associated with self-reported cybersecurity behaviors, F(5, 639) = 16.35, R² = .113. Three of the five factors were significantly associated with self-reported cybersecurity behaviors: Agreeableness (β = .107, p < .05), Conscientiousness (β = .121, p < .05), and Openness (β = .184, p < .001).
A hierarchical regression analysis was then conducted to determine whether the three significant personality factors explained additional variance over and above other cybersecurity-related subscales, specifically Perceived Barriers, Response Efficacy, and Security Self-Efficacy. These three subscales were entered into the first block of the analysis and Agreeableness, Conscientiousness, and Openness were entered into the second block of the analysis. The adjusted R² for the first block was .403, indicating that the model predicted 40.3% of the variance in self-reported cybersecurity behaviors. Introducing Agreeableness, Openness, and Conscientiousness into the second block of the analysis explained an additional 1.2% of the variance. This change in R² was significant, F(3, 637) = 5.34, p < .01; however, only Conscientiousness and Openness predicted a significant amount of variance over and above the variables in the first block (β = .079, p < .05; β = .066, p < .05, respectively). The unstandardized coefficients of the full regression equation, as well as the beta weights, standard errors, and significance values for all predictor variables, are included in Table 5.
Discussion
The present study analyzed cybersecurity behaviors among an ethnically diverse college student population in the United States, with results providing evidence for the association between the personality factors reflected in the BFI and self-reported cybersecurity behaviors. The overall model, which incorporated all five personality factors, was significantly associated with self-reported cybersecurity behaviors; however, Conscientiousness, Agreeableness, and Openness were the only factors that were significantly associated with self-reported cybersecurity behaviors. This is in line with previous research that demonstrated similar findings (Halevi et al., 2016; McCormac et al., 2017; Shropshire et al., 2015). A follow-up hierarchical regression analysis revealed that Conscientiousness and Openness explained additional variance over and above other relevant cybersecurity variables, including Perceived Barriers, Response Efficacy, and Security Self-Efficacy. This analysis expands the current literature by examining personality factors not only concurrently but also in tandem with other relevant variables.

Table 3
Descriptive Statistics of Included Subscales
Variable                   N     Range       M      SD     α
BFI Extraversion           627   1.00–5.00   3.27   .70    .79
BFI Agreeableness          625   1.67–5.00   3.87   .63    .78
BFI Conscientiousness      624   2.33–5.00   3.73   .60    .74
BFI Neuroticism            621   1.00–5.00   2.97   .75    .78
BFI Openness               625   1.60–5.00   3.63   .55    .71
Perceived Barriers         654   1.00–7.00   3.45   1.36   .82
Response Efficacy          655   1.00–7.00   5.51   1.00   .93
Security Self-Efficacy     638   1.00–7.00   3.98   1.40   .85
Note. BFI = Big Five Inventory.

Table 4
Bivariate Correlations of Subscale Scores
Variable                   1       2       3       4       5       6       7       8       9
1. Perceived Barriers      —       .19***  .10**   −.34*** .05     .29***  .30***  .19***  .18***
2. Response Efficacy               —       .22***  .43***  .14***  .33***  .33***  .15***  .30***
3. Security Self-Efficacy                  —       .49***  .02     .01     .01     .16***  .10**
4. Cybersecurity Behavior                          —       .06     .23***  .26***  −.18*** .26***
5. Extraversion                                            —       .23***  .21***  .30***  .26***
6. Agreeableness                                                   —       .47***  .35***  .32***
7. Conscientiousness                                                       —       .50***  .33***
8. Neuroticism                                                                     —       .14***
9. Openness                                                                                —
** p < .01. *** p < .001.

These results suggest that personality factors play an important role in understanding cybersecurity behaviors and are consistent with a growing body of literature highlighting that Conscientiousness appears to be a strong predictor of cybersecurity behaviors and information security awareness (Hadlington, 2018; McCormac et al., 2017; Shropshire et al., 2015; Uffen & Breitner, 2014). Nevertheless, Openness was also a significant predictor of cybersecurity behaviors in the hierarchical regression analysis, suggesting that it should be considered in the adoption of cybersecurity practices.
Although Agreeableness was significantly associated with cybersecurity behaviors in the linear regression analysis, it was not significant in the hierarchical analysis. There may be alternative explanations or analyses in which this construct’s relatedness to cybersecurity practices may become more apparent. It is also important to note that, as expected, the factors in the first block of the hierarchical regression explained a large percentage of the variance in cybersecurity behaviors, as they were more highly correlated with these behaviors in general, and that the statistically significant increase in variance explained in the second block may or may not have real world implications for individuals with specific personality traits.
Although the present study contributes to the broader literature regarding cybersecurity behaviors and practices, there are key limitations. The analyses were conducted on a cross-sectional sample of relatively young college students. As a result of the cross-sectional design, it is not possible to determine directionality of outcomes (i.e., certain personality characteristics may lead to certain cybersecurity behaviors). Furthermore, the relatively young age of the sample may impact generalizability to other populations. Previous research on age has been mixed, but, nevertheless, this variable may be a significant contributor to cybersecurity practices. Not much more than a decade ago, technology was not necessarily as accessible to older generations due to the digital divide (Loges & Jung, 2001), although much has changed in this area.
Cybersecurity practices also encompass a great many behaviors across a wide range of contexts. Although the present study attempted to control for some independent factors, it is possible that other variables not surveyed may be more closely associated with extrovertedness, neuroticism, or agreeableness. These three factors may be more highly related to cybersecurity attitudes or intentions—as opposed to explicit behaviors—which may help explain why they were not significantly associated with behaviors in this study. Future research should aim to develop cybersecurity behavioral models that include different aspects of attitudes so that researchers can gain a better understanding of how personality make-up is associated with awareness and implementation of cybersecurity best practices, in addition to the subjective evaluation of an individual’s intent.
Conclusion
The present study’s findings suggest that personality is associated with cybersecurity behaviors and that conscientiousness and openness may be particularly salient to this relationship. More broadly, this study demonstrated linkages between the “Big Five” and self-reported cybersecurity behaviors and more specifically that conscientiousness, openness, and agreeableness may be particularly important personality factors for future research. These findings are relevant to cybersecurity training and hiring practices, as those who are lower in conscientiousness or less open to new experiences may be less likely to engage in behaviors that align with best practices.
In addition to personality structure, the present study provides evidence that investing in and improving cybersecurity practices would be well served by focusing on improving an individual’s sense of self-efficacy as well as decreasing their perceived barriers to cybersecurity practices. Self-efficacy may be improved by targeting both an individual’s knowledge of how to behave in a way that is in line with the institution or agency’s cybersecurity practices as well as their belief that doing so will indeed help improve security and prevent cybersecurity breaches. Finally, this study provides evidence that individuals who are high in conscientiousness and openness are more likely to engage in cybersecurity-related behaviors.
References
Ajzen, I., Brown, T. C., & Carvajal, F. (2004). Explaining the discrepancy between intentions and actions: The case of hypothetical bias in contingent valuation. Personality and Social Psychology Bulletin, 30, 1108–1121. http://dx.doi.org/10.1177/0146167204264079
Anwar, M., He, W., Ash, I., Yuan, X., Li, L., & Xu, L. (2017). Gender difference and employees’ cybersecurity behaviors. Computers in Human Behavior, 69, 437–443. http://dx.doi.org/10.1016/j.chb.2016.12.040
Bansal, G. (2011, December). Security concerns in the nomological network of trust and Big 5: First order vs. second order. Paper presented at the 32nd International Conference on Information Systems (ICIS), Shanghai, China. Retrieved from https://pdfs.semanticscholar.org/3283/7d2dfdfa0463e294eaeb497451f3d6f6139c.pdf
Boss, S. R., Kirsch, L. J., Angermeier, I., Shingler, R. A., & Boss, R. W. (2009). If someone is watching, I’ll do what I’m asked: Mandatoriness, control, and information security. European Journal of Information Systems, 18, 151–164. http://dx.doi.org/10.1057/ejis.2009.8
Conner, M., & Abraham, C. (2001). Conscientiousness and the theory of planned behavior: Toward a more complete model of the antecedents of intentions and behavior. Personality and Social Psychology Bulletin, 27, 1547–1561. http://dx.doi.org/10.1177/01461672012711014
Table 5
Hierarchical Regression Coefficients

Variable                    B       SE B    β
Step 1
  Perceived Barriers        .188    .024    .245***
  Response Efficacy         .314    .033    .298***
  Security Self-Efficacy    .299    .023    .399***
Step 2
  Agreeableness             .055    .059    .033
  Conscientiousness         .139    .064    .079
  Openness                  .126    .064    .066

Note. Total F(6, 637) = 77.019***, R² = .42***.
*p < .05. ***p < .001.
This document is copyrighted by the American Psychological Association or one of its allied publishers.
This article is intended solely for the personal use of the individual user and is not to be disseminated broadly.
Costa, P. T., & McCrae, R. R. (1992). Normal personality assessment in
clinical practice: The NEO personality inventory. Psychological Assess-
ment, 4, 5–13. http://dx.doi.org/10.1037/1040-3590.4.1.5
Crossler, R. E., Johnston, A. C., Lowry, P. B., Hu, Q., Warkentin, M., &
Baskerville, R. (2013). Future directions for behavioral information
security research. Computers and Security, 32, 90 –101. http://dx.doi
.org/10.1016/j.cose.2012.09.010
Goldberg, L. R. (1992). The development of markers for big-five factor
structure. Psychological Assessment, 4, 26 – 42. http://dx.doi.org/10.1037/
1040-3590.4.1.26
Gratian, M., Bandi, S., Cukier, M., Dykstra, J., & Ginther, A. (2018).
Correlating human traits and cyber security behavior intentions. Com-
puters and Security, 73, 345–358. http://dx.doi.org/10.1016/j.cose.2017
.11.015
Guo, K. H., Yuan, Y., Archer, N. P., & Connelly, C. E. (2011). Under-
standing nonmalicious security violations in the workplace: A composite
behavior model. Journal of Management Information Systems, 28, 203–
236. http://dx.doi.org/10.2753/MIS0742-1222280208
Hadlington, L. (2018). The “human factor” in cybersecurity: Exploring the
accidental insider. In J. McAlaney, L. A. Frumkin, & V. Benson (Eds.),
Psychological and behavioral examinations in cyber security (pp. 46 –
63). Hershey, PA: IGI Global.
Hadlington, L., & Murphy, K. (2018). Is media multitasking good for
cybersecurity? Exploring the relationship between media multitasking
and everyday cognitive failures on self-reported risky cybersecurity
behaviors. Cyberpsychology, Behavior, and Social Networking, 21,
168 –172. http://dx.doi.org/10.1089/cyber.2017.0524
Halevi, T., Memon, N., Lewis, J., Kumaraguru, P., Arora, S., Dagar, N.,...
Chen, J. (2016, November). Cultural and psychological factors in cy-
bersecurity. Paper presented at the 18th International Conference on
Information Integration and Web-based Applications and Services, Sin-
gapore, Singapore. Retrieved from https://dl.acm.org/citation.cfm?
id3011165
John, O. P., Donahue, E. M., & Kentle, R. L. (1991). The Big Five
Inventory—Versions 4a and 54. Berkeley: University of California,
Berkeley, Institute of Personality & Social Research.
John, O. P., & Srivastava, S. (1999). The Big Five trait taxonomy: History,
measurement, and theoretical perspectives. Handbook of Personality:
Theory and Research, 2, 102–138.
Johnston, A. C., & Warkentin, M. (2010). Fear appeals and information
security behaviors: An empirical study. Management Information Sys-
tems Quarterly, 34, 549 –566. http://dx.doi.org/10.2307/25750691
Korzaan, M. L., & Boswell, K. T. (2008). The influence of personality
traits and information privacy concerns on behavioral intentions. Journal
of Computer Information Systems, 48, 15–24.
Little, R. J. (1988). A test of missing completely at random for multivariate
data with missing values. Journal of the American Statistical Association,
83, 1198 –1202. http://dx.doi.org/10.1080/01621459.1988.10478722
Loges, W. E., & Jung, J. Y. (2001). Exploring the digital divide: Internet
connectedness and age. Communication Research, 28, 536 –562. http://
dx.doi.org/10.1177/009365001028004007
Maasberg, M., Warren, J., & Beebe, N. L. (2015, January). The dark side
of the insider: Detecting the insider threat through examination of dark
triad personality traits. Proceeding of 48th Hawaii International Con-
ference on System Sciences (pp. 3518 –3526). Kauai, HI: IEEE http://dx
.doi.org/10.1109/HICSS.2015.423
McCormac, A., Zwaans, T., Parsons, K., Calic, D., Butavicius, M., &
Pattinson, M. (2017). Individual differences and information security
awareness. Computers in Human Behavior, 69, 151–156. http://dx.doi
.org/10.1016/j.chb.2016.11.065
McCrae, R. R., & Costa, P. T., Jr. (1995). Trait explanations in personality
psychology. European Journal of Personality, 9, 231–252. http://dx.doi
.org/10.1002/per.2410090402
Rhee, H. S., Kim, C., & Ryu, Y. U. (2009). Self-efficacy in information
security: Its influence on end users’ information security practice be-
havior. Computers and Security, 28, 816 – 826. http://dx.doi.org/10
.1016/j.cose.2009.05.008
Rhodes, R. E., & Courneya, K. S. (2003). Investigating multiple compo-
nents of attitude, subjective norm, and perceived control: An examina-
tion of the theory of planned behaviour in the exercise domain. British
Journal of Social Psychology, 42, 129 –146. http://dx.doi.org/10.1348/
014466603763276162
Shropshire, J., Warkentin, M., & Sharma, S. (2015). Personality, attitudes,
and intentions: Predicting initial adoption of information security behav-
ior. Computers and Security, 49, 177–191. http://dx.doi.org/10.1016/j
.cose.2015.01.002
Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adher-
ence to information security policies: An exploratory field study. Infor-
mation and Management, 51, 217–224. http://dx.doi.org/10.1016/j.im
.2013.08.006
Siponen, M., & Vance, A. (2010). Neutralization: New insights into the
problem of employee information systems security policy violations.
Management Information Systems Quarterly, 34, 487–502. http://dx.doi
.org/10.2307/25750688
Tabachnick, B. G., & Fidell, L. S. (2013). Using multivariate statistics.
Boston, MA: Pearson.
Uffen, J., & Breitner, M. H. (2014). Management of technical security
measures: An empirical examination of personality traits and behavioral
intentions. International Journal of Social and Organizational Dynam-
ics in IT, 3, 14 –31. http://dx.doi.org/10.4018/ijsodit.2013010102
Wansink, B., & Sobal, J. (2007). Mindless eating: The 200 daily food
decisions we overlook. Environment and Behavior, 39, 106 –123. http://
dx.doi.org/10.1177/0013916506295573
Warkentin, M., & Willison, R. (2009). Behavioral and policy issues in infor-
mation systems security: The insider threat. European Journal of Informa-
tion Systems, 18, 101–105. http://dx.doi.org/10.1057/ejis.2009.12
Willison, R., & Warkentin, M. (2013). Beyond deterrence: An expanded
view of employee computer abuse. Management Information Systems
Quarterly, 37, 1–20. http://dx.doi.org/10.25300/MISQ/2013/37.1.01
Received November 7, 2018
Revision received April 11, 2019
Accepted April 17, 2019
... This could be the case because healthcare staff with a high score of agreeableness characteristics tend to easily agree with cyber security education and training, enabling them to have low risk in ISK and ISA. This finding is in line with previous studies [73,74]. Conversely, the healthcare workers with a high risk score of conscientiousness showed higher ISCCB risk, which contrasts our hypothesis and previous studies [73,74]. ...
... This finding is in line with previous studies [73,74]. Conversely, the healthcare workers with a high risk score of conscientiousness showed higher ISCCB risk, which contrasts our hypothesis and previous studies [73,74]. Our assumption was that a higher score of conscientiousness would have translated into less risk of ISCCB. ...
... For instance, healthcare workers are social beings [76], who work with friends, family members, and other relations, which can have an impact on security measures. This expresses the need to consider social factors in an effort to estimate the security behavior of a hospital [13,20,41,73,74]. ...
Article
Recent reports indicate that over 85% of data breaches are still caused by a human element, of which healthcare is one of the organizations that cyber criminals target. As healthcare IT infrastructure is characterized by a human element, this study comprehensively examined the effect of psycho-socio-cultural and work factors on security behavior in a typical hospital. A quantitative approach was adopted where we collected responses from 212 healthcare staff through an online questionnaire survey. A broad range of constructs was selected from psychological, social, cultural perception, and work factors based on earlier review work. These were related with some security practices to assess the information security (IS) knowledge, attitude and behavior gaps among healthcare staff in a comprehensive way. The study revealed that work emergency (WE) has a positive correlation with IS conscious care behavior (ISCCB) risk. Conscientiousness also had a positive correlation with ISCCB risk, but agreeableness was negatively correlated with information security knowledge (ISK) risk and information security attitude (ISA) risk. Based on these findings, intrinsic and extrinsic motivation methods combined with cutting-edge technologies can be explored to discourage IS risks behaviors while enhancing conscious care security practice.
Preprint
Recent reports have it that over 85% of data breaches are still caused by the human element, of which healthcare is one of the suitable organizations mostly targeted by cybercriminals. The work of healthcare staff is often associated with high workloads, high emergency cases, and a broad range of psychological, social, and cultural factors. The significance of these factors could undermine conscious care information security (IS) practice leading to serious violations. This study comprehensively examined the correlation between the psycho-social-cultural factors, work factors with IS and privacy behaviour in a hospital that has fully adopted electronic health records (EHR) management system. The findings are to facilitate the decision-making process towards improving the cyber-security practice in healthcare. A quantitative approach was adopted where we collected responses from 212 healthcare staff through an online questionnaire survey. A broad range of constructs was selected from psychological, social, cultural perception and work factors based on earlier review work. These were therefore related to some security practices, to assess the IS knowledge, attitude and behaviour gaps among healthcare staff in a comprehensive way. From the study, IS self-reported conscious care behaviour (ISCCB) risk was relatively higher as compared to information security knowledge (ISK) risks and information security attitude (ISA) risk. Furthermore, the study revealed that work emergency has a positive correlation with ISCCB (r=1.95, p-value =0.001) risk. Conscientiousness also had positive correlation with ISCCB risk (r=0.157, p-value=0.05) however agreeableness negatively correlated with ISK risk (r=-0.166, p-value =0.05), and ISA risk (r=-0.140, p-value =0.05). Based on these findings, intrinsic and extrinsic motivation methods combined with cutting-edge technologies can be explored to discourage IS risks behaviours while enhancing conscious care security practice.
... Furthermore, audience feedback can highly contribute to the design, development, assessment, and update of a CSA program. Their socio-demographic factors (e.g., age, gender, education level, the field of study, occupation, job hierarchy, frequency of ICT usage, prior cyber-attack experience, and job experience) [43], cultural values (e.g., Hofstede's cultural dimensions theory) [44], and personality traits (e.g., Big five personality traits) [45] can be useful information in shaping the CSA program so that it best fits their needs and requirements. One must also realize that the impacts of some of these factors may overcome others [41]. ...
Technical Report
This report proposes a conceptual framework for the monitoring and evaluation of a cybersecurity awareness (CSA) program. In order to do so, it uses a nonsystematic or purposive literature review. Initially, it reviewed nine existing frameworks/models on CSA mainly to derive the skeleton (phases and sub-phases) of the framework. This is followed by a set of guidelines and practical advice in each phase and sub-phases of the framework that would be useful for the enhancement of a CSA program. The guidelines and advice on "what to do in each phase" as well as "what to expect in each phase" will be useful for CSA professionals, individuals, or organizations who intend to design a CSA program. In addition to this, the report also presents the evaluation criteria of two CSA mechanisms, which are posters and serious games.
... Other studies found that those higher in emotional instability engage in risky cybersecurity behaviors more often than others (Kennison & Chan-Tin, 2020; McCormac et al., 2017). A few studies have shown that those higher in agreeableness may be more aware of cybersecurity best practices and more likely to use them (Shappie et al., 2020). However, an intriguing study found that those higher in agreeableness were more likely to click on links in phishing attacks (Cho et al., 2016). ...
... The latter authors also found a significant positive relationship between conscientiousness and the intended use of Facebook privacy settings. Further research on the security influence of the Big Five personality traits also found a significant positive relationship between conscientiousness and cybersecurity behaviour (Shappie, Dawson & Debb 2019). Given the evidence presented, the authors hypothesise that: ...
Article
Background: Socially desirable responding within the context of self-reported surveys is a well-known and persistent problem that plagues quantitative studies. Such forms of responding are particularly problematic within the context of personality-based studies that investigate privacy-related decision-making. In such instances, certain respondents may feel pressured to provide socially desirable responses, which reduces the overall quality of the collected data. Objectives: The objective of this study was to evaluate the extent to which the Big Five personality traits (openness, conscientiousness, extraversion, agreeableness and neuroticism) elicit socially desirable responses within the context of privacy-related decision-making. Method: To evaluate their hypotheses, the authors empirically situate their study within the context of respondents’ intended use of Facebook privacy settings. To this end, 576 survey responses were analysed using partial least squares structural equation modelling (PLS-SEM). Results: It was found that some personality traits were indeed significantly related to socially desirable responding – albeit not always as expected. For example, highly agreeable individuals were unlikely to provide socially desirable responses: choosing honest responses. Neuroticism, on the other hand, had the opposite effect. Conclusion: Based on the results, the authors conclude that neurotic individuals seem predisposed towards responding in a socially desirable manner within the context of privacy related surveys. The authors, therefore, advise researchers within the field of privacy-based personality studies to take care when analysing their results.
Article
Insider threats are a pernicious threat to modern organizations that involve individuals intentionally or unintentionally engaging in behaviors that undermine or abuse information security. Previous research has established that personality factors are an important determinant of the likelihood that an individual will engage in insider threat behaviors. The present article asserts that dark personality traits, non-clinical personality characteristics that are typically associated with patterns of anti-social and otherwise noxious interpersonal behaviors, may be particularly useful for understanding and predicting insider threat behaviors. Although some relationships between insider threats and dark traits have been documented, most attention has been devoted to a limited subset of dark traits. To address this issue, we critically review contemporary models of dark traits and their potential value for understanding both malicious and non-malicious insider threats, supplemented by discussions of subject matter expert ratings concerning the relevance of dark traits for both insider threat behaviors and cybersecurity personnel job performance. We then review potential assessment issues and provide evidence of possible moderators for the relationships under investigation. Finally, we develop avenues for future research, an agenda for improving the measurement of dark traits, and guidance for how organizations may implement the assessment of dark traits in their organizational processes.
Article
Young adults aged between 18 and 30 are likely to encounter increasing cyber threats. Understanding the cybersecurity behaviors of young adults, and identifying the measures and factors that can help reduce cyber threats is thus crucial. Since the existing studies have not sufficiently explored these factors, this study adopted a socio-behavioral perspective. It employed the primary constructs of the theory of planned behavior (TPB) with other factors, including perceived awareness and knowledge of cyber threats, to predict young adults' behavioral intent to practice cybersecurity behaviors. Data were collected from a random sample of 1581 young adults studying at Technical and Vocational Training Corporation (TVTC) colleges in Saudi Arabia through an online survey and were analyzed using the least-squares partial structural equation modeling (SEM). The results revealed that attitude (ATT), subjective norm (SN), and perceived behavioral control (PBC) strongly influenced young adults’ intentions to practice cybersecurity behavior (IPC). Also important for IPC was the perceived awareness of the consequences of the risks of cyber threats and the need for cybersecurity behavior (PCST). Moreover, while PCST and IPC were directly related to practicing cybersecurity behaviors, PBC was not. Future studies may benefit from examining cultural, and socio-demographic aspects that may influence CSB.
Article
Single sign-on (SSO) enables users to authenticate across multiple related but independent systems using a single username and password. While the number of higher education institutions adopting SSO continues to grow, little is known about the academic community’s security awareness regarding SSO. This paper aims to examine the security awareness of SSO across various demographic groups within a single higher education institution based on their age, gender, and academic roles. Additionally, we investigate some psychological factors (i.e., privacy concerns and personality traits) that may influence users’ level of SSO security awareness. Using survey data collected from 283 participants (faculty, staff, and students) and analyzed using a hierarchical linear regression model, we discovered a generational gap, but no gender gap, in security awareness of SSO. Additionally, our findings confirm that students have a significantly lower level of security awareness than faculty and staff. Finally, we discovered that privacy concerns have no effect on SSO security awareness on their own. Rather, they interact with the user’s personality traits, most notably agreeableness and conscientiousness. The findings of this study lay the groundwork for future research and interventions aimed at increasing cybersecurity awareness among users of various demographic groups as well as closing any existing gaps between them.
Article
The current study focused on how engaging in media multitasking (MMT) and the experience of everyday cognitive failures impact on the individual's engagement in risky cybersecurity behaviors (RCsB). In total, 144 participants (32 males, 112 females) completed an online survey. The age range for participants was 18 to 43 years (M = 20.63, SD = 4.04). Participants completed three scales which included an inventory of weekly MMT, a measure of everyday cognitive failures, and RCsB. There was a significant difference between heavy media multitaskers (HMM), average media multitaskers (AMM), and light media multitaskers (LMM) in terms of RCsB, with HMM demonstrating more frequent risky behaviors than LMM or AMM. The HMM group also reported more cognitive failures in everyday life than the LMM group. A regression analysis showed that everyday cognitive failures and MMT acted as significant predictors for RCsB. These results expand our current understanding of the relationship between human factors and cybersecurity behaviors, which are useful to inform the design of training and intervention packages to mitigate RCsB.
Article
In this paper, we correlate human characteristics with cyber security behavior intentions. While previous papers have identified correlations between certain human traits and specific cyber security behavior intentions, we present a comprehensive study that examines how risk-taking preferences, decision-making styles, demographics, and personality traits influence the security behavior intentions of device securement, password generation, proactive awareness, and updating. To validate and expand the work of Egelman and Peer, we conducted a survey of 369 students, faculty, and staff at a large public university and found that individual differences accounted for 5%–23% of the variance in cyber security behavior intentions. Characteristics such as financial risk-taking, rational decision-making, extraversion, and gender were found to be significant unique predictors of good security behaviors. Our study revealed both validations and contradictions of related work in addition to finding previously unreported correlations. We motivate the importance of studies such as ours by demonstrating how the influence of individual differences on security behavior intentions can be environment-specific. Thus, some security decisions should also depend on the environment.
Conference Paper
Increasing cyber-security presents an ongoing challenge to security professionals. Research continuously suggests that online users are a weak link in information security. This research explores the relationship between cyber-security and cultural, personality and demographic variables. This study was conducted in four different countries and presents a multi-cultural view of cyber-security. In particular, it looks at how behavior, self-efficacy and privacy attitude are affected by culture compared to other psychological and demographics variables (such as gender and computer expertise). It also examines what kind of data people tend to share online and how culture affects these choices. This work supports the idea of developing personality based UI design to increase users' cyber-security. Its results show that certain personality traits affect the user cyber-security related behavior across different cultures, which further reinforces their contribution compared to cultural effects.
Article
Information technology executives strive to align the actions of end users with the desired security posture of management and of the firm through persuasive communication. In many cases, some element of fear is incorporated within these communications. However, within the context of computer security and information assurance, it is not yet clear how these fear-inducing arguments, known as fear appeals, will ultimately impact the actions of end users. The purpose of this study is to investigate the influence of fear appeals on the compliance of end users with recommendations to enact specific individual computer security actions toward the mitigation of threats. An examination was performed that culminated in the development and testing of a conceptual model representing an infusion of technology adoption and fear appeal theories. Results of the study suggest that fear appeals do impact end user behavioral intentions to comply with recommended individual acts of security, but the impact is not uniform across all end users. It is determined in part by perceptions of self-efficacy, response efficacy, threat severity, and social influence. The findings of this research contribute to information systems security research, human computer interaction, and organizational communication by revealing a new paradigm in which IT users form perceptions of the technology, not on the basis of performance gains, but on the basis of utility for threat mitigation.
Conference Paper
Efforts to understand what goes on in the mind of an insider have taken a back seat to developing technical controls, yet insider threat incidents persist. We examine insider threat incidents with malicious intent and propose an explanation through a relationship between Dark Triad personality traits and the insider threat. Although Dark Triad personality traits have emerged in insider threat cases and deviant workplace behavior studies, they have not been labeled as such and little empirical research has examined this phenomenon. This paper builds on previous research on insider threat and introduces ten propositions concerning the relationship between Dark Triad personality traits and insider threat behavior. We include behavioral antecedents based on the Theory of Planned Behavior and Capability Means Opportunity (CMO) model and the factors affecting those antecedents. This research addresses the behavioral aspect of the insider threat and provides new information in support of academics and practitioners.
Article
Employees' failure to comply with information systems security policies is a major concern for information technology security managers. In efforts to understand this problem, IS security researchers have traditionally viewed violations of IS security policies through the lens of deterrence theory. In this article, we show that neutralization theory, a theory prominent in Criminology but not yet applied in the context of IS, provides a compelling explanation for IS security policy violations and offers new insight into how employees rationalize this behavior. In doing so, we propose a theoretical model in which the effects of neutralization techniques are tested alongside those of sanctions described by deterrence theory. Our empirical results highlight neutralization as an important factor to take into account with regard to developing and implementing organizational security policies and practices.
Chapter
A great deal of research has been devoted to the exploration and categorization of threats posed from malicious attacks from current employees who are disgruntled with the organisation, or are motivated by financial gain. These so-called "insider threats" pose a growing menace to information security, but given the right mechanisms, they have the potential to be detected and caught. In contrast, human factors related to aspects of poor planning, lack of attention to detail, and ignorance are linked to the rise of the accidental or unintentional insider. In this instance there is no malicious intent and no prior planning for their "attack," but their actions can be equally as damaging and disruptive to the organisation. This chapter presents an exploration of fundamental human factors that could contribute to an individual becoming an unintentional threat. Furthermore, key frameworks for designing mitigations for such threats are also presented, alongside suggestions for future research in this area.
Article
Security breaches are prevalent in organizations and many of the breaches are attributed to human errors. As a result, the organizations need to increase their employees' security awareness and their capabilities to engage in safe cybersecurity behaviors. Many different psychological and social factors affect employees' cybersecurity behaviors. An important research question to explore is to what extent gender plays a role in mediating the factors that affect cybersecurity beliefs and behaviors of employees. In this vein, we conducted a cross-sectional survey study among employees of diverse organizations. We used structural equation modelling to assess the effect of gender as a moderator variable in the relations between psychosocial factors and self-reported cybersecurity behaviors. Our results show that gender has some effect in security self-efficacy (r = -0.435, p < 0.001), prior experience (r = -0.235, p < 0.001) and computer skills (r = -0.198, p < 0.001) and little effect in cues-to-action (r = -0.152, p < 0.001) and self-reported cybersecurity behaviors (r = -0.152, p < 0.001).
Article
The main purpose of this study was to examine the relationship between individuals' Information Security Awareness (ISA) and individual difference variables, namely age, gender, personality and risk-taking propensity. Within this study, ISA was defined as individuals' knowledge of what policies and procedures they should follow, their understanding of why they should adhere to them (their attitude) and what they actually do (their behaviour). This was measured using the Human Aspects of Information Security Questionnaire (HAIS-Q). Individual difference variables were examined via a survey of 505 working Australians. It was found that conscientiousness, agreeableness, emotional stability and risk-taking propensity significantly explained variance in individuals’ ISA, while age and gender did not. Knowledge of, and attitude towards information security (InfoSec) policies and procedures, explained the most variance in self-reported InfoSec behaviour. Findings highlighted the need for future research to examine individual differences and their impact on ISA. Results of the study can be applied by industry to develop tailored InfoSec training programs.
Article
This study incorporates the Big Five personality traits into a theoretical model that explains and predicts individuals' concerns for information privacy, computer anxiety, and individual behavioral intentions. Data was gathered via a survey, which was completed by 230 undergraduate college students, and analysis was conducted utilizing structural equation modeling. Agreeableness was found to have a significant influence on individual concerns for information privacy while neuroticism was found to have a significant influence on computer anxiety. In addition, intellect exerted a significant influence on both computer anxiety and behavioral intentions. Key insights for theory and practice are presented.