Most cybersecurity solutions take a one-size-fits-all approach. Everyone gets the same training and the same simulated phishing emails.
Yet, we all respond to cyber threats in different ways. Our personalities and differences often play a crucial role in how we act. For this reason, training adjusted to each individual could better reduce cyber risk.
Several factors influence individuals’ security behaviour, from attitudes towards security and confidence to engage in security behaviours, to job roles and aspects of ourselves, like age and cultural upbringing.
The future is personal
Personalised cybersecurity is relatively unchartered territory. Some existing training is tailored to people’s job roles, but further personalisation based on other factors is limited.
Research has been conducted in this area, but sample sizes are limited. Tailored cybersecurity solutions have not yet been implemented at scale. So how might we start personalising cybersecurity in the workplace?
Personality inventories, such as the 44-item Big Five Inventory or the IPIP 120, allow us to map people’s personalities. This information could be used to identify the most beneficial types of training for each individual.
For example, someone scoring highly for agreeableness is more susceptible to phishing scams containing a plea for help or assistance. They are more likely than others to respond to such an email in the hope of providing aid.
To help an agreeable person reduce their cyber risk, send phishing simulations that appeal to their generosity. Learning to recognise such emails aids agreeable people strengthen their defence against attacks they’re more susceptible to.
Information from personality inventories helps tailor how people are given information and which information they are given. For example, extroverts would receive content relating to their social preferences. Meanwhile, people scoring highly for openness might prefer visual information instead of text.
Personality tests are no panacea. The accuracy of self-reporting personality traits has been questioned. Personality surveys also involve sensitive data collection and storage, which come with ethical considerations.
Still, the benefits of personalisation are potentially too good to ignore. Tailored programmes could target specific issues and risks facing an individual. People would more quickly learn the information needed to reduce their risk if the training format was tailored to suit their personality type.
Given people are the most critical defence in cybersecurity. It makes sense to take account of idiosyncrasies. We are getting better at empowering people to spot risk. But the impact of one-size-fits-all training will always be limited.
A lot is left to do, but the rewards of an effective strategy could be huge. Harnessing individual differences is becoming increasingly important for making cybersecurity relevant and personable.