How to find security blindspots during COVID-19: Think personality

Security is everyone's job during this time of remote work – and different personality types respond to stress in ways that could increase your organization's risk. Here's how leaders and individuals can respond.

Since COVID-19 forced much of the workforce to go remote, many central IT systems have been replaced by networks of disparate individuals. The resulting fractured security systems leave companies vulnerable to cybersecurity risks, and malicious actors are exploiting the opportunity: My company, Myers-Briggs, in partnership with ESET, has conducted research showing that, since the lockdown began, cybercrime has increased by 63 percent.

With the remote work model unlikely to decrease anytime soon, it is crucial to explore the role employees play in cybersecurity.

Here, we’ll investigate the link between human behavior and cybercrime vulnerability. Combining the perspectives of more than 100 chief information security officers and over 500 participants in a range of different occupations, our research focused on how an individual’s personality type and susceptibility to stress affect their vulnerability to cybercrime. Here are a few things we learned that you can apply.

With remote work now standard, continuity matters

For 75 percent of companies, half of the business is now undertaken by employees working remotely who were not doing so before COVID-19. Unfortunately, more than half of businesses had no continuity measures in place prior to the COVID-19 outbreak. While 80 percent said they did have a remote working strategy in place, only a quarter of businesses described their remote working strategy and operations plan as effective.

Remote work has fundamentally altered employee access to IT departments. Some baseline security measures that were taken for granted in the office, such as requiring workers to use multi-factor authentication or a VPN to access internal networks, must be compensated for at home. Additionally, companies must remind employees to enable automatic updates and check the security of their own Wi-Fi networks. Some employees do this more readily than others.

The human component

Not surprisingly, 80 percent of companies said that an increased cybersecurity risk caused by human factors posed a challenge. How do IT departments – which traditionally deal with technology rather than "people issues" – cope with a cybersecurity landscape in which people’s behavior is just as critical as technology?

Unlike algorithms, human beings are unique, emotional, and sentient. All three of these elements must be addressed to effectively manage the human aspect of cybersecurity.

Unique human beings and cybersecurity blind spots

Our upbringing, life experience, and wider culture help shape us into one-of-a-kind individuals. In addition, we have underlying personality preferences – which the Myers-Briggs Type Indicator (MBTI) framework refers to as “personality type” – that influence the extent to which we focus on the outside world vs. our inner thoughts, how we take in information, make decisions, and deal with the external world. These personality preferences also provide insight into “blind spots” that can make us vulnerable to cybercrime.

For instance, people with Extraverted personality types (who focus on the outer world of people and activity) tend to be more vulnerable to social engineering attacks that leverage manipulation, deceit, and persuasion. Extraverted people who are focused on the here and now (known as Sensing in the MBTI framework) are often more likely to take cybersecurity risks.

People who are guided by personal values (categorized as Feeling in the MBTI) and those who are systematic or structured (Judging) are more likely to fall victim to social engineering attacks. Likewise, people who tend to make decisions based on facts and logic (Thinking) may overestimate their own competence, which makes them vulnerable to mistakes.

Emotion and self-awareness

Let’s consider how emotion plays into our everyday decision-making, particularly when we’re feeling stress. Stress can color our thinking and perception in ways that profoundly impact our decisions and behavior, and the things that make us feel stress and the ways we respond to it are closely tied to personality type. Stress can, in turn, make us more vulnerable to cybercrime by expanding the blind spots that are already inherent in our personality type.

For instance, personality types that tend toward Extraversion, Sensing, and Perceiving feel stress when they lack stimulation and excitement and are physically confined (does this sound familiar these days?). Under stress, these folks may behave in thrill-seeking or dangerous ways or over-indulge. It’s easy to see how this response could lead to cybercrime vulnerability.

Conversely, people who lean toward Introversion, Intuition, and Judging feel stress when they don’t have time to think through possibilities before answering (a common situation in Zoom calls) or when their well-considered ideas are dismissed or ignored (which may happen more often in digital communications). Under stress, these individuals may not act until they’ve explored every possibility. This can be incompatible with cybersecurity, which often requires quick decision-making.

While the phrase “I think, therefore I am” applies to all sentient beings, human beings operate at different levels of self-awareness. Fortunately, self-awareness is a skill that anyone can develop with training. Achieving a high level of self-awareness is a key component in cybersecurity, as it helps us understand how we might be vulnerable to cyberattacks based on blind spots that are common to our personality type. In particular, we need to understand how those blind spots are exacerbated by stress.

Understanding the personality/stress link

COVID-19 has added stress to our everyday lives, and research conducted by my firm shows that 47 percent of respondents were somewhat or very concerned about their ability to manage stress during the coronavirus crisis. Employees who are feeling stress may be more likely to panic and click on a malicious link or fail to report a security breach to IT due to a lack of attention to detail.

In addition, the pandemic-related stress many of us feel today affects different personality types in ways that can widen the cybersecurity blind spots. As employees learn more about their own personality and its associated blind spots, as well as their stressors and behavior under stress, they can more readily manage their responses to avoid cybersecurity pitfalls.

John Hackston, head of thought leadership at The Myers-Briggs Company, is a chartered psychologist with more than 30 years' experience in helping clients to use psychometric tests and questionnaires in a wide range of contexts including selection, leadership development, performance management, and team building.