Myers-Briggs is a firm that believes in self-development through self-awareness. To improve the level of self-awareness, it has developed a psychometric test to indicate to which of 16 personality types everybody belongs. This is the Myers-Briggs Type Indicator (MBTI), comprising 16 types based on the interaction of four basic personalities.
The 16 types come from the combination of Carl Jung’s four basics: activity (introvert or extrovert); information absorption (sense/logic or intuition); decision-making (thinking or feeling); and life attitude (judging or perceiving).
Cybersecurity firm ESET believes that true security can only be obtained through the fusion of technology and people: the right tools supported by security aware staff. But the tools are being let down by the behavior. “What is notable about the most successful cyberattacks,” it says, “is that they rely on a degree of human error and/or ignorance.”
ESET has now partnered with Myers-Briggs to examine the relationship between staff personality traits (their MBTI) and cyber behaviors. Where links exist, there may be an opportunity to more finely target awareness training to behavioral weaknesses. Myers-Briggs is now engaged on a major study designed to find such links.
The study is a work in progress, but is already showing results. “For example,” said the company, “those with a preference for Introversion had a significantly higher score on Proactive security awareness than those with a preference for Extraversion.” ESET’s hope is that awareness of an employee’s MBTI personality will enable managers or senior staff close to that employee to target training specifically at personality-based cyber weaknesses.
The two firms have published a brief paper on results so far. For example, extroverts are likely to be more vulnerable to social engineering than introverts, but simultaneously more likely to detect other attacks.
Getting more complex, those with a preference for ‘sensing’ rather than ‘intuition’ are more likely to detect a phishing attack, but are simultaneously more likely to take cyber risks if ‘perceiving’ and ‘extroversion’ are also part of their MBTI.
“ESET and The Myers-Briggs Company,” states the paper, “advocate an integrative human and machine approach, which recognizes the strengths and weaknesses of both human team members and the digital systems they’re working with. Using psychometric tests to build self-awareness can play a big part in this, as can multi-level training.”
It continues, “For example, people with a preference for Intuition (the opposite to Sensing) will really benefit from being reminded to look at the detail of emails – does the sender’s address look odd for example (something they are less likely to do naturally).”
There is little doubt that the Myers-Briggs research will open the door to fine-grained security awareness training aimed at countering behavioral weaknesses that are built into the personality of individual members of staff. For this to fully work, however, it would require an alteration to the Myers-Briggs ethical concept — the MBTI was designed for self-awareness to allow self-development. To be fully effective in a staff training situation, the psychometric test would need to be required by, and its results available to, management.
The idea of employment-related psych-evals in everyday work environments could become a concern, regardless of the good intentions. Once it becomes a standard part of employment, where does it stop? Is it even reliable?
“I will say that scoring users is not a new concept in cyber security,” Chris Morales, head of security analytics at threat hunting firm Vectra, told SecurityWeek. “However, I personally think it is a dangerous one. We get into a funny world of what makes a good employee or not. More so, I don’t think you can connect clicking on malicious links with a particular type of persona. When something like phishing is incredibly successful, it means every type of personality is most likely at risk.”
Morales believes that people are not the problem. “The system design and internal processes are. We have to make a fundamental assumption that breaches happen and be prepared with a solid incident response process.”
Whether the MBTI approach offers any serious advantage to adaptive awareness training can also be questioned. Adaptive training will adapt to the weaknesses of those being trained without needing to know their personality traits. “The good news is that proper continuous and evolving training has proven to change behavior of so-called disruptive staff,” explains Shlomi Gian, CEO at awareness training firm CybeReady.
None of this changes the fact that understanding which staff members are more likely to succumb to phishing or click on a malicious link would benefit the overall security posture of any business. “Overlaying organization-wide self-awareness with a robust cyber security system can create a net of human/digital skills and proclivities which cybercriminals will have trouble slipping through,” says ESET.