The Forgotten Value of Personality Traits in Cybersecurity
by: Agnė Brilingaitė
Last year, I shared an in-depth piece on this blog titled Cyber Warrior: Who is Behind the Cyber Shield?. It explored the global cybersecurity workforce shortage and highlighted various challenges related to cybersecurity roles and professional training, with a special focus on the human aspect of these specialists. The piece also introduced a research-based interdisciplinary framework designed to support professional skill development by incorporating insights from three key perspectives: psychology, human genomics, and technology. This write-up continues the discussion on the importance of a multidisciplinary approach to cybersecurity.
Human Dimension in Cybersecurity
In cybersecurity, technical skills and knowledge are vital components of the individual professional portfolio. When the Joint Task Force on Cybersecurity Education issued the ACM/IEEE Cybersecurity Curricula 2017, cybersecurity was defined as:
A computing-based discipline involving technology, people, information, and processes to enable assured operations in the context of adversaries<…>.
The curricula defined eight knowledge pillars, including Human Security and Societal Security (all knowledge areas can be seen in the figure below).
Among other topics, those two distinguished knowledge areas cover the psychology of social engineering attacks, user misbehavior, and cybercriminal behavior. Therefore, the role of a cybersecurity specialist requires an understanding of human intentions and decision-making in order to develop the necessary security tools.
Seven years have passed since the curricula was issued. Nowadays, these topics are more relevant than ever. No matter how many tools are developed and protection measures are taken, users continue to fall into various traps. In addition, the number of adversarial actions is only increasing, causing financial and reputational damage and leading to distrust and instability in the private and public sectors.
Every adversarial action has a human origin. Even state actors have decision-makers and campaign initiators acting under the orders of higher leadership. Moreover, humans often become the means to deliver the exploit along the cyber kill chain. In conclusion, we can adapt the famous French saying, Cherchez une Personne, to apply to most cybersecurity incidents.
Have we not forgotten anything? It should be enough to understand the rationale behind the decision-making of human actions, e.g., choosing workarounds to avoid security measures, shouldn’t it? Yet, we need to include one more human element in the schema - the cybersecurity specialist. None of the topic descriptions in the curricula mentions the personality of the cybersecurity specialist, behavior, or psychological incident handling challenges.
The only trait mentioned in the original document is the ability to adapt to different environmental conditions and situational contexts <…> Professionals will find the ability to learn new technologies and embrace change to be of considerable importance in years to come.
To be more precise, the chapter on Industry Perspective in the curricula highlights several soft skills, including resilience and teamwork. Additionally, it references the external US Cybersecurity Competency Model, which is organized by occupation and includes stress tolerance as one of the key competencies.
The case highlights a clear gap between the curricula and industry needs, as psychology and personality traits are not sufficiently covered within the current scope of the curricula. Many cultures emphasize that everything begins with understanding oneself. As Aristotle wisely put it:
Knowing yourself is the beginning of all wisdom.
In response, the research community has, in recent years, shifted its focus toward the human aspects of cybersecurity, placing greater importance on the personality of the cybersecurity specialist.
A Multidisciplinary Research Protocol
While implementing project ADVANCES, the research team developed a prototype as a proof of concept that enables the investigation of a personality profile via a multi-discipline approach. As mentioned at the beginning of this write-up, in the framework, education (i.e., professional skill development) works as an umbrella for the psychology, genetics, and technology components. This write-up provides some insights from the partial research results; more details are available in the pre-print of the research paper [1].
The figure presents a simplified overview of the research protocol. The team obtained approval from the Bioethics Committee, and the protocol was included in the application for this approval. The research team adhered to the protocol and operated in compliance with ethical standards. The approval limited the collection of biomedical data to local citizens only.
The process includes four phases:
- Phase I is related to biomedical data collection and genetic association analysis. At this stage, the participants are registered in the controlled environment following the protocol and are anonymized for the subsequent phases. The genetics research part is independent and isolated from other systems due to the sensitive data. Only anonymized and statistically calculated data is used in later stages instead of raw data.
- Phase II includes validated psychological inventories for self-reporting on the web-based system. In the scope of this post, we consider only impulsivity as a trait. Thus, the Barratt Impulsiveness Scale (BIS-11) is used to identify impulsivity factors. The inventory has 30 items (questions), and the participant answers them using a four-point Likert scale. When the questionnaire is complete, a report with diagrams is presented to the participant to show the impulsivity score and other factors such as perseverance and self-control.
- Phase III is dedicated to IT and cybersecurity skill testing in the Capture the Flag (CTF) module on the same web-based system. The CTF includes several question categories, from cybersecurity hygiene to advanced cybersecurity questions. Some sub-categories are activated only after a prerequisite part is completed to ensure consistent and continuous skill testing. The research participants could stop at any time, and any participant could enter any question category.
- Phase IV is dedicated to data analysis and triangulation of partial results to draw any conclusions regarding the participant profile.
The research design required two participant groups, i.e., a control group and a group of cybersecurity specialists. The participants assigned themselves to the group when they came to the testing environment. As biomedical data had to be collected in the hospital, the computer room was reserved for participants to fill out the questionnaires and play the CTF on the same premises to save time. The web-based components are reusable. The reusability of the genetics component is limited due to the sensitive data and required permissions to collect and analyze the data. Moreover, special laboratory materials are needed to perform DNA extraction and genome-wide genotyping, i.e., new research iterations would mean new financial costs.
Whether the Price and Effort Met Expectations
Currently, we can only give insights from half of the collected data, as the pre-print of the research paper is available on the internet. The straightforward statistical analysis showed some differences between the control and target (cybersecurity specialists) groups. The trends showed slightly higher impulsivity among the specialists. However, the difference was not statistically significant. Moreover, the data sample (n = 48) is not big enough to draw any serious conclusion. Yet, the developed proof of concept revealed additional potential and provided further data related to existing cybersecurity-related myths.
The recruitment of participants confirmed the gender imbalance in cybersecurity. The invitation was spread on social media and university pages. A limited number of women in cybersecurity participated; thus, to ensure group similarity, some women were withdrawn from the list, i.e., we had to reject their interest in participation.
The psychological inventories are based on a set of questions. The psychological trait level is calculated using a subset of those, but individual questions also seem helpful in getting some insights about the participants. For example, the BIS-11 includes questions on how the participant likes puzzles or how fast the participant makes up one’s mind. Based on the results, the target group of specialists was not so fond of puzzles (surprise?) in comparison to the control group but made up their minds fast.
The participants were allowed to return to the system to check results and continue CTF tasks for a limited time outside the dedicated premises. Also, the decision-making was tracked, i.e., whether hints were used and how many times the participant tried to answer the question. Unexpectedly, we had some data to support views of the traits, e.g., perseverance. Returning users demonstrated an interest in psychological profiling, as the participants reviewed their results, which were presented visually with explanations/interpretations and scientific sources for further reading. Thus, accepting personal traits can be moved to another level, such as specialized training to understand personal opportunities and limitations due to psychological characteristics.
I may publish one more write-up about the multi-discipline approach to the cybersecurity workforce to make a trilogy and present final insights from the research project. Yet, it is essential to emphasize that the results could be biased due to the complex research protocol and required limitations. But it is better to try than do nothing and leave challenging opportunities to others.
[1] Brilingaitė, Agnė; Bukauskas, Linas; Domarkienė, Ingrida; Rančelis, Tautvydas; Ambrozaitytė, Laima; Pirta-Dreimane, Rūta; Lugo, Ricardo G.; Knox, Benjamin J. Towards Projection of the Individualised Risk Assessment for the Cybersecurity Workforce. Pre-print available at SSRN.