“Psychology trumps technology,” says Jeff Hancock of the Stanford Social Media Lab. While he’s talking about communicating well on social media, the same principle applies to physical security and cybersecurity in the workplace. With the click of a button or the turn of a key, human actions can either uphold or undermine prevention measures.
Security technology is an essential tool for any organization, of course, but it must be combined with a culture that both anticipates and embraces the human factor. From the executive boardroom to the newest intern's desk, a basic grasp of behavioral science is essential for creating a safer organization.
Whether you’re a security leader or an employee who’s simply curious about your behavior at work, explore how your personality, cognitive biases, and personal experiences shape your approach to protecting your organization.
There’s a reason 80% of Fortune 500 companies use personality tests. Who doesn’t enjoy learning more about themselves? Personality tests also help you understand how your colleagues think and interact with others. While personality categorizations can’t explain or predict anyone’s behavior to a T, they’re a useful tool for building an effective security culture.
To demonstrate how personality traits can affect workplace security, we’ve created five profiles based on the personality types from three common frameworks: DISC, Myers-Briggs Type Indicator (MBTI), and Enneagram. When reviewing the profiles, it's helpful to know your type from at least one of the three frameworks. There are several free quizzes available online.
Security Behavior Profiles
Efficiency Champion
- Approach: Efficiently handles security responsibilities, identifies shortcuts where appropriate, and leads security initiatives
- Traits: Assertive, results-driven, risk-taking, decisive
- Weaknesses: May overlook important details in pursuit of efficiency or take excessive risks
- DISC: Dominance (D)
- Enneagram: Type 3 (The Achiever), Type 8 (The Challenger)
- MBTI: ESTJ, ESTP, ENTJ
Security Ambassador
- Approach: Engages colleagues in security discussions, emphasizes the significance of security measures, and promotes a shared commitment to creating a culture of security awareness
- Traits: Social, outgoing, persuasive, enthusiastic
- Weaknesses: Susceptible to manipulation due to social nature; may prioritize popularity over strict security adherence
- DISC: Influence (I)
- Enneagram: Type 2 (The Helper), Type 7 (The Enthusiast)
- MBTI: ESFJ, ESFP, ENFP
Innovative Trailblazer
- Approach: Brings fresh ideas, encourages thinking outside the box, and contributes imaginative solutions
- Traits: Creative, introspective, unique, emotionally aware
- Weaknesses: May introduce unconventional approaches to their work that compromise established security standards
- DISC: Combination of Influence (I) and Conscientiousness (C)
- Enneagram: Type 4 (The Individualist), Type 5 (The Investigator)
- MBTI: INFP, INFJ, INTJ, ENFJ, ENTP
Steady Sentinel
- Approach: Consistently follows security guidelines and maintains a watchful eye to ensure reliable security
- Traits: Patient, cooperative, dependable, loyal
- Weaknesses: Tendency to resist change even when security measures require updates; may become complacent in routine security tasks
- DISC: Steadiness (S)
- Enneagram: Type 6 (The Loyalist), Type 9 (The Peacemaker)
- MBTI: ISFJ, ISFP
Precise Protector
- Approach: Pays attention to detail, ensures thorough documentation, and follows security procedures diligently to adhere to precise security protocols
- Traits: Analytical, detail-oriented, systematic, cautious
- Weaknesses: May become overly focused on minute details, potentially slowing down processes; can resist change
- DISC: Conscientiousness (C)
- Enneagram: Type 1 (The Reformer), Type 5 (The Investigator)
- MBTI: ISTJ, ISTP, INTP
Keep in mind that these profiles represent generalized tendencies people might exhibit in relation to security. Actual behavior may vary, and people often display a mix of traits from different personality types.
Modern life has conditioned people to become more efficient, for better or for worse. As your brain is inundated with information and stimuli, it helps you navigate daily life by creating mental shortcuts known as cognitive biases. While this unconscious process helps you make decisions quickly, it can also lead to errors in judgment and make it easier for bad actors to exploit vulnerabilities.
Since an organization’s security relies on everyone to do their part, it’s important to recognize and address common mental mistakes. Some of the ones that affect workplace security include:
- Definition: Being blindly influenced by an authority figure’s guidance.
- Example: An internal bad actor spoofs an email from a company executive requesting that a specific employee be given access to a restricted area. Due to the sender’s perceived authority, the email recipient follows the request without question.
- Definition: Acting on curiosity, even if it has negative consequences.
- Example: An employee peeks inside a confidential file on their coworker’s desk.
- Definition: Performing familiar actions that have been ingrained over time.
- Example: An employee habitually leaves keys on their desk when they go for a break, making it easier for someone to take the keys and access restricted areas.
- Definition: When a positive impression of one aspect of a person, product, or company influences someone’s overall opinion.
- Example: An employee clicks a link in an email that appears to come from a well-known brand.
- Definition: Following the crowd regardless of best practices or personal beliefs.
- Example: Against company policy, employees use company assets like tablets or fleet cars for personal use because everyone else does it.
- Definition: Choosing instant gratification over delayed rewards.
- Example: An employee decides to temporarily place keys on their desk to save time, prioritizing immediate convenience over the potential long-term consequences (e.g., a security breach).
- Definition: The tendency for people to fear losses more than they desire equivalent gains.
- Example: An employee clicks a link in an email that appears to come from their software vendor asking them to renew their subscription immediately or risk having all their data deleted.
- Definition: Underestimating the probability of negative events, believing “it won’t happen to me.”
- Example: Employees leave doors propped open, believing the environment is safe enough that no one will exploit the open doors.
- Definition: Avoiding unpleasant information.
- Example: An employee sees a potential security violation but chooses to ignore it.
- Definition: Remembering recent information or events better than previous information or events.
- Example: Following security training, employees might become more vigilant for a brief period, but over time, they become less stringent about security protocols.
While there’s no way to switch off cognitive biases, being aware of them can help you notice when you’re making mental mistakes. By acknowledging and addressing them, you’ll do your part to maintain security standards.
If you’re experiencing distressing personal situations, your focus, memory, and decision-making ability may be affected. A recent medical study indicates that elevated stress levels can cause cognitive function to decline. Some of the personal circumstances that might affect well-being and job performance include:
- Divorce or separation
- Family responsibilities
- Death of a loved one
- Life milestones (getting married, having a child, buying a home)
- Physical or mental health struggles
- Substance abuse or addiction
- Financial challenges
- Work conflicts or heavy workload
- Legal issues
- Natural disasters or emergencies
When someone isn’t coping well with personal challenges, they’re more likely to make mistakes. For example, a manager expressed concern about their top performer, who was in the middle of a serious health crisis. Faced with crushing stress levels, the employee hadn’t been following operating procedures and was sending repetitive or inaccurate emails to both internal and external stakeholders. In situations like these, it’s easy to see how security lapses can happen.
In extreme cases, the burden of personal circumstances could lead employees to deliberately bypass security measures for personal gain. One employee — a top performer, like the employee in the last example — stole supplies from his employer and sold them online. When his boss confronted him, the employee apologetically explained that he was experiencing financial troubles and needed the money.
Understanding the influence of personal situations on your overall well-being and performance mitigates the risks of security lapses. But more importantly, you can recognize when you need to seek support. If you’re a manager, fostering an environment of support and empathy better equips your employees to navigate personal difficulties while maintaining the integrity of security protocols.
Applying Psychology to Security
Understanding how human behavior influences security measures empowers your entire organization to create a more secure environment. To apply these insights, remember these steps:
- Understand your security behavior. Whether you're an Efficiency Champion, Security Ambassador, Innovative Trailblazer, Steady Sentinel, or Precise Protector, you play an important role in upholding security. Embrace your unique strengths and consider how they influence your security practices.
- Stay mindful of cognitive biases. By acknowledging and addressing mental mistakes, you play a significant role in maintaining security standards.
- Prioritize your well-being. Remember that personal circumstances can impact your focus and decision-making. Prioritizing your well-being not only benefits you but also contributes to a more secure and resilient workplace.
- Embrace a security culture. Understand that everyone's involvement matters. Stay informed, participate in training sessions, and promote security awareness among colleagues. If you notice any unusual behavior or security concerns, promptly report them.
Working together with your organization’s security technology, you can use your insights into human behavior to actively contribute to a safer workplace.