a psychological profile of defender personality traits

A Psychological Profile of Defender PersonalityTraitsTara Whalen

Faculty of Computer Science, Dalhousie University, Halifax, NS, CanadaEmail: [email protected]

Carrie Gates∗

CA Labs, CA Inc., Islandia, New York, USAEmail: [email protected]

Abstract— The security community has used psychologicalresearch on attacker personalities, but little work has beendone to investigate the personalities of the defenders. Oneinstrument currently dominating personality research is theFive Factor Model, a taxonomy that identifies five majordomains of personal traits, composed of sets of facets. Thismodel can be used within an organizational or vocationalcapacity to reveal dominant tendencies, such as openness tonew experiences. Within a security context, this tool couldshow what patterns professionals exhibit, which may revealareas of insufficient diversity and “blind spots” in defenses.

We surveyed 43 security professionals using a FiveFactor Model-based test (the IPIP-NEO) to reveal commondominant traits. We found that our sampled securitypopulation demonstrated that they were highly dutiful,achievement-striving, and cautious; in addition, they werehigh in morality and cooperation, but low in imagination.We note that many of these characteristics seem to beappropriate for security professionals, although the lowscores in the “openness to experience” domain may indicatedifficulties in devising new security defense methods and inanticipating new forms of attack. This finding implies thatsecurity professionals might be more reactive to securitythreats, rather than proactive in discovering them beforethey are used by adversaries. This lack of anticipationcould potentially leave large organizations vulnerable toattacks that might have otherwise been prevented.

I. INTRODUCTION

Within the security community, psychological researchhas traditionally been directed towards attackers: for ex-ample, the psychology underlying insider threats [36] orcriminal hacker behavior [32]. However, another pieceof the overall picture is the psychology of the defenderwho must guard against these threats. Security defendersrespond to the approaches and actions taken by attackers:they develop counter-offensive strategies, and attempt toanticipate new threats. In a sense, attackers and defendersoperate in an antagonistic partnership, considering thesame sets of problems from different perspectives. Be-cause psychology (specifically, personality traits) has beenused to understand attackers, it is worth considering howtheir “partners”, the defenders, might similarly be affectedby psychological factors. Specifically, it is useful to un-derstand how personality traits influence the effectiveness

* C. Gates completed this work while at Dalhousie University, Canada

of security defenders. This in turn might indicate wherethere may be weaknesses in defence strategies.

There have been some recent steps in this direction.Greenwald et al. [14], in a panel on psychology insecurity, noted that profiling defenders might be “themost promising solution to the non-acceptance factor: asensation-seeker is a risk taker, so he/she will not buy anInfoSec software package; if bought by somebody else,they will not install it; if forced to install, they will usethe first customer complaint about a performance deficitas an excuse to uninstall it.” These statements suggest thatthere are benefits to developing a better understanding ofthe personality aspects of security defenders.

In order to develop a more complete understanding ofdefender personality traits, we build upon an initial studythat used the Myers-Briggs Type Indicator (MBTI) [11],and employed another current personality test: the FiveFactor Model (FFM). This model has enjoyed recent favorwithin the psychology community, and has been widelyadopted as a comprehensive testing instrument [26]. Asopposed to the MBTI, which describes people in termsof one of 16 “types” of personalities, the FFM describespeople in terms of five overall personality domains, eachof which is further sub-divided into six traits (“facets”).

We solicited the security professionals who attended the2004 Annual Computer Security Applications Conferenceto complete the IPIP-NEO, a 120-item questionnairebased on the FFM. The results from this questionnairewere used to determine how the attendees comparedto the general population on each of the five domainsand 30 facets. We found that these professionals scoredsignificantly higher on the domain conscientiousness andlower on the domain openness to new experience. Thispaper details the methodology and results from having thisgroup of security professionals complete the Five FactorModel personality test.

Section II describes the Five Factor Model used asthe basis of our investigation. Section III presents ourexperimental methodology and statistical results. SectionIV discusses how the personality profiles may affectsecurity practice. Section V presents some related workin this area. We describe future work in Section VI andconclude with some summary remarks in Section VII.

84 JOURNAL OF COMPUTERS, VOL. 2, NO. 2, APRIL 2007

© 2007 ACADEMY PUBLISHER

II. THE FIVE FACTOR MODEL

A. Overview of Five Factor Model

A dominant taxonomy within current personality re-search is the Five Factor Model (FFM), which uses fivebasic domains, each containing subfactors (or “facets”)that make up that category. FFM uses the “OCEAN”domains: Openness to experience, Conscientiousness, Ex-traversion, Agreeableness, and Neuroticism [12]. A per-son will have different levels of each trait, which arecompared to the rest of the population; for example, aperson’s test results may show that he is less extravertedthan the average test subject, but more open to experience.The five FFM domains are described in detail below; thefacets are from the International Personality Item PoolRepresentation of the NEO-PI-R (IPIP-NEO) [12], whichwas the FFM test used in this study.

Openness to Experience: this domain demonstratesa person’s comfort with new ideas, abstractions, andimagination. The IPIP-NEO test characterizes Opennessto Experience in the following way, “Open people areintellectually curious, appreciative of art, and sensitiveto beauty. They tend to be, compared to closed people,more aware of their feelings. They tend to think andact in individualistic and nonconforming ways...Anothercharacteristic of the open cognitive style is a facility forthinking in symbols and abstractions far removed fromconcrete experience” [19]. The facets of Openness areemotionality, artistic interests, imagination, adventurous-ness, liberalism, and intellect. (Note that intellect does notmean intelligence; rather, it refers to enjoyment of playingwith ideas rather than with concrete people or things.)

Conscientiousness: this domain deals with impulsecontrol and spontaneity. The IPIP-NEO states that “Im-pulses are not inherently bad; occasionally time con-straints require a snap decision, and acting on our firstimpulse can be an effective response. Also, in times ofplay rather than work, acting spontaneously and impul-sively can be fun...Nonetheless...Acting impulsively disal-lows contemplating alternative courses of action, some ofwhich would have been wiser than the impulsive choice.Impulsivity also sidetracks people during projects thatrequire organized sequences of steps or stages” [19]. Thefacets of Conscientiousness are self-efficacy, orderliness,dutifulness, achievement-striving, self-discipline, and cau-tiousness.

Extraversion: this domain describes the degree ofengagement with the external world. According to theIPIP-NEO “Extraverts enjoy being with people, are full ofenergy, and often experience positive emotions...In groupsthey like to talk, assert themselves, and draw attention tothemselves. Introverts lack the exuberance, energy, andactivity levels of extraverts. They tend to be quiet, low-key, deliberate, and disengaged from the social world”[19]. Introversion can sometimes be misinterpreted asdepression or unfriendliness; however, introverts merelyrequire less interaction with the social world, and may bequite agreeable and content. The facets of Extraversion are

friendliness, gregariousness, assertiveness, activity level,excitement-seeking, and cheerfulness.

Agreeableness: this domain is focused on how muchpeople value getting along with others. The IPIP-NEOstates that “Agreeable individuals value getting along withothers. They are therefore considerate, friendly, generous,helpful, and willing to compromise their interests withothers’. Agreeable people also have an optimistic view ofhuman nature. Disagreeable individuals place self-interestabove getting along with others. They are generallyunconcerned with others’ well-being, and therefore areunlikely to extend themselves for other people” [19].Agreeable people may be more popular, but disagree-ableness can be an asset when making hard objectivedecisions. The facets of Agreeableness are trust, morality,altruism, cooperation, modesty, and sympathy. (Note thatmorality in this context does not refer to one’s stanceon issues of social significance, such as euthanasia, butrather indicate characteristics such as sincerity and lackof guardedness about telling the truth.)

Neuroticism: this domain has a somewhat mislead-ing title, as it suggests the individual is suffering fromFreudian neurosis. In current psychology parlance, neu-roticism refers to a person’s inclination to experiencenegative emotions (such as anxiety). According to theIPIP-NEO “People high in neuroticism are emotion-ally reactive. They respond emotionally to events thatwould not affect most people...These problems in emo-tional regulation can diminish a neurotic’s ability tothink clearly, make decisions, and cope effectively withstress...individuals who score low in neuroticism are lesseasily upset and are less emotionally reactive. They tendto be calm, emotionally stable, and free from persistentnegative feelings” [19]. Note that those who are low onthe neuroticism scale may not necessarily have positiveemotions most of the time, merely a lack of frequentnegative feelings. The facets of neuroticism are anxiety,anger, depression, self-consciousness, immoderation, andvulnerability.

B. Development of the Five Factor Model

The Five Factor Model is based on an analysis of theEnglish language, rather than on the theory of any in-dividual psychologist. Personality-related adjectives wereextracted from a dictionary, and study participants wereasked to use these adjectives to describe different peo-ple. Statistical correlations were used on the results togenerate groups of adjectives that seemed to describethe same general trait. For example, adjectives such as“lively”, “talkative” and “outgoing” were likely to beapplied together, and thus represented the overall factor ofextraversion. Fiske, in 1949, was the first to establish thatthere are five dominant factors in personality [9]. This waslater confirmed and extended by Tupes and Christal [37].Their work was in turn continued by Norman [28], whopopularized the concept. After a hiatus of nearly 20 years,the idea of using five factors to characterize personalities

JOURNAL OF COMPUTERS, VOL. 2, NO. 2, APRIL 2007 85


resurfaced in the early 1980s and has since been studiedmore extensively.

In this study we used the International PersonalityItem Pool (IPIP-NEO) online test, which was createdby Goldberg in 1999 [12]. This test was designed tomeasure the same aspects as the NEO PI-R test (which isa similar, but proprietary, personality test using the “Big5” as opposed to the Five Factor Model), as well as to beshort enough to encourage subject completion. The IPIPresearchers claim a high degree of correlation betweenthe IPIP-NEO and the NEO PI-R test [12].

C. Scoring

A test subject who takes a Five Factor Model test (suchas the IPIP-NEO) is presented with a series of questionsto determine the level of a particular facet within eachof the five domains. The score is based on a continuum,with subject scores falling along a normal distribution.Approximately half of the questions are keyed positively(towards the high end of the scale) and the other half, neg-atively; this provides some balance so that the responsesare not biased toward one type of response.

Let us consider the example of one facet–sympathy–within the domain of Agreeableness. Some questionswithin the entire test would be designed to measure sym-pathy. Approximately half would be phrased positively(“Feel sympathy for those worse off than myself”) andhalf negatively (“Am not interested in people’s problems”)[12]. Responses, in the IPIP 120-item test, are based on a5-point Likert scale; the person can strongly agree, agree,be neutral, disagree or strongly disagree as to whether thestatement describes them accurately [24]. The responsesprovide a level of sympathy, which can be compared toother test subjects, based on a normal distribution. Wethen see where the person falls in comparison to others,in terms of sympathy: less sympathetic, more sympathetic,or average. Sympathy can then be combined with othertraits within the Agreeableness domain (such as moralityand trust) to give an overall domain score, which again islocated within a normal distribution. In summary, a personis evaluated in terms of an overall population, giving acomparative score expressed as a percentile.

III. METHOD

A. Sampling Procedure

We conducted a survey of security professionals inorder to determine their personality characteristics usingthe NEO PI-R instrument [7]. This instrument is basedon the Five Factor Model, which is widely accepted inmainstream personality psychology [26]. The other pop-ular personality assessment device is the Myers-BriggsType Indicator R©(MBTI)1, which assigns respondents toone of 16 personality “types”. However, this tool isgenerally not as popular amongst psychologists [26]. We

1Myers-Briggs Type Indicator and MBTI are registered trademarksof Consulting Psychologists Press, Inc.

therefore chose the FFM, and concentrated on measuringpersonality traits as opposed to types.

The original NEO PI-R is copyrighted by PsychologicalAssessments Resources Inc. and is available for purchaseby professionals [31], however we did not have thefinancial resources to use this particular test. In addition,this test has 240 questions and takes 35 to 45 minutes tocomplete. Given that our participants were all volunteers,we felt that they would be unwilling to invest that muchtime in completing the survey.

We therefore chose a related test, the IPIP (InternationalPersonality Item Pool) NEO [12] [18], which is similar tothe NEO PI-R [7]. While the full IPIP test is in the publicdomain, it consists of 1,699 questions. Thus, we used amodified version of this test, developed by Dr. Johnsonand available at http://www.personal.psu.edu/faculty/j/5/j5j/IPIP/ipipneo120.htm. Thisversion consists of 120 questions about personality traits(e.g., love large parties, prefer variety to routine), whichsubjects are asked to rate on a 5-point Likert scale fromvery inaccurate to very accurate. The answers are used todetermine scores on 30 facets of personality, which areaggregated into five broad domains: neuroticism, extraver-sion, openness to experience, agreeableness and conscien-tiousness. This particular form of the IPIP NEO personal-ity test uses the results from more than 20,000 respondentsto ensure that it has an acceptable measurement reli-ability (according to http://www.personal.psu.edu/faculty/j/5/j5j/IPIP/).

The on-line questionnaire was converted to a paperformat where subjects were asked to fill in the bubble forthe response that most closely described them. The ques-tionnaires were disseminated with the registration packetsat the Annual Computer Security Applications Conference(ACSAC), held in December 2004. There were 177 atten-dees at this conference, 43 of whom returned completedsurvey questionnaires, providing a response rate of 24.3%.The attendees at this conference covered a broad spectrumof security professionals, including both researchers andpractitioners from government, industry and academia.

B. Analysis

There were 43 responses to the survey: 31 men (72%),ten women (23%) and two people who did not providetheir sex. (This is representative of the field in general,where the percentage of women employed in a com-puter/information science position in the United States is26% [27].)

Of the 43 responses, we discarded the two who did notprovide their sex, as well as an additional questionnairewhere the true responses were difficult to determine.Of the remaining 40, only 23 responses were complete(no missing or ambiguous answers). The remaining 17questionnaires were either missing results for one or morequestions, or had some ambiguous answers (e.g., tworesponses checked for a single question). These errorswere an artifact of the conversion from an on-line formto a paper form, where it is easier to miss questions or



have ambiguous and difficult to read answers. In orderto include these responses, we determined the personalitydomain for the missing or ambiguous questions and thenremoved the results for this user for those domains fromfurther consideration. This left us with N = 34 forextraversion, N = 35 for neuroticism and openness, N =37 for conscientiousness and N = 39 for agreeableness.

The results were analysed using the datacollected and scripts written by Dr. Johnson (seehttp://www.personal.psu.edu/faculty/j/5/j5j/IPIP/ipipneo120.htm). His programscalculate scores for each of the 30 facets and fivepersonality domains. It then compares these scoresagainst scores that have been collected over time froma large number of people to determine the percentileinto which the respondent falls. The only numberreported to the respondent is their percentile score.This would indicate, for example, that a respondent ismore extraverted than some percentage of the generalpopulation.

We obtained the scripts used on this web site, alongwith a spreadsheet of the percentile scores on whichthe calculations are based. The original scripts calculatepercentiles where a respondent is compared against othersof the same sex and age range. However, we did notcollect any demographic information on age, and somodified the scripts to not use this particular data. (Wenote, however, that this is unlikely to affect our results,given that age was divided into only two groups: 21and older or younger than 21.) We therefore calculatedpercentiles using sex as the only discriminator, wherethese values were based on responses from 7743 men and13,524 women, representing the results collected by theweb site over some period of time. We assume that thispopulation is reasonably close to the general population,although it still suffers from the self-selection bias, whichmeans that we only have results from those people whohave access to the study and are willing to take that study,rather than from a truly random population.

We manually entered the data for each respondentvia a web page, and recorded the percentile results thatwere obtained. We grouped the resulting scores into low,medium and high categories, where low indicates that therespondent was below the 30th percentile, high indicatesthe respondent was above the 70th percentile, with theremainder being the medium. The results from dividingthe scores in this manner for both the overall domainsand each of their facets are presented in Table I. Wealso present the results across the five domains for menand women in Tables II and III respectively. We note,however, that the number of women participants in thestudy is too small to draw any gender-based conclusions. 2

Despite this, women and men were analysed separately aswomen tend to score higher than men on the domains

2Even when the binning strategy for the percentiles for each domainwas changed to only two — low (< 50%) and high (≥ 50%) —the number of female participants is still too low to provide reliablestatistical results.

of agreeableness and neuroticism, and so need to becompared to other women rather than the population as awhole.

Domain and Facets Low Medium High Total

Extraversion 13 14 7 34Friendliness 12 11 11Gregariousness 12 15 7Assertiveness 4 21 9Activity Level 4 13 17Excitement-Seeking 22 10 2Cheerfulness 11 13 10

Agreeableness 5 21 13 39Trust 6 20 13Morality 4 13 22Altruism 6 22 11Cooperation 3 15 21Modesty 6 20 13Sympathy 12 15 12

Conscientiousness 1 20 16 37Self-Efficacy 8 20 9Orderliness 11 12 14Dutifulness 3 19 15Achievement-Striving 3 17 17Self-Discipline 7 17 13Cautiousness 2 17 18

Neuroticism 14 13 8 35Anxiety 11 12 12Anger 16 11 8Depression 14 13 8Self-Consciousness 10 16 9Immoderation 8 18 9Vulnerability 11 17 7

Openness to Experience 18 11 6 35Imagination 23 10 2Artistic Interests 12 17 6Emotionality 14 14 7Adventurousness 15 11 9Intellect 8 19 8Liberalism 8 10 17

TABLE I.THE DISTRIBUTION OF RESULTS AMONG LOW, MEDIUM AND HIGH

SCORES FOR THE FIVE DOMAINS AND EACH OF THEIR FACETS.

Personality Domain Low Medium High TotalExtraversion 8 11 6 25Agreeableness 3 16 11 30Conscientiousness 1 14 12 27Neuroticism 12 8 7 27Openness to Experience 13 9 4 26

TABLE II.THE DISTRIBUTION OF RESULTS AMONG LOW, MEDIUM AND HIGH

SCORES FOR MEN.

Personality Domain Low Medium High TotalExtraversion 5 3 1 9Agreeableness 2 5 2 9Conscientiousness 0 6 4 10Neuroticism 2 5 1 8Openness to Experience 5 2 2 9

TABLE III.THE DISTRIBUTION OF RESULTS AMONG LOW, MEDIUM AND HIGH

SCORES FOR WOMEN.



We performed a χ2 test for significance with twodegrees of freedom, comparing our actual results foreach domain with the expected results given a uniformrandom distribution. We assume that the expected resultfits a uniform random distribution because we are usingpercentiles, which is a strict ranking. Therefore we wouldexpect 30% of respondents to have a percentile score onany particular domain of less than or equal to 30 and 30%of respondents to have a percentile score of greater than70, with the remaining 40% falling between 31 and 70inclusive.

We examined each domain independently to deter-mine if our respondents differ from the expected values.We found significant differences across two of the fivedomains. Respondents to our study had unusually highvalues for conscientiousness (p = 0.00159) and unusuallylow values for openness (p = 0.0177). Respondents alsogenerally had high values for agreeableness, with p =0.0623, which suggests that we should examine a largersample to determine if this might actually be significantor if it is an artifact of our sample size.

Regardless of the significance (or not) of each do-main, every domain except neuroticism had at least onefacet that showed a significant deviance from a uni-form distribution. We start with the two domains thatdemonstrated significance: conscientiousness and open-ness. In the domain of conscientiousness, respondentsdemonstrated significance across three different facets.Unusually high percentiles were found for dutifulness(p = 0.0162), achievement-striving (p = 0.00972) andcautiousness (p = 0.00252). Thus, as a group, ourrespondents demonstrate that they have a strong senseof duty and obligation, that they work hard and strivetowards excellence, and that they take time before makingdecisions.

In terms of openness, our respondents demonstratesignificance on the facet of imagination. Our results showthat the survey respondents have a very low score forimagination, with p = 0.00000973. This implies that ourrespondents are very much more oriented towards factsrather than fantasy. Additionally, our responses show astrong tendency towards liberalism, although it is notsignificant (p = 0.0514), where this implies that ourrespondents tend to challenge authority and traditionalvalues. The low p-value here suggests that a larger samplesize might indicate if this is truly a significant trait.

Respondents also exhibited significance on two facetsin the agreeableness domain. The percentile scores formorality were unusually high (p = 0.000645), indicatingthat the respondents tended to be very sincere and straight-forward, demonstrating little need for pretense. Respon-dents also scored highly for cooperation (p = 0.000948),indicating a high willingness to compromise and a desireto avoid confrontations.

While the percentile distribution for extraversion exhib-ited no significance (p = 0.412), there were three facetswithin extraversion where there was significance. Thesefacets were assertiveness (p = 0.0237), activity level

(p = 0.0153) and excitement seeking (p = 0.000023).Respondents showed an unusually high activity level,indicating a busy, fast-paced lifestyle and involvement ina large number of activities. On the opposite extreme,respondents also demonstrated unusually low scores forexcitement-seeking, indicating that they do not like com-motion and do not tend to be thrill-seeking. The thirdfacet, assertiveness, indicates a person’s comfort withspeaking out and taking charge. What is interestingabout this facet is that respondents scored consistentlyin the middle range, whereas all other facets that weresignificant exhibited extremes (e.g., unusually high orunusually low scores). Assertiveness is the only facetwhere respondents were average.

C. Limitations of the Study

There are a number of limitations of this experimentwhich must be considered when interpreting our results.First, there is self-selection bias to consider: the ques-tionnaire was handed out to conference attendees, whocould choose whether or not to complete and returnit. We gathered no data on participants who did notcomplete the test, which means that we may, for example,have gathered no data on people who had no time toparticipate, or who dislike completing tests. We are unableto characterize this bias, as we have no data on whyindividuals did not complete the questionnaire. Thus ourresults might favour some trait that occurs only in thosepeople who are willing to complete questionnaires, andso not accurately represent the population of conferenceattendees. This same bias is present in the sample againstwhich the security professionals are compared, as theresults from that sample were gathered from participantswho took the IPIP NEO test on-line. Thus they both hadaccess to the test and were willing to take it, and so donot represent a truly random sample of the population.

Second, our sample consists only of attendees at theACSAC conference. Although this group represents across-section of the security community, it cannot rep-resent the entire population. Therefore, we cannot gen-eralize to the entire set of security professionals. This isespecially true given that we do not know how repre-sentative the participants of ACSAC are of the generalpopulation of security professionals. Additionally, oursample population is not large: we gathered only 43responses, three of which had to be discarded.

Although this sample size is small, it is similar to sam-ple sizes used in a number of other five-factor model re-search studies. These studies have been conducted withinvarious domains, such as mental health (e.g., cognitiveimpairment (n=48) [3], schizophrenia (n=24) [16], andbrain injury (n=21) [22]) and vocational psychology (e.g.,burnout (n=36) [30], impression management in job appli-cations (n=22) [1] and working with the disabled (n=48)[23]). Furthermore, other personality research studieswithin computer science have used similar sample sizes;examples include studies on graphical interface design(n=24) [21], user modelling (n=48) [38], computer-based



documentation preferences (n=32) [35], and informationtechnology teamwork (n=55) [29]. While our sample sizeis appropriate for our study, and we were able to find sta-tistically significant results, some caution is recommendedto avoid over-generalizing our findings.

Finally, despite its popularity, the Five Factor Model isnot without controversy. One of the most prominent criticsis Block, who faults the model for its lack of groundingin a theoretical model, for its misapplication of factoranalysis, and its reliance on self-reporting and restrictedlaymen’s terms in the questionnaires [4], [5]. Proponentsof the model have replied to these criticisms, noting thatBlock ignores much of the evidence that supports theFive Factor Model [8], [13]. Despite dissenting research,support for the Five Factor Model is strong within thepsychological community: in general, the evidence insupport of the legitimacy of this model of personality isextensive [33]. However, it is worth noting that the debateis by no means resolved, and new theories of personalityand personality tests continue to be developed.

IV. DISCUSSION

Survey participants scored high for the conscientious-ness domain, and low for the openness domain. The con-scientiousness domain relates to spontaneity and actingimpulsively, and a high score indicates that respondentsare not prone to being impulsive, but are prudent instead.Conscientious individuals are considered to be carefulplanners, reliable and persistent. However, they can alsobe perfectionists and workaholics. In particular, surveyrespondents indicated a strong desire to be recognizedas successful, which can also be an indication of beingobsessed with work. Additionally, respondents had astrong sense of duty and moral obligation, and tend tothink carefully before committing to a decision. It can beargued that these are all good characteristics to have ina security professional, and that a lack of balance in thisparticular category is not necessarily detrimental to thefield. However, this cautiousness may be an issue givenevents that require a rapid response, such as when anintrusion has been detected. This is especially true giventhe finding by Cohen [6] that a rapid response time isoften a better strategy than having a large number ofdefences.

On the opposite extreme, survey participants had partic-ularly low scores on the domain openness to experience.This implies that respondents are very practical and down-to-earth, rather than imaginative and creative. At firstglance, this domain deals more with the appreciationof art and beauty, and so it may not be surprising thatcomputer security professionals score low on this domain.However, citing from Dr. Johnson’s descriptions of thedomain [20], a high score on this domain indicates a“facility for thinking in symbols and abstractions” whichcan take the form of “mathematical, logical, or geometricthinking” in addition to more artistic cognitive styles.Further, it is stated that people with low scores here “mayregard the arts and sciences with suspicion, regarding

these endeavors as abstruse or of no practical use.” Giventhat the “intellectual style of the open person may serve aprofessor well” it is surprising that the survey respondentsscored so low on this particular domain. Further, theone facet that was particularly low in this domain wasimagination. This particular style of thought and lack ofimagination might indicate a weakness in security profes-sionals, and the field might benefit from including moreindividuals with an open cognitive style as they mightbe more likely to discover truly new methods to countercyber-adversaries. However, it is interesting to note that“research has shown that closed thinking is related tosuperior job performance in police work.” Given thatcomputer security and police work could be consideredto be related, this may provide some explanation of thelow scores on this particular domain.

Other facets on which respondents scored highly in-cluded morality and cooperation (both part of the agree-ableness domain). It could be argued that high moralityis a desired trait in a security professional, as it could beexpected that they should not exhibit any deception, norshould they be guarded about providing the whole truth.However, respondents also scored high for cooperation,indicating a dislike of confrontations and a desire toget along well with others. This trait might be desirablein the work-place, but is interesting to find in securityprofessionals given that the profession is founded on con-frontation between security professionals and adversaries.However, this can also be viewed that security profes-sionals provide safe-guards to prevent confrontations withadversaries. Additionally, scoring high on this facet mightindicate that there is a great deal of internal co-operationbetween security professionals, which in turn is good forthe profession as a whole as it is likely that professionalsthen share solutions to security problems.

Additionally, respondents scored low on the facet forexcitement-seeking, indicating that respondents are likelyrisk-adverse. Greenwald et al. [14], in a panel on psy-chology in security, noted that “a sensation-seeker is arisk taker” and so is more likely to not install or use anInfoSec software package. Thus it is likely a desirable traitthat security professionals score low on the excitement-seeking facet.

V. COMPARISON TO RELATED WORK

While a number of articles have been published thatrelate the five factor model to work performance (e.g.,see [2] and [34]), very little seems to have been publishedrelating the five factor model to particular career choices.The literature that does deal with this area has beendescribed as “less well articulated”, stating that it is“difficult to formulate hypotheses regarding FFM traitsand the nature of employment.” [10]

One article that does address this area, however, isby De Fruyt and Mervielde [10]. This article uses thefive factor model as a predictor of both employmentstatus and the nature of employment, in combination withthe RIASEC model. The RIASEC model is a theory of



vocational personalities that has been developed by JohnHolland [17]. This model contains six personality types— Realistic, Investigative, Artistic, Social, Enterprisingand Conventional — and it is argued that these six typesalso represent vocational environments. Realistic person-alities are considered to be doers, and prefer to workwith things rather than people. Investigative personalitiesare thinkers, who enjoy abstract problems, while artisticpersonalities are creators who prefer environments wherethey can exhibit self-expression. Social personalities areconcerned with the welfare of others, and are responsibleand helpful. Enterprising personalities are persuaders whoenjoy leading, speaking and selling, while conventionalpersonalities are organizers who are conservative and or-derly. (These descriptions have been adapted from http://edtech.jmu.edu/bis/RIASEC.htm.) De Fruytand Mervielde [10] found that a low score on opennesspredicts employment in a realistic vocation. Sample voca-tions in this domain include electrical engineers, softwaretechnicians and police officers. They also found that ahigh score on conscientiousness also predicted work inrealistic vocations. Interestingly, computer analyst, whichshould require similar traits to a security professional, isan investigative vocation and not a realistic one.

While little has been published comparing the fivefactor model to career choices, there are numerous arti-cles comparing the Myers-Briggs Type Indicator (MBTI)to career choices. In a previous paper, we analysedthe MBTI types of 79 security professionals [11]. TheMBTI consists of four dichotomous domains —- ex-traversion/introversion (EI), thinking/feeling (TF), sens-ing/intuiting (SN) and judging/perceiving (JP) — result-ing in 16 personality “types”. We found that securityprofessionals are different from the general population ofthe United States across all four dichotomies, tending tobe more introverted, intuiting, thinking and judging. Inparticular, we found a predominance of INTJ types, whotend to be “perfectionists who value personal competenceand their own original ideas.” We also noted a verystrong preference in our sample for intuition (85.5%),which is markedly different from the general population(32%). This indicates a strong preference for focusingon meanings and possibilities, and a low preference fordealing with details or observable phenomenon.

Several comparisons have been made between the fivefactor model (FFM) and the Myers-Briggs Type Indicator(MBTI), which has been summarized by Gruber [15]. Henotes in this article that FFM extraversion is related to theMBTI extraversion/introversion dichotomy, and Opennessis related to the sensing/intuiting dichotomy, with a highscore here indicating intuition. The thinking/feeling di-chotomy is related to agreeableness, with a high scorein agreeableness being related to feeling and a low scoreto thinking. Finally, the judging/perceiving dichotomy issimilar to conscientiousness, with a high score beingsimilar to judging and a low score to perceiving.

Using the mappings outlined in [15], a low score onopenness indicates MBTI sensing types, a high score on

conscientiousness indicates MBTI judging types, and ahigh score on agreeableness indicates MBTI feeling types.This results in type xSFJ. Examining the relationshipsidentified by McCrae and Costa [26], the thinking/feelingdichotomy is less clear: while a high score on agreeable-ness is positively correlated with feeling types, a highscore on conscientiousness is negatively correlated withfeeling types. However, MacDonald et al. [25] find thecorrelation between agreeableness and feeling (0.52) tobe significant, while the negative correlation between con-scientiousness and feeling is not (-0.02). MacDonald etal. [25] also found that intuiting was positively correlatedwith agreeableness, however we did not use this result tostrongly influence our hypothesized corresponding MBTItype as it was not found by McCrae and Costa [26].

We found that our result (MBTI type xSFJ) is differentacross two dichotomies from the result found in ourearlier work on a similar sample population [11]. Ourrespondents demonstrated a very low score for open-ness indicating a very sensing-based population. Thisis markedly different from the previous study, whichfound that the security population was extremely high inintuiting. Similarly, we found that our population is morepredisposed to be the feeling type, while the previouspopulation was high on the thinking scale.

These differences are unusual, and require some ex-planation. One possible explanation is that the mappingsbetween the MBTI and FFM models are not particularlyaccurate. For example, the MBTI indicates that someonewho is feeling tends to make decisions based on socialconsiderations while someone who is thinking focuses onfacts. This does not map well to agreeableness, whichdeals more with how people relate to others and not withwhat factors they consider when making decisions. Forexample, someone who tends towards facts and figures isnot necessarily uncooperative or immodest.

Another possible explanation could be related to sizeof the sample population and the limited number ofquestions used in the FFM survey. For example, many ofthe questions regarding openness to experience could beinterpreted more harshly given the audience. One examplehere is the trait “enjoy theoretical conversations.” Thismight have been interpreted with the more narrow viewof computer science theory, and less with the more broadview of “what if” types of conversations. Similarly, one ofthe questions was “enjoy going to art museums”, whichis again very specific. It might be the case that, whilerespondents do not enjoy going to art museums, theymight enjoy going to the symphony, and so answering noto this question does not necessarily reflect an overall lackof artistic interest. Thus it might be the case that the 240-question version of the survey would provide differentresults than the 120-question version.

Another possibility is that, while the sample populationfor both this study and our previous study [11] consistedof security professionals, the sampling strategy resultedin very different people responding. For example, wesampled here from the Annual Computer Security Appli-



cations Conference, which could imply that we are morelikely to encounter individuals concerned with the appliedaspects of security and so have lower scores on opennessand are therefore more sensing in MBTI parlance. In con-trast, the previous study sampled from among primarilyacademic contacts, and so the respondents might be morelikely to be intuiting.

VI. FUTURE WORK

One of the limitations of this study stems from thesize of the sample and the non-random nature of thepool from which participants were chosen. As a result,caution must be used in extending these results to thesecurity profession as a whole. However, the resultsfrom this study indicate that there may be particularpersonality traits that are dominant within the securitycommunity, and thus future studies are worth pursuing.Such future studies would need to address the limitationsof this study, and so would need to consist of a largersample size that is chosen randomly from the sampleof all security professionals. While obtaining a list ofall security professionals may not be possible, it mightbe possible to leverage professional associations, such asACM, IEEE, SANS and (ISC)2, in order to cover a broadspectrum of professionals.

In repeating the study with a larger sample, otherimprovements to the current study should also be incor-porated. For example, the test should be performed on-line, in order to prevent ambiguous or missing responses.The use of the original NEO PI-R [31] should also beconsidered, as it contains more questions and will thusproduce more accurate results.

Finally, much of our discussion of the results has fo-cused on how any dominant personality traits might affectthe profession as a whole, in particular in the contextof developing effective security solutions. However, thisdiscussion is largely based on speculation. Therefore afollow-up study should be conducted that investigatesthe impact that particular personality traits have on jobperformance.

VII. CONCLUDING REMARKS

Our Five Factor Method analysis of security profession-als revealed some interesting dominant personality traits.In particular, participants scored high in the conscientious-ness domain, and low in the openness domain. Havinghighly-conscientious defenders appears to be beneficial,as it indicates caution, a tendency to plan, and thor-oughness. However, it may also be the case that securityprofessionals may not respond quickly in time criticalsituations such as when an intrusion has occurred. Thelow score in the openness to experience domain couldindicate rigidness of thought, although the questionnairefocuses mainly on artistic sensibilities rather than generalacceptance of unusual ideas. However, this aspect isgenerally high in professors and researchers, which mayindicate that security professionals may not be inventivein creating new security mechanisms.

Security professionals also demonstrated significantdeviances in some of the individual facets within everydomain except neuroticism. For example, respondents hada very low score for imagination, which is related to thelow score on openness to new ideas. Respondents scoredvery highly on co-operation, which is unusual given thatthe field is inherently one of conflict, of defenders versusadversaries. The high level of co-operation might be agood trait, indicating that security professionals tend towork well together. Alternatively, it might reflect a weak-ness given the aversion to conflict. Security professionalsalso scored unusually high on the facet for activity level,indicating the preference for a busy life-style with theneed to balance many activities. If security professionalshave positions that mimic their personality preferences,then this could possibly result in the professional beingsubject to missing important security information duesimply to not having the time or inclination to focus onany one particular area.

One additional finding is that the majority of our re-spondents were not excitement seeking (p = 0.00002304);this indicates a risk-averse population. Again, this may bedesirable in a security group: one is attempting to reducethe risk and consequences of a security breach. However,it may also signify that defenders take conservative ap-proaches when they tackle a problem, fearing a negativeoutcome. It may be necessary to create organizationalstructures where “contained failure” is supported, so thatexperimental approaches can be developed without thepossibility of actual system damage.

Future studies should be performed to determine if theresults discovered in the study from the participants atthe 2004 Annual Computer Security Applications Con-ference are more generally representative of the securityprofession. Additionally, assuming that such dominantpersonality traits are still present, follow-up studies needto be performed to determine the exact impact this has onjob performance and if our hypotheses on the weaknessessuch traits might create in the security field are indeedcorrect.

VIII. ACKNOWLEDGMENTS

The authors would like to thank Dr. John A. Johnsonfor providing us with his scripts for quickly analysingthe survey data, and for providing the statistics he hasgathered from conducting the survey on his web site. Wealso thank all of the participants from ACSAC 2004 whofilled out the IPIP NEO personality form. Thanks also toJosh McNutt for assistance with statistical analysis.

REFERENCES

[1] R. Bagby and M. Marshall. Positive impression manage-ment and its influence on the Revised NEO Personality In-ventory: a comparison of analog and differential prevalencegroup designs. Psychological Assessment, 15(3):333–339,2003.

[2] M. Barrick and M. Mount. The big five personality dimen-sions and job performance: A meta-analysis. PersonnelPsychology, 44:1–26, 1991.



[3] R. H. Benedict, R. L. Priore, C. Miller, F. Munschauer,and L. Jacobs. Personality disorder in multiple sclerosiscorrelates with cognitive impairment. Journal of Neuropsy-chiatry and Clinical Neurosciences, 13(1):70–76, 2001.

[4] J. Block. A contrarian view of the five-factor ap-proach to personality description. Psychological Bulletin,117(2):187–215, 1995.

[5] J. Block. Going beyond the five factors given: Rejoinderto Costa and McCrae (1995) and Goldberg and Saucier(1995). Psychological Bulletin, 117(2):226–229, 1995.

[6] F. Cohen. Simulating cyber attacks, defenses, and con-sequences. http://www.all.net/journal/ntb/simulate/simulate.html, 1999. Last visited: 5April 2002.

[7] P. T. Costa Jr. and R. R. McCrae. NEO PI-R: ProfessionalManual. Technical report, Psychological Assessment Re-sources, Odessa, FL, 1992.

[8] P. T. Costa Jr. and R. R. McCrae. Solid ground in thewetlands of personality: a reply to Block. PsychologicalBulletin, 117(2):187–215, 1995.

[9] D. Fiske. Consistency of the factorial structures of person-ality ratings from different sources. Journal of AbnormalSocial Psychology, (44):329–344, 1949.

[10] F. D. Fruyt and I. Mervielde. RIASEC types and big fivetraits as predictors of employment status and nature ofemployment. Personnel Psychology, 52(3):701–727, 1999.

[11] C. Gates and T. Whalen. Profiling the defenders. InProceedings of the 2004 New Security Paradigms Work-shop, pages 107–114, Nova Scotia, Canada, 2004. 20-23September 2004.

[12] L. Goldberg. A broad-bandwidth, public domain, person-ality inventory measuring the lower-level facets of severalfive-factor models. In Personality Psychology in Europe,volume 7, pages 7–28, Tilburg, The Netherlands, 1999.Tilburg University Press.

[13] L. Goldberg and G. Saucier. So what do you proposewe use instead? A reply to Block. Psychological Bulletin,117(2):187–215, 1995.

[14] S. J. Greenwald, K. G. Olthoff, V. Raskin, and W. Ruch.The user non-acceptance paradigm: Infosec’s dirty littlesecret. In Proceedings of the 2004 New Security ParadigmsWorkshop, pages 35–43, Nova Scotia, Canada, 2004. 20-23September 2004.

[15] G. P. Gruber. Standardized testing and employmentequity career counselling: A literature review of sixtests. http://www.psc-cfp.gc.ca/ee/eecco/pdf/standardized_e.pdf, 2000. Prepared for TheEmployment Equity Career Development Office, PublicService Commission of Canada. Last visited: 2 June 2005.

[16] R. Gurrera, P. Nestor, and B. O’Donnell. Personality traitsin schizophrenia: Comparison with a community sample.Journal of Nervous and Mental Disease, 188(1):31–35,2000.

[17] J. Holland. Making Vocational Choices: A Theory ofVocational Personalities and Work Environments. Prentice-Hall, Englewood Cliffs, NJ, 1985.

[18] International Personality Item Pool. A scientific collab-oratory for the development of advanced measures ofpersonality traits and other individual differences. http://ipip.ori.org/, 2001. Last visited: 1 June 2005.

[19] J. A. Johnson. Descriptions used in IPIP-NEO narrativereport. http://www.personal.psu.edu/faculty/j/5/j5j/IPIPNEOdescriptions.html, 2004. Last visited: 2 June 2005.

[20] J. A. Johnson. IPIP-NEO narrative report.http://www.personal.psu.edu/faculty/j/5/j5j/IPIP/shortipipneo3.cgi, 2005. Lastvisited: 1 June 2005.

[21] A. Karsvall. Personality preferences in graphical interfacedesign. In Proceedings of the Second Nordic Conference

on Human-Computer Interaction, pages 217–218, Aarhus,Denmark, 2002. 19-23 October 2002.

[22] J. Kurtz, S. Putnam, and C. Stone. Stability of normalpersonality traits after traumatic brain injury. Journal ofHead Trauma Rehabilitation, 13(3):1–14, 1998.

[23] E. R. Lawrence, L. M. Glidden, and B. M. Jobe. Keepingthem happy: Job satisfaction, personality, and attitudestoward disability in predicting counselor job retention.Education and Training in Developmental Disabilities,41(1):70–80, 2006.

[24] R. Likert. A technique for the measurement of attitudes.Archives of Pyschology, (140):55, 1932.

[25] D. A. MacDonald, P. E. Anderson, C. I. Tsagarakis, andC. J. Holland. Examination of the relationship betweenthe Myers-Briggs Type Indicator and the NEO personalityinventory. Psychological Reports, 74:339–344, 1994.

[26] R. R. McCrae and P. T. Costa Jr. Reinterpretting theMyers-Briggs Type Indicator from the perspective of thefive-factor model of personality. Journal of Personality,57(1):17–40, 1989.

[27] National Science Foundation. Women, minorities, andpersons with disabilities in science and engineering -2002: Employment. http://www.nsf.gov/sbe/srs/nsf03312/c6/c6s3.htm. Last visited: 10 April2004.

[28] W. Norman. Toward an adequate taxonomy of personalityattributes: Replicated factor structure in peer nominationpersonality ratings. Journal of Abnormal and SocialPsychology, (66):574–583, 1963.

[29] A. R. Peslak. The impact of personality on informationtechnology team projects. In Proceedings of the 2006ACM SIGMIS CPR Conference on Computer PersonnelResearch, pages 273–279, Ponoma, USA, 2006. 13-15April 2006.

[30] R. L. Piedmont. A longitudinal analysis of burnout inthe health care setting: The role of personal dispositions.Journal of Personality Assessment, 61(3):457–473, 1993.

[31] Psychological Assessment Resources, Inc. NEOPersonality Inventory-Revised (NEO PI-R). http://www3.parinc.com/products/product.aspx?Productid=NEO-PI-R. Last visited: 1 June2005.

[32] M. Rogers. A Social Learning Theory and Moral Dis-engagment Analysis of Criminal Computer Behavior: AnExploratory Study. PhD thesis, University of Manitoba,2001.

[33] J. Rolland, W. Parker, and H. Stumpf. A psychometricexamination of the French translations of the NEO-PI-R and NEO-FFI. Journal of Personality Assessment,71(2):269–291, 1998.

[34] J. Salgado. The five-factor model of personality andjob performance in the European community. Journal ofApplied Psychology, 82:30–43, 1997.

[35] K. Sayles and D. G. Novick. Assessing effectiveness ofpersonality style in documentation. In Proceedings ofthe 22nd Annual International Conference on Design ofCommunication, pages 75–82, Memphis, USA, 2004. 10-13 October 2004.

[36] E. Shaw, K. Ruby, and J. Post. The insider threat toinformation systems: The psychology of the dangerousinsider. Security Awareness Bulletin, 2-98:1–10, 1998.

[37] E. Tupes and R. Christal. Recurrent personality factorsbased on trait ratings. Technical Report ASD-TR-61-97, Lackland Air Force Base, TX: Aeronautical SystemsDivision, Personnel Laboratory, 1961.

[38] X. Zhou and C. Conati. Inferring user goals from per-sonality and behavior in a causal model of user affect.In Proceedings of the Eighth International Conference onIntelligent User Interfaces, pages 211–218, Miami, USA,2003. 12-15 January 2003.



Tara Whalen is a doctoral candidate at Dalhousie University in Nova Scotia. She previously worked in network security at the Communications Research Centre Canada. Her current research interests include human factors in security, computer-supported cooperative work, privacy, and the social implications of technology.

Carrie Gates is a researcher with CA Labs in New York,

having received her PhD in the area of computer and communications security in May 2006 from Dalhousie University. Previously, she worked as a security researcher at CERT, Carnegie Mellon University. Her current research interests include security, privacy and usability.



a psychological profile of defender personality traits

Documents