
How the personality of the CEO can weaken an organisation’s cybersecurity


The characteristics that lead someone to become a CEO or business owner can also shape their susceptibility to cyber threats and increase risk for the entire organization. Among these risks are an underestimation of how much of a threat they and their organizations face, and an overestimation of their own ability to handle any incidents that do occur. This matters because of the degree of control and power that CEOs hold over their organizations.

Even when they are not directly responsible for an information security breach, the attitudes leaders hold shape beliefs and behaviors throughout the organization. These CEO characteristics need to be acknowledged and addressed if organizations are to reduce their risk of cyberattacks.

It is important to recognize that many of the traits that make for great leadership and subsequent business success can also put a business at risk. Estimates put the share of CEOs exhibiting psychopathic traits at somewhere between 4 and 12 percent, so the line between Steve Jobs, Elon Musk or Reed Hastings (Netflix CEO and self-identified narcissist) and Robert Maxwell, Harvey Weinstein or Elizabeth Holmes is a surprisingly fine one.

If these traits are prized in modern leadership, the question becomes what business infrastructure can be put in place to protect core functions like cybersecurity. Together with Professor John McAlaney, Chartered Psychologist and Professor in Psychology at Bournemouth University, we took an in-depth look at the psychology of CEOs and how it relates to an organization's approach to cybersecurity.

CEOs set the tone for the entire organization

The personality of the CEO affects the workings of an organization well beyond the decisions the CEO has direct input into. As predicted by 'upper echelons theory', the CEO or business owner sets the tone for how the organization interacts with the outside world, including how it identifies, perceives, and responds to threats.

There have been several high-profile cases of CEOs and business owners acting in ways that are amoral, risky, and damaging to the interests of the business. One study of the personality traits of corporate leaders found that 21 percent of 261 highly educated corporate professionals had clinically significant psychopathic traits.

The Five Factor Model

One of the more influential models of personality traits is the Five Factor Model, also known as the Big 5. Combinations of its five factors – Openness, Conscientiousness, Neuroticism, Agreeableness, and Extraversion – have been found to be associated with desirable qualities in CEOs and business leaders, such as strategic flexibility, leader effectiveness, and the success of new business ventures.

1. Openness to experience is associated with being unconventional and non-conformist.

2. Low conscientiousness has been associated with a lack of ethical leadership and with risk-taking behaviors, both of which could increase susceptibility to cyber attacks.

3. Neuroticism relates to emotional instability; CEOs high in this trait are often described as impulsive, volatile, angry, and hostile, which can affect how cyber risks are handled.

4. Low agreeableness (or disagreeableness) is also associated with risk-taking behavior, as well as with a leadership style that can be cold, detached, and unapproachable.

5. Finally, extraversion characterizes many CEOs, yet an important point is that being an extravert is not the same as having two other traits that have been associated with business leaders: namely narcissism and psychopathy.

The dark personality traits 

Narcissism and psychopathy have been referred to as dark personality traits, and it has been observed that both can propel individuals into senior positions. Narcissism refers to self-involvement, an inflated sense of self-importance and a need for excessive attention and admiration.

The relationship between narcissism and job performance in CEOs is mixed. Narcissistic traits are associated with increased risk-taking and performance volatility, which may exacerbate susceptibility to cyber risk. It is also likely that such CEOs would not consider themselves to be at risk of cyberattacks, because narcissistic traits lead them to substantially overestimate their own knowledge and competence.

The second dark personality trait of relevance, psychopathy, is associated with a lack of empathy and with behaviors including deception, manipulation, aggression, and the mistreatment of others. Individuals with psychopathic traits can be adept at masking this from others: they may lack empathy but can be charismatic and skilled manipulators. The trait may not appear compatible with organizational cultures that promote cooperation and collaboration, but in organizations with competitive cultures such individuals are rewarded.

Caution must be taken to separate reality from myth. There is a distinction between a personality trait and a clinically diagnosable personality disorder, and it is unlikely that someone with a clinically diagnosable personality disorder could function as a CEO.

Cognitive bias leads to mistakes

Humans consistently make mistakes in their decision-making because of cognitive biases. One of the most relevant biases in this context is that when our decisions have negative repercussions, we tend to attribute them to external factors. For example, if a company gets hacked, a CEO may sooner blame it on 'bad luck' than consider it a consequence of the company's poor cyber strategy. This is known as the 'actor-observer effect', and it is easily amplified in a CEO whose narcissistic personality style predisposes them to avoid taking any personal responsibility for failure.

Similarly, we tend to explain positive outcomes as being due to internal factors: "We stopped an attack this week because we are skilled and competent, and the attack we failed to stop last week only succeeded because the attackers got lucky." This is known as the 'self-serving bias', and again it is likely to be exaggerated in CEOs with narcissistic or psychopathic personality traits.

The five ways people misperceive risk

Writing specifically about security, author and expert Bruce Schneier argues that people misperceive risk in five different ways.

1. We exaggerate unusual risks but downplay more common risks. 

2. We find it difficult to determine risks for things outside of our normal experience.

3. We underestimate risks we take on ourselves, while overestimating risks outside of our control.

4. We perceive personified risks as greater than anonymous risks. That is, a cyber threat from a known attacker – for example an established hacking group – is perceived as more severe than an attack by an unknown attacker.

5. We tend to overestimate risks which might gain public attention. 

How to address the issue

Information security culture is an area where the CEO and leadership team of an organization set the tone. As we have seen, the characteristics that help a business leader deliver success can also increase risk by leading the individual to underestimate the threat and overestimate the level of protection in place. There are steps that can be taken to uphold cybersecurity despite the potentially dangerous biases associated with some CEO personality traits.

There are three areas for businesses to prioritize:

1. Process: By establishing robust cybersecurity processes, companies can ensure that security operations are consistent and not swayed by the prevailing interests of strong personalities.

2. People: Employees can be both a major source of cyber breaches and the biggest potential win for a company's cyber defenses. Ensuring that all personnel are trained to recognize cyber risks is a major step in the right direction.

3. Technology: The right technology can help organizations mitigate the risks of self-serving bias. Subjective opinion can only be countered with objective fact and proven process, and when technology brings these to the surface it keeps inaccurate perceptions in check.

To reach a point where all three – process, people and technology – work seamlessly together, more and more organizations are turning to services that help them understand their cybersecurity health in simple terms. Independent cybersecurity providers can take a logical, measured approach to uncovering the weakest aspects of a company's defenses, assess its overall cyber risk position and set out clear actions to improve cyber resilience. Such actions can protect a business against biased decision-making and, ultimately, against cyber attacks.

Paul Cragg, CTO, NormCyber
