How CEO character traits can expose businesses to attack

Paul Cragg, CTO at Norm. explores why CEOs and business owners are still reluctant to admit the possibility a cyberattack could happen to them.

Paul Cragg is CTO at Norm. and is responsible for the ongoing development and delivery of its managed service offerings. Cragg leads all technical functions within the business. His previous roles include Director at Confido and Chief Technical Officer at Easynet. Cragg discusses how business leaders’ dark personality traits can weaken their organisations’ cybersecurity defences.

There’s a long-standing cyber security puzzle that we have yet to solve, which is that despite widespread awareness of the risk cyber incidents pose to all businesses, some CEOs and business owners are still reluctant to admit the possibility that it can happen to them – or at least, that’s what the evidence seems to show.

Research shows cyber security is a high priority for 77 per cent of UK business leaders, yet only 31 per cent have a business continuity plan in place that covers cyber threats. To get to the root of this paradox, we worked with Professor of Psychology John McAlaney from Bournemouth University, to try to understand two key human tendencies that could explain this phenomenon:

  • The characteristics that help people rise to the top often mask dark personality traits
  • People in leadership positions influence their entire organisations’ attitudes to cyber threats.

Let’s look at these individually:

Shedding light on the dark personality traits of highly successful people

We all have what are referred to as dark personality traits, and these traits will be more prominent in some than others. Narcissism and psychopathy are two of the most well-known, and while they may seem to be wholly negative attributes, there is evidence to suggest that people with a tendency towards them are often propelled into more senior positions. For example, charisma and increased risk-taking – hallmarks of psychopathy and narcissism respectively – are both traits that are rewarded in cultures that promote competitiveness. The flip side of these characteristics is that they can mask undesirable behaviours – charismatic leaders can be skilled manipulators, whereas risk-takers are liable to performance volatility.

This doesn’t mean that CEOs who display these traits are unfit to lead or that they pose a danger to their organisations – it is not the same as having a clinically diagnosable personality disorder. But powerful individuals with a strong predisposition towards them can be more susceptible to cyber threats. For example, narcissistic leaders tend to overestimate their knowledge and competence, leading them to underestimate their vulnerabilities. When cyber attacks do happen, a narcissistic leader is more likely to blame external factors or ‘bad luck’ than take personal responsibility. The hypocrisy of this self-serving bias is that, at the same time, positive outcomes are always considered to be the direct result of competence and skill.

There are other ways individuals, not just CEOs, misperceive cyber risk. For example, we struggle to determine risks for events outside of our normal experience, and we exaggerate unusual risks (such as an attack from a known hacking group) but downplay more common risks from unknown attackers. These cognitive biases are most dangerous to an organisation when they come from upper management. In fact, in a recent survey, we asked business and technology leaders to cite the greatest barrier to building cyber resilience – almost 40 per cent said that it was either a lack of understanding of cyber risk at the Board level or that it simply isn’t seen as a priority by the Board.

Leaders’ personality traits and biases increase cyber risk for the entire organisation

With the level of control and power CEOs exercise, it’s not surprising that their attitudes influence beliefs and behaviours throughout the organisation, including cyber threat response. Cyber criminals today understand they don’t necessarily need to target the CEO to reap substantial rewards from phishing, hacking or social engineering attacks. So, even if a CEO who may have narcissistic or psychopathic traits is not the source of a security breach, they are responsible for setting the tone of how others within their organisation identify, perceive and respond to threats – this is called the ‘upper echelons theory’.

For example, it has been found that whether employees update software or not is determined by what they believe the reaction of influential others to be. They might understand that updates often include vital security patches, but if they don’t find adequate levels of support within the organisation, their intent and actual behaviour will diverge. Simply put, employees conform to what they perceive to be the norm, and if a CEO has a strong opinion and influence on how cyber security is valued within an organisation, it is less likely that individuals will challenge the status quo.

Bias-proofing your organisation

To avoid groupthink and overcome dangerous biases there must be a system in place that fights perceptions of cyber risk with objective fact and proven process.

We know that highly influential individuals with narcissistic or psychopathic traits tend to underestimate the severity or likelihood of cyber attacks, while overestimating the levels of protection and competence. By establishing robust cyber security processes and deploying technologies that provide a real-time view into cyber preparedness, organisations can ensure their operations are not influenced by the prevailing interests of strong personalities.

Staff training is equally important. Ensuring all employees are able to recognise cyber risks is key to replacing a culture of inactivity with a culture of proactivity and protection. This ‘people’ element, coupled with the right process and technology, can keep inaccurate perceptions and biases in check.
