How CEO character traits can expose businesses to attack
Paul Cragg is CTO at Norm. and is responsible for the ongoing development and delivery of its managed service offerings. Cragg leads all technical functions within the business. His previous roles include Director at Confido and Chief Technical Officer at Easynet. Cragg discusses how business leaders’ dark personality traits can weaken their organisations’ cybersecurity defences.
There is a long-standing cyber security puzzle that we have yet to solve: despite widespread awareness of the risk cyber incidents pose to every business, some CEOs and business owners are still reluctant to admit that it could happen to them – or at least, that is what the evidence seems to show.
Research shows cyber security is a high priority for 77 per cent of UK business leaders, yet only 31 per cent have a business continuity plan in place that covers cyber threats. To get to the root of this paradox, we worked with Professor of Psychology John McAlaney from Bournemouth University to try to understand two key human tendencies that could explain it:
- The characteristics that help people rise to the top often mask dark personality traits.
- People in leadership positions influence their entire organisation’s attitude to cyber threats.
Let’s look at these individually:
Shedding light on the dark personality traits of highly successful people
We all have what are referred to as dark personality traits, and they are more prominent in some people than in others. Narcissism and psychopathy are two of the best known, and while they may seem wholly negative, there is evidence that people with a tendency towards them are often propelled into more senior positions. For example, charisma and increased risk-taking, hallmarks of psychopathy and narcissism respectively, are both rewarded in cultures that promote competitiveness. The flip side is that these characteristics can mask undesirable behaviours: charismatic leaders can be skilled manipulators, and risk-takers are prone to volatile performance.
This does not mean that CEOs who display these traits are unfit to lead or that they pose a danger to their organisations; a tendency towards a trait is not the same as a clinically diagnosable personality disorder. But powerful individuals with a strong predisposition towards them can leave their organisations more exposed to cyber threats. For example, narcissistic leaders tend to overestimate their own knowledge and competence, which leads them to underestimate their vulnerabilities. When a cyber attack does happen, a narcissistic leader is more likely to blame external factors or ‘bad luck’ than to take personal responsibility. The other half of this self-serving bias is that positive outcomes are attributed to the leader’s own competence and skill.
There are other ways in which individuals, not just CEOs, misperceive cyber risk. We struggle to judge the likelihood of events outside our normal experience, so we exaggerate unusual risks (such as an attack by a known hacking group) while downplaying the more common risk of opportunistic attacks by unknown actors. These cognitive biases do the most damage to an organisation when they sit in upper management. In a recent survey we asked business and technology leaders to name the greatest barrier to building cyber resilience: almost 40 per cent said it was either a lack of understanding of cyber risk at Board level or that the Board simply did not see it as a priority.
Leaders’ personality traits and biases increase cyber risk for the entire organisation
Given the control and power CEOs exercise, it is not surprising that their attitudes shape beliefs and behaviours throughout the organisation, including how it responds to cyber threats. Cyber criminals understand that they do not need to target the CEO directly to reap substantial rewards from phishing, hacking or social engineering. So even if a CEO with narcissistic or psychopathic traits is never the source of a breach, they still set the tone for how everyone else in the organisation identifies, perceives and responds to threats. This is the core of ‘upper echelons theory’: an organisation’s choices and outcomes reflect the characteristics of its most senior people.
For example, it has been found that whether employees apply software updates is shaped by how they expect influential colleagues to react. They may understand that updates often include vital security patches, but if they do not find adequate support for patching within the organisation, their intentions and their actual behaviour diverge. Simply put, employees conform to what they perceive to be the norm, and if a CEO holds a strong opinion on how much cyber security matters, individuals are unlikely to challenge the status quo.
Bias-proofing your organisation
To avoid groupthink and overcome dangerous biases, there must be a system in place that replaces perceptions of cyber risk with objective measurement and proven process.
We know that highly influential individuals with narcissistic or psychopathic traits tend to underestimate the severity and likelihood of cyber attacks while overestimating their organisation’s level of protection and competence. By establishing robust cyber security processes and deploying technologies that give a real-time view of cyber preparedness, organisations can make decisions on evidence of their actual state (which systems are unpatched, which controls are missing, how quickly incidents are detected) rather than on the confidence of a strong personality.
Staff training is equally important. Ensuring that all employees can recognise cyber risks is key to replacing a culture of inactivity with one of proactive protection. This ‘people’ element, coupled with the right process and technology, keeps inaccurate perceptions and biases in check.