The security community has used psychological research on attacker personalities, but little work has been done to investigate the personalities of the defenders. One instrument currently dominating personality research is the Five Factor Model, a taxonomy that identifies five major domains of personal traits, composed of sets of facets (Barrick, 1991). This model can be used within an organizational or vocational capacity to reveal dominant tendencies, such as openness to new experiences. Within a security context, this tool could show what patterns professionals exhibit, which may reveal areas of insufficient diversity and “blind spots” in defenses.
II. TEST DESCRIPTION
Within the security community, psychological research has traditionally been directed towards attackers: for example, the psychology underlying insider threats or criminal hacker behavior. However, another piece of the overall picture is the psychology of the defender who must guard against these threats. Security defenders respond to the approaches and actions taken by attackers: they develop counter-offensive strategies, and attempt to anticipate new threats. In a sense, attackers and defenders operate in an antagonistic partnership, considering the same sets of problems from different perspectives. Because psychology (specifically, personality traits) has been used to understand attackers, it is worth considering how their “partners”, the defenders, might similarly be affected by psychological factors. Specifically, it is useful to understand how personality traits influence the effectiveness of security defenders. This in turn might indicate where there may be weaknesses in defence strategies.

* C. Gates completed this work while at Dalhousie University, Canada

There have been some recent steps in this direction. In a panel on psychology in security, noted that profiling defenders might be “the most promising solution to the non-acceptance factor: a sensation-seeker is a risk taker, so he/she will not buy an InfoSec software package; if bought by somebody else, they will not install it; if forced to install, they will use the first customer complaint about a performance deficit as an excuse to uninstall it.” These statements suggest that there are benefits to developing a better understanding of the personality aspects of security defenders. In order to develop a more complete understanding of defender personality traits, we build upon an initial study that used the Myers-Briggs Type Indicator (MBTI), and employed another current personality test: the Five Factor Model (FFM).
This model has enjoyed recent favor within the psychology community, and has been widely adopted as a comprehensive testing instrument. As opposed to the MBTI, which describes people in terms of one of 16 “types” of personalities, the FFM describes people in terms of five overall personality domains, each of which is further sub-divided into six traits (“facets”). We solicited the security professionals who attended the 2004 Annual Computer Security Applications Conference to complete the IPIP-NEO, a 120-item questionnaire based on the FFM. The results from this questionnaire were used to determine how the attendees compared to the general population on each of the five domains and 30 ...