Could your CEO be the reason you fall victim to a cyber attack?

By Pete Bowers, Chief Operating Officer at norm.

It is well documented that, despite senior decision-makers being aware of widespread cyber risks, many companies have failed to put adequate controls in place to mitigate them. To understand why this apparent contradiction exists, we joined forces with Professor John McAlaney, Chartered Psychologist and Professor in Psychology at Bournemouth University, to explore the personality traits that help people rise to the top and how those traits relate to an organisation’s cyber security preparedness.

The paradox of cyber readiness

According to the UK Government Cyber Security Breaches Survey 2021, 77 percent of UK businesses describe cyber security as high priority for senior management. Yet, the same survey reveals that only 31 percent of organisations have a business continuity plan that covers cyber security.

Our findings show that part of this disconnect is due to the qualities and characteristics that lead someone to become a CEO or business owner. Those same characteristics, it seems, shape the workings of the entire organisation, including how it identifies, perceives and responds to cyber risk. Specifically, narcissism and psychopathy have been described as ‘dark’ personality traits, and both have been observed to propel individuals into senior positions.

The dark side of success

Narcissistic traits are associated with increased risk-taking and performance volatility, which may exacerbate susceptibility to cyber risk, while individuals with psychopathic traits often present as charismatic and skilled manipulators in corporate settings. These traits may be incompatible with organisational cultures that promote cooperation and collaboration; in organisations with competitive cultures, however, such individuals are often rewarded.

This highlights an important consideration – personality traits are not in themselves necessarily positive or negative. Depending on the context, a tendency towards psychopathy could give individuals, and in turn their organisations, an edge over their competition.

There is a further distinction to be made between a personality trait and a clinically diagnosable disorder. Despite Hollywood depictions of CEOs with extreme personality traits, it is unlikely an individual with a clinically diagnosable personality disorder could function as a CEO.

Five ways the intelligent brain explains failure

People make mistakes in their decision-making on a daily basis because of cognitive biases. One of the most relevant biases in this context is that whenever one of our decisions produces a negative outcome, we tend to blame external factors. For example, a CEO may tell themselves that the company got hacked through bad luck rather than through underinvestment in cyber security. This self-serving attribution, closely related to the ‘actor-observer effect’, could feasibly be amplified by a narcissistic CEO who avoids taking any personal responsibility for failure.

Specifically in the cyber realm, security technologist Bruce Schneier argues that people misperceive risk in five different ways.

Firstly, we exaggerate unusual risks but downplay more common ones. For instance, CEOs may focus on high-profile cyber attacks that make the headlines and ignore the more everyday types of cyber risk that could in fact be a greater threat to the organisation.

Secondly, we encounter difficulties in determining risks for things outside of our normal experience. This explains why CEOs who lack practical experience in cyber security struggle to visualise and understand the risks of cyber threats.

Thirdly, we underestimate risks we have chosen to take on ourselves, whilst overestimating risks outside of our control. Therefore, a CEO who retains a high level of control over their organisation, including its cyber security, will tend to underestimate cyber risks.

Fourthly, we tend to perceive personified risks to be greater than anonymous risks. So, a cyber threat from an established hacking group is perceived to be more severe than an attack by an unknown actor.

Finally, we tend to overestimate risks that might become an object of public discussion. This fits with the narcissistic tendency to control how one is seen. Of course, even without narcissism, it is understandable that CEOs and business owners may focus disproportionately on threats that could ruin their public image. Nevertheless, this can lead CEOs to overlook other types of cyber risk that could be just as harmful to the organisation.

Lessons to learn

It is clear that a CEO’s leadership style is not always conducive to effective cyber risk management, especially if narcissistic or psychopathic traits have contributed to the person’s success. But with charisma and risk-taking prized in leadership, the question becomes what steps need to be taken to uphold cyber security despite the potentially dangerous biases associated with these characteristics.

There are three actions businesses can prioritise:

  1. Establish processes that protect ways of working against the prevailing interests of strong personalities, so that security decisions rest on documented policy rather than on one individual’s judgement.

  2. Ensure people are well trained because, as well as being a major source of cyber breaches, employees are the biggest potential win for your cyber security defence.

  3. Deploy the right technology in order to mitigate the risks of ‘self-serving bias’. By replacing subjective opinion with objective, measured fact and proven process, many of the dangers associated with personal characteristics can be mitigated.

This was posted in Bdaily's Members' News section.