By Pete Bowers, COO, NormCyber
The 2021 UK Government Cyber Security Breaches Survey found that, while some 77 percent of UK businesses describe cyber security as high priority for their senior leadership teams, a relatively paltry 31 percent of organisations stated they have a business continuity plan that covers cyber security.
In short, while the majority of business leaders recognise their operations are at real risk of attack, far fewer are prepared to take the steps required to mitigate these risks. This raises the question: why is there such a large disconnect between knowledge and action?
According to a new report by Professor John McAlaney, Chartered Psychologist and Professor in Psychology at Bournemouth University, the answer is partly down to psychology or – to be more specific – the personality traits of the individuals who make it to the top in business. The very characteristics that make people succeed as entrepreneurs and leaders directly affect their behaviour, and in many cases that behaviour will filter down and be reflected throughout the organisation, particularly in how companies measure and react to risk – and not always in a good way.
People undertaking the most senior roles in business are likely to have very strong personalities, but alongside the positive qualities two so-called dark personality traits – narcissism and psychopathy – can also reside. Although both of these characteristics are often seen as negative, they may be considered positive attributes when displayed by those who are charged with steering and growing businesses. For example, people with narcissistic tendencies tend to be more comfortable with taking risks; indeed, they thrive in precarious situations. Meanwhile, those exhibiting psychopathic traits tend to be charismatic. This makes them skilled negotiators who are able to convince others to follow their lead.
While these behaviours do not suit every organisation’s culture, they are prized by some companies, particularly those operating in highly competitive sectors.
Cognitive bias impacts how leaders perceive risk
Anyone who has ever participated in team sports will have – at one point – blamed the referee for a poor result when, in reality, their own team was responsible for the loss. This reaction is common in all walks of life; if a decision goes against us, we tend to look for someone else to blame.
This is known as the ‘actor-observer effect’ and applies as much to cyber security as it does to sport. A CEO may tell himself or herself that it is simply bad luck their company was hacked, while the truth of the matter is that their organisation lacks the policies, training or technical defences required to thwart external attacks. The need to pin the blame on someone else becomes amplified when a narcissistic or psychopathic CEO is in charge. Such individuals will nearly always back themselves to have made the correct decision, and will be less likely to look in the mirror to find the true cause of the problem.
There are other cognitive biases at play too, all of which become exaggerated when someone with narcissistic or psychopathic tendencies is at the helm. For example, most people will exaggerate unusual risks (e.g. they are scared of flying) but downplay more common ones (e.g. the risk of a car accident). CEOs are no different. When it comes to cyber security, they are prone to focus on the high-profile attacks that make the headlines (e.g. wide-scale ransomware attacks) yet ignore more mundane threats, such as employees logging on to the corporate network via public WiFi. Yet in reality, both require action. Furthermore, it often proves difficult for us to assess the risk of incidents that fall outside our normal sphere of operations. For business leaders charged with delivering shareholder value and growth, cyber security can be an abstract concept, so it may not always receive the attention it deserves.
It’s also human nature to underestimate the risks that we can do something about, while overestimating those risks that lie outside our control. When a CEO retains a high degree of control over their company’s operations and is not a natural delegator, there is a chance that they may be underestimating the severity of the cyber risks they face by not calling upon technical experts.
Narcissists are of course preoccupied with their public image, and how others perceive them personally. Business leaders exhibiting these tendencies may place great focus on those threats that could damage their own personal reputations, while ignoring those that they can disassociate themselves from.
How to mitigate these risks
While narcissistic or psychopathic traits often contribute to a business leader’s success, they are not always conducive to good risk management and, as the number and sophistication of cyber attacks continues to rise, this represents a weak spot that needs urgent attention.
To remove the personality factor from their cyber security strategies, businesses should follow three simple steps:
- Policy: Establish and enforce cyber security processes that cannot be circumvented, even by the strong personalities at the top of the organisation.
- People: Ensure everyone in the organisation receives continuous cyber awareness training and knows how and why to respond to potential attacks. As well as being a major source of cyber breaches, employees are the first line of defence against many criminal attacks, so training is an effective way to boost fortifications.
- Technology: Deploy technology that can proactively identify and eradicate points of weakness within an organisation, and that is continually managed by qualified experts in order to ensure round-the-clock protection, even against new and emerging threats.