Information Security is More Than Just Policy; It is in Your Personality

It has been estimated that human factors (HF) account for 27% of data breaches on the global scale (Ponemon institute 2018). Even with clear and often strict policies in place, with clear sanctions, employees still are considered to be the weakest link in the field of information security (IS). This paper seeks to find one explanation to this phenomenon in military context by exploring military cadets' attitudes towards IS, as well as their reasons and justifications for using neutralisation techniques in order to transgress from organisational IS regulations. Neutralisation techniques offer a way of rendering existing norms inoperative by justifying behaviour that violates those norms (Rogers & Buffalo 1974; Sykes & Matza 1957). These techniques are as follows: Condemnation of the condemners, The Metaphor of the ledger, Denial of injury, Denial of responsibility, Appeal to higher loyalties and Defence of necessity. 144 military cadets completed a survey assessing their use of neutralisation techniques (Siponen & Vance 2010) in addition to assessing their personality by the Five Factor (Konstabel, et. al. 2012) and the Dark Triad (Jones & Paulhus, 2014) models of personality. The Dark Triad model supplements the Five Factor model with more sinister aspects of personality: Machiavellianism, Narcissism and Psychopathy, which are still considered to be sub-clinical. Even though the tendency to use neutralisation techniques was relatively low, there still was a significant correlation between personality traits and the use of neutralisation techniques. Those high in Machiavellianism (r. 0.19 - 0.4) and Neuroticism 0.23 - 0.4) were more likely to use these techniques whereas high scores on Conscientiousness (r. -0.18 - -0.27) and Extraversion (r. -0.27 - -0.42) decreased this likelihood. The results suggest that a more individualised approach in IS education could be useful. Understanding how one's personality can sensitise oneself to certain kinds of neutralisation techniques can help an individual to acknowledge his or her strengths and vulnerabilities in IS behaviour.