Whether cracking digital security for good or ill, hackers tend to be people who are manipulative, deceitful, exploitative, cynical and insensitive, according to research from the University at Buffalo School of Management.
Recently presented at the Hawaii International Conference on System Sciences, the study analyzed the psychological profiles of college students in computer science and management to see which personality traits led to three different kinds of computer hacking: white hat, gray hat and black hat.
White hats are the ethical hackers, who help organizations detect and fix their security vulnerabilities. Gray hats are the “hacktivists,” who hack for ideological reasons, such as attacking a political adversary, a company policy or even a nation-state. And black hat hackers, sometimes called crackers, are motivated by personal gain to breach computer systems—or may just be in it for the thrill of the attack, revenge or notoriety.
"Gray hatters oppose authority, black hatters are thrill-seeking and white hatters—the good guys—tend to be narcissists,” says Lawrence Sanders, PhD, professor of management science and systems in the UB School of Management. “So even though white hats may be devious and psychopathic, we need them to address nefarious hacking activity.”
The researchers surveyed 439 college sophomores and juniors to determine their personality traits, and developed a set of scales to determine the three hat categories, as well as a scale to measure each person’s perception of the probability of being caught for violating privacy laws. The paper also investigated the “dark triad” personality traits (Machiavellianism, narcissism and psychopathy), along with the opposition-to-authority and thrill-seeking constructs, and how these traits relate to hacking potential.
“Engaging in criminal activity involves a choice where there are consequences and opportunities, and individuals perceive them differently,” says Joana Gaia, PhD, clinical assistant professor of management science and systems in the UB School of Management. “But, they can be deterred if there is a likelihood of punishment—and the punishment is severe.”
The results of the study suggest that security compliance will continue to be a problem, but there are several ways businesses and organizations can reduce the impact of security breaches or prevent them.
“Firms can use monitoring technology and multifactor authentication to prevent unauthorized access to physical and digital spaces,” says Gaia. “Organizations could use personality traits to evaluate employees as security threats, but that should be approached cautiously for practical, ethical and privacy reasons.”
Sanders and Gaia collaborated on the study with University at Buffalo colleagues Bina Ramamurthy, teaching professor of computer science and engineering; Shambhu Upadhyaya, professor of computer science and engineering; UB PhD students Sean Patrick Sanders and Xunyi Wang; and Chul Woo Yoo, assistant professor of information technology and operations management at the Florida Atlantic University College of Business.
Kevin Manne, Assistant Director of Communications @ School of Management
716-645-5238, kjmanne@buffalo.edu