Sage Journals: Discover world-class research

Abstract

In cybersecurity, performance in offensive tasks such as penetration testing or red-team exercises can be influenced by both technical skill and psychological traits. This exploratory study examines how specific psychometric characteristics relate to hacking performance in a controlled environment. Sixty-one participants who passed a cybersecurity skills test completed a two-day simulated hacking exercise and responded to psychometric questionnaires. A Random Forest analysis identified five questionnaire items—drawn from decision-making and personality measures—as the most predictive of cybersecurity skills test scores. The responses to these items were used in a k-means clustering analysis (k = 3), which revealed significant differences in skills test scores and response patterns across clusters. The findings suggest that certain psychological traits may serve as auxiliary indicators of cybersecurity skill. Further research could explore this relationship using aggregated trait-level metrics and broader participant samples, including professional red-teamers, to examine the robustness of these preliminary findings in more ecologically valid settings.

Keywords

cybersecurity psychometrics clustering decision-making traits

Get full access to this article

View all access options for this article.

References

Ahmad

(2020). Personality traits as predictor of cognitive biases: moderating role of risk-attitude. Qualitative Research in Financial Markets, 12(4), 465–484.

Allodi

Massacci

Williams

(2022). The work-averse cyberattacker model: theory and evidence from two million attack signatures. Risk Analysis, 42(8), 1623–1642.

Arkes

H. R.

Blumer

(1985). The psychology of sunk cost. Organizational Behavior and Human Decision Processes, 35(1), 124–140.

Bruine de Bruin

Parker

A. M.

Fischhoff

(2007). Individual differences in adult decision-making competence. Journal of Personality and social Psychology, 92(5), 938.

Crow

A. J.

(2019). Associations between neuroticism and executive function outcomes: Response inhibition and sustained attention on a continuous performance test. Perceptual and Motor Skills, 126(4), 623–638.

Galinkin

Carter

Mancoridis

(2021, October). Evaluating attacker risk behavior in an internet of things ecosystem. In International conference on decision and game theory for security (pp. 354–364). Springer International Publishing.

Gutzwiller

R. S.

Ferguson-Walter

K. J.

Fugate

S. J.

(2019, November). Are cyber attackers thinking fast and slow? Exploratory analysis reveals evidence of decision-making biases in red teamers. In Proceedings of the Human Factors and Ergonomics Society Annual Meeting (Vol. 63, No. 1, pp. 427–431). SAGE Publications.

Hani

Sohaib

Khan

Aleidi

Islam

(2024). Psychological profiling of hackers via machine learning toward sustainable cybersecurity. Frontiers in Computer Science, 6, 1381351.

John

O. P.

(1999). The big five trait taxonomy: History, measurement, and theoretical perspectives. In Pervin

L. A.

John

O. P.

(Eds.), Handbook of personality: Theory and research (2nd ed., pp. 102–138). Guilford Press.

10.

Johnson

C. K.

Gutzwiller

R. S.

Gervais

Ferguson-Walter

K. J.

(2021, November). Decision-making biases and cyber attackers. In 2021 36th IEEE/ACM international conference on automated software engineering workshops (ASEW) (pp. 140–144). IEEE

11.

Lin

C. J.

Jia

(2023). Time pressure affects the risk preference and outcome evaluation. International journal of Environmental Research and Public Health, 20(4), 3205.

12.

Shin

Lee

H. J.

Park

Hong

Song

Y. K.

Yoon

D. U.

(2023). Perfectionism, test anxiety, and neuroticism determines high academic performance: a cross-sectional study. BMC Psychology, 11(1), 410.

13.

C. M.

Schulz

Pleskac

T. J.

Speekenbrink

(2022). Time pressure changes how people explore and respond to uncertainty. Scientific Reports, 12(1), 4122.

14.

Zhang

D. C.

Highhouse

Nye

C. D.

(2019). Development and validation of the general risk propensity scale (GRiPS). Journal of Behavioral Decision Making, 32(2), 152–167.

15.

Zhao

John

R. S.

(2021). Building community resilience using gain–loss framing to nudge homeowner mitigation and insurance decision-making. Risk Analysis, 41(7), 1151–1171.

Understanding Cybersecurity Skill Levels Through Psychological Measures: Clustering Hackers with Traits Questionnaires

Abstract

Keywords

Get full access to this article

References