The Role of Extraversion in Phishing Victimisation:

A Systematic Literature Review

Pablo López-Aguilar∗ , Constantinos Patsakis† , Agusti Solanas‡
∗ Dept.of Research and Innovation, Anti-Phishing Working Group - Europe
2022 APWG Symposium on Electronic Crime Research (eCrime) | 979-8-3503-0169-4/22/$31.00 ©2022 IEEE | DOI: 10.1109/eCrime57793.2022.10142078

Barcelona, Catalonia, Spain. 0000-0002-9685-9084

† Dept. of Informatics, University of Piraeus, Piraeus, Greece.

Athena Research Center, Marousi, Athens, Greece. 0000-0002-4460-9331

‡ Dept. of Computer Engineering and Mathematics, Universitat Rovira i Virgili

Tarragona, Catalonia, Spain. 0000-0002-4881-6215

Abstract—Over the last decade, phishing attacks have become
preeminent and increasingly successful. Anti-phishing strategies
focus on raising awareness and training users to identify risks.
However, those strategies do not fully consider the psychological
profile of each individual. We sustain that maximising potential
victims’ resilience requires additional protection strategies to
focus on individual personality traits.
In this article, we concentrate on extraversion as a personality
trait for which there is no consensus about its effect on suscepti-
bility to phishing attacks. We implement a robust bibliographic
analysis methodology and identify potentially relevant articles,
which we screen and filter against inclusion and exclusion crite-
ria. We report and analyse the findings of the 39 articles that fulfil
all criteria and are deemed relevant to this research. Our analysis
shows that, despite the positive correlation between extraversion
and phishing susceptibility found in many studies, there is no
consensus supported by a well-established psychological theory.
Moreover, we identify a number of reasons justifying this lack of
consensus, namely the use of non-representative samples, the non
consideration of contextual factors, and the use of self-reported
personality tests, which lead to limited reproducibility and data
inconsistencies.
Index Terms—Cybersecurity, Phishing susceptibility, Extraver-
sion, Personality traits
I. I NTRODUCTION
Cybercrime has become a prevalent threat to countries,
companies, and society as a whole. Of specific interest are
phishing attacks, as they are broadly used in the context of
malicious campaigns and focused attacks against high-profile
victims or critical infrastructures. The end goal is to lure the
victim into performing a task that she would not typically
perform and violate some form of security policy. Depending
on the case, this can range from disclosing credentials and
other sensitive information to performing money transfers or
opening a malicious file to allow the attacker to set a foothold
inside the victim’s premises. Therefore, various malicious
actors use phishing, ranging from malicious individuals to Ad-
vanced Persistent Threat groups1 . The main delivery method
is undoubtedly email (97%) [1]; however, other methods, e.g.
via SMS (smishing) are also used.
Although substantial progress has been made by anti-
phishing defence strategies in mitigating many phishing at-
1 https://www.mandiant.com/resources/insights/apt-groups
tacks, they have focused their efforts on a very technical
perspective (i.e., filtering suspicious emails, blocking web-
sites). Moreover, training and awareness campaigns have been
considered from a rather generic perspective without observing
the psychological profile of each individual. Thus, attackers
who have always spent time and effort using a plethora of
techniques to circumvent security measures have seen in hu-
mans a more effective way to penetrate digital systems. Whilst
[2] provides efficient methods to implement more effective
training and awareness campaigns, recent studies [3] sustain
that phishing attacks have doubled throughout the COVID-19
pandemic, being the financial sector the most frequent target.
Indeed, approximately 83% of organisations admit that they
have experienced a successful email-based phishing attack
in 2021, which is 43% above the previous year2 . Moreover,
according to [4], APWG observed the unprecedented number
of 1,097,811 phishing attacks, the worst phishing quarter ever
observed by the non-profit organisation.
When in more than 80% of all data breaches, the human el-
ement is present [1], one must consider the human factors that
lead to such incidents. Given that phishing is the most common
method in such cases, investigating people’s perceptions of
phishing becomes a priority. However, research on humans’
phishing behaviour and its relation to personality traits is
scarce. Nevertheless, given the fact that current literature [5]–
[7] suggests that personality traits might play an important
role in phishing victimization, this work aims to undertake
a comprehensive analysis of the literature on individuals’
extraversion and evaluate the importance of this psychological
dimension in the phishing context.
A. The Role of extraversion in the phishing context
Extraversion, considered one of the Big Five personality
traits [8] and one of the three major traits belonging to
Eysenck’s PEN model [9], is associated with individuals that
interact with other people and openly display feelings. Thus,
according to [10], adjectives related to extraversion are: active,
assertive, energetic, enthusiastic, outgoing, and talkative.
2 https://www.proofpoint.com/us/blog/security-awareness-training/2022-
state-phish-explores-increasingly-active-threat-landscape

Authorized licensed use limited to: Hamad Bin Khalifa University. Downloaded on December 26,2023 at 14:51:16 UTC from IEEE Xplore. Restrictions apply.
 The aforementioned characteristics may lead a person to be
more careless and more prone to disclose sensitive information
or perform a risky action on his system. However, online
behaviour is not always correlated to one’s behaviour in the
real world. The latter is mapped in the contradicting results
of prior research on the influence between extraversion and
susceptibility to phishing attacks. Halevi et al. [11] found a
higher correlation in neuroticism for women than men and
suggested that neuroticism and openness to experience had an
inverse correlation to extraversion. Likewise, [12] investigated
the behaviour response of computer users when they received
either phishing or genuine emails. The study concluded that
those individuals with high levels of extraversion and openness
performed better in detecting phishing emails. However, [13]
and [14] concluded that extraversion was positively correlated
with susceptibility to phishing attacks presenting, therefore,
opposite results. Moreover, Alseadoon et al. [15] found that
extraversion, agreeableness and openness are “responsible
for increasing users’ tendency to proceed with the requested
actions included in the phishing email”.
B. Contribution and plan of the article
Since current research does not provide solid procedures to
explore the role of extraversion in the phishing context, this
article seeks to comprehensively explore the existing literature
discussing the relationship between phishing and extraversion.
In particular, this article analyses individuals’ extraversion as
part of the Big-Five personality traits and Eysenck’s PEN
model and seeks to clarify the reasons behind the contradictory
outcomes found in the literature. To this end, the objectives
of this article are the following:
• To examine the extent to which existing literature has
studied the relationship between extraversion and human
phishing behaviour,
• To improve the understanding of the extraversion trait in
the phishing context, and
• To describe the potential reasons behind the lack of
consensus and to identify further research lines.
The remainder of the article is organised as follows: Section
2 presents the methodology used in the literature review.
Section 3 provides the analysis and synthesis of the results
of the review along with the list of studies reporting positive,
negative or no correlation between extraversion and phishing
susceptibility. Section 4 concludes our work and highlights the
key points for future research.
II. M ETHODOLOGY
The literature review has been implemented following the
well-known methodology proposed by Vom Brocke et al. [16].
This methodology, also used in a previous study on the topic
[17], seeks to find the sources relevant to a specific topic, using
keywords, backward, and forward searches allowing this way
a comprehensive review of related studies.
Authorized licensed use limited to: Hamad Bin Khalifa University. Downloaded on December 26,2023 at 14:51:16 UTC from IEEE Xplore. Restrictions apply.
A. Definition of the review scope
The scope of the review is defined by following the tax-
onomy of literature review presented by Cooper [18] and
differentiated by the following categories:
• Focus: Labelled as research outcomes, research methods,
theories, and/or applications. This category highlights the
main objective of the review. For this study, the literature
review seeks to bring a deep understanding of the field,
from theoretical researches to practical studies.
• Goal: Summarises the objectives of the research amongst
integration, criticism and central issues. In this study, we
aim to investigate those approaches used by the scientific
community and to synthesise literature addressing the
role of extraversion in the phishing context. Current
challenges in the field, along with the proposed solutions
to address those challenges, have also been identified.
• Organisation: The literature review should follow a his-
torical, conceptual or methodological structure, Cooper
suggests. This review is organised by grouping the same
ideas and concepts using a conceptual structure.
• Perspective: The author’s position with regard to the
research is reflected in the perspective of the review.
Without having a previous hypothesis to prove or dis-
prove, this review aims to adopt a critical position by
analysing and synthesising the articles from a critical
thinking point of view, adopting, thus, a neutral position.
• Audience: The audience determines the writing style.
This review focuses on researchers in the field of human
factors and personality traits that influence susceptibility
to cyberattacks.
• Coverage: Labelled as exhaustive, exhaustive and selec-
tive, representative, and central/pivotal. With the aim to
include and analyse relevant contributions, our research
seeks to undertake exhaustive coverage of the available
scientific literature that considers the role of extraversion
in phishing attacks.
B. Topic conceptualisation
According to Vom Brocke’s [16] recommendation: “to start
by a broad conception of what is known about the topic and
potential areas where knowledge may be needed”, this review
provides a working definition of two key terms. On the one
hand, it addresses the topic of phishing, and on the other, it
refers to extraversion. Moreover, following Baker’s suggestion
[19], this review has also analysed English sources that contain
a summary or overview of the critical issues relevant to the
subject (i.e., seminal textbooks, encyclopedias, or handbooks).
C. Database search
As previously stated and to provide a working definition of
phishing and extraversion, the first search performed consisted
in (phishing AND extraversion) in the title, abstract
and full-text evaluation with an all-years time span from
1900 to 31st July 2022. The well-established and universally
recognised selected databases were: IEEE Xplore, Scopus,
ACM Digital Library, Web of Science and Pubmed. The query
returned 863 papers after eliminating duplicate entries. Thus,
after a screening process carried out by the authors, 39 refer-
ences (23 journal articles and 16 publications in conferences)
were accepted in the qualitative synthesis.
D. Literature Evaluation
The articles’ acceptance and rejection were agreed upon by
the authors’ consensus, and no discrepancies were identified.
The inclusion and exclusion criteria applied in the assessment
are defined as follows:
• The publication was written in English.
• The publication was peer-reviewed.
• The full-text of the publication was available.
• The publication was relevant to the subject. In this
review, the publication contextualises phishing and the
personality trait of extraversion. Thus, publications in
which the terms only appear in the references section, are
tangentially mentioned, or result from typos are excluded
in the final qualitative synthesis.
The total number of identified records, duplicates and finally
accepted articles in the first, backward and forward searches
are depicted in Figure 1.
E. First search
To avoid misinterpretations, keywords were limited to
“phishing” and “extraversion”. Thus, the resulting query was
defined as phishing AND extraversion.
This search string was adapted to the particular syntax
of each literature database. The following are the resulting
queries for each database:
• IEEE Xplore: ((‘‘Full Text &
Metadata’’:phishing) AND ‘‘Full Text
& Metadata’’:extraversion)
• Scopus: ALL (‘‘phishing’’ AND
‘‘extraversion’’)
• ACM Digital Library: [All: phishing] AND
[All: extraversion]
• Web of Science: (phishing AND extraversion)
• Pubmed: (phishing AND extraversion)
The first search returned 99 results: 31 in IEEE Xplore, 46
in Scopus, 15 in ACM DL, 6 in Web of Science and one result
was found in Pubmed. The number of records identified in the
first search is summarised in Figure 1. From the 116 results
obtained and imported to Mendeley, 99 papers were screened
after removing 17 duplicates.
F. Backward/forward search
From the selected articles of the first search, Vom Brocke
[16] proposes to perform forward and backward searches. The
forward search seeks to identify the articles cited in an original
article (after its publication) and aims to review the additional
sources where this article has been cited. The backward search
looks for all cited references from a single article found in
the first search. In this study, both the backward and forward
searches were conducted using IEEE Xplore, Scopus, ACM
Authorized licensed use limited to: Hamad Bin Khalifa University. Downloaded on December 26,2023 at 14:51:16 UTC from IEEE Xplore. Restrictions apply.
Digital Library, Web of Science, and Pubmed. This method-
ology guarantees the reliability, validity, and reproducibility
of the literature search process. As highlighted in Figure 1,
there was a large number of articles identified and screened (n
= 561 in the backward search and n = 288 in the forward
search). However, most of these articles did not consider
the relationship between phishing and extraversion; therefore,
they were excluded from the final analysis after the screening
process.
III. L ITERATURE ANALYSIS AND SYNTHESIS
From the initial 863 identified candidate papers, 39 papers
were included in the final analysis after the screening. Based
on their scope and methodology, the articles can be classified
into two categories, namely Empirical Studies and Predictive
Models Based on Personality Traits. We discuss each category
in the following paragraphs.
A. Empirical studies
The articles classified under this category focus on the
effects of personality traits on user behaviour against phishing
attacks. In particular, papers grouped under this category
have conducted empirical studies aimed at understanding the
influence of extraversion as one of the Big Five personality
traits and its influence on phishing victimisation.
Table I lists all identified studies in this category and
shows, for each of the studies, the reported correlation between
extraversion and phishing susceptibility. Moreover, the table
also lists all the studies where no correlation was found.
Whereas a positive correlation is given when extraversion
increases phishing susceptibility, a negative correlation is given
when extraversion decreases phishing susceptibility. The effect
size of the relationship between extraversion and phishing
susceptibility is also considered. Likewise, the table lists
the personality assessment questionnaire used in each study,
namely 60-item International Personality Item Pool (IPIP)
NEO [20], 44-item BFI [21], 50-item IPIP [22], 20-item
IPIP [23], 10-item IPIP [8], NEO-PI-3 [24], NEO-FFI-3 [25],
BFI-2 Short [26], Mini Marker measures [27], NEO-PI-R [28],
and 25-item Big-6 [29]. Although a number of articles used
different online questionnaires to assess individuals’ cyberse-
curity behaviour, the table distinguishes between the studies
that performed email detection tasks and online questionnaires.
Figure 2 enumerates the personality questionnaires used to
assess phishing susceptibility among the articles described in
this section. The results suggest a tendency towards the use of
the 44-item BFI or the 10-item IPIP version.
As illustrated in Figure 3, initially, most publications on
the field were made at conferences. However, after 2017, the
majority of publications comes from journal articles. In terms
of assessment of the outcomes (see Figure 4), only in two
years, 2013 and 2020, authors reported negative results in two
venues each time.
The study conducted with 42 participants in [38] demon-
strated that, under uncertainty and cognitive load conditions,
 Fig. 1: Literature search evaluation methodology.

Fig. 2: Personality questionnaires used by the described arti- Fig. 3: Distribution of type of publications by year.
cles.

neuroticism, and phishing victimisation. Although [40] raised

personality traits affected trust differently. More precisely,
results suggested that under risk uncertainty, participants
with low extraversion showed significantly higher trust over
low cognitive load than high cognitive load. Likewise, the
reason behind the non-significant influence of extraversion
and phishing susceptibility in [36] could be due to the re-
lationship between this trait and its sensitivity to the cultural
background of individuals [54]. In this line, [48] did not find
a significant correlation between extraversion and phishing
susceptibility. However, the study (conducted on 3,348 Dutch
individuals) found a positive correlation between openness and
some gender differences towards cybersecurity behaviour, no
relationship was found between extraversion and risky cyber-
security behaviour.
On the other hand, a positive correlation between extraver-
sion and phishing susceptibility was found in [47]. The results
showed that participants with low levels of extraversion were
more accurate at detecting attacks than those with higher
extraversion. Likewise, [41] concluded that extraversion had
the strongest influence on personality traits towards phishing
susceptibility. The study aimed to examine the personality
traits that influenced phishing susceptibility amongst 252 em-

Authorized licensed use limited to: Hamad Bin Khalifa University. Downloaded on December 26,2023 at 14:51:16 UTC from IEEE Xplore. Restrictions apply.
 TABLE I: List of the selected articles grouped under the empirical studies category.
Ref. Year Sample Extraversion Phishing Correlation Conclusion
Size Assessment Assessment
[30] 2022 235 Third-party Email detection Positive The resulting highly vulnerable profile would have low openness and
company task conscientiousness and high extraversion, agreeableness, and neuroti-
cism.
[31] 2022 101 60-item IPIP Email detection Positive Extraversion is negatively associated with phishing email reporting
NEO task performance. The findings suggest that extraverts perform more poorly
on the positive-oriented behaviours of reporting.
[32] 2021 414 44-item BFI Email detection None Extraversion has no significant effect in phishing email judgment.
task
[33] 2021 28 Third-party Email detection None The personality trait of extraversion is not found to be significantly
company task associated with phishing emails.
[34] 2021 54 Not provided Online None No relationship is specified between extraversion and phishing suscep-
questionnaire tibility.
[35] 2020 71 50-item IPIP Online None No relationship is found between cyber-security behaviour and extraver-
questionnaire sion.
[36] 2020 215 44-item BFI Online None Extraversion has no statistically significant influence on both heuristic
questionnaire and systematic processing.
[37] 2020 102 NEO-PI-3 Email detection Positive High extraversion is predictive of increased susceptibility to phishing
task attacks.
[7] 2020 478 BFI-2 Short Email detection Positive More extraverted individuals are more prone to become victims of
task identity theft.
[38] 2020 42 10-item IPIP Online Negative Under risk uncertainty, participants with low extraversion show signif-
questionnaire icantly higher trust over low cognitive load than high cognitive load.
[39] 2020 328 20-item IPIP Online Negative Higher extraversion is equal to higher awareness of security and privacy
questionnaire procedures.
[40] 2020 325 Mini Marker Online None Extraversion is not related to self-reported cybersecurity knowledge.
measures questionnaire
[41] 2019 252 NEO-PI-R Online Positive Extraversion personality has the strongest positive influence towards
questionnaire phishing susceptibility.
[42] 2019 102 NEO-FFI-3 Email detection Positive Given the consistency with which extraversion predicts susceptibility to
task phishing emails, the potential for personality-based interventions should
be explored further.
[43] 2018 478 BFI-2 Short Online Positive It is riskier to be more extravert, more agreeable, more neurotic, less
questionnaire consciousness and a man.
[44] 2018 369 50-item IPIP Online None There is no significant effect of extraversion on users’ proactive aware-
questionnaire ness.
[45] 2018 538 44-item BFI Online None Extraversion is not a suitable moderator for predicting the risk level
questionnaire associated with users’ security behaviour.
[46] 2018 150 25-item Big-6 Email detection None Personality shares negligible relationships with the detection accuracy of
task phishing and genuine email and perception of maliciousness of phishing
email.
[47] 2017 34 NEO-PI-R Email detection Positive Participants with lower extraversion than the median perform better in
task detecting attacks.
[48] 2017 3648 50-item IPIP Online None No relationship is specified between extraversion and phishing suscep-
questionnaire tibility.
[13] 2017 316 10-item IPIP Online Positive Extraversion is found to significantly increase the user’s likelihood of
questionnaire falling victim to cyber-attacks.
[49] 2017 264 10-item IPIP Online None The impact of extraversion is not found to be significant. This might
questionnaire be due because university students might be more responsible in their
online behaviour.
[6] 2017 505 44-item BFI Online None The correlation between Information Security Awareness and extraver-
questionnaire sion is not significant.
[50] 2016 618 60-item IPIP Online None The personality trait of extraversion is not found to be significantly
NEO questionnaire correlated to any of the variables.
[51] 2015 53 10-item IPIP Email detection None Results do not provide evidence of the role of extraversion in the
task phishing context.
[52] 2014 293 44-item BFI Online Positive Extraversion shows positive associations with regret message.
questionnaire
[53] 2013 117 44-item BFI Email detection Negative For the not-informed participants, the more extraverted they are, the
task better they manage phishing emails.
[11] 2013 100 44-item BFI Email detection Negative There is a high correlation between being phished and rating high on
task neuroticism and openness and low on extraversion.

ployees in a workplace in Malaysia.
The link between personality traits and the influence of
gender and age towards susceptibility to phishing attacks was
also addressed in [49]. Despite the fact that the impact of
openness and narcissism (to a less extent) was significant, the
impact of extraversion was not found to be significant. On the
contrary, findings from [42] and [37] found extraversion to be
the only strong trait to predict susceptibility to phishing attacks

Authorized licensed use limited to: Hamad Bin Khalifa University. Downloaded on December 26,2023 at 14:51:16 UTC from IEEE Xplore. Restrictions apply.

Fig. 4: Distribution of outcome of publications by year.
being, thus, significantly associated with increased susceptibil-
ity to four specific persuasion principles: authority & commit-
ment/consistency, authority & liking, commitment/consistency,
and liking.
To examine how risk-taking preferences, decision-making
styles, demographics, and personality traits might influence
security behaviour intentions on four different themes (device
protection, password generation, proactive awareness, and
updating), [44] found, amongst 369 participants from a large
public university, that extraversion was a significant predictor
of good device protection. However, non-significant results
were provided in the phishing context (proactive awareness).
“More extravert people are more likely to be victims of
identity theft. More extravert and more neurotic people are
more likely to be victims of stalking. Less conscious people
and men are more likely to be victims of phishing. When
considering only personality traits significant at .05 level,
overall, it is riskier to be more extravert, more agreeable,
more neurotic, less consciousness and a man.” This conclusion
was highlighted in [43] when investigating the relationship
between personality traits and gender and the probability
of experiencing virtual offences such as phishing. On the
contrary, to investigate people’s behaviour on phishing emails
compared to genuine emails and examine the factors con-
tributing to this behaviour, [53] found a significant negative
correlation between extraversion and phishing susceptibility.
More precisely, the study conducted on 117 students from
the University of Adelaide, concluded that highly extravert
participants who were not informed about their participation
in a phishing study were managing phishing emails better.
Likewise, the study [50], conducted in four countries (United
States, India, UAE and Ghana), explored the role of cul-
tural factors and personality traits in cybersecurity behaviour.
Whereas conscientiousness and openness were found to be sig-
nificant predictors of behaviour and self-efficacy, respectively,
non-significant results were found with regard to the role of
extraversion.
In the context of social networks and to prove (or disprove)
the indirect effect of extraversion on susceptibility to cyberat-
Authorized licensed use limited to: Hamad Bin Khalifa University. Downloaded on December 26,2023 at 14:51:16 UTC from IEEE Xplore. Restrictions apply.
tacks victimisation, [13] found conscientiousness, agreeable-
ness, and neuroticism to strongly decrease the user’s suscep-
tibility to cyberattacks. However, extraversion was found to
significantly increase the user’s likelihood of being a victim
of a cyberattack. Similarly, to improve the understanding
of those traits that might contribute to online vulnerability,
[11] showed the positive correlation between neurosis and
openness and the negative correlation between extraversion in
phishing susceptibility. Despite the percentage of women being
significantly lower than men (17% women, 83% men), results
highlighted a significant gender-based difference in responding
to phishing emails. In particular, the study found higher levels
of neuroticism in women than in men and suggested, thus, that
women could be more susceptible to prize-related phishing
attacks than men. Contrarily, extraversion showed positive as-
sociations with regret messages in the study of [52], conducted
on 293 U.S. citizens. The study sought to find the relationship
between the effectiveness of information security awareness
messages and individuals’ personality traits, considering five
message themes such as deterrence, morality, regret, feedback,
and incentive.
In an effort to address the lack of standardised measures to
detect phishing susceptibility, [46] conducted a 40-item phish-
ing detection task study on 150 undergraduate psychology
students to measure cognitive and behavioural indicators of
phishing susceptibility. Although the study provided a human-
centred framework to distinguish phishing from legitimate
emails, personality traits shared “negligible relationships with
detection accuracy of phishing and genuine email and per-
ception of maliciousness of phishing email.” In this line, [51]
conducted a study on 53 undergraduate students from North
Carolina State University from an Introductory Psychology
course and an Introductory Computer Science course. Even
though the results did not provide evidence of the role of
extraversion in the phishing context, the study suggested that
personality and impulsivity traits were strong predictors of cat-
egorisation performance and phishing susceptibility. However,
a larger sample was used in [45] (n = 538) aimed at exploring
the effect of personality traits variations (through the Big
Five Inventory [BFI] [21]) and its relationship with different
security behaviours (i.e., password sharing, delete suspicious
emails, file downloading from suspicious/unknown websites,
use of VPN). Whereas conscientiousness, agreeableness and
openness played a significant role across most of the examined
behaviours (two-thirds), the role of extraversion was found
to be significant only for the “password sharing” behaviour.
Thus, the study concluded that this trait could not be a
relevant indicator for predicting the risk level associated with
users’ security behaviour. Similar results were found in [6],
where extraversion was excluded in the regression analysis
due to its lack of significance. However, the study found that
conscientiousness, agreeableness, emotional stability and risk-
taking propensity significantly explained variance in individ-
uals’ Information Security Awareness (ISA) and suggested,
therefore, further research.
Theoretical implications of phishing susceptibility were
discussed in [32] where 414 Chinese participants completed
the 44-item BFI [21]. Although results demonstrated that
neuroticism and conscientiousness could be strong predictors
of phishing behaviour, extraversion had no significant effect.
However, the study highlighted that other influential factors
(i.e., interests and contexts) might affect the likelihood of
phishing victimisation, also suggesting undertaking further
research. Likewise, following the assumption that extraversion
could positively impact the likelihood of a data breach [39],
328 subjects participated in an online survey using the Mini-
IPIP scales [23] (brief measurement of the Big Five traits with
20 items). Nevertheless, the results of the study did not support
the initial hypothesis due to the negative correlation found
between extraversion and phishing susceptibility. In particular,
outcomes demonstrated that higher extraversion led to higher
awareness of security and privacy procedures.
Over the last few years, research has begun to explore the
relationship between human factors (gender, age, education,
risk-taking preferences, decision-making style, personality and
impulsivity) and their role in the phishing context. Based on
the above but also aiming to include individuals’ acceptance
of the internet, [35] conducted a study on 71 university
students and investigated how individual differences might
affect cybersecurity behaviours. Although the study suggested
undertaking further research considering individual differences
and cybersecurity behaviours, “no relationship between ex-
traversion, or any of the personality sub-scales” was found.
On the contrary, [7] found a positive correlation amongst a
significant sample of participants (n = 478) and suggested,
thus, that high extraversion could increase the likelihood of
identity theft.
A recent study performed on 235 individuals [30], provided
a positive correlation between extraversion, agreeableness and
neuroticism validating, thus, the formulated hypothesis. Al-
though limitations existed in the study (e.g., “no validation
of the information provided by the victims”, limited control
of users’ environment, etc.), the phishing campaign was close
to a real environment. Similarly, extraversion was positively
associated with phishing victimisation in [31]. According
to the results, extraverted individuals performed poorly on
the positive-oriented behaviours of reporting phishing emails.
Moreover, intending to clarify the role of extraversion in
the phishing context, the authors highlighted the need to
undertake further research. In this line, [33] presented a
study conducted on a small software enterprise to validate
psychological profiles using a previously developed framework
[55]. The small (n = 28) and limited sampling method, along
with other environmental variables, might be behind the non-
significant correlation found in the study. Also, the role of
extraversion was non-significant in [34], where 54 individuals
filled out a form to identify users’ practices (i.e., updating
software, changing passwords, and information disclosure on
social media).
Authorized licensed use limited to: Hamad Bin Khalifa University. Downloaded on December 26,2023 at 14:51:16 UTC from IEEE Xplore. Restrictions apply.
B. Predictive models based on personality traits
Humans have become the primary target for cybercriminals
who are taking advantage of the anxiety generated throughout
the pandemic and the massive use of electronic devices [56].
Although some researchers have conducted different empirical
studies (described in the previous section) aimed at under-
standing the role of personality traits in the phishing context,
there is a lack of standardised measures to detect susceptibility
to phishing attacks. To address this issue, this section describes
models or frameworks that could help predict the role of
extraversion in individuals’ phishing susceptibility.
Extraverted individuals tend to interact with people and
promote social relationships [10]. Thus, [57] presented a word
similarity dictionary based on the Five Factor Model (FFM)
[58] to label phishing emails according to personality bias.
Following the previous study, [59] designed a decision support
system and a phishing experiment. In particular, the study
provided a virtual stock market for determining phishing attack
susceptibility based on the users’ personality traits according
to the FFM. In the example given in the study, the pretext
of an extraversion phishing email “compliments the victim
by claiming they can become part of an elite group of high-
performance ebay sellers. It provides a fake link to a website
to provide information and join the group.” Moreover, [60]
presented a security prevention model using speech personality
traits in a mobile environment. The prevention model consisted
of different steps (obtaining the user’s normal speech clip, fea-
tures extraction, and user speech personality traits assessment)
to guarantee customised security and prevention services.
Based on the assumption (amongst others) that high levels
of extraversion are not closely related to either trust or distrust
emails, [61] proposed a probability model using Stochastic
Petri Nets (SPN) [62] contributing, therefore, to protecting
people and improving their resilience to phishing attacks.
Augmented Reality (AR) systems are used in several fields.
Thus, with the premise of believing that personality traits (e.g.,
extraversion) correlate with individuals’ security avoidance
behaviour, [63] identified some of the traits that should be
considered when designing AR games. The study aimed to
identify those key elements that should be addressed during
the implementation of these games to build more effective
cybersecurity training campaigns. On the other hand, to im-
prove the development of detection, mitigation and prevention
strategies based on human factors, [64] developed the “Social
Engineering Personality Framework” (SEPF) using Cialdini’s
principles of influence [65]. Moreover, the study provided
a literature review and highlighted the positive or negative
correlation of extraversion depending on the context and other
sub-traits. Also, [66] presented a summary of phishing victims’
characteristics, highlighting the positive correlation between
extraversion and phishing susceptibility. However, [67] could
not demonstrate the positive influence of extraverted individ-
uals on Concern For Information Privacy (CFIP) introduced
in [68]. The study incorporated the Big Five personality
traits into a theoretical model to explain and predict people’s
concerns for “information privacy”, “computer anxiety”, and
“behavioural intentions”.
An insider threat is defined as a security risk that origi-
nated within an organisation. Typically, it involves a specific
employee or person with access to sensitive information.
In this context, [69] extends the scale used in the previ-
ously mentioned cybersecurity questionnaire (CSEC+) [70] to
demonstrate that intentional disclosure of sensitive information
can be differentiated from unintentional insider threats. Thus,
the study can set the ground for improving cybersecurity
practices from the insiders’ perspective. Moreover, with a
different approach but aiming to clarify the understanding of
the human factor in the cybersecurity context, [71] provides
a thorough review on the state of knowledge of social en-
gineering attacks. Thus, the study summarises the different
definitions (or concepts) of the term “social engineering” over
the years, and lists the most relevant prevention methods.
IV. C ONCLUSIONS AND F URTHER W ORK
The easy and cost-efficient implementation of phishing
attacks makes them preeminent and one of the most dangerous
threats to people and organisations. Although large companies
are investing in defence mechanisms, training courses are
still considered from a very generic perspective. In addition,
the current lack of cybersecurity awareness and the limited
resources of Small & Medium Enterprises (SMEs) make it
difficult for them to address the human factor.
In an intent to clarify the extent to which existing literature
has addressed the relationship between the role of extraversion
and human phishing behaviour, and to enable more effective
cyber defences, this paper has performed an extensive liter-
ature review of 863 articles and, after a thorough screening,
extracted the findings of 39 relevant articles on the topic. Our
review has clearly shown the fragmented conclusions reached
by these 39 selected studies and has provided a summary table
to show the differences between the studied papers. Although
most studies suggested a positive correlation (n = 10) between
extraversion and phishing susceptibility, four studies showed
a negative correlation, and 14 found no correlation. This
apparent lack of consensus might be due to several reasons:
• The small sample size, along with the specific par-
ticipants’ population used in most of the studies (i.e.,
students, employees, etc.) were not representative of the
general public.
• The use of online tools to perform the studies might
generate a lack of control over contextual factors.
• The use of self-reported personality tests might subjec-
tively rate participants’ personalities. Hence, the use of
informant reports can be seen as an interesting alternative
to perform personality assessments [72].
• Actions performed by participants in phishing exercises
had no real consequences.
• The limited research, along with the lack of reproducibil-
ity of the studies aiming to explore the relationship
between extraversion in the phishing context, do not
generate consistent results.
Authorized licensed use limited to: Hamad Bin Khalifa University. Downloaded on December 26,2023 at 14:51:16 UTC from IEEE Xplore. Restrictions apply.
• The studies were not performed in an operational and real
environment where work pressure, timing, and tiresome
may significantly bias the user’s perspective contrary to
standardised questionnaires and simulated environments.
• Some of the studies did not consider the experience of the
participants (e.g., the subject might have already fallen
victim to a phishing attack in the past and is now more
cautious).
With the aim to clarify the role of extraversion in an indi-
vidual’s phishing behaviour, future research should mitigate
the above-mentioned issues that might lead to the existing
lack of consensus. Thus, new research should include vari-
ables about culture and habits, objective measures instead of
self-report questionnaires, and perform phishing studies with
higher consequences for participants. In this line, we have not
found evidence of studies which aim to reproduce the results
described in the articles studied in this article. This lack of
reproducibility might affect the consistency of the assessed
results.
The above implies the need to perform such studies differ-
ently. Beyond the scale factor, there is a need to perform such
studies more diverse, trying to have broader representation
in terms of several factors, including but not limited to age
groups, gender, IT and cybersecurity background, and ethnic-
ity. Moreover, isolated and structured studies may significantly
bias the research, so closer they must be developed to match
different real-world scenarios under realistic, if not real, oper-
ational environments. Besides, the context of a phishing attack
and the user’s response are crucial and should be taken into
consideration. For instance, a phishing email to a university
student asking him to deposit money in a foreign account could
be easily considered a phishing email, yet an accountant at a
shipping company may consider this part of the daily routine.
Hence, interpreting that the student is less susceptible to a
phishing attack would be a false assumption. Similarly, one
should also consider previous experience. If the subject has
fallen victim to such a scam, it is highly likely that it would be
more conscious than it was in the past, regardless of whether it
is extravert or not. As a result, this perspective must be taken
into consideration in the evaluation of the outcomes.
In the mid-term, we will undertake cross-cultural research
with a large-scale analysis to enable the creation of representa-
tive base linings allowing practical experiments. These results
will facilitate the generation of more efficient anti-phishing
training programs, enhancing people’s protection and reducing
the economic losses of companies and governments.
ACKNOWLEDGEMENTS
This work was supported by the European Commission
under the Horizon Europe funding programme, as part of the
project LAZARUS (Grant Agreement 1010703030).
Views and opinions expressed are however those of the
author(s) only and do not necessarily reflect those of the
European Commission. Neither the European Union nor the
granting authority can be held responsible for them.
 R EFERENCES [25] R. R. McCrae and P. T. Costa, Jr, “Brief versions of the neo-pi-3,”
Journal of individual differences, vol. 28, no. 3, pp. 116–128, 2007.
[1] Verizon, “Data breach investigations report,” https://www.verizon.com/
[26] C. J.Soto and O. P.John, “Short and extra-short forms of the big
business/en-gb/resources/reports/dbir/, 2022.
five inventory–2: The bfi-2-s and bfi-2-xs,” Journal of Research in
[2] A. van der Heijden and L. Allodi, “Cognitive triaging of phishing
Personality, vol. 68, pp. 69–81, 2017.
attacks,” in USENIX Security Symposium. Santa Clara, CA: USENIX
[27] G. Saucier, “Mini-markers: A brief version of goldberg’s unipolar big-
Association, Aug. 2019, pp. 1309–1326.
five markers,” Journal of personality assessment, vol. 63, no. 3, pp.
[3] APWG, “Phishing activity trends report q4/2020,” https://docs.apwg.org/
506–516, 1994.
reports/apwg trends report q4 2020.pdf, 2020.
[28] P. Costa Jr. and R. McCrae, “Revised neo personality inventory (neo-
[4] ——, “Phishing activity trends report q2/2022,” https://docs.apwg.org/
pi-r) and nep five-factor inventory (neo-ffi),” United States of America:
reports/apwg trends report q2 2022.pdf, 2022.
Psychological Assessment Resources., 1992.
[5] J. L. Parrish Jr, J. L. Bailey, and J. F. Courtney, “A personality based
[29] G. Saucier, “What are the most important dimensions of personality?
model for determining susceptibility to phishing attacks,” Little Rock:
evidence from studies of descriptors in diverse languages,” Social and
UoA, pp. 285–296, 2009.
Personality Psychology Compass, vol. 3, no. 4, pp. 620–637, 2009.
[6] A. McCormac, T. Zwaans, K. Parsons, D. Calic, M. Butavicius, and
[30] S. Eftimie, R. Moinescu, and C. Răcuciu, “Spear-phishing susceptibility
M. Pattinson, “Individual differences and information security aware-
stemming from personality traits,” IEEE Access, vol. 10, pp. 73 548–
ness,” Computers in Human Behavior, vol. 69, pp. 151–156, 2017.
73 561, 2022.
[7] F. Sudzina and A. Pavlicek, “Virtual offenses: Role of demographic
[31] M. Canham, M. C. Posey, and M. Constantino, “Phish derby: Shoring
factors and personality traits,” Information (Switzerland), vol. 11, no. 4,
the human shield through gamified phishing attacks,” vol. 6, pp. 536–
2020.
546, 2022.
[8] S. D. Gosling, P. J. Rentfrow, and W. B. Swann Jr, “A very brief measure
[32] Y. Ge, L. Lu, X. Cui, Z. Chen, and W. Qu, “How personal characteristics
of the big-five personality domains,” Journal of Research in Personality,
impact phishing susceptibility: The mediating role of mail processing,”
vol. 37, no. 6, pp. 504–528, 2003.
Applied Ergonomics, vol. 97, p. 103526, 2021.
[9] H. Eysenck and S. Eysenck, “Eysenck personality questionnaire-
[33] S. Eftimie, V. Cotenescu, R. Moinescu, C. Răcuciu, and D. Glăvan,
revised,” 1984.
“A case study in anticipating insider vulnerabilities using psychological
[10] J. Digman, “Personality structure: emergence of the five-factor model,”
profiling,” in 2021 IEEE International Black Sea Conference on Com-
Annual Review of Psychology, vol. 41, no. 1, pp. 417–440, 1990.
munications and Networking (BlackSeaCom), 2021, pp. 1–4.
[11] T. Halevi, J. Lewis, and N. Memon, “A pilot study of cyber security
[34] J. R. Schoenherr and R. Thomson, “The cybersecurity (csec) question-
and privacy related behavior and personality traits,” in Proceedings of
naire: Individual differences in unintentional insider threat behaviours,”
the International Conference on World Wide Web, 2013, pp. 737–744.
in 2021 International Conference on Cyber Situational Awareness, Data
[12] M. Pattinson, C. Jerram, K. Parsons, A. McCormac, and M. Butavicius,
Analytics and Assessment (CyberSA), 2021, pp. 1–8.
“Why do some people manage phishing e-mails better than others?”
[35] L. Bishop, P. Morgan, P. Asquith, G. Raywood-Burke, A. Wedgbury, and
Information Management and Computer Security, vol. 20, no. 1, pp.
K. Jones, “Examining human individual differences in cyber security and
18–28, 2012.
possible implications for human-machine interface design,” LNCS, vol.
[13] S. Albladi and R. George, “Personality traits and cyber-attack victimisa-
12210, pp. 51–66, 2020.
tion: Multiple mediation analysis,” in Conference on Internet of Things
[36] E. Frauenstein and S. Flowerday, “Susceptibility to phishing on social
- Business Models, Users, and Networks, vol. 2018-January, 2017, pp.
network sites: A personality information processing model,” Computers
1–6.
and Security, vol. 94, 2020.
[14] P. Lawson, O. Zielinska, C. Pearson, and C. Mayhorn, “Interaction
[37] P. Lawson, C. Pearson, A. Crowson, and C. Mayhorn, “Email phish-
of personality and persuasion tactics in email phishing attacks,” in
ing and signal detection: How persuasion principles and personality
Proceedings of the Human Factors and Ergonomics Society, 2017, pp.
influence response patterns and accuracy,” Applied Ergonomics, vol. 86,
1331–1333.
2020.
[15] C. T. Alseadoon I., Othman M.F.I., “What is the influence of users’
[38] J. Zhou, S. Luo, and F. Chen, “Effects of personality traits on user
characteristics on their ability to detect phishing emails?” Advanced
trust in human–machine collaborations,” J. Multimodal User Interfaces,
computer and communication engineering technology, vol. 315, pp. 949–
vol. 14, no. 4, pp. 387–400, 2020.
962, 2015.
[39] B. Thomas and J. Hajiyev, “The direct and indirect effects of personality
[16] J. Vom Brocke, A. Simons, B. Niehaves, K. Riemer, R. Plattfaut, and
on data breach in education through the task-related compulsive technol-
A. Cleven, “Reconstructing the giant: On the importance of rigour in
ogy use: M-learning perspective,” International Journal of Computing
documenting the literature search process,” in Conference on Information
and Digital Systems, vol. 9, no. 3, pp. 459–469, 2020.
Systems, 2009.
[40] S. Kennison and E. Chan-Tin, “Taking risks with cybersecurity: Using
[17] P. López-Aguilar and A. Solanas, “Human susceptibility to phishing
knowledge and personal characteristics to predict self-reported cyberse-
attacks based on personality traits: The role of neuroticism,” in IEEE An-
curity behaviors,” Frontiers in Psychology, vol. 11, 2020.
nual Computers, Software, and Applications Conference (COMPSAC),
[41] S. Anawar, D. Kunasegaran, M. Mas’Ud, and N. Zakaria, “Analysis of
2021, pp. 1363–1368.
phishing susceptibility in a workplace: A big-five personality perspec-
[18] H. Cooper, “Organizing knowledge syntheses: A taxonomy of literature
tives,” Journal of Engineering Science and Technology, vol. 14, no. 5,
reviews,” Knowledge in Society, vol. 1, no. 1, pp. 104–126, 1988.
pp. 2865–2882, 2019.
[19] M. J. Baker, “Writing a literature review,” The marketing review, vol. 1,
[42] P. Lawson, A. Crowson, and C. Mayhorn, “Baiting the hook: Exploring
no. 2, pp. 219–247, 2000.
the interaction of personality and persuasion tactics in email phishing
[20] J. L. Maples-Keller, R. L. Williamson, C. E. Sleep, N. T. Carter, W. K.
attacks,” Advances in Intelligent Systems and Computing, vol. 822, pp.
Campbell, and J. D. Miller, “Using item response theory to develop a 60-
401–406, 2019.
item representation of the neo pi–r using the international personality
[43] F. Sudzina, R. Novák, and A. Pavlı́ček, “Impact of personality traits
item pool: Development of the ipip–neo–60,” Journal of Personality
and gender on experiencing virtual offenses,” in Strategic Modeling
Assessment, vol. 101, no. 1, pp. 4–15, 2019.
in Management, Economy and Society - Interdisciplinary Information
[21] O. P. John, S. Srivastava et al., The Big-Five trait taxonomy: History,
Management Talks, 2018, pp. 243–249.
measurement, and theoretical perspectives. University of California
[44] M. Gratian, S. Bandi, M. Cukier, J. Dykstra, and A. Ginther, “Correlating
Berkeley, 1999, vol. 2.
human traits and cyber security behavior intentions,” Computers and
[22] L. R. Goldberg, J. A. Johnson, H. W. Eber, R. Hogan, M. C. Ashton,
Security, vol. 73, pp. 345–358, 2018.
C. R. Cloninger, and H. G. Gough, “The international personality item
[45] M. Alohali, N. Clarke, F. Li, and S. Furnell, “Identifying and predicting
pool and the future of public-domain personality measures,” Journal of
the factors affecting end-users’ risk-taking behavior,” Information and
Research in Personality, vol. 40, no. 1, pp. 84–96, 2006.
Computer Security, vol. 26, no. 3, pp. 306–326, 2018.
[23] M. Donnellan, F. Oswald, B. Baird, and R. Lucas, “The mini-ipip
[46] S. Kleitman, M. Law, and J. Kay, “It’s the deceiver and the receiver:
scales: Tiny-yet-effective measures of the big five factors of personality,”
Individual differences in phishing susceptibility and false positives with
Psychological Assessment, vol. 18, no. 2, pp. 192–203, 2006.
[24] R. R. McCrae, P. T. Costa, Jr, and T. A. Martin, “The neo–pi–3: A item profiling,” PLoS ONE, vol. 13, no. 10, 2018.
more readable revised neo personality inventory,” Journal of personality
assessment, vol. 84, no. 3, pp. 261–270, 2005.

Authorized licensed use limited to: Hamad Bin Khalifa University. Downloaded on December 26,2023 at 14:51:16 UTC from IEEE Xplore. Restrictions apply.
[47] S. Baki, R. Verma, A. Mukherjee, and O. Gnawali, “Scaling and
effectiveness of email masquerade attacks: Exploiting natural language
generation,” in ACM on Asia Conference on Computer and Communi-
cations Security, 2017, p. 469–482.
[48] S. Van De Weijer and E. Leukfeldt, “Big five personality traits of cy-
bercrime victims,” Cyberpsychology, Behavior, and Social Networking,
vol. 20, no. 7, pp. 407–412, 2017.
[49] F. Sudzina and A. Pavlicek, “Propensity to click on suspicious links:
Impact of gender, of age, and of personality traits,” in Bled eConference:
Digital Transformation - From Connecting Things to Transforming our
Lives, 2017, pp. 593–602.
[50] T. Halevi, N. Memon, J. Lewis, P. Kumaraguru, S. Arora, N. Dagar,
F. Aloul, and J. Chen, “Cultural and psychological factors in cyber-
security,” in ACM International Conference Proceeding Series, 2016,
pp. 318–324.
[51] C. Mayhorn, A. Welk, O. A. Zielinska, and E. Murphy-Hill, “Assessing
individual differences in a phishing detection task,” in Proceedings 19th
Triennial Congress of the IEA, vol. 9, 2015, p. 14.
[52] M. Kajzer, J. Darcy, C. Crowell, A. Striegel, and D. Van Bruggen, “An
exploratory investigation of message-person congruence in information
security awareness campaigns,” Computers and Security, vol. 43, pp.
64–76, 2014.
[53] M. Pattinson, C. Jerram, K. Parsons, A. McCormac, and M. Butavicius,
“Managing phishing emails: A scenario-based experiment,” in Proceed-
ings of the International Symposium on Human Aspects of Information
Security and Assurance (HAISA), 2011, pp. 75–85.
[54] J.-P. Rolland, “The cross-cultural generalizability of the five-factor
model of personality.” R. R. McCrae and J. Allik, pp. 7–28, 2002.
[55] S. Eftimie, R. Moinescu, and C. Rǎcuciu, “Insider threat detection using
natural language processing and personality profiles,” in International
Conference on Communications (COMM), 2020, pp. 325–330.
[56] H. S. Lallie, L. A. Shepherd, J. R. Nurse, A. Erola, G. Epiphaniou,
C. Maple, and X. Bellekens, “Cyber security in the age of covid-19:
A timeline and analysis of cyber-crime and cyber-attacks during the
pandemic,” Computers & Security, vol. 105, p. 102248, 2021.
[57] K. Ding, N. Pantic, Y. Lu, S. Manna, and M. Husain, “Towards
building a word similarity dictionary for personality bias classification of
phishing email contents,” in IEEE International Conference on Semantic
Computing (IEEE ICSC), 2015, pp. 252–259.
[58] R. McCrae and O. John, “An introduction to the five-factor model and
its applications,” Journal of Personality, vol. 60, no. 2, pp. 175–215,
1992.
[59] N. Pantic and M. Husain, “A decision support system for personality
based phishing susceptibility analysis,” in IEEE International Confer-
ence on Big Data, 2019, pp. 3066–3071.
Authorized licensed use limited to: Hamad Bin Khalifa University. Downloaded on December 26,2023 at 14:51:16 UTC from IEEE Xplore. Restrictions apply.
[60] H. Zhao and X. Zhang, “A mobile security-related behavior pre-
vention model based on speech personality traits,” in IEEE Trust-
com/BigDataSE/ISPA, 2016, pp. 1803–1810.
[61] J.-H. Cho, H. Cam, and A. Oltramari, “Effect of personality traits on
trust and risk to phishing vulnerability: Modeling and analysis,” in IEEE
International Multi-Disciplinary Conference on Cognitive Methods in
Situation Awareness and Decision Support (CogSIMA), 2016, pp. 7–13.
[62] J. M. G. Ciardo, R. Fricks and K. Trivedi, “Spnp user’s manual version
6.0,” Center for Advanced Computing and Communication (CACC)
Department of electrical and Computer Engineering, Duke University,
1999.
[63] H. Alqahtani and M. Kavakli-Thorne, “Exploring factors affecting user’s
cybersecurity behaviour by using mobile augmented reality app (cybar),”
in International Conference on Computer and Automation Engineering,
2020, p. 129–135.
[64] S. Uebelacker and S. Quiel, “The social engineering personality frame-
work,” in Workshop on Socio-Technical Aspects in Security and Trust
(STAST) and IEEE Computer Security Foundations Symposium (CSF),
2014, pp. 24–30.
[65] R. B. Cialdini and L. James, Influence: Science and practice. Pearson
education Boston, MA, 2009, vol. 4.
[66] A. Darwish, A. E. Zarka, and F. Aloul, “Towards understanding phishing
victims’ profile,” in International Conference on Computer Systems and
Industrial Informatics, 2012, pp. 1–5.
[67] M. Korzaan and K. Boswell, “The influence of personality traits and
information privacy concerns on behavioral intentions,” JCIS, vol. 48,
no. 4, pp. 15–24, 2008.
[68] H. Smith, S. Milberg, and S. Burke, “Information privacy: Measuring
individuals’ concerns about organizational practices,” MIS Quarterly:
Management Information Systems, vol. 20, no. 2, pp. 167–195, 1996.
[69] J. R. Schoenherr, “Insider threats and individual differences: Intention
and unintentional motivations,” IEEE Transactions on Technology and
Society, vol. 3, no. 3, pp. 175–184, 2022.
[70] J. R. Schoenherr and R. Thomson, “The cybersecurity (csec) question-
naire: Individual differences in unintentional insider threat behaviours,”
in International Conference on Cyber Situational Awareness, Data
Analytics and Assessment (CyberSA), 2021, pp. 1–8.
[71] W. Syafitri, Z. Shukur, U. A. Mokhtar, R. Sulaiman, and M. A. Ibrahim,
“Social engineering attacks prevention: A systematic literature review,”
IEEE Access, vol. 10, pp. 39 325–39 343, 2022.
[72] S. Balsis, L. D. Cooper, and T. F. Oltmanns, “Are informant reports of
personality more internally consistent than self reports of personality?”
Assessment, vol. 22, no. 4, pp. 399–404, 2015.