Security Journal (2025) 38:18
https://doi.org/10.1057/s41284-025-00466-4

ORIGINAL ARTICLE

Identifying personality traits associated with phishing susceptibility

Amanul Islam 1 · Md Mamunur Rashid 2 · Fazidah Othman 3 · Mohammed Golam Kaosar 4 · Lamia Islam 5

Accepted: 22 January 2025
This is a U.S. Government work and not under copyright protection in the US; foreign copyright protection may apply 2025

Abstract
Phishing is one of the most prominent and long-lasting cyber-attacks, whereby attackers use social engineering methods to deceive targets into revealing private information. This study analyzes individual differences in victims' vulnerability from the perspective of victimology and applied psychology. Although most studies have focused on the technical nature of phishing attacks, very little is known about personality traits as drivers of vulnerability. The study involved a large-scale survey in which all participants completed a personality assessment questionnaire, along with a phishing susceptibility questionnaire. The results of the survey could be used to create personalized phishing prevention programs in which the personality traits that could be particularly susceptible to phishing would be targeted. The developed treatments were evaluated in a randomized controlled trial. The findings identified crucial personality traits that influenced the tendency to fall for phishing attacks, specifically impulsivity and neuroticism. The designed programs for phishing prevention proved capable of reducing susceptibility, thus informing selective intervention designs for improved cybersecurity. This study underscores the importance of integrating psychological theories and victimology approaches to better understand and mitigate phishing risks, offering valuable insights for both academic and practical applications in cybersecurity.

Keywords Cybersecurity · Phishing attacks · Personality traits · Phishing susceptibility

Introduction

Phishing is a form of cyberattack in which social engineering techniques make people disclose specific sensitive personal information (Owen et al. 2024). Attackers try through email, messages, or websites that visually appeal to the victim to click on

Extended author information available on the last page of the article