Title: Phishing vulnerability and personality traits: Insights from a systematic review
Authors: Pablo López-Aguilar, Carlota Urruela, Edgar Batista, Juvenal Machin, Agusti Solanas
Journal: Computers in human behavior reports, volume 20, Article 100784
Publication date: 2025-08-26
Publication type: Journal Article
DOI: 10.1016/j.chbr.2025.100784
URL: https://www.sciencedirect.com/science/article/pii/S245195882500199X
Impact factor: 5.8; JCR: Q1 (PSYCHOLOGY, EXPERIMENTAL)
Abstract
Phishing attacks have gained prominence and effectiveness over the years. Although many efforts are devoted to combating them, generic anti-phishing awareness and training campaigns have shown limited success. In this context, considering individuals’ personality traits in relation to phishing behaviour could significantly enhance cybersecurity defence strategies. In this article, we concentrate on personality traits and their effects on vulnerability to phishing attacks. We implement a rigorous systematic review following the methodology proposed by vom Brocke et al. (2009) along with the PRISMA statement. We searched five major databases (i.e., Web of Science, Scopus, IEEE Xplore, ACM Digital Library, and PubMed), with an all-years’ time span from 1900 to January 2025. From the 1919 articles yielded in the initial search, 26 satisfied all criteria. Results reveal that extraversion, agreeableness, and neuroticism generally show a positive association with phishing vulnerability, whereas conscientiousness emerges as a protective factor. The review also highlights significant gaps in the current methodologies used to measure phishing vulnerability, noting a lack of standardised measurement tools to perform phishing experiments. Finally, this study underscores the need to develop secondary prevention strategies targeting at-risk groups to combat the increasingly sophisticated phishing threats. To enhance consistency in future research, the Appendix includes guidelines for measuring phishing vulnerability under experimental conditions.