User Personality Archetypes: The All-Clickers, Non-Clickers, and Everyone Between

The Inconvenient Truth About Human Variability

Security professionals often design training programs as if all employees are fundamentally similar, just at different points on a learning curve. The research tells a different story entirely. Approximately one-third of your workforce will remain problematic regardless of training quality or frequency, split between two opposite but equally challenging personality types that no amount of education seems to change.

The numbers are stark and consistent across studies. About 11% of users are what researchers term "all-clickers" - employees who click on virtually everything that arrives in their inbox. Another 22% become "non-clickers" after training, paralyzed by fear of making mistakes. That's 33% of your workforce operating at behavioral extremes that training cannot moderate. Understanding these archetypes isn't just academic curiosity; it's essential for realistic security planning.

The All-Clickers: Perpetual Optimists of the Inbox

That 11% of all-clickers represents a fascinating psychological profile. These aren't necessarily careless or unintelligent people. Often, they're highly responsive, helpful individuals whose natural inclination is to engage rather than ignore. They might be your best customer service representatives, your most collaborative team members, or your most curious innovators. The very traits that make them valuable employees make them security nightmares.

Research suggests several psychological factors drive all-clicking behavior. Some all-clickers have attention deficit traits that make careful email screening difficult. They operate on autopilot, clicking through their inbox as a mechanical task rather than a series of security decisions. Others are eternal optimists who genuinely don't believe bad things will happen to them. They've clicked on hundreds of emails without consequence, reinforcing their belief that the danger is overblown.

Perhaps most interestingly, some all-clickers are thrill-seekers who find the minor risk exciting. They know they shouldn't click, but the tiny adrenaline rush of doing something slightly dangerous appeals to them. It's the digital equivalent of jaywalking - they know it's against the rules, but the risk seems minimal and the convenience is immediate.

The Non-Clickers: Paralyzed by Paranoia

The 22% who become non-clickers after training present a different but equally serious problem. These employees become so afraid of making a security mistake that they stop clicking on legitimate emails. Important communications go unread, collaboration tools go unused, and business processes grind to a halt because these users won't risk any interaction that might be a test or attack.

The psychology of non-clicking often stems from perfectionism and fear of judgment. These employees have internalized security messages so strongly that they'd rather miss important information than risk being the person who clicked on a phishing email. They might have been embarrassed by failing a previous phishing test, or they might be naturally risk-averse personalities who interpret "be careful" as "trust nothing."

Non-clickers often develop elaborate workarounds that create new vulnerabilities. They might ask colleagues to check emails for them, forward everything to personal accounts they consider safer, or simply ignore digital communication entirely in favor of inefficient verbal confirmation of everything. Their extreme caution doesn't make them secure; it just shifts risk to different vectors while degrading organizational efficiency.

The Malleable Middle

Between these extremes lies approximately 67% of users who can be influenced by training. These are the employees who will improve with regular reminders, who will learn from mistakes, and who can maintain reasonable vigilance without becoming paralyzed. They're your training success stories, the ones whose behavior actually changes in response to security awareness efforts.

But even this middle group isn't homogeneous. Some are naturally cautious and need only minor reinforcement. Others are naturally trusting and need regular reminders to maintain vigilance. Some respond to fear-based messaging, while others need to understand the technical details. The challenge is that most training programs are designed for this middle group as if they're all the same, when in reality they represent a spectrum of personalities and motivations.

The Implications for Security Strategy

Accepting that one-third of your workforce will remain problematic regardless of training fundamentally changes how you should approach security. For the 11% of all-clickers, training is essentially useless. They need technical controls - restricted permissions, isolated network segments, and enhanced monitoring. No amount of education will make them safe, so you must make their environment safer.

For the 22% of non-clickers, the challenge is reintegration. They need reassurance that some risk is acceptable, that perfection isn't expected, and that reasonable judgment is valued over absolute caution. This might mean separate messaging that emphasizes balance rather than vigilance, or buddy systems where they can verify suspicious emails without feeling foolish.

The Uncomfortable Conclusion

The existence of these personality archetypes forces an uncomfortable acknowledgment that training has hard limits. You cannot train someone out of their fundamental personality. The optimist will remain optimistic, the paranoid will remain paranoid, and the distracted will remain distracted.

This doesn't mean training is pointless - it remains valuable for the malleable middle. But it does mean that any security strategy that relies solely on training is doomed to fail for at least one-third of your workforce. Perfect security awareness is not just difficult to achieve; it's psychologically impossible for a significant portion of the population. Planning must begin with this reality rather than pretending it doesn't exist.