The Hackers Double “R”: Rationality and Risk

In the beginning, the term hacker had a positive connotation in the computing sector and among programming experts. “Hackers” were considered to be especially skillful and creative in developing programs and highly effective algorithms. Over the years, this positive image gradually changed.

The growing need for computer networks in the business sector and computing’s increasing importance in people’s daily lives meant that many people began to take an interest in this field, some of them with illicit motives. It was no longer a question of understanding programs or networks or making them more efficient; now it was a question of learning how to sabotage them or break into company or institutional networks.

Many famous hackers are known not for designing an algorithm or program but for having broken into the system of some bank, company or government agency.

Today, the term hacker is applied to a broad range of computing experts, intelligent but sinister, who spend hours in front of a computer with the sole aim of finding a system with security system flaws that they can exploit, allowing them to break into it and steal information or disable it.

That is a stereotypical and simplistic definition, but it lets us identify two hacker personality characteristics that we are going to examine in this post.

The few studies that have been done to understand the hacker personality reveal that they are often people with a significant need for cognitive challenges. They enjoy technical complexities and overcoming intellectual challenges and their own limitations.

This desire to improve is even greater when it involves risk, when it goes beyond rules and legal limits, when they go where others cannot or where they are not allowed to go.

Personality tests often study two different types of information processing used in decision-making. In this approach, there are people who prefer and develop an analytical-rational process, as opposed to others who prefer one that is intuitive-experiential.

The first type involves people who make decisions by basing themselves on data and its analysis; they are comfortable in situations where they have information available to them, where the solution is obtained through calculation and logic.

On the other hand, people with intuitive processing allow themselves to be guided by experiences when it comes to making decisions; they are more emotional and intuitive. If we wanted to illustrate this difference with an emotional metaphor, we could say that the first group uses their brain to make decisions, while the second group uses their heart.


Some studies indicate that, compared to the general population, hackers prefer more analytical and rational thought. Moreover, this preference is greater among those hackers with the most success in their activity, which reinforces their preference for these analytical environments and for improving their hacking skills. They prefer complex intellectual challenges to simple ones and enjoy solving problems that require reflective thought.

On another note, there is a very traditional element of study in criminology called risk propensity. According to numerous studies, people who are involved in criminal activity often demonstrate high risk propensity, a behavioral tendency to seek out and feel danger.

Our species, like any other, is programmed to run from or completely avoid that which may put its survival at risk. Avoiding harm or punishment is a basic type of behavior that is shared by all animals. However, human beings are the only animals which, as a response to being self-aware, are able to play with fire and obtain pleasure from it.

It seems impossible to imagine a gazelle strutting in front of a lioness to feel the excitement of running for its life, or a mountain goat jumping off a cliff to feel the thrill of free fall. However, human beings can derive pleasure from driving at 200 km/h on the wrong side of a highway or bungee jumping off a bridge 100 meters high. Some people obtain this risk-related pleasure by engaging in illegal activities, by being on the wrong side of the law and feeling the danger of their possible capture by the Police.

This risk propensity is linked to a well-studied personality dimension, sensation seeking. People who are high sensation seekers need to experience new feelings and seek out unusual experiences and engage in exciting activities, even if they are risky.

According to Zuckerman’s theory, these people need a lot of stimulation to feel good. Some studies link this trait with certain areas of the cerebral cortex involved in feeling pleasure and reward, so this type of behavior has the same effect as some opioid drugs.

Therefore, this search for excitement leads them to assume certain risks, but only up to a point. According to Clarke and Cornish’s Rational Choice Theory, a criminal weighs the costs and benefits of committing a crime.

The crime will be committed if the criminal judges that they can obtain a benefit greater than the assumable cost. In the criminal world this cost is linked to being discovered by the police, arrested and receiving some type of punishment, a fine or even the loss of liberty.

Today, the cyberspace context generates a low feeling of risk among fairly skilled hackers. The internet offers user anonymity; it is possible to hide or use a false identity to navigate through the internet, which creates a certain feeling of security among cybercriminals that they will not be discovered (identified).

Additionally, it is possible to operate internationally without having to actually cross borders or move around, which leaves the field wide open when seeking victims. In addition, there is not yet high police coordination on an international level to fight cybercrime.

The lack of virtual borders clashes with the different jurisdictions, penal codes and police operations in each country, which sometimes makes the inter-country cooperation needed to pursue particular cybercrimes impossible to achieve. All of this means that the level of risk perceived by the hacker is not high enough to tip the cost-benefit scale.


On the other hand, this propensity for risk is also linked with another personality trait that has been the subject of a lot of study in psychology as well, and forms part of one of the best-known personality evaluation models, the Big Five.

For its author, Raymond Cattell, a subject’s personality is like a structure made up of 5 major parts or traits: extraversion, neuroticism, agreeableness, conscientiousness and openness to experience. It is this last trait, openness to experience, which has been linked to the hacker personality.

It is defined as willingness to try new things, the search for interesting stimuli, intellectual curiosity, imagination, aesthetic sensitivity, a preference for variety and awareness of one’s own feelings, emotions and thoughts.

People with high openness to experience are creative, curious and think outside the box. The components of this openness to experience are:

  • Intellectuality and creativity.
  • Capacity to feel and express emotions.
  • Imagination
  • Enjoyment of originality
  • Adventurousness

This relationship between openness to experience and the world of hacking is more significant in the so-called black hat hackers, those who use their technical skills to engage in criminal activity. It is precisely this trait that can explain why they are drawn to illegal activity, to break rules or social conventions.

When a hacker sabotages a system’s security and enters it without permission, they are getting the thrill they need. And the thrill is even stronger when they show their superiority and control when it comes to selling the information obtained or extorted from those responsible for the hacked system to third parties.

Seen in this light, not only does the hacker’s personality not fear a certain level of risk; rather, they seek it and need it, which explains why they go beyond the simple understanding and control of a program or computer system.

When they crack it and cross the line into illegal activity they become that kamikaze driver on the highway or the person who engages in extreme sports.

This risky situation creates very pleasurable excitement for them that has an addictive quality (remember, it activates the same areas of the brain as drug addiction). Therefore, cracking a system is not a means or instrument in a hacker’s hands: it becomes an end in and of itself; the thing they really seek and need.


In short, we see how the hacker’s personality reveals two very interesting elements if we want to create a profile with regard to their cybercrime activity.

  • On the one hand, a cognitive process with a preference for the analytical-rational, which allows them to evolve and obtain the instrumental competencies that mean they can get along in the hacker environment.
  • On the other hand, an element of interaction with the context based on seeking risk, which leads them to engage in certain behaviors and become cybercriminals.

Experts coincide that current efforts to combat cybercrime face a multitude of challenges. In addition to a lack of resources and other practical difficulties, attempts to apply the law are also hindered by the lack of substantial, reliable information to create cybernetic criminal profiles, detailed profiles of the different types of cybercriminals.

Knowing their skill levels and their motivations is essential, because this provides a useful guide for investigating cybercrimes.

We need to acquire knowledge of cybercriminals that goes beyond the computer processes that guide their activity. Knowing what they are like, their psychology and personality traits is something necessary that the companies and agencies dedicated to fighting cybercrime must take into account.

Check how our solution can help you to resolve your company's online fraud issues by requesting a free DEMO and we explain it to you in detail.

Watch video



Posted by Tim Ayling

Tim Ayling is currently the Vice-President EMEA at buguroo. With over 20 years' experience in the cybersecurity and anti-fraud industry, Ayling began his career in technical support, and moved on to System Engineering. He began his leadership career when he established Entrust Inc. in Australia in 2003 and was made Vice-President Asia Pacific in 2006. Ayling has held numerous leadership roles in large cybersecurity vendors, including serving as the Global Head of Fraud Prevention Solutions at Kaspersky Labs, as EMEA Director of Fraud & Risk Intelligence at RSA Security, as well as spending time in the cyber-security practice of KPMG.

Did you like it? Share in your social communities

We recommend you...