Famous psychological experiments
The Stanford Prison Experiment and the Bystander Apathy Experiment are famous for what they revealed about human behavior: the former provided insight into people’s willingness to conform to the social roles they are expected to play, and the latter showed that a person is less likely to help someone in need when there are others around unless someone else begins helping that person.
Findings from the experiments
When recalling these famous psychology studies, I began to think about how the learnings from the experiments could be applied to a business’s culture, especially when it comes to being informed about cybersecurity threats and how to avoid them. This may seem obvious, but an individual is less susceptible to the effects observed in either the Stanford Prison Experiment or the Bystander Apathy Experiment by being knowledgeable about the effects. For example, by being familiar with the Bystander Effect, you are less likely to ignore someone in an emergency if you’re in a crowd of people because you know that person will most likely be ignored if you don’t jump in to help, and you also know that when others see you help, they will be likely to help as well.
How these experiments tie into cybersecurity
What does what I’ve presented so far have to do with cybersecurity? Let’s say someone is being onboarded to a new job they recently accepted, and part of the onboarding process involves sitting down and going through some educational material that covers common cyber threats such as email phishing attempts, how to recognize them, and how to avoid and report them to the IT department. The likelihood that the employee falls for phishing attempts is significantly reduced, and the same logic follows for other cyber threats.
Change negative effects into positive outcomes
Now, take the negative effect of the Stanford Prison Experiment and flip it in a positive way to make it work for your business. Building a company culture that embraces safe practices by establishing all employees as cybersecurity “experts” regardless of experience and knowledge can also contribute to the business’s security. It’s important to note that it is beneficial to explain to all employees why the business is going to great lengths to teach them about cyber threats. I recall many times in previous roles where I constantly questioned why certain IT and cybersecurity policies were in place, and the feeling that I got from the company was very much an “It is what it is, and just do as we say” attitude, which made me very lethargic about always keeping my computer updated or responding and participating in phishing tests that the company would roll out every once in a while.
What are your thoughts?
Those are my suggestions and thought processes for implementing company policies based on what we have learned from human behavior through the Stanford Prison Experiment and the Bystander Apathy Experiment.