I recently read The Lucifer Effect by Philip Zimbardo which details The Stanford Prison Experiment ran by Zimbardo in 1971. If you aren’t familiar with The Stanford Prison Experiment, essentially a number of students from Stanford University participated in a study to examine the effects of environmental or situational factors on behaviour. Students were randomly assigned to be prisoners or guards. The study was ended after six days as pacifists became violent authoritarians and otherwise stable prisoners emotionally broke down. It was scheduled to run for two weeks.

What Zimbardo outlines is a layer of abstraction that is not dealing with something internally driven but from something that is external. He talks at length about how situation influences behaviour. His main contention is that given the right circumstance, anyone is capable of anything, and this is framed in the paradigm of good and evil. In a sense this could be considered as a follow up to the Milgram experiment from 1961 that sought to understand how authority figures during WWII influenced ordinary people into committing atrocities.

The experiment sought to understand if there is contextual, or even causal element to how people behave in response to their situation. Zimbardo also explores the relationship between assigned or named roles and how the expectations of those roles inform behaviour. But it’s not simplistic due to the interplay of elements. Zimbardo references how group dynamics interact with roles to further reinforce behavioural expectations adding another layer from individual, to group, through to the environmental.

The main point Zimbardo makes is that the situation or environment influences behaviour. For me, this is the most impactful point he makes. As security practitioners it’s not just how we conduct ourselves and hold to our principles that requires careful reflection but the environments in which we find ourselves need to be understood. As much as we can optimise how we engage with interpersonal relationships to reach beneficial outcomes, we can also curate the organisational context to support these outcomes.

Authority

The first day of the experiment consisted of the chosen prisoners being arrested at their homes (by real police) and taken to the local police station for processing. They were assigned numbers which will be used in place of their names, taken through a delousing procedure, and generally given the full prisoner induction experience. This day was about eroding the existing identity of the prisoner and applying techniques of dehumanisation. The guards were already in their roles and awaiting the prisoners when they arrived at the prison which was a mock up created in the basement of Stanford university.

The second day of the experiment there was a prisoner rebellion. This was a reaction to the application of overly authoritarian measures by the guards in the form of a rebellion. The prisoners barricaded themselves into their rooms, there was even an escape attempt. This achieved a number of things although I don’t think why this occurred was that obvious. The rebellion spoke to some core elements of our humanity. We are a conflict driven species, and we are tribalistic. The rebellion galvanised the respective groups and the outgroup was defined for both prisoners and guards. Prisoner 8612 left the experiment having broken down, the weak were purged and the group was strengthened.

The hierarchy of the group was yet to be defined and the shared narrative of the group was yet to be established. Maybe it was inevitable that there would be an event such as this early on. It created the division on which alliances can be defined. This was a reaction to the situation but served a number of purposes in terms of group formation.

But what is the lesson for security or organisational behaviour here?

Conflict is inevitable but it can have utility. Alliances can be created in an organisational context where conflict is leveraged to create the shared identity and create in group preference. Perhaps this might be the security function and a business unit dealing with a tricky auditor or maybe it could be a problematic supplier or an incident. Shared adversity can be useful in creating long lasting bonds and meaningful intergroup relationships.

If the security function chooses to adopt an authoritarian approach it will likely consolidate sentiment against them. Affiliations between groups will still be established but not in a way that is useful to the security function. We shouldn’t seek conflict but must accept that we will find ourselves in those situations as we cannot control the actions of others. Where we do find ourselves in these situations, we should seek to create the shared narrative that creates long lasting bonds.

Group Identity

The prisoners for the most part demonstrated the formation of group identity very clearly following the rebellion. The prisoner group quickly formed their own social norms and peer expectations. From there the group started to enforce these norms.

An example of self-enforcement of a group identity would be where prisoners refused better meals that were given to them as a reward where other prisoners did not receive the same. This was also manifest when one of Zimbardo’s students, Dave, was implanted as an informant and replacement for 8612 who left following the rebellion. Dave very quickly decided to withhold information or only pass on information at a point where it was no longer useful and broke the verbal contract he had with Zimbardo. This shows how we can expect that group affiliation can be influential in short order even where there doesn’t appear to be an obvious vested interest in that group. We should consider that formal or informal groups within organisations passively enforce their norms onto those associated with them.

Groups tend to ostracise its members where they perceive that they have transgressed the norms of that group. Prisoner 819 is labelled a ‘bad prisoner’, an inversion of the language patterns the guards had established when creating the mantra about ‘good prisoners’. A subtle point but this is a reinforcement of the norms and shared narrative of the group. 819 hears multiple of his fellow prisoners calling him a ‘bad prisoner’ and breaks down. Zimbardo isolates him from the group to check on him and 819 expresses that he wants to return to the group to show that he is not a ‘bad prisoner’.

There is a component of seeking status within a group and we see this in groups within organisation. Where people are accepted, they then need to affirm their status within that group and where their reputation is diminished, they will seemingly do almost anything to recover it. This perhaps is the starkest example of how group identity then becomes a part of individual identity. We might expect this kind of behaviour to be apparent in scrum teams, small business teams, long standing working groups, or similar. An individual in an organisation might have competing sets of groups which have their own norms. Any security function should be aware of these groups as they can be a beneficial influence or a destabilising force within an organisation.

Zimbardo notes that the mechanisms of moral disengagement are contextual and disengagement depends on circumstance. This is as true for groups as it is for individuals. Groups establish their own norms, often creating their own short-hand language to reinforce the group identity (in a previous role we referred to server hardening as ‘Ross Kemping’). The group identity can lead to its members disengaging their expected moral standards and positioning immoral acts as virtues. Groups within an organisation can be as powerful as they can be destructive. Even if a group is disliked within an organisation they can carry significant influence over a protracted timeline, a point we’ll return to later.

Individual Identity

What’s in a title? I’ve seen it many times, when people take on new job roles with new titles how they conduct themselves in relation to others changes. Previously sensible people get a ‘Head of [grandiose title here]’ and it’s like they scoffed a bumper pack of pillock pills. They have assumed a role. We see this in the Stanford Prison Experiment where guards become authoritarian, and prisoners’ flit between insubordination and compliance as you would expect with a subjugated class.

But this is more than a role that someone is assuming. It’s the integration of an identity into the person. But it’s also the reaction to a perceived identity that has note. Prisoners obviously don’t react to guards in the same way as they do with other prisoners. There is a group element at play which forms part of the individual identity. The concept of role is contextual to a wider structure so it is clear that a role will contain a group component.

How we structure our organisation and the ‘roles’ we designate within the organisation can be influential on behaviour. People seek to meet the expectations of the role they occupy. Even something as simple as how we designate job titles can dramatically alter the behaviour of those within the organisation. Words have connotations that inform the meaning and therefore the expectation. Again, we arrive back at how the guard’s modified language as a form of control over the prisoners and although not to that extreme, an organisation can choose to modify its language to influence the behaviour it expects its staff to behave. I have been called a ‘positive disrupter’ in the past. It was in vogue at the time and might have been a way to smooth over my rough edges but there was a temptation to live up to the label and start disrupting however at that point, I cared little for titles and actively removed it from anything I could like e-mail signatures so didn't engage with the label.

But we can look towards Agile and how they have rebranded traditional Waterfall roles and altered the expectations of those within those roles. A project manager could be considered a proxy for scrum master, one being an authoritative figure and the other a servant leader of the group. What the Stanford Prison Experiment shows is how these roles become integrated as part of the person’s identity and meeting the expectation of the roles does not cause an immediate sense of incongruence when juxtaposed with pre-established values.

Careful consideration should be given to how roles in an organisation are defined. The title isn’t as arbitrary as you might expect, and how someone is perceived, acts, and is accepted or rejected from groups is steered, in part, from these labels.

Descent as a sword (and a shield)

There is a complex interplay between the assumed roles and personal feelings. This is manifest in the prisoner rebellion. What becomes clear in this exchange is that control factors into feelings of security. The prisoner called ‘Sarge’ volunteers to do press up until he drops, although the guards did not ask this it gives him a sense of control and reinforces his group affiliation. The prisoners in cell 3 refuse a nicer meal in solidarity with the other cells. The prisoners initiate singing happy birthday to 5704 although they are about to go to bed. These demonstrations indicate that although the prisoners do not have freedom they can exert control, no matter how small or self-detrimental over their environment creating a sense of security in a place where they feel they have none. We talk about controls in security. Is it the ownership of that control that gives us the feeling of security perhaps in a way that is more impactful that the effectiveness of that control? Maybe it’s the trade off between personal comfort and group acceptance that is the notable point but decent is used to demonstrate to the guards that the prisoners still have control over a small amount of their situation.

If you after a pithy takeaway . . . then this is probably it. Zimbardo makes the observation that a minority can influence the majority perspective. He cites research undertaken on juries where there is no unanimous verdict and identifies four key attributes where a dissenting opinion becomes adopted by a wider group.

1. The minority is consistent in their message.

2. Their message is articulated confidently.

3. They avoided seeming rigid and dogmatic.

4. They were skilled in social influence.

There are a couple of important notes in that the influence only worked over a long duration. He also notes that the minority were not well liked (that’s basically security, isn’t it?!). But it does suggest that even if there is dislike, consistent and confident people will get listened to over time. This is a useful lesson for a security function but one that should be observed as this is where we can influence even where we are disliked. But this is not something that can be utilised by those with benevolent intent, it can also be used by those who have bad intentions.

Conclusion

We can see there are related concepts that hinge around identity that are contextually sensitive to the environment. It almost feels like concentric circles of components that interplay. These concepts are transposable to organisational behaviour and useful to understand from a security perspective.

Group identity also forms a component of identity, and the designation of roles may assign a person into a group. In an organisation this will be a team, department, and division. Competitive groups can be productive within an organisation however this can also lead to conflict if consideration of these groups is not thoughtfully considered. This talks to the very structure of an organisation and the delineation between groups within it. Although, it’s not realistic that a security function would have direct influence over how an organisation is structured it can seek allegiances with other groups in that organisation.

The speed at which identities were assumed by the participants of the Stanford Prison Experiment is of note. It suggests that changes made can be effective in a short duration, but this can be a double edge sword. There are consequences for getting the situational context wrong. Groups within an organisation can be highly disruptive if pushing back against what is perceived to be an overly authoritarian management style. These groups, if a minority, can also influence over time and change the direction of travel. We see that group affiliation hold primacy over perceived consequences and a discontented group may act against an organisation even if it works against their personal interests. The norms of the group trump individual concerns.

If we lean into conventional security orthodoxy for a moment, the obvious implication is that insider threats could be a natural by product of your organisational structure and environment. Maybe if you have identified insider threats in your organisation then this should be a prompt for you to look at your organisational structure and environment to see if that is a problem in need of attention.

And this is the point. We can influence organisational behaviour through the environment we create and we are not limited to that which has been created for us.