Acknowledging Risks from The Cyber Lucifer Effect

Written by Ben Rendle, contributor to The Risk Management Handbook.

In 2015, the UK media reported that cyber hackers infiltrated Ashley Madison, a controversial online dating website for secret extra marital affairs. The website claimed a “100% discreet service, with a Trusted Security Award on its homepage” for up to 37 million people worldwide[i]. According to media reports, the cyber hackers are threatening to release all of the details to client’s partners and close contacts unless Ashley Madison goes offline.

The internet can blur activities between individuals, not for profit organisations and businesses. What makes this example interesting is the unique online aspects of clients having an extra martial affair. Firstly, hosting a website service enables companies to commercialise extramarital affairs to a global scale and secondly, clients had “the illusion that adultery is somehow different, safer, when conducted online”[ii]. Online extramarital affairs do not even have to involve real people, as the UK’s Daily Telegraph reports a case where a woman divorced her husband for having a 'virtual' affair with an imaginary, animated woman on a computer game called ‘Second Life’[iii]. However, extramarital affairs aren’t the only cases where specific online activity has been the downfall of individuals, not for profit organisations and businesses. Some other examples include:

In 2014, the UK National Crime Agency reported that 650 people were arrested for accessing child abuse images online. Many of these people were from highly respected professions, including teachers, medical staff, former police officers, a social services worker and a scout leader[iv].
Professional gaming is highly popular in South Korea, where the best can earn “hundreds of thousands of pounds every year”. A South Korean man addicted to online gaming suffered repetitive strain and injured his muscles as a result, deforming them and making surgery the only option to save his illustrious career as “the best player in StarCraft”[v].
Ellen Pao, described as one of Silicon Valley’s most prominent women, resigned as interim CEO of Reddit, the entertainment, social networking, and news website. She was targeted for months with racist and sexist threats and commentary, mainly generated by online users on a website which promoted free expression at any cost [vi].

Why would employees, or customers, or individuals behave online like this yet act benevolently offline? Dr Zimbardo, a professor at Stanford University, conducted the notorious Stanford prison experiment in 1971 which examined the psychological effects of becoming a prisoner or a prison guard. The experiment stopped after just six days, when participants adapted to their roles well beyond Zimbardo's expectations; the guards became highly authoritarian and subjected some prisoners to psychological torture.

Shocked by this transformation, and by similar behaviours at the Abu Ghraib prison in Iraq in 2004, Zimbardo questioned why seemingly good people turned to evil behaviours in his book “The Lucifer Effect”[vii]. In this book, Dr Zimbardo defines evil as “intentionally behaving in ways that harm, abuse, demean, dehumanize or destroy innocent others – or using one’s authority and systemic power to encourage or permit others to do so on your behalf”.

Dr Zimbardo defines two types of evil: essentialised and incrementalist (see table 1 below):

Table 1: Essentialised and Incrementalist Evil

Type of Evil

Characteristics

Essentialised

Deflects responsibility away from other individuals in the organisation
“there will always be a few bad apples in the barrel”
“it’s the way of the world – we can’t change it”

Incrementalist

Recognises that responsibility may be present in every individual
It may even have systemic causes with senior management setting the wrong tone or turning a blind eye to adverse online activities (looking beyond the “bad apples” to the designer of the apple barrel).

The traditional focus for adverse online ‘human’ activities in corporate cyber security has been on ‘insider threats’, defined as “a person who exploits, or has the intention to exploit, their legitimate access to an organisation’s assets for unauthorised purposes.”[viii] Examples of this can include dishonest employees stealing money or sensitive information within their organisation’s IT systems for personal gain or revenge. In most cases, the motivation has been solely to identify and remove the insider threats as quickly as possible whilst causing minimal damage to the organisation’s assets and reputation.

It may be much harder for both organisations and individuals to accept an alternative “incrementalist evil” perspective, which upholds a view that we are all capable of adverse online activities, depending on our changing circumstances and perspectives (“we all could become those bad apples depending on where we sit in the barrel”).

It may be tempting at this point to claim that online incrementalist evil is nearly impossible to mitigate, let alone through cyber risk management. I would however suggest that it can play a part by helping to identify and manage any inconsistencies between how management, employees and individuals behave online as well as offline.

Beyond just identification, management, employees and individuals need to own and be accountable for these types of risks both at an individual and systemic level. Cyber risk management needs to recognise that the online workspace blurs professional online activities with personal ones and that cultural factors, not just IT factors, play a critical role in managing cyber risks.

There are significant opportunities that can be identified by businesses, organisations and individuals in response to online incrementalist evil. Senior management within businesses and not for profit organisations can set the tone online and positively impact on how other employees communicate. Clearer policies and governance around online behaviour can provide reassurance and improved morale for staff. Combined with this, cyber opportunity management can work with businesses and individuals to identify and exploit positive social initiatives online to help both the victims in the workplace (e.g. the Cybersmile Foundation www.cybersmile.org) and employees with internet addictions or adverse online behaviours[ix]. Whilst cyber risk management can identify risks about the darker side of human nature in online activities in the workplace, it can also highlight the opportunities of positive online behaviour at the same time and therefore help employees enjoy the online world at work safely, more fully and more effectively.

References

[i] Metro, UK edition. Tuesday 21^st July 2015 p.4

[ii] See UK London Evening Standard, Tuesday 21^st July p.15

[iii] See http://www.telegraph.co.uk/technology/3453273/Woman-divorces-husband-for-having-a-virtual-affair-on-Second-Life.html

[iv] See http://www.bbc.co.uk/news/uk-28326128

[v] See http://www.bbc.co.uk/news/technology-32996009

[vi] See http://www.nytimes.com/2015/07/11/technology/ellen-pao-reddit-chief-executive-resignation.html?_r=0

[vii] ZIMBARDO, P. (2009) The Lucifer Effect – How Good People Turn Evil. 2^nd Ed. Reading: CPI Cox & Wyman.

[viii] See CPNI https://www.cpni.gov.uk/Documents/Publications/2013/2013003-insider_data_collection_study.pdf

[ix] See http://news.bbc.co.uk/1/hi/8493149.stm