
Information security and the observer effect

The initial empirical study of the observer effect (Hawthorne effect), which held that people change their behaviour for the better when observed, has seen equal measures of criticism and support over the years.

Whilst a lot of the critiques were typically academic (i.e. no impact on the end effect, just argument over which factor influences it), there were also a number of empirical studies that failed to replicate the original study's results.

Two academic papers that I used in the past on the effect of being watched (quantum physics observer effect in real world psychology, if you will) have a lot of lessons for information security designers and architects, if only they would stop rolling out new boxes and start thinking about what it is they really need to do. No, the main purpose of information security is not to put more and more obstacles in the path of authorised and unauthorised users; it is to ensure that desired activities take place and undesired activities do not result in success.

With that in mind, here’s the first study on the effect of being watched:

We examined the effect of an image of a pair of eyes on contributions to an honesty box used to collect money for drinks in a university coffee room. People paid nearly three times as much for their drinks when eyes were displayed rather than a control image. This finding provides the first evidence from a naturalistic setting of the importance of cues of being watched, and hence reputational concerns, on human cooperative behaviour.

The second field study took the learnings from the first and expanded the control environment. This time they tried to see if the influence of ‘watchful eyes’ changes behaviour on a larger scale. This study introduced incidental observers, i.e. people standing around who weren’t part of the experiment, as well as different local norms: “litter is OK” and “litter is not OK”. The results were mixed:

The eye effect might be strongest when people are either alone (the situation in the empty café), or in a large, anonymous crowd (possibly the situation when people were collecting their bikes outside a building in the midst of a large group), and weakest when people are interacting in social groups (possibly the situation when the café was fuller or when people are watching each other in a supermarket checkout queue).

And

In conclusion, in a field experiment in which we manipulated cues of locally normative behaviour, we found no evidence to support the hypothesis that images of watching eyes make behaviour more normative. Instead, our data provide tentative support for the hypothesis that images of watching eyes induce more pro-social behaviour irrespective of the local descriptive norm.

Lessons for information security: the impression that a user’s activity is being monitored is a strong deterrent and shapes behaviour away from the anti-social and towards the more pro-social, legal and legitimate.