Hotline: Cybersecurity and Privacy | January 2026

This Month: Cybersecurity as Human Nature, Ethical Frameworks, and Jurisdictional Purgatory

"Hotline: Cybersecurity and Privacy" tackles the philosophical, moral, strategic, and organizational quandaries related to higher education cybersecurity, privacy, and data. This month, Mike answers your questions about the nature of cybersecurity, the ethical foundations of policy decisions, and the organizational challenges of incident response.

Stacked tiles with various icons: key, lock, shield, etc. The top one is a phone in use.
Credit: HowLettery / Shutterstock.com © 2026

Cybersecurity Through the Looking Glass

Dear Hotline: Some days, I wonder whether cybersecurity in higher education is really a technology problem or simply a reflection of human nature. We build policies and controls, but our greatest risks come from fear, ego, shame, pride, or plain exhaustion. How should a security leader think about a problem that is less about firewalls and more about the souls of the people behind the keyboard?

Souls on Fire

Dear On Fire: What an insightful question, though "fear, ego, shame, pride, or plain exhaustion" sounds like a sitcom based on my junior high school experience. I wish that I had worked for you early in my career. Had I learned what you so clearly state—that cybersecurity is simply a reflection of human nature—it would have saved me a lot of scar tissue. I've written a lot on this topic elsewhere, so let's focus on your question about how a security leader should think about cybersecurity when it's fundamentally about people, not technology.[1]

I suspect many readers are asking, "But Hotline, it's the tech that fails and the tech that heals. Aren't you leaving that out?" If we were running an R&D lab and devising the next (next) gen of firewalls, I might feel differently. But most of us in higher education are market consumers. We buy solutions, chase technological trends, and, for better or worse, put our trust in these vended products. Few of us ever modify open-source solutions; instead, we configure and deploy them.

No, the hard part of our jobs as cybersecurity and privacy professionals is human. We give people powerful data-sharing tools and are horrified that they use them to share data. We try to deploy some of that effective technology, but we are frustrated when users push back, questioning why we're imposing security practices on them. We make impassioned pleas to our managers, filled with risk assessments and logic, only to be swatted away, defeated by the attraction to some new "transformational" service.

While it's tempting, and at times called for, to act as the traffic cop—do this, don't do that, go here, don't click on that—the more appropriate metaphor is to think of security leaders as institutional coaches or mentors. Some lessons can't be learned by being told something. They need to be arrived at through a process of discovery and persistence. Great musicians don't learn by being told to "play with more feeling." Rather, they grow to understand how to tap into that soulful skill through practice and exposure. My advice is to cultivate relationships with the disparate communities at your institution. Engage with them without arriving with an "ask." Focus on making your interactions less transactional. Recognize that user resistance is feedback, not defiance. You'll find that doing this requires you not only to change how you view your community but also to reframe yourself.

Ethics in a Noisy Conference Room

Dear Hotline: Every policy discussion on my campus turns into a clash of competing values: privacy versus safety, autonomy versus standardization, academic freedom versus compliance. Is there an ethical framework colleges and universities should use to weigh these tensions, or are we just negotiating with the loudest voices in the room? Sapere aude, my friend.

I Can't Hear over the Yelling

My Dear Yelling: It's tempting to chuckle a bit at your question, for vigorous academic debate, including yelling, may be the defining feature of almost all policy development at colleges and universities. At least in your case, it's merely yelling and doesn't rise to the level of the infamous St. Scholastica Day riot. It's not February 10, though, so let's not count those chickens quite yet.[2]

Of course, there are plenty of ethical frameworks one could use to reach a decision, all of which revolve around answering a few specific questions. For example, which option produces the greatest overall good (or least harm) (utilitarianism)? What best advances my (or the institution's) self-interest (egoism)? Is the action itself right, regardless of outcome (Kantian ethics)? And, relevant for privacy concerns, does this decision respect fundamental rights (rights-based ethics)? Not to mention the 21st-century approach: Who has the most likes and followers (🤦-ism)?

I would start by examining the very values you've listed. When a policy debate is explicitly framed in terms of competing ethical commitments rather than preferences, personalities, or politics, it changes the nature of the argument. The question is no longer who is loudest or most aggrieved, but which values the institution is willing to privilege and why. That doesn't end the debate, but it makes it legible, and legibility, not consensus, is what allows institutions to govern themselves with integrity. (Consensus, after all, is often just a proxy for exhaustion.)

If you explore, for example, various "balancing" exercises (most commonly framed as privacy balancing), you'll notice that they generally exemplify this examination of values through the institutional lens.[3] You don't say "privacy versus safety." Rather, the balancing metaphor suggests that you have two legitimate values on each side of a scale, and your job is to find the right equilibrium point. It presupposes that trade-offs are necessary and that context determines where the balance point sits. Early in my career, I was pretty dismissive of these approaches as mere bureaucracy until I realized they were cultural exercises used to defuse precisely the tension you're describing.

Prudenter aude.

Jurisdictional Purgatory, and How to Avoid It

Dear Hotline: I just discovered that our institution has two separate incident response policies—one owned by the privacy office, and the other by the security office. Isn't an incident an incident? Is there an issue here, or should I just keep to my Roomba philosophy of bumping into walls and turning around so people think I'm doing something?

Too Many Forks in the Road

Dear Forks: Ooh my, there's a lot to unpack here. Most critically, please don't diminish my Roomba to just bumping and turning. You're forgetting the hours of entertainment it provides for the dog. Second, while it may seem like a simple question with a simple answer (two offices, two policies), it's actually quite nuanced, and in ways that many people overlook.

In very practical terms, not all incidents are so easily grouped. Imagine a situation in which some HR system, through a human or coding error, sends a set of messages about medical benefits or payroll to a population and includes the data for all recipients in each message. No hacking, no malicious intent, but definitely a data breach. An accidental exposure. Someone from your security office shows up, waving their policy and saying, "Data breach! We have a policy on handling that!" Someone from your privacy office also shows up (I imagine both of them trying to fit through the door at the same time, shoulders comically wedged in the doorway), waving their policy and saying, "Data breach, personal information exposed! We have a policy on handling that!"

One would like to believe that the two offices, security and privacy, have worked together to harmonize their response practices, examining which elements of the response are best handled by whom. While this does happen, all too often, the offices are not collaborating as sincerely as they should. I've even seen privacy and security teams in the same office refuse to share their response playbooks, sometimes going so far as to hide incidents from one another.

There's no way to know from your question whether this has happened at your institution. It's quite possible there's a meta-level agreement or understanding that involves an incident analysis, which routes it entirely (or partially) to each office to address. But if that agreement is implicit, undocumented, or dependent on personalities, it is a source of risk itself. Perhaps, despite appearances, everyone is working together just fine. But as I have said elsewhere, "organizational boundaries, not threats, determine response pathways."[4] At times, this is sufficient. But regardless of your position on how privacy and security should be organized—unless the institution has made a strategic decision on how incidents should be handled—it's hard not to see your situation as one that unnecessarily introduces risk. These risks include delayed response, conflicting notifications, or inconsistent regulatory interpretation—all of which can harm the institution, affect individuals, and erode trust between offices.

Addressing this cage match of policies can be incredibly uncomfortable. Issues of control, ego, and status are awkward and difficult to navigate. Make no mistake: these will surface even when everyone is a good-faith actor. Using the HR example above (which I view as primarily a privacy event), what if the security team has much stronger communication skills? Who then leads the outreach to the impacted community? The reverse situation is equally likely. Regardless of whether an organization has one incident response policy or two, reviewing incidents annually through the lens of where they sit on a spectrum bounded by security on one side and privacy on the other remains valuable. Security and privacy are not in competition. Rather, they are a set of roles and skills that an institution brings to bear on every incident.

I would avoid viewing incident response through organizational boundaries and instead focus on the design requirements for any incident response process: a single incident taxonomy, shared intake and triage, explicit handoffs, and a single incident commander coordinating many contributors. The fundamental goal is to avoid jurisdictional purgatory.

So, keep asking questions. With enough persistent bumping, some walls can collapse.

Concorditer aude.

Notes

  1. To read about cybersecurity as a metaphor for the human condition, see Michael Corn, "Are We Winning or Losing?" Michael Corn (blog), Substack, October 24, 2025.
  2. "St. Scholastica Day Riot," Wikipedia, last modified January 11, 2026.
  3. Some examples include "Privacy Balancing Process," UC Privacy and Information Security Steering Committee Report (University of California, January 2013), and "Privacy Balancing Assessments," University Privacy Office, Yale University, March 2023.
  4. Michael Corn, "Policy by Design," Michael Corn (blog), Substack, December 31, 2025.

Have a cybersecurity or privacy dilemma you'd like Mike to unpack? Submit your question through our anonymous form.


Michael Corn is an Executive Strategic Consultant at Vantage Technology Consulting Group.

© 2026 Michael Corn. The content of this work is licensed under a Creative Commons BY-NC-SA 4.0 International License.