Control vs. Education: How Should We Change Human Behavior on Privacy and Data Security?

Daniel J. Solove is the founder of TeachPrivacy and John Marshall Harlan Research Professor of Law, George Washington University Law School.

It seems these days as though we're barraged by stories of privacy and data security incidents. Photos hacked in the Cloud. Massive data breaches. Troubling research studies on social media sites, such as the Facebook mood study. Many of these incidents are caused, at least in significant part, by people.

A PC World article discusses a new study by Forrester that reveals internal threats as the "leading cause" of data breaches.

According to a stat in SC Magazine [http://www.scmagazine.com/security-awareness-training/slideshow/946/#1], 90% of malware requires a human interaction to infect.

According to a survey by Enterprise Management Associates:

  • 33% of workers use the same password for work and personal devices.
  • 35% have clicked on email links from unknown senders.
  • 59% have stored work information in the cloud.

Data breaches are often not the result of technical deficiencies but of the human element of security. A person can so readily click on the wrong thing, put data in the wrong place, fail to properly dispose of data, improperly access data, or fall for a social engineering trick. All it takes is for one member of the workforce to slip up, and...bam...there's a data breach.

I've read the stories told of master hackers, and the interesting thing is that they succeed not because of their technical wizardry but because they are good con artists who trick people. A lot of people. Humans play a key role in data security, and managing human behavior is immensely challenging. How should higher education respond to this state of affairs? There are essentially three broad types of responses.

  • Don't do anything. It can be a big challenge to change human behavior, especially in higher education where powerful corporate hierarchies often don't exist to force change.
  • Impose more control on people's behavior. Find ways to force people to engage in better security practices.
  • Educate people.

Little needs to be said about the first approach—it is clearly wrong, especially in light of increasing privacy and security risks. The consequences of an incident can cause real harm to people, injure an institution’s reputation, and lead to substantial costs.

The second and third approaches require more discussion.

Control

One strategy is to impose more control on people, but imposing too much control on people can be both oppressive and counterproductive.

Stronger controls aren't particularly consistent with the educational environment, which is open and free. A control strategy can be stifling to academic freedom and the sense of openness that is common in higher education.

Moreover, rigid controls are often not effective because they can lead to people taking end-runs around security measures.

For example, people can be forced to select very long and complex passwords and change them every month. But some people will have trouble remembering their passwords under this system and will write them down. Just like that, a good security control can be thwarted.

Education

The alternative way to change human behavior is through awareness and education. This is the best way to go, in my opinion. I believe in education, which is why I work in higher education. I believe that I can influence my students and make a difference by my teaching.

If you can’t force people to do the right thing, then you must teach them to do the right thing.

As one influential dissertation has concluded, studies have demonstrated that "gaining senior management support and ensuring a security-trained workforce are arguably the two most critical issues to obtain effectiveness in organizational information security."

Ironically, I have found that higher education lags behind other industries in training its workforce and community. Privacy and data security training are mandatory annual requirements in many industries. In higher education, many schools—perhaps most—do not have privacy and security training.

Higher education should be a leader in such training because we believe in this strategy—we believe in education. This is why it is so odd that higher education isn't a leader in privacy/security training.

Although I use the term "training" because that's the term commonly used, I personally don't like the word "training" and prefer to think of it as "education." Good training should be like good education. Just sticking up some videos or modules on a website isn't sufficient. The training must be effective. Unfortunately, much online training is not very sound from an educational perspective. It is a moribund process of dull slideshows, of hearing do's and don'ts.

Good education involves making an emotional connection. People respond to stories; they stick in people's minds. Stories also motivate—they explain the consequences of behavior. Merely stating rules in the abstract doesn't work. Interaction is also key, because people learn better when they are active rather than passive.

Some degree of variation can enhance learning. I'm a visual learner, so I believe that good visuals are key. People learn in different ways, so multiple ways to engage them should be used.

Training should be done with passion. When a teacher has genuine passion for a subject, it can be infectious. When a teacher loves a subject, you can almost sense it, and it's hard not to be swept up in that love story. I still remember those classes with professors who had that passion—and these professors weren't necessarily the best lecturers. But they cared about the subject so much that they wanted others to care too. I felt it. And it worked—people really did care more, and the subject came alive.

A research study presented at a NIST conference in 2012 concluded that it is "[n]ot enough to provide training at new employee orientation only." Instead, training must be "sustainable and repeatable." According to the study's author, "Research has shown that people recall more of what they hear and see together, versus what they only see or only hear." The study concludes that merely reciting policies and procedures is not adequate.

I believe it is very important that training be excellent in both content and pedagogy.

Whenever developing or selecting a training program, the two most important things are:

  1. The program should be designed by an expert in the subject who knows the requirements of the law and the kinds of behaviors that lead to incidents. The expert should have compliance wisdom and knowledge about how effective training and awareness programs work.
  2. The program should be designed by a person with teaching expertise. Merely saying the right messages isn't enough—it is how the messages are taught that matters.

I recommend that the program be evaluated by people with teaching experience. Those with such experience tend to be more aware of some of the basic elements of good teaching.

In the weeks and months to come, I plan to discuss on my LinkedIn blog the factors that make training most effective. I aim to provide concrete examples of how privacy and security can be taught well, especially via e-learning, which presents some special challenges that are distinct from in-person training. Please follow my LinkedIn blog if you are interested.

Conclusion

The best way to address privacy and security incidents in higher education is through education. This approach is much better than the alternative, and it is an approach that higher education already believes in. I hope that one day higher education can be the leading industry in privacy/security training rather than one that lags behind.

© 2014 Daniel J. Solove. Creative Commons Attribution 4.0 license