DATA SECURITY IS AN ART, NOT JUST A SCIENCE by Daniel J. Solove

Upload: daniel-solove

Post on 16-Jul-2015



Far too often, the mandate for data security is simply to “secure it,” and people often think of data security as a set of clear choices. This is in contrast to privacy, which is understood as a set of muddy policy issues. But data security is, in fact, quite muddy itself.

Imposing too much control on people can be oppressive and counterproductive. It can change the culture of an organization and make it feel more closed and rigid, less free and less trusting. And it can lead to people taking end-runs around security measures. People can be forced to select very long and complex passwords and change them every month. But some people will have trouble remembering their passwords under this system and will write them down and stick them in their wallets. And just like that, a good security control can be thwarted.

DATA SECURITY IS AN ART

www.teachprivacy.com

One choice is to impose more controls on people -- make it harder for them to do anything with data on their own. But that can come at a cost, because these control measures can make things more inconvenient and seem oppressive. For example, one of the things I love most about being in higher education is the open and free atmosphere. I enjoy not being in a hierarchical structure and not being monitored in everything I do. But this open structure is not ideal from a data security standpoint, where more control would eliminate risks.

Data security is about risk management. Data security measures can reduce the risk of having a data breach, but these measures have costs. These costs can be financial, but they also can involve efficiency, convenience, and the very culture of an organization. Because humans play a key role in data security, this makes data security quite complicated. Managing human behavior is immensely challenging. People are hard to control. They need to be educated. They need to care. But people forget. They have lapses in judgment. They don’t learn what they’re supposed to learn and don’t do what they’re supposed to do.

Data security thus involves difficult tradeoffs. It is something that must be delicately balanced with other considerations. Good data security involves settling on an appropriate level of risk. How much risk is appropriate? That’s a hard question to answer, because it involves the nature and sensitivity of the data being protected, the amount of data per individual being protected, the number of individuals whose data is being protected, the potential harms from the breach of that data to the individuals involved, the potential harms from the breach to the organization, the nature of the threats, the financial and efficiency costs of various measures to reduce risk, and the standard data security practices in industry.

Good data security involves making sound policy judgments and having an astute understanding of human behavior. Data security choices are often far from clear. Of course, data security decisions can still be evaluated as being good or poor, and industry standards have developed. But the equation is more than merely whether data is secure. Instead, the equation involves establishing an appropriate balance between a number of considerations and devising ways to manage human behavior.


It is a myth to think that data security is just about technology. It involves policy, because managing risk involves making choices and tradeoffs. And it involves people, because people are such a large component of the data security risk equation, and people are one of the most challenging variables to control. In other words, data security is an art, not just a science.

About the Author

TeachPrivacy was founded by Professor Daniel J. Solove. He is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience. According to Professor Solove: "Great training isn’t about slickness or tricks. It is about teaching. The goal is to make people understand, care, and remember. Great training must be made with genuine passion." TeachPrivacy provides privacy awareness training, information security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics.

In addition to creating enterprise-wide training, TeachPrivacy has teamed up with the American Health Information Management Association (AHIMA) to produce a series of more advanced courses on the HIPAA Privacy and Security Rules: http://www.ahima.org/education/onlineed/Programs/hipaa

Professor Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School. One of the world’s leading experts in privacy law, Solove has taught privacy and security law for 15 years, has published 10 books and more than 50 articles, including the leading textbook on privacy law and a short guidebook on the subject. His LinkedIn blog has more than 890,000 followers: http://www.linkedin.com/today/post/articles/2259773

Professor Solove organizes many events per year, including the new Privacy + Security Forum, Oct. 21-23, 2015 in Washington, DC: http://privacyandsecurityforum.com

About TeachPrivacy

www.teachprivacy.com