Posted by Daniel J. Solove
According to a stat in SC Magazine, 90% of malware requires human interaction to infect. One of the biggest data security threats isn’t technical – it’s the human factor. People click when they shouldn’t click, put data on portable devices when they shouldn’t, email sensitive information, and engage in a host of risky behaviors. A lot of hacking doesn’t involve technical wizardry but is essentially con artistry. I’m a fan of the ex-hacker Kevin Mitnick’s books, where he relates some of his clever tricks. He didn’t need to hack in order to get access to a computer system – he could trick people into readily telling him their passwords.
The Washington Post also recently ran a piece called “Companies Seeking to Train Employees on Cybersecurity.” In a survey by SC Magazine, nearly 90% agreed that data security training is important.
Because I provide such data security training with TeachPrivacy, I’m quite excited by all the attention to the issue, as I have long stressed two points:
1. Many data security vulnerabilities are human rather than technical.
2. Training is essential to reduce the human vulnerabilities.
But challenges remain. According to SC Magazine: “80% of West Point cadets clicked on a link embedded in a phishing email after four hours of security training.”
I have long believed that the number of hours of training is not the key to driving the message home. Doing so takes telling stories. People respond best to stories. Stories stick in people’s minds. Moreover, stories are more effective than a list of do’s and don’ts because stories also motivate – they explain the consequences of one’s behavior. Training should not just educate, but motivate. I’ve often found that although people know they should be more careful, they often take shortcuts when they don’t fully understand the gravity of the situation. Data security often makes things less convenient, and it requires constant vigilance. Unless people really care, they might make choices for convenience or have lapses in vigilance.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 600,000 followers.