Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    Is There Still Hope for Privacy?

    privacy-P2BTX2JJanuary 28 is Data Privacy Day. In honor of that, I’d like to share some random thoughts on privacy that I put together for a recent webcast with StaySafeOnline.org. And when I say, “random thoughts,” I really do mean random thoughts.

    Privacy is an intricate topic to tackle. That’s because even the term ‘privacy’ itself has different implications to each individual. And there are certainly differences in the fundamental expectations of privacy that people within different regional contexts have. But even more than that, there is an internal understanding, expectation, and appreciation of privacy that is extremely context-based. That makes privacy really difficult to solve for.

    Let me explain:

    Privacy exists in a delicate balance. And that balance has inherent tension and give-and-take between each element. The elements are:

    • Security
    • Privacy
    • Convenience
    • Trust

    And here’s how those elements create tension. We have to make trade-offs between privacy and security. For example, if you are going to a big concert, sporting event, or traveling on a plane, you usually have to subject yourself to having your bags searched and walking through some type of personal screening system. In those instances, we are trading away a bit of privacy in the name of the security needs associated with the event we are participating in.

    Adding to tension and confusion is the fact that security measures are usually required to ensure privacy. So, security can either strip away privacy, or can enhance privacy; the devil is in the details. And some forms of privacy can be scary or threatening in some contexts. Encryption is a security technology that is also privacy enhancing. But – as you probably know – many governments fear strong encryption because it limits their ability to monitor and alert on traffic that may reveal threats to national security. Tensions escalate and debates rage.

    There is also tension between security, privacy, and convenience. As a society, we tend to make impulsive decisions for our short-term comfort. And that’s at the heart of why people around the world are trading away privacy every day. If we want to participate in a social networking site, then we must trade away rights to a certain amount of privacy. If we want to purchase goods/services through some retailers, or sign-up for customer loyalty programs or attend certain conferences, then we are basically required to sign-away some of our privacy. Heck, even when our kids take college entrance exams like the ACT or SAT, they are forced to consent for the testing vendor to share data broadly (i.e. sell student data to a broad spectrum of colleges and other interested parties).

    The last balancing element that I see is all related to ‘trust.’ Depending on the activities that we are engaging in, there can be a tension between ‘trust’ and ‘convenience.’ For example, within the context of banking, most people would actually feel less comfortable if an online transaction with their account is too easy/convenient. In other words, when there is an inherent, emotional feeling of risk involved, then the person engaging in the activity can actually experience a sense of comfort when they feel a bit of security-related friction associated with signing-in, performing additional step-up authentication, and so on. And so, sometimes a sense of trust can be injected and enhanced by making security and privacy controls more visible and felt versus allowing for more convenient, invisible ways to achieving the same goal.

    And here’s my take-away and our dilemma:

    Even more than technology, privacy is an issue involving mindsets and behaviors

     … and these involve “in the moment” tradeoffs that

    neither humans nor corporations are good at being rational about.

    Humans keep making the “in the moment” decision to accept privacy-onerous terms and conditions statements for social networks and other everyday lifestyle platforms and activities. And corporations persist in trading in personal data because of the short-term benefits that they get from exploiting and/or monetizing personal data. In a sense, both parties are now stuck in an ecosystem of their own creation and complacency. And, I don’t see it changing anytime soon.

    Those of you who know my work, will be familiar with what I call the “Three realities of security awareness.” They are:

    1. Just because I’m aware doesn’t mean that I care
    2. If you try to work against human nature, you will fail
    3. What your employees do is way more important than what they know

    And I typically pair these three realities to a similar trio of realities mentioned by B.J. Fogg, Ph.D. He says, there are “3 Truths about human nature. We’re lazy, social, and creatures of habit.”

    These realities are just as true when it comes to privacy awareness and our dilemma. People and corporations know that the status quo is, let’s say, less than desirable… but that goes out the window whenever presented with a quick in-the-moment decision. That’s directly because of “reality #2.” Specifically, much of society is now setup such that people feel like they must participate in all of the social networks, apps, platforms, and (fill in the blank) of the day. If not, then they are “missing out” of social inclusion, activities, discounts, incentives, or other real-or-perceived benefits. And so, the price for not blindly accepting the terms and conditions can feel like social isolation and fear of missing out (FOMO). And the fact that most terms and conditions statements are binary (simple yet or no to everything) leads to complacency and hopelessness. So now society is conditioned to simply click ‘yes’ and move on…

    That sounds pretty hopeless doesn’t it? Society is conditioned into complacency, and corporations are caught in a cycle of data hoarding, exploitation, and monetization. How do we break the cycle? Well, there’s no quick fix… but I do think that there is some hope.

    We need to consider a combination of social pressures/supports, morality tales, creative motivation, ease-of-use, and tech-based facilitation: 

    1. Security & Privacy awareness

    2. Finding ways to change the social dynamic

    3. Creating new social pressures for corporations

    If you need to arm yourself with resources for Data Privacy Day, I highly suggest checking out a recent webinar with my colleague and KnowBe4's Data Privacy Director Lecio DePaula on best practices to creating a robust data privacy impact assessment. You can watch the webinar here

     

    Return To KnowBe4 Security Blog

    Topics: Security Awareness Training

    Perry Carpenter

    ABOUT PERRY CARPENTER

    Perry Carpenter is the Chief Evangelist and Strategy Officer at KnowBe4. He is the author of "Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors" and coauthor of "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer." He previously led security awareness, security culture management, and anti-phishing behavior management research at Gartner Research, in addition to covering IAM strategy, CISO program management mentoring, and technology service provider success strategies.

    Read more from Perry »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews