Data Security Is an Art, Not Just a Science

Far too often, the mandate for data security is simply to “secure it,” and people often think of data security as a set of clear choices. This is in contrast to privacy, which is understood as a set of muddy policy issues. But data security is, in fact, quite muddy itself.

Data security is about risk management. Data security measures can reduce the risk of having a data breach, but these measures have costs. These costs can be financial, but they also can involve efficiency, convenience, and the very culture of an organization.

Because humans play a key role in data security, data security is quite complicated. Managing human behavior is immensely challenging. People are hard to control. They need to be educated. They need to care. But people forget. They have lapses in judgment. They don’t learn what they’re supposed to learn and don’t do what they’re supposed to do.

One choice is to impose more controls on people -- make it harder for them to do anything with data on their own. But that can come at a cost, because these control measures can make things more inconvenient and seem oppressive. For example, one of the things I love most about being in higher education is the open and free atmosphere. I enjoy not being in a hierarchical structure and not being monitored in everything I do. But this open structure is not ideal from a data security standpoint, where more control would eliminate risks.

Imposing too much control on people can be oppressive and counterproductive. It can change the culture of an organization and make it feel more closed, rigid, less free, less trusting. And it can lead to people taking end-runs around security measures. People can be forced to select very long and complex passwords and change them every month. But some people will have trouble remembering their passwords under this system and will write them down and stick them in their wallets. And just like that, a good security control can be thwarted.

Data security thus involves difficult tradeoffs. It is something that must be delicately balanced with other considerations. Good data security involves forging an appropriate level of risk. How much risk is appropriate? That’s a hard question to answer, because it involves the nature and sensitivity of the data being protected, the amount of data per individual being protected, the number of individuals whose data is being protected, the potential harms from the breach of that data to the individuals involved, the potential harms from the breach to the organization, the nature of the threats, the financial and efficiency costs of various measures to reduce risk, and the standard data security practices in industry.

Good data security involves making sound policy judgments and having an astute understanding of human behavior. Data security choices are often far from clear. Of course, data security decisions can still be evaluated as being good or poor, and industry standards have developed. But the equation is more than merely whether data is secure. Instead, the equation involves establishing an appropriate balance between a number of considerations and devising ways to manage human behavior.

It is a myth to think that data security is just about technology. It involves policy, because managing risk involves making choices and tradeoffs. And it involves people, because people are such a large component of the data security risk equation, and people are one of the most challenging variables to control. In other words, data security is an art, not just a science.

* * * *

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at George Washington University Law School, the founder of TeachPrivacy, a privacy/data security training company, and a Senior Policy Advisor at Hogan Lovells. The views here are Professor Solove’s personal views and not those of any organization with which he is affiliated.

Szymon Gajda

CEO at Provincial Fund for Environmental Protection and Water Management in Gdańsk

10y

I like your idea of balance in data protection - “ius est ars boni et aequi” - as the ancient Romans used to say. This desperate need for balance is necessary in nearly all aspects of data processing. It is well visible in the application of the proportionality principle. Your comparison to an art is very good, because creating an appropriate proportionality test and then fitting facts to it requires creativity for sure.


I like the information.

sofian yousif

Investment director at general directorate of animal wealth

10y

Thanks, Prof. Daniel Solove, for the great subject, which made me look at security data in a different way.
