MetaPrivacy Culture: 2022 Marks a Significant Shift from Information Security to Information Privacy
Updated: Feb 25, 2022
Particularly in the Kingdom of Saudi Arabia
On the Data Privacy Day (January 28, 2022), we participated in a major privacy event organized by Peck Advogados and IIEDE, leading legal organizations tackling pressing industry issues around data privacy in Brazil and globally. Our session was conducted by Tawfiq Alashoor, Sabrina Palme and Andre Quintanilha (the C-level team at Palqee Technologies, a fast-growing privacy company in the UK), and Marcelo Crespo (Ph.D., a founder and partner of privacy solutions companies). More than 400 employees attended this 5-hour online event.
During the session, we asked the attendees two questions: (1) “Do you care about the privacy of your personal information?” (100% chose yes, not surprising because almost everyone had a privacy background) and (2) “Would you give a sample of your DNA for an unlimited COVID pass? (to freely travel, enter any shops or restaurants, no use of masks, etc.)” (30% chose yes, not surprising but surprising at the same time).
Welcome to the privacy paradox, a phenomenon that privacy scientists have recognized since the early 2000s. It describes individuals who express privacy concerns yet act in ways that are inconsistent with those concerns. Your DNA represents the deepest and most sensitive personal information about you as a human. While 100% indicated that they care about privacy, 30% were willing to give a sample of their DNA. This 30% is a manifestation of the privacy paradox in a hypothetical scenario. We have conducted many behavioral experiments supporting the prevalence of this phenomenon not only in hypothetical, but also in pseudo-actual and actual scenarios in which subjects had to disclose personal data (some of those data are very sensitive, such as health status, income, and number of sexual partners). Yes, this gets creepy sometimes, but we follow established ethical standards before conducting such experiments.
Four basic science-based principles can explain the privacy paradox and its consequences at the population level:
1. Privacy decisions are volatile and malleable because of psychological (e.g., cognition and affect) and economic (e.g., choice architecture and nudges) factors.
2. These psychological (e.g., cognitive depletion and positive affect) and economic (e.g., hidden privacy choices) factors can divert individuals' attention away from privacy-protective behaviors.
3. If not used wisely by digital platform designers and software engineers, these factors may lead employees to make privacy decisions (at work or outside work) that are not in the best interest of the employee or the organization.
4. In the long run, this may lead to serious potential threats to personal, organizational, and ultimately governmental and societal information assets (i.e., cybersecurity disasters).
Cybersecurity professionals have done a fantastic job developing robust technical protection solutions (e.g., firewalls, IDPSs, and content filters) to mitigate potential cybersecurity risks. However, human error remains a critical factor causing cybersecurity disasters. Cybersecurity professionals are working hard to address this human error issue, one example of which could be simply sharing your DNA sample without knowing what potential consequences this decision could have. For instance, based on your DNA, a machine could predict your future preferences and hence could either help or harm you, and your organization, in some way or another.
Existing Security Education, Training, and Awareness (SETA) programs have been developed to address this notorious human error issue and to help mitigate the potential risk posed by data breaches and cybersecurity disasters. Unfortunately, such programs do not delve deeply into the essence of security behaviors (i.e., privacy decisions). Privacy is the essence of the Confidentiality, Integrity, and Availability (CIA) triad, a basic principle taught in SETA programs. Confidentiality is related to protection against unauthorized access or disclosure, a major dimension of privacy concerns. Integrity is related to data misuse or unauthorized secondary use, another major dimension of privacy concerns. Availability is related to data erasure or the right to be forgotten, yet another major dimension of privacy concerns. At this point in time, when many individuals have incurred a tangible cost (e.g., losing multiple millions of Riyals) due to mismanagement of basic privacy decisions, it is high time to adopt Privacy Education, Training, and Awareness (PETA) programs.
What makes PETA programs even more critical today is the Saudi Personal Data Privacy Law (PDPL), which will enter into force on March 23, 2022. The PDPL is expected to bring about revolutionary changes in the privacy and security field in Saudi Arabia and the Middle East. The PDPL emphasizes the need for establishing a privacy culture within Saudi organizations. It is one of the most comprehensive privacy laws in the world. The Kingdom of Saudi Arabia is expected to be a leading nation in the privacy domain if the PDPL is implemented effectively, especially since the PDPL aims to protect information assets while promoting the concept of open data for innovation, a very hot topic among scientists all over the world.
It is time for public and private organizations to be proactive about data privacy. It is time to establish a strong privacy culture through PETA and other programs to enhance privacy decisions from the bottom up (from employees and managers to a meta privacy culture). A meta privacy culture bolsters human cybersecurity measures because it is based on a root-cause analysis perspective, and hence a meta privacy culture can contribute significantly to mitigating the potential risk of cybersecurity disasters.
Many privacy companies have the capability and capacity to guide and direct organizations in enhancing their data privacy and security practices. For example, Kite and Palqee Technologies have privacy and security scholars and practitioners holding doctoral degrees from esteemed universities and professional certifications from globally recognized associations (ISACA, ISO, EC-Council), and they are well-equipped with scientific tools and tech solutions to provide high-quality services to organizations. It is not a matter of if, it is a matter of when meta privacy culture will be a basic organizational need.
TAWFIQ ALASHOOR is an Assistant Professor at Copenhagen Business School (Denmark), a business school placed highly in global rankings. Alashoor holds B.S., M.S., and Ph.D. degrees from King Fahd University of Petroleum and Minerals (KFUPM, Saudi Arabia), Penn State University (U.S.), and Georgia State University (U.S.), respectively. He has completed a postdoc program at the University of Notre Dame (U.S.) and has taught managerial cybersecurity at KFUPM. Alashoor's main research focuses on privacy decision making and cybersecurity. His research has been published in peer-reviewed journals in the Information Systems (IS) field, such as Communications of the AIS, and in globally recognized conferences, such as ICIS and HICSS. He received a Best Research Paper Award at ICIS (2015) and MENA-CIS (2018) and a Best Research Reviewer Award at the Academy of Management (2019). He serves as a reviewer for top-tier journals, such as MIS Quarterly, Information Systems Research, and Management Science, and holds other editorial roles in the privacy research community. Alashoor's teaching interests include managerial cybersecurity, systems analysis & design, quantitative research methods, and business statistics. He received a Teaching Excellence Award from Georgia State University (2019). Among other communities in the field, Alashoor is a member of the Association for Information Systems (AIS) and the AIS SIG on Information Security and Privacy.

HUSSAIN ALDAWOOD earned a Bachelor's degree in Management Information Systems from the University of Arizona, USA, in 2009, and a Master's degree in Business Administration from Florida Atlantic University, USA, in 2015. He completed his Ph.D. degree in Information Systems (cyber security) at the University of Newcastle, Australia, in 2020. He also completed an executive education program in cyber security leadership and risk management at Harvard University, USA, in 2020.
From 2010 to 2018, he was an Information Security Professional with the Saudi Arabian Oil Company (Saudi Aramco). From 2019 to 2021, he was an academic with the School of Electrical Engineering and Computing, University of Newcastle. Currently, he is the Director of Engineering & Cyber Security at GulfNet Solutions Company (GNS), Saudi Arabia. He has published several cyber security articles. His research interests include cyber security, social engineering threats and solutions, and information security awareness programs. Hussain is a member of several committees and institutions on cyber security engineering and project management. He is a recipient of many prestigious international honors and awards. He is internationally and professionally certified by ISACA, ISO, PMI, PECB, CompTIA, and EC-Council, with the following certifications: CISM, CISA, PMP, DRP, Security+, ISO27001, ISO27005, ECIH, and others.