Daniel J. Solove on Privacy and Security Training Program

LIFARS question and answer session with cyber security experts: where, who, when, how, why, what

Daniel J. Solove is the John Marshall Harlan Research Professor of Law at the George Washington University Law School.  He is also the founder of TeachPrivacy, a company that provides computer-based privacy and data security training programs to businesses, law firms, healthcare institutions, schools, and other organizations.  Additionally, he is the organizer of many conferences, including the Privacy + Security Forum.

One of the world’s leading experts in privacy law, Solove is the author of numerous books, including Nothing to Hide: The False Tradeoff Between Privacy and Security (Yale 2011) and Understanding Privacy (Harvard 2008).  Additionally, he is also the author of several textbooks, including Information Privacy Law (with Paul Schwartz), currently in its 5th edition.  He is the author of more than 50 articles. He was selected by LinkedIn to be one of its thought leaders, and he has more than 1 million followers on LinkedIn.  He blogs at Privacy+Security Blog.

LIFARS: Tell us some background on you and how you got where you are today.

Daniel: I am a law professor at George Washington University Law School in Washington, DC.  I specialize in privacy and security law, and I have been teaching and writing in the field for more than 17 years.  I got into the field in the late 1990s when the Internet was starting to become mainstream.  Privacy issues were relatively unexplored, and I thought that these issues were important and relevant.  The field grew tremendously, and it was like catching a wave that has just kept going and growing.  I have written a number of books about privacy and security.  I find these issues fascinating, and I love continuing to think and write about them.    

LIFARS: Could you tell us about Teach Privacy and what kind of training programs it offers?

Daniel: TeachPrivacy offers computer-based training on privacy and security including topics such as GDPR, HIPAA, PCI, FERPA, phishing, social engineering, malware, etc.  We also offer simulated phishing.  In the training I develop for TeachPrivacy, I try to humanize the abstract topics of privacy and security and make the issues come to life.  I use vivid examples, humor, stories, quiz questions, games, and activities.

We have training modules of many different lengths and styles.  We have short vignettes (each about 2-4 minutes long) and short topic modules (each about 5 minutes long) on more than 100 topics.  Our training is highly customizable and can be used in many ways.

LIFARS: Could you give us some tips on how to promote effective ways to train privacy and information security issues to employees?

Daniel: Training the workforce is an essential way to protect data security, but not all training endeavors are successful.  Poor training is akin to shouting into the void.  Excellent substance is essential.  The material must be explained clearly, understandably, and concretely.

People remember stories and concrete situations much more readily than a bunch of abstract do’s and don’ts.  Interactivity, humor, vivid imagery, and memorable ways to visualize and remember information – all of these things are essential.

  • Training must be understood. Information is worthless unless people understand it.
  • Training must be remembered. If people don’t remember the training, then what’s the point?
  • Training must be followed. Many incidents aren’t due to people not knowing what they did was careless or wrong; they are due to people just not caring enough about doing the right thing.

There are many ways to train, and a good training program has many dimensions.  It is an ongoing education and awareness campaign.

LIFARS: End-user carelessness is one of the biggest problems that cause security breaches. Could you tell us what a company could prepare to prevent this problem?

Daniel: One of the courses we offer to prevent end-user carelessness is called Humans are the Biggest Data Security Risk.  The vast majority of data breaches occur because of human mistakes.  Information security is only partly a technology problem; it is largely a human problem.  Thus, effective information security requires managing human behavior – and this is a tricky thing to do.

Organizations can go to elaborate measures to force workforce members to engage in better data security practices, but forced measures can only go so far. People can often defeat them.  For example, some organizations force employees to change their passwords frequently, but then people forget them and start pasting them on sticky notes near their computers.

The best way to change behavior is to educate people.  There are training skeptics who say that training doesn’t work, but that’s wrong.  Training does work if done right.  The ideal training is done in small bite-sized chunks of information throughout the year, with lots of repetition.  It is highly engaging and memorable – it must stick in people’s minds.  It not only educates but motivates.  In other words, training must make an emotional connection with people if they are to really learn; people must learn why they should care.  Over time, with extensive ongoing education that uses the time-tested techniques of good teaching, human behavior can improve.

But human behavior will not improve if people are just given a list of do’s and don’ts.  They will forget.  They won’t care.  That’s why many training programs out there I’ve seen are not effective.

Also, it is important that the organization maintain a culture of excellent protection of both privacy and data security.  Privacy and security go hand-in-hand.  Respect for privacy and security starts at the top – there must be sufficient resources and a real commitment to create the right culture.   Upper management must care, because if they don’t care, then why would the workforce care?