I have recently written about how data breach responses and response plans cannot be one-size-fits-all and must be tailored to the unique needs of the company involved, as well as its culture. That is, they must be tailored to fit a company of humans dealing with humans. This morning I read an article that discusses that same human approach to data security. It is a slight variation on what I was discussing regarding data breach and response, but a very close sibling.
The ultimate premise of the article is that, because data security involves interaction with human beings, it must necessarily be an art, not a science. The same is true for data breach response plans and for the data breach response process itself. Here is a little teaser of the thought-provoking article:
Because humans play a key role in data security, this makes data security quite complicated. Managing human behavior is immensely challenging. People are hard to control. They need to be educated. They need to care. But people forget. They have lapses in judgment. They don’t learn what they’re supposed to learn and don’t do what they’re supposed to do.
* * *
Data security thus involves difficult tradeoffs. It is something that must be delicately balanced with other considerations. Good data security involves forging an appropriate level of risk. How much risk is appropriate? That’s a hard question to answer, because it involves the nature and sensitivity of the data being protected, the amount of data per individual being protected, the number of individuals whose data is being protected, the potential harms from the breach of that data to the individuals involved, the potential harms from the breach to the organization, the nature of the threats, the financial and efficiency costs of various measures to reduce risk, and the standard data security practices in industry.