While positive reinforcement is generally the most desirable way of bringing about changes in attitudes and behaviours, the hard fact remains that in the real world, a “carrot-and-stick” approach is often by far the quickest and most effective way to generate meaningful results. We may hope that businesses will make changes because they are the right thing to do, but it is not necessarily the case that they will actually take action for that reason.
It is therefore perhaps hardly surprising that a new report from the Cyber Security Research Group and the Policy Institute at King’s College London suggests that it may be appropriate to “name and shame” companies that fail to ensure that customer data is adequately protected. The report, UK Active Cyber Defence: A public good for the private sector, proposes that this approach would incentivise businesses to protect their customers’ data more effectively.
It is also unsurprising that this is a somewhat controversial suggestion.
Effective IT security generally requires investment, and company managers are often only willing to sign off on corporate expenses when they see the potential for a clear return on that investment.
Even though directors may understand, in general terms, that robust IT security is a very good idea and worth some level of budget, there is typically no real quantifiable “carrot” to dangle in front of them as a potential reward for their investment.
Because of this, IT managers tend to have to rely on the threat of big sticks being wielded against the company; and the bigger the sticks available, the more the average business owner is likely to pay attention to the threat of cyber attacks. Therefore, anything that serves to frighten managers into paying for IT security should probably be regarded as a good idea unless there is a clear argument to the contrary.
Probably the single biggest argument against the naming-and-shaming approach is that, while it sounds very simple in theory, it is unclear how it could be implemented fairly yet effectively in practice.
This is because companies that are found to have poor data-security practices can already be named and shamed through various channels, especially social media and the traditional press. This problem becomes all the more apparent when you consider the fact that cybersecurity, like all security, has to be set in context. You would hardly expect someone running a hobby business selling hand-made crafts from their home to have the same level of security as the Ministry of Defence.
Therefore, if such a system were to be implemented, it would have to reflect this reality so as to be fair to businesses, yet still be simple enough for members of the public to understand easily; otherwise, they simply would not use it.
The government and King’s College London are keen for organisations to adopt the government’s Active Cyber Defence (ACD) programme, which has so far only been in place for public sector organisations. ACD has already demonstrated its effectiveness by reducing the number of scam emails sent from fake government addresses and by removing phishing sites that pose as government agencies.
As ACD has been so effective for the public sector, wider adoption of the programme by other types of organisations seems like a sensible approach that, if utilised properly, could reduce the need for naming and shaming.