IT Security and Consumer Privacy: Cutting-Edge Perspectives
October 13, 2015
Sitting in a cafe in San Francisco recently, Operations & Information Management professor Ryan Wright conducted an experiment using a brand-new laptop running software designed to monitor the machine for activity by others, specifically hackers. The idea was to see how long it would take for his system to be accessed by an unauthorized party while he did nothing more than basic web surfing. The answer: 45 minutes.
It was just one of several chilling stories told by Wright and marketing professor George Milne to MBA students in a talk about cyber security and privacy. Wright identified five categories of attack: attacks on unpatched software, phishing, network worms (USB drives should be banned, he noted), incursions that disrupt components of IT service, and espionage-like advanced persistent threats (a distant fifth). He also touched on credit card scams (most of them are U.S.-based) and the Dark Web, which he characterized as “that nasty, nasty, loveable, hateable place.”
The IT security challenge is growing, revealing the inability of the current approach to solve it, Wright emphasized. In an increasingly mobile communications environment, 48% of personal computers are infected at any given time, yet 85% of the public says it feels safe. “That’s a huge disconnect,” he remarked. Mega-attacks, like those that bedeviled Target and Home Depot (government agencies have also been targets), have more than tripled since 2013. They are products of social engineering, Wright observed. “The Target phishing attack, which in a flash extracted 6 terabytes of personal information from the company, gained entry through an HVAC repair guy. The Home Depot attack also went after people.”
“In most organizations, IT departments want to firewall everything. It’s a broken approach,” he exclaimed.
For a year and a half, Wright and colleagues at the University of Oklahoma have conducted NSF-funded research that is yielding recommendations on empowering employees in security best practices. Their view: We must replace today’s heavy-handed technical firewall with a “human firewall.”
Wright and his fellow researchers have devised a 10-step organizational strategy to cast IT security in broadly participative, human terms. “It’s about behavior rather than knowledge-based training; about engaging and empowering employees,” he stressed. Accordingly, onboarding new employees into a participative culture is critical, he said. “Initially, we want to reach 10% of the organization and seed them into different teams,” he added. “We also think we can improve participation by gamifying employee learning about security.” Read Wright’s White Paper, The Human Firewall.
Privacy should be elevated to marketing’s “5th P,” insisted Isenberg marketing professor George Milne, who is director of the school’s Ph.D. program. That’s because in today’s increasingly digital world, privacy issues get baked into the traditional four “P’s,” i.e., product, price, place, and promotion. “Everything we do with the P’s is on digital platforms, which exact compromises in consumer privacy,” continued Milne, who is author of Digital Privacy in the Marketplace (Business Expert Press).
You probably have little idea of which aspects of your privacy you’re trading away when you click through the legalistic agreement that appears as you download an app, observed Milne. Fans of the hit smartphone game Angry Birds, for example, were miffed to learn that the app had been tracking their movements via GPS.
When you reveal something online about yourself, you may think it’s innocuous, Milne continued. “But by aggregating data from different sources, companies can put together a profile of you with 80% accuracy. There’s a whole ecosystem of companies that collect and resell your data. For the most part, it’s entirely legal.” Most companies that do get into trouble with the FTC, he said, get caught after violating their own privacy agreements with consumers.
Many of those transactions between consumers and companies can be explained by the Privacy Paradox, Milne told the students. It’s pretty straightforward and supported by numerous studies, including his own: Consumers will give up more and more of their privacy for incremental rewards. As a result, companies can behaviorally nudge consumers down the road of personal disclosure.
Milne agrees with Wright that changing human behavior, not greater hegemony by IT rule-makers, is a more productive avenue for privacy protection. “We need to educate companies and consumers so that they’ll adopt best information and privacy practices,” he remarked. “And we need to help people understand and set their own privacy boundaries.”