Creating and Implementing
Privacy Awareness Programs
Dr K Rama Subramaniam
Director and CEO, Valiant Technologies Pvt Ltd, India
Executive Director, Baker Tilly MKM, Abu Dhabi
Chairman, Information Security and Cyber Crimes Research Foundation
Adjunct Professor, Dept of Criminology, University of Madras
Abstract
This work presents key considerations in creating
and implementing nation-wide privacy awareness
programs. After discussing the need to create
privacy awareness, its suggested contents are
rationalized. The choice of target audience and
the delivery mechanisms are considered from a
relevance perspective. The need for feedback
and assessment of effectiveness of delivery is
emphasized. Some key areas where it is difficult
to clearly take a stand today are presented as areas
requiring further work.
about the author
Dr. K Rama Subramaniam
MBA(UK), Ph.D, FCA, FISC, CISA, CISM, CISSP, CEH, CHFI, CSQP, Security+
Director & CEO of Valiant Technologies Pvt Ltd, India
Executive Director, Baker Tilly MKM, Abu Dhabi
Adjunct Professor in the area of information security and cyber
criminology at the University of Madras.
IBM GIO Alumni.
India’s country representative at International Federation of Information
Processing (IFIP); serving on their Technical Committee TC-11 dealing
with information security.
Chairman of ISCCRF, a not-for-profit trust carrying out research in
information security and cyber crime prevention.
He has been an information security consultant, audit and assurance
professional, trainer and educator for over two decades. He is a certified
and experienced professional in the areas of creating and implementing
secure information security architecture; internal controls systems and
processes; business continuity and disaster recovery plans; security audits
and certification of network infrastructure, ERP application, bespoke
application development processes; multifactor authentication (including
PKI and X.509 compliant certification infrastructure); and certification
processes for SOX, COSO, COBIT, ITIL, PCI-DSS, ISM3, ISSAF, ISO-27001,
ISO-17799, ISO-31000 and ISO-15408 compliant information
security management systems.
He has trained experts in many information security domains across Gulf
nations, India, Far East and Africa. He is a consultant to a number of
organizations in the commercial, government, armed forces, judiciary and
law enforcement segments in these countries.
His current research and development interests are in the areas of creating
and implementing techno-legal processes for data security and privacy.
He was invited by ENISA, the European Union agency for Information
Security to address the EU Security Experts who had gathered in
Athens, on the need for and process to guarantee data privacy in ITES
businesses. He was invited to chair a session on security aspects of cyber
crimes at a Conference organized by the Stockholm University and the
Swedish Police.
He served earlier as Global Chair of the Education and Awareness
Principles Expert Group of Globally Accepted Information Security
Principles (GAISP), based in the United States and is former Global Chair
of the Accreditation Process committee of Open Information Systems
Security Group (OISSG), based in the UK where he established their
certification and accreditation processes. He is the charter President of
the first chapter of ISSA (Information Systems Security Association) in
Asia and served on the boards of Dubai, Chennai and Bangalore chapters
of ISACA.
He was formerly Managing Director of Thewo Corporate Services based
in Lusaka, Zambia; Group Operations Director of Benetone Group of
Companies based in Bangkok, Thailand and Commercial Director of
Dynaspede Integrated Systems Ltd, based in Mumbai.
contents
First word ..... 09
1 Developments till Date ..... 11
2 Why this interest ..... 15
3 How is Privacy Awareness relevant ..... 19
4 Managing the Privacy Awareness Program ..... 31
5 Program Content and Delivery ..... 41
6 Delivering the Program ..... 51
Last word ..... 64
first word
The exponential growth of the Internet in the last few
years has left most of us gasping for breath. It has captured
attention both in the commercial and in the personal space.
Internet banking, travel booking, product purchase, electronic
mail, voice chats, video chats, telephone communication,
social networking sites – well it has really shrunk both time and
space. We are truly a global village. You can now access a book
in the third rack of the fourth floor building of an American
University library sitting here in India, make margin notes,
return the book; all without shifting a leg [read Google].
But in the wake of all this, the internet has brought in a fair
share of troubles. In the anonymous world of the Internet
every act of ours is public. When it comes to privacy as
the common man understands, it’s a zilch. Take G-Mail for
example. When you receive or write a mail, on the right side
window you have a pane that carries advertisements relating
to the content you are writing! That’s big brother watching
you, in one sense. And in a far more serious sense your private
information can and does get compromised. Sellers track your
buying preferences, hackers hack your name, address, phone
number and mail id and put it up for sale; others log into your
bank account and withdraw your money; yes on the other side
of the Net you don’t know who is sitting.
The irony is that many of us don’t know that our privacy is
being compromised and some don’t care until it becomes too
late. There is an urgent need for knowledge on this front and
the steps to be taken to stall privacy invasion. How we go
about doing this is what this document outlines.
I recall the discussions I had some years ago with two
of my good friends, Nandakumar Saravade and
K Ponnurangam, when they encouraged me to come up with a
privacy awareness program blueprint. It did not then see the
light of the day but with my consulting experiences pointing
to the devastating consequences of poor privacy awareness,
I thought it was time to complete this so that it could help
those who are working on privacy awareness issues. Looking
back, I appreciate their foresight in encouraging me to work
on this significant and relevant area.
The Trustees of Information Security and Cyber Crimes
Research Foundation (ISCCRF) readily came forward to
publish this, for which I am indeed grateful.
My sincerest thanks to my long time friend, V Pattabhi Ram,
Chartered Accountant, for supporting this effort with his
exemplary journalistic skills, which has brought this publication
to its present state and shape.
K Rama Subramaniam
rama@valiant-technologies.com
1 Developments till Date
Judge Louis Brandeis was on target when he said that
“the makers of the (American) constitution conferred the
most comprehensive of rights and the right most valued
by all civilized men - the right to be let alone.” He, along
with Samuel Warren, articulated on Privacy way back in
1890 in their seminal work “Right to Privacy” that appeared
in the Harvard Law Review [1]. The next one hundred years
saw various points and counter points being discussed on
what is privacy; as in should it be enforced by the state; is
it as fundamental a right as the right to life; is it something
that can be guaranteed so long as the state does not see any
hindrance to its governance role by acceding the right to
privacy, etc. A defining moment came in the judgment of
the US Supreme Court in Whalen vs. Roe (429 U.S. 589 (1977))
when a distinction was made between two types of interests
in the case of a constitutionally protected privacy. First was
the “individual interest in avoiding disclosure of personal
matters” and the second pertained to “independence in
making certain kinds of important decisions.” When we
refer to privacy today, we refer to the first of the two interests
enunciated in the Whalen vs. Roe judgment.
[1] Warren S. & Brandeis L.D.: ‘The Right to Privacy’ 4 Harvard Law Review (1890) 193-220
While on the one hand, we have the likes of Louis
Brandeis and Samuel Warrens as also the various courts that
have tried to define privacy with anatomical precision typical
of the legal fraternity, we also have on the other side Alan
Westin’s celebrated book, Privacy and Freedom, that opens
by lamenting that “Few values so fundamental to society
have been left so undefined in social theory or have been
the subject of such vague and confused writing by social
scientists [2].” Arguably the concept of privacy in the context
of personal information and organizational information
assets begs an academically rigorous definition. Westin
attempts a good articulation when he writes that “Privacy is
the claim of individuals, groups, or institutions to determine
for themselves when, how, and to what extent
information about them is communicated to
others [pp. 7, 2].”
[2] Westin A.F.: ‘Privacy and Freedom’ Atheneum, New York, 1967
Roger Clarke [3] seeks to evolve a working
definition of Privacy. Drawing on an earlier
work of W L Morison [4], Clarke proposes
that Privacy is the interest that individuals
have in sustaining a ‘personal space’, free from interference
by other people and organizations.
DO YOU KNOW? India ranks 5 in “Top malicious activity country”.
[3] Roger Clarke: Introduction to Dataveillance and Information Privacy, and Definitions of Terms found in
http://www.anu.edu.au/people/Roger.Clarke/DV/Intro.html
[4] Morison M. L.: ‘Report on the Law of Privacy’ Govt. Printer, Sydney, 1973
2 Why this interest
A large number of factors, chief among them being
technology driven proliferation of information about people
and organizations, are driving the current flurry of interest
in the area of privacy and security of information assets
that includes e-mail records, chat transcripts, data held on
databases and various web sites that are regularly accessed.
In this chapter, we focus on privacy as an emerging concept
and its relevance in the context of a variety of information
systems that handle Personally Identifiable Information (PII)
with privacy implications. PII is understood as any piece
of information which can potentially be used to uniquely
identify, contact, or locate a single person. There is a debate
on whether an element of PII that may not be unique globally
should be removed from PII [5]. This debate is referenced for
sake of completeness but will not be considered in this paper
as its impact on creating and implementing an awareness
program is minimal.
A distinction is made between personal information that
has privacy implications and personal information that has
no privacy implications while evolving an awareness program.
Key dimensions relating to creation of awareness of privacy
elements of information in the Indian context are the focus of
the discussions that follow.
From the perspective of determining how the concept
of privacy came into being, most scholars trace it back to
the social need of humans to acquire a “personal space” for
themselves. This takes us to a revisit of Abraham Maslow’s
Need Based Theory [6]. More recent developments can be
traced to the pioneering work of human rights activists
and global organizations that have pioneered human rights
concepts and have strongly factored the idea of privacy as
part of human rights. Article 12 of the Universal Declaration
of Human Rights [1948] states that “No one shall be
subjected to arbitrary interference with his privacy, family,
home or correspondence, nor to attacks upon his honor and
reputation. Everyone has the right to
the protection of the law against such
interference or attacks [7].”
[5] See, for instance the discussion post at
http://www.circleid.com/posts/82225_ip_addresses_personally_identifiable_information/
[6] Maslow A.H.: ‘A Theory of Human Motivation’ Psychological Review 50 (1943) 370-396
This Declaration provides for
protection of privacy in a very generic
form. The earliest attempt to define conditions where such
privacy can be compromised, is found in Article 8 of Section
I of the European Convention on Human Rights [1950]. It
states that “Everyone has the right to respect for his private
and family life, his home and his correspondence. There shall
be no interference by a public authority with the exercise
of this right except such as is in accordance with the law
and is necessary in a democratic society in the interests of
national security, public safety or the economic well-being of
the country, for the prevention of disorder or crime, for the
protection of health or morals, or for the protection of the
rights and freedoms of others [8].”
We next move on to appreciate how an awareness of
privacy is relevant in any and every sphere.
DO YOU KNOW? Today’s malicious codes, particularly Trojans, are directed at violating privacy.
[7] United Nations: Universal Declaration of Human Rights (1948) General Assembly Resolution 217 A (III)
of 10 December 1948
[8] Council of Europe: The European Convention on Human Rights (1950) Rome, as amended by five
protocols between 1952 and 1963
3 How is Privacy Awareness relevant
These developments and the contemporary thought
process on privacy find their origins in a number of well
evolved principles of governance, of human rights, of
constitutional guarantees and a strong personal and social
need. There have also been cases where privacy breaches
have impacted the victim’s life and social standing. These
too have contributed to the development of increasing
interest in privacy related issues. Whereas the concept of
privacy in itself is not new, it has acquired a renewed interest
because of the open information networks that span the
globe, supported by cost-effective data carrier protocols that
reach out across the globe. The business applications built
on open network architecture have opened a wide range of
business and convenience opportunities and have brought
with them a basket of woes; one among them being the challenge
to privacy.
A question that requires attention concerns the
distinction between business information and personal
information. This distinction acquires significance since
businesses that have emerged as large repositories of
personal information have many instances where the same
information processing system stores both business data
and PII. A good example of this could be HR systems
that hold PII that requires protection from unauthorized
access, yet must be available for processing in the regular course
of business.
As the number of people who handle PIIs increases,
so do the obligations and responsibilities of those who
handle third party information that has privacy content.
Developments in the recent past have pointed to a number of
situations where, if the owner of the PII is not alert enough,
his privacy has been trampled upon. The second reason for
individuals to protect their privacy is that privacy elements in
information can today translate easily into money.
Significant developments in the awareness of privacy
related issues will be a sure protection against attempts
to intrude into privacy of individuals and its abuse for
illegal or unethical purposes; often driven by commercial
considerations.
This document looks at awareness from two different
viewpoints; one, the awareness to be raised among those
whose PIIs need protection and two, the awareness amongst
those who design and manage systems that handle PIIs,
as also to those who handle PIIs individually. Therefore,
there is need to create different contents and adopt different
delivery mechanisms to different classes of people, who must
be reached. A recommended generic grouping, following the
recommendations of NIST [9], could be to group people who
are involved in the following actions or processes relating to
information systems:
• Manage
• Acquire
• Design and Develop
• Operate
• Review and Evaluate
• Use
There could be individuals who qualify to fit into more
than one classification and the last group viz. those who use
information are both the largest in volume and arguably the
most vulnerable and therefore require the maximum exposure
to privacy awareness initiatives.
[9] NIST: SP800-50 – Building an Information Technology Security Awareness and Training Program – 2003
Stakeholders of information with privacy elements
embedded in it should realize that they have to consider the
privacy dimension not just when they use the information
but also when storing it on systems owned and managed by
them, and when permitting the information to pass through
their active and passive network components.
A quick analysis of the state of today’s connected world
identifies a number of groups which handle information
assets – owners, users, custodians, processors and
transporters of information. Each of them has a role vis-à-vis
the privacy component found in the information handled
by them. Covering all these groups as part of a privacy
awareness program will require consideration from different
perspectives, an illustrative list of which is considered here:
Legal
The first formal look at Privacy came from the legal fraternity
and today a good understanding of the legal framework that
governs reporting, follow up and protecting the chain of
evidence has to be covered as part of any awareness program.
Law enforcement agencies and victims of privacy violations
have complained that they don’t know which law is to be
invoked to prosecute perpetrators of privacy violations. The
awareness program must cover law enforcement personnel;
particularly those who are the first point of contact for
complainants so that they are aware of the process to be
used while recording and investigating privacy violations.
A good starting point in this direction is the India Cyber
Labs initiative of NASSCOM in association with state police
forces [10].
Technological
Privacy has a strong technology dimension especially
when we refer to privacy in a connected world. Lack of
understanding of technology that drives the Internet has
contributed to a variety of privacy violations; what with the
screen asking questions like “Do you want to install and run
Active-X controls?” albeit without putting the user on notice,
in a form that enables the user to make a conscious decision.
For the less technologically initiated, this is a pretty complex
question and the user often ends up letting cookies, applets
and the like usurp PIIs from the computer. Creating a
basic awareness of the underlying technology that drives the
Net and the areas where caution has to be exercised should
form part of the privacy awareness program. The argument
against this is invariably that technology becomes obsolete
quite fast and with new technologies regularly being used,
what is the point in creating awareness on a technology that
will soon become obsolete. Admittedly the emergence of
new technologies is rapid but that is no reason to defer or
avoid training on current technologies since we will never
ever come to a stage where the evolution of technologies has
stopped. Organizations like the International Association of
Privacy Professionals (IAPP) have evolved, over a period of
time, programs that tend to be technology neutral to some
extent [11].
[10] More information on India Cyber Lab can be found at
http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=5952
Behavioral
Privacy awareness, like security awareness, can be inculcated
as second-nature to the users. But such inculcation does not
happen overnight and requires steady and persistent efforts.
As mentioned elsewhere in this document, in a multi-cultural
society like ours where languages, culture and long-held
beliefs play a significant role in individual responses to
situations, it is hard to prototype one approach to privacy
awareness that fits all. In addition to these issues that
affect behavioral response to privacy awareness, there are
also varying perceptions about Net based services that are
influenced by peer groups and family members’ advice by
leveraging on knowledge acquired from popular literature.
The influence of these factors can be quite strong and in
many cases, there may be a need to help the participants
unlearn principles and practices that have been picked up
based on incorrect or incomplete understanding of what
is involved. An exploratory study by Kumaraguru and
Cranor [12] discusses attitudes of a cross section of Indian
society towards privacy. While there is no attitudinal profile
drawn up of Indians towards privacy, the study points to an
“overall lack of awareness of privacy issues and less concern
about privacy in India than has been found in similar studies
conducted in the United States”. (pp. 1, 12)
[11] Details of programs developed by IAPP can be found at https://www.privacyassociation.org/
Criminological
Privacy related issues may result in crimes that have attributes
and characteristics that appear to be significantly different
from the traditional forms of crimes. While attempts have
been and are being made to fit privacy related crimes into
time tested criminological paradigms, certain features of
privacy do not permit a neat fit. First of all, it is still not
clear if violation of privacy is a crime or an aberration of an
established principle of behavior. The serrated boundaries of
privacy need to be rounded off well before we can attempt to
test if we can take advantage of the results of good research
findings in criminology and apply them to a better understanding
of privacy issues resulting in creating an appropriate form of
awareness program [13].
[12] Kumaraguru P and Cranor L: “Privacy in India: Attitude and Awareness” available at
http://www.cs.cmu.edu/~ponguru/PET_2005.pdf
Victimological
A concern that has attracted attention is the process that will
empower victims of attacks with knowledge and skills to
recognize that they have been victimized and also to know
the process of reporting the attack. Unlike a conventional
crime scene where the victim is most probably the first
person to raise an alarm almost immediately after the attack,
victims of privacy violations often find that out after a long
time gap; if at all they find it out. This presents a pressing
need to sensitize victims to a set of processes of finding out
privacy violations as soon as the violation has occurred.
Ease-of-use
No awareness program can succeed if it cannot be presented
in a manner that can be easily understood by the target
audience. However, the technology and implementation
architecture of information systems that have enabled privacy
violations are too complex to be
simply explained. Designers of privacy
awareness programs need to clearly
understand the challenges in increasing
awareness of non-technical users of
networked information systems since they simply look at
the system as a value addition tool and not beyond that.
[13] Subramaniam, Rama K.: “Cyber Crimes – A Criminological Paradigm” – Chapter V in “Cyber Crime
– Criminological, Victimological and Legal Perspective” unpublished PhD thesis, University of Madras,
April 2006
The emergence of multi-lingual Internet enabled services
and portals brings a new group of people to the user base,
which may need awareness programs in languages that are
comfortable to them and are customized. The need to retain
the spirit and content at the same level in all languages needs
to be carefully addressed.
Economic
Will a typical participant in a privacy awareness program
consider it being of sufficient value-add that he will pay for
it? Perhaps not always; at least not as of now. This brings
forth the issue of economic implications of running a privacy
awareness program. The process of designing and delivering
privacy awareness program should be built on the assumption
that it may not be sufficiently funded by the beneficiaries of
the program. This realization will enable the managers of
such a program to look for resources and funding so that
there is no disappointment when the program is delivered
and the participants are reluctant to pay for it or when it takes
time to get beneficiaries to pay for it. There is another school
of thought which strongly believes that any ‘free’ program
does not make the participant feel that they got value out of
it. While there is merit in this argument, it may be difficult
to ‘commercially sell’ privacy awareness programs; at least as
of now.
DO YOU KNOW? Most of the attacks are aimed at inflicting damage on the victims financially.
An area that requires considerable work is to determine
how best to fund these privacy awareness programs at a
national level; and if there are significant regional differences
in the programs, some regionally operating funding
possibilities need to be considered. Any effort at creating
and implementing a nationally relevant privacy awareness
program cannot yield the desired results unless it is adequately
funded. As privacy awareness programs are conceptualized,
adequate funding should be established so as not to let the
program momentum to deteriorate. The forms of funding
privacy awareness programs are in themselves an area that
can justify a complete study.
One source of funding privacy awareness programs
could be to utilize a portion of the penalties imposed on
offenders under the information technology law and on
violators of privacy legislation and regulations. This would
not be an immediate solution but could yield results in the
long term. Conceptually this is a bit
questionable since we are presuming that
there would be a number of violations
resulting in penalties being imposed and
recovered.
Beneficiary profile
One way to differentiate the set of persons who need to be
addressed by these awareness programs is between individuals
and businesses. While the general perception is that privacy
awareness is more focused on individual users of information
systems, small and medium businesses will benefit from the
efforts at creating and sustaining a generic privacy awareness
program. Individuals can be classified as youth, adults and
senior citizens, more popularly referred to as silver surfers, in
Internet related literature [14]. The business segment can be
categorized as micro organizations (small professional firms
and individual traders or experts operating as a specialist
service provider), small and medium businesses. It is assumed
that large enterprises will have an in-house process to create
and sustain privacy awareness across the organization.
DO YOU KNOW? The users of laptops connect and use them in locations that often do not have the requisite security and protection perimeter.
[14] The term ‘silver surfers’ is being increasingly used to refer to senior citizens using the Net. It has found
its way into common newspaper reporting. See for instance,
http://www.dailymail.co.uk/sciencetech/article-477140/Silver-surfers-beat-young-Web-wizards.html.
The recommended set of broad contents of privacy
awareness program is discussed elsewhere in this document.
The above classification of beneficiaries of the awareness
program will help in arriving at the optimal mix of content
and the depth of their coverage for each beneficiary grouping.
4 Managing the Privacy Awareness Program
Awareness is the first line of defense against privacy
violations [15]. Creating a national level privacy awareness
program and delivering it to all those who need this awareness
is a huge task, given the geographical spread of the nation
and the burgeoning internet penetration across the country.
The reducing tariffs for Internet access and the increasing
realization of its benefits keeps increasing the size of the
target group that needs to be covered by the awareness
program.
[15] Multiple view points have been expressed converging on the idea that “awareness is the first line of
defense against privacy violations.” See Frye, D.W.: “Network Security Policies and Procedures” (Chapter
12 – The Human Element); An interesting counter view is expressed by Motall, A. Z. A.: “The legal
protection of the right of privacy of networks” available at
http://webworld.unesco.org/infoethics2000/documents/paper_motaal.rtf.
A number of stakeholders can be identified for creating,
implementing, sustaining and monitoring a national
level privacy awareness program. The stakeholder group
would include the IT departments of the central and
state governments, the central and state information
commissioners, industry bodies like NASSCOM, the cyber
crime cells of police forces, ISPs, educational institutions,
judiciary, not-for-profit organizations and public trusts that
work in the area of information privacy and security. A
project management approach is needed for creating and
implementing the program. Following are some steps to be
considered in this context:
• Form non-formal working groups with representatives
from all stakeholder segments. The preference for
a non-formal working group as against a formal working
group is driven by the need to integrate flexibility in
approach with speed and ease of communication
amongst members. Non-formal groups will also
enjoy the benefit of lesser regimentation in adding to
the membership or altering the composition of the
group. The most significant benefit of course will
be the ability to come together quickly when a mid-
course correction or change needs consideration.
Further, the response to feedback from the users
and stakeholders of the awareness program can be
interpreted and acted upon faster when entrusted to
a non-formal group.
• In consultation and collaboration with the
stakeholders, determine the ultimate state of privacy
awareness to be achieved. Determination of this end
point will be a good starting point for strategizing
the overall program and will also contribute to
the determination of the metrics to measure the
effectiveness of the awareness program.
• Successful awareness program management involves
building competencies in the areas of:
  - program design
  - management of delivery channels
  - determining beneficiary profile and constantly
    updating the attributes that will determine
    this profile
  - test checking on actual delivery for
    conformance to appropriate controls and
    efficiencies of those delivery channels (eg., if
    the delivery is via a direct interaction between
    the specialist and the beneficiary, does the
    specialist conform to International Board
    of Standards for Training, Performance and
    Instruction IBSTPI standards?)
  - reviewing feedback and using it to fine tune
    the contents and delivery mechanism
  - structuring and implementing measures to
    assess the effectiveness of the program
• Clearly define roles, responsibilities, deliverables and
accountability measurement of all involved in the
program
• Build sufficient flexibility to cater to different
stakeholders’ requirements
• Establish and maintain a communication channel
that is open, clear and meets time lines.
The program design and implementation should be such as
to result in obtaining the following benefits:
• In addition to creating awareness on privacy, the
program should become a focal point for the
convergence of all initiatives already in place
to increase the privacy awareness of information
system users
• Minimize the number of privacy
violations and increase the
number of cases where people
have responded to privacy
violations by asserting their rights
to privacy, thus being a deterrent
to those who may attempt any
violations on privacy, in future
• Function as a well knit and efficient communication
channel for quick dissemination of methods and
approaches to thwart new attempts at privacy
violations
• Constantly update and disseminate information on
emerging forms of privacy violations, countermeasures
and controls to minimize the damage
• Educate individuals about their roles and obligations
in preserving the privacy of information under
their control and encourage them to go beyond
practicing ‘minimum-adherence’ to privacy mandates
and policies.
• Create a culture where all participants will respect
privacy and encourage all connected entities, systems
and people to respect privacy.
While designing programs to minimally achieve the benefits
listed above, considering the following will enhance the
overall effectiveness of the program:
• Whether the program should confine itself to creating awareness or will extend to training and education which, in turn, will reinforce the awareness created and increase the skill levels to fight privacy violations. For instance, creating awareness about phishing and introducing the participants to a structured set of Do’s and Don’ts will satisfy the awareness process. Additional efforts at educating and training them will result in building capabilities to identify new versions of phishing and to follow a digital forensic trail to trace the attacker. However, three factors merit consideration when an awareness program is extended to cover training and education – the justification for such extensions, the competence of the recipient group to respond to training initiatives and, finally, the additional resources needed.
• Considerations that will determine the frequency of repeating an awareness program include the recall quotient of the program (tested via standardized tests), the need to update in order to fight obsolescence of the program contents and any possible adverse feedback on the delivery of the program.
• Determine and freeze the depth of underlying technology and / or legal framework that should be presented to the participants. It will be advantageous to have a structured approach to match the depth of presentations with the audience profile, which can be accommodated in one of many pre-defined classes. This presupposes that there would be different contents for different target audience groups.
• In addition to the usual practice of presenting the technical and legal aspects of privacy, there is merit in presenting essentials of the criminological and victimological aspects of privacy so that victim-assisted violations are minimized and participants are sensitized to the need to quickly realize if their privacy is violated and, if so, to have before them a clear course of action.
• It is well accepted that the goal of the program is to raise the privacy awareness levels across the entire spectrum of the population. While that by itself is a sufficient objective to justify this program, there is merit in asking if the program could aim at attaining a ‘significant’ change in the attitude of the participants, since privacy is, like security, more of a mental state than just a technological issue.
• Given the size and spread of the country, there is a strong case for decentralizing the privacy awareness initiative and making it relevant to the local culture and language. ISPs that are locally present and other interest groups can be encouraged to develop privacy awareness programs with a regional flavor and have them vetted by DSCI. Upon approval, locally organized awareness groups should be encouraged to sustain the program. Decentralizing delivery with centralized superintendence over scope and contents will facilitate implementing the awareness program on a recurring basis. One of the metrics that can be used to measure the effectiveness of the awareness program will be determining the actual and incremental number of participants who come forward with complaints of privacy violations. As with most other measurement systems, these measurements will have a limitation when it comes to establishing a baseline against which increments can be computed.
• The privacy awareness program can be managed by a number of interested groups or individuals. Reach can be achieved through:
  – Not-for-profit bodies working in the areas of information security, cyber crime management, digital forensics, digital rights management and privacy issues
  – Industry associations and chambers of commerce
  – University departments of Computer Science and Engineering, Criminology and Law
  – Human rights activist groups
  – Cyber crime cells working in metropolitan cities
  – Legal aid societies
  – Private enterprises that have significant employee strength
  – Media
  – Outreach programs of public enterprises, private banks, mobile operators and ITES businesses
  – Community centers and schools
  – Corporate and other institutional sponsorships that can result in organizing seminars and conferences on privacy awareness and support to different privacy awareness initiatives.
5 Program Content and Delivery

What should be covered by the privacy awareness creation process? As with the difficulty in deciding on the mix of delivery mechanisms, it is very hard to find a one-content-fit-all solution. Having said that, we shall nonetheless identify a set of areas where the participants need familiarity if the program is to create the right degree of awareness. Any awareness program on privacy cannot be devoid of interfaces with technology, legal systems and business models that handle data with privacy content.

An issue that is being debated is the difference between privacy and security. One school of thought is that you
cannot consider privacy per se without reference to the overall information security framework [15]. This stems from the belief that privacy is one of the attributes of information security. The other viewpoint is that while privacy may have a relationship with security, privacy can stand on its own when it comes to sensitizing users whose privacy is being discussed [16]. This viewpoint is fortified by the belief that in order to understand your privacy rights and obligations, you need not concern yourself with other attributes of information security like confidentiality, integrity, availability and, to some extent, authentication and non-repudiation. While admitting that there could be some merit in de-linking privacy from security, at least in the context of creating awareness and sensitizing users, there is no denying the close relationship between security and privacy.

A case in point could be the sensitization of individuals to the need to maintain their passwords as a closely guarded secret. This is a definite need when it comes to creating awareness on privacy issues since the consequential collateral damage resulting from loss of passwords can be catastrophic. Password related issues have a place of significance in any information security program. We cannot, however, lose sight of the subtle differences in the ways in which password related issues will be addressed in the two different awareness programs.

[16] See, for instance, the position of Price, S: “Protecting Consumer Privacy Information” available at: http://www.infosectoday.com/Articles/Protecting_Customer_Privacy_Information.htm
There is good scope for entering into an intellectually stimulating discussion on whether or not the content of a typical privacy awareness program should have similarities to security awareness programs. This document steers clear of it and confines itself to broadly presenting some suggested content for privacy awareness programs. The suggested contents are not presented in the traditional way contents are understood. In other words, the following table does not say, in detail, ‘what’ is required to be covered. Instead it discusses ‘why’ that content is relevant. The actual ‘content’ can be discussed and finalized after freezing the target audience and delivery mechanism.
DO YOU KNOW? In the United States, federal agencies may be authorized to engage in wiretaps by the US Foreign Intelligence Surveillance Court, a court with secret proceedings.
Content Area – Why is this content relevant to privacy awareness?

1 Using and Managing Passwords
Passwords have two roles to play in privacy related environments. A password is by itself a PII (when combined with user names or such other identifiers) and it is arguably one of the most frequently used means of protecting access to PIIs. An inadequate awareness of the nature and advantages of using good passwords is a sure first step in losing one’s privacy on the anonymous Internet. With the Internet being used by the common person for a variety of efficiency enhancing operations, business transactions and knowledge sharing, there is a need for good password management.

2 Malicious codes – viruses, worms and Trojans
Malicious codes have presented themselves in varying manifestations to users over the past two decades. With time, the virulence of these malicious codes has continued to increase; so have their capabilities, inter alia, to violate the privacy information of users of infected systems. Today’s malicious codes, particularly Trojans, are directed at violating privacy. The problem is aggravated by the fact that we don’t have comprehensive solutions against Trojans. Awareness, and the need to sensitize users to refrain from doing something or to take affirmative action under certain conditions, is a sure way to minimize the chances of attacks by malicious codes and content.

3 E-mails and attachments
With the ubiquitous reach and cost-effectiveness of e-mail comes a whole horde of vulnerabilities, and each of these is easily exploited by intruders since uninitiated users are not always aware of the risks in using e-mail without adherence to secure practices. Such insecure use of e-mail systems can result in a number of privacy infractions, not just of the users’ PII but also of the PIIs of others stored on the system.

4 Web browsing and other usage of web services
Simple web browsing, a.k.a. ‘vanilla browsing’, can be harmless from a privacy perspective so long as the users have taken basic precautions like running an updated AV system and installing a well configured firewall. However, with the range of opportunities to avail of value added services, many services require identification and authentication of the users. Lack of awareness of ‘safe net-use’ practices could result in compromise of privacy.

5 Spam
Spam could represent an already compromised privacy. The fact that spam has addressed a non-public mail ID sometimes influences users to give credence to the spam mail. Awareness about the privacy implications of spam mails needs to be created from both dimensions, namely receiving spam and also creating / propagating spam. The fact that it is hard to precisely define spam is demonstrated by our inability to design a zero-defect spam control mechanism.

6 Social Engineering
There are no proven structured processes to counter social engineering attacks aimed at compromising the privacy information of victims. Increased awareness leading towards a higher level of consciousness of social engineering as a possible attack pattern will go a long way in helping users to protect their privacy. The absence of a technology dimension in social engineering makes it hard to build robust content for this element of the awareness program and will therefore need quite a creative approach to create awareness. Certain forms of social engineering attacks (e.g., phishing) can be countered through a combination of attitudinal and technological countermeasures.

7 Shoulder surfing
Shoulder surfing happens when an unauthorized person watches the operation of a user and acquires access to information to which that person does not have access. For instance, a person who watches the key strokes of the user and comes to know the password being typed has performed shoulder surfing. The incidence of this form of attempt to compromise privacy may not be frequent since significant awareness exists about shoulder surfing. One reason is the changing social fabric, at least in urban India, where it is regarded as socially unacceptable behavior. However, there are people who indulge in this practice sometimes out of sheer curiosity rather than with any malicious motive. Creating awareness on this and making such awareness work is far easier than in other cases.

8 Incident Response – recognizing and reporting incidents
Recognizing an incident that warrants attention is a very good first step in combating the effort of the attacker. An incident could have multiple consequences, including violating the privacy information of the victim. Due to the significant differences in skill and competencies between the attacker and the victim, the incident can go unnoticed and often unreported. This is an area where a lot of effort needs to be expended to develop and offer a high level of awareness so that incidents that threaten to disclose privacy information are quickly identified. In addition to helping identify incidents that require handling at a level different from that of the affected person, awareness creation is needed that will assist in determining the right reporting and / or escalation process. Awareness in this area will also add to the utility of national or regional level Computer Emergency Response Teams (CERT) or equivalent initiatives.

9 Phishing
This is perhaps the most direct attack on the privacy of individuals, seeking to motivate the victim to part with PIIs, which have more value than just identification of the individual. The uniqueness of this form of attack is that it motivates victims to engage in an affirmative action of compromising their privacy. Most of the attacks are aimed not just at compromising privacy but at taking it to the next level of using the compromised privacy to inflict further damage on the victims, often financially.

10 PDAs and other hand held devices
The proliferation of Personal Digital Assistants (PDA) and other hand held devices has added more people to the exposure of attacks on PIIs. While this proliferation is good from a number of perspectives, most of those who use their PDAs to connect to open information networks may not have had the requisite exposure to privacy issues because of their first time exposure to using open networks.

11 Encrypted data and communication
Users of Internet based information systems are often led to believe that their PIIs are safe because they are communicating to servers using a ‘secure’ or ‘encrypted’ path. There is truth in this assertion but there are still areas where the users must know that their PIIs are not secure end-to-end in the transmission over open networks. Users need to understand the limitations of standard secure communication channels when they are used to carry PIIs.

12 Laptop usage – especially while on travel
Laptops undoubtedly store PIIs; perhaps more PIIs than any other class of devices excepting authentication servers. Laptops, by their very nature, are personally carried by their owners across locations and with them go a whole lot of PIIs. The users of laptops connect and use them in locations that may not have the requisite security and protection perimeter. A case in point could be connecting the laptop to the Internet via a connection provided by a hotel where you do not know the security settings of the hotel’s network connection.

13 Permitting use of your computers by others
This happens very often. Many enterprise security policies have restrictive clauses in this matter but there are situations and circumstances that warrant overlooking these restrictive clauses. Privacy awareness initiatives as contemplated here may not have a direct relationship to this issue but creating and enhancing awareness of the need to protect PIIs stored on a computer used by another person will significantly reduce the exposure in such cases.

14 Repairing your systems – patches and hot fixes
Installing a patch or hot fix on a system is regarded as a necessity for better security. There are a few application vendors who insist on your connecting to their servers to download and implement the patch or hot fix while being so connected to their servers. This could have privacy implications since some of these downloads either ask directly for, or may collect clandestinely, PIIs stored on the system. Awareness in this area will help strike a balance between the importance of patching the applications and a possible compromise of privacy.

15 Acknowledgement using PIIs
Acknowledgement using the PII of the user is the order of the day in many applications and network interfaces. The acknowledgement seekers need the use of PII to protect their interests, while those who share the PII need to sensitize themselves to the risks of using their personal information when acknowledging anything on a networked information system. The awareness will help users carefully balance the need to participate in the acknowledgement process against keeping their privacy information as confidential as possible under the given circumstances. This is not limited to networked systems and can affect voice communication too. The process of identifying yourself when speaking to customer service personnel of your credit card issuing bank invariably involves the provision of PIIs on a voice network.

16 Desktop Privacy
The earliest attempts at desktop privacy aimed at establishing a clear screen policy, which required that whenever a computer screen is left unattended it is blanked out. Desktop privacy is no longer limited to just a clear-screen policy. It involves understanding the various forms in which PIIs can be disclosed when a desktop is inappropriately handled – facilitating piggy backing, allowing remote desktop functions, and the like. What facilitates loss of privacy via inappropriately managed desktops is the inability to see through the possible ways in which something as innocent as a desktop can be exploited by those who seek to violate the privacy of users.

17 Destroying media with PIIs
Corporate media containing privacy data will be governed by an appropriate enterprise security policy on secure disposal of media. Not all individuals may have the awareness to securely dispose of media that contain PII. Awareness in this area will contribute significantly to the reduction of loss of privacy via data scavenging or similar attempts.

18 Troubles on using “public” computers
Public computers like the ones that are installed in cyber cafés can pose a threat by exposing the personal information of the users. This can happen in a variety of ways including the installation of key-loggers or spyware that detect, record, and transmit the personal information of the users to destinations outside the local host network or secure it in the local host for later retrieval. Even when the owners of the “public” computers take precautions to ensure that such spyware is not present on their system, the fact that these computers are connected to the internet can open a path for installation of malicious programs in the form of Trojans that can hide in the system and go undetected during a normal scan but continue to spy on the users.
6 Delivering the Program

A variety of channels are available for consideration while determining effective ways to reach the target audience who need to be sensitized on privacy issues. Obviously, a large program such as this cannot rely on just one delivery channel and it is expected that a combination of different channels will normally be used. Some of the possible channels are:
• Computer based programs – both offline and online
• Video based programs
• Using regular educational delivery channels like schools and colleges by integrating privacy awareness into their core curriculum
• Event based – using conferences, seminars, public
lectures, fairs and other popular events
• Print and Electronic media (including TV and Radio)
in the form of sponsored programs and infotainment
presentations, newsletters and moderated blogs
• Fact sheets, posters and brochures (print and electronic) aimed at targeted audiences
• Pop-ups on popular web sites
Reliance on just one of the channels will not meet the
objectives of the program fully. A combination of channels
is required. As a national level initiative is being planned, the
advantages and disadvantages of each of these channels of
delivery and their relative relevance to the target audience
need detailed consideration.
Whatever combination of channels is used, some of the key factors to be considered to enhance the effectiveness of communication include:
• The success of the campaign is directly related to its ability to change the way participants perceive and handle privacy issues. The awareness process should get the target group to change its ways of seeing-and-doing things to the recommended way. The program will not succeed if it merely elicits a theoretical concurrence to what is said.
• The success of the program can be enhanced if the program consists of case studies that focus on real life issues. For example, the program can start by asking the audience – “Are you sure of what happens in the 5 minutes between handing over your credit card to the waiter in a restaurant and his returning after swiping it?”
• If the participants in an awareness program can be made to experience “hands-on” the effects of neglecting privacy considerations, such an experience is more likely to leave an indelible impression on them. For instance, if the participants can be made to believe that they are on the net (while actually being connected to a locally hosted web service) and made to go through a typical transaction, it is likely that they would bypass good privacy practices, and the consequences can then be explained in detail. This requires careful planning to avoid possible complacence at the end of the session. This is similar to the training methodology that teaches network defense by asking the participants to build defense mechanisms on a classroom network and then attack them successfully to explain the vulnerabilities.
DO YOU KNOW? Hacking originally meant making furniture with an axe.
• Being directed at a multi-cultural society with wide
variations in perceptions of privacy, the program
has to recognize the subtle differences in approach
that will appeal to the beliefs and faiths long held by
certain target groups.
• The approach should steer clear of using threats and should refrain from being alarmist in nature. There are a number of benefits in carefully strategizing to handle the first resistance when participants say ‘this has not happened to me for the past 20 years!’ An alarmist approach can also create a mind set and action path that will deny users of information systems the complete benefit of technology proliferation. If such a thing should happen, the program would have created a greater disservice to the user community than having helped them preserve their privacy.
• Design the message and choose the communication channel in such a way that a multiplier effect can be achieved.
• The program has to consider multi-lingual delivery mechanisms. We often hear people rejecting the multi-lingual requirement, contending that most of IT is still in English and those who use English language systems can and should be trained or oriented in that language. While conceding the merit in this argument, we must recognize that the purpose of privacy awareness programs is not to educate the audience but to bring about a change in the way they perceive privacy. A language in which they can be reached comfortably will be a good option.
• Where a personal touch is given to the spread of privacy awareness, the person spreading the awareness message should carry adequate credibility amongst the target audience. When the presenter is drawing lessons or examples from the success of imparting privacy awareness among another group or in another location as reinforcement for the learning in the program, such reinforcement will be effective only if the audience does not doubt the credibility of what is stated. This will be particularly true when the presenter is quoting and relying on unpublished experiences.
DO YOU KNOW? Computer hacking was started by a group of MIT students when they prepared to punch cards to manipulate an IBM mainframe.
Every awareness program that is designed should fully
consider the following:
1 Define target audience. This is perhaps the most
important step given the geographical spread of the
country, its multi-cultural characteristics and differing
degree of technology reach. While this is the most
important task, this is also the most difficult task.
2 The complexity in understanding the various attributes of the target audience, as presented above, also presents issues in determining what could be the need of a given target group from the point of view of privacy awareness. One way to handle this is to start with a set of well reasoned assumptions and then fine-tune them based on feedback obtained from the target group.
3 The choice of the right mix of channels used for delivering privacy related messages is a key factor and hence needs to be made carefully. That mix of channels should fully meet the needs of the target audience and their comfort level with the chosen mix of channels.
4 This privacy awareness program cannot be a single-content-fit-all type. It is this absence of ubiquity that provides both the challenge and also the charm. Appropriate choice of contents (suggested list discussed in Section – 5 earlier) can be considered one of the critical success factors in achieving the objectives.
5 It is important to identify an owner for each form and channel of delivery. This ownership will be useful in constantly monitoring the effectiveness of the program and will serve as a single point of reference to initiate and finalize mid-course corrections while delivering the awareness programs.
It will also come in handy when major changes are
to be made in the structure, content and delivery
channels based on feedback and measurement of
program effectiveness.
6 Establish a clear feedback mechanism where the
target group members can get back with what they
feel about the program. To assist them in providing
structured feedback, it is important to provide
them with tools, formats and checklists to evaluate
the effectiveness of delivery and also state their
expectations for future delivery of the program.
  • It will be a productive exercise if a definite time slot is devoted to participants’ feedback. This would be an interactive or moderated session where candid feedback from the users can be gathered, and such feedback will form the bedrock on which to design future programs. This method has significant merit over the more common form of asking the participants to fill in a feedback form, since most forms filled cannot be revalidated with the participants while a feedback session provides such an opportunity. Of course this will be possible only where the delivery mechanism involves a personal meeting with the participants.
  • In cases where a personal meeting is not the way a delivery channel is designed, it will be a good idea to have a follow up structured interview with the participants (either via phone or an interactive net / chat session) so that the feedback can be quickly validated.
  • Feedback provides valuable lessons from which designers of future programs can learn a lot. As with any other feedback, the valuable lessons will be lost if it were not to be carefully documented, analyzed, interpreted and the results integrated into future program design.
DO YOU KNOW? A hacker, John Draper, invented a whistle that emits a 2.6 kHz tone used in AT&T’s trunk call switching system.
7. When to deliver the program is as important as how and where to deliver the program. Determining the most receptive time for each target group and also determining the frequency of repeating the program to reach the threshold recall levels are important considerations.
8. Designers of the program must recognize that
the potential beneficiary is the recipient of a large
number of information sharing and skill transfer
programs in the normal course of his activities. An
additional program on creating privacy awareness
will be effective only if the message is delivered in a
proactive way and the process is compelling enough
for the beneficiary to pay attention to it.
Every delivery of an awareness program, irrespective of the
nature of delivery mechanism, must consider the following
general issues in addition to what has been discussed above.
1. The greatest weakness found in most awareness programs is that they focus on the “what” rather than the “why” of the subject matter on which awareness is being created. As an example, consider the awareness about usage of good passwords. This is a very common topic in quite a few awareness programs. Most users of information systems can very well answer the question – “What” are the good practices in constructing and using effective passwords? It is however not the case when asked “Why” are you doing this? As an example, most people know that the optimal size of passwords is eight but most don’t know the rationale in choosing it. In a typical privacy awareness program, it is important that the participant understands why he or she is encouraged to do or refrain from doing a few things. If the answer to the question “why” is not convincingly presented, however attentive the participant may be in the program and however well received the program may be, its benefits will be short lived.
DO YOU KNOW? Hacking first went Hollywood in a 1983 movie, War Games, about a kid who breaks into a DoD computer.
2. A significant part of any privacy awareness program
will have technology content; and technology will
keep changing rapidly. Changes in technology should
be quickly and completely captured in the form of
updates to the awareness program.
3. As with technology, changes in the legal framework
that impacts privacy issues need to be quickly captured
and integrated into the program.
4. Privacy awareness programs should not end up creating information overload. Programs should have only so much content as is comprehensible to the target audience and as will be within the threshold at which rejection of information starts in different forms – outright rejection, casual attention, incomplete attention or superficial attention to what is being delivered.
The size and complexity of a national level privacy awareness program requires a good validation process. The size and complexity also pose a significant challenge to creating a validation process. A privacy awareness program covering all users of information systems and all stakeholders needs to consider the following issues when attempting to validate the competencies of the delivery mechanism:
• If the delivery involves human effort, can we validate
these efforts to meet baselines established for
delivery of facilitator led programs? An example of a
framework could be IBSTPI. Seeking to validate the
delivery performance against this framework would
guarantee minimum standards of performance which
can then be revalidated using the feedback received.
DO YOU KNOW? In 1988, Robert T. Morris invented the worm, or self-replicating code, purportedly to assess Internet security.
• If the delivery mechanism involves the use of public or mass media like radio and / or television, the media have good methods of determining the reach and intake of contents using listener / viewer surveys, which could form the basis of determining the competencies of the media and the presenter.
• If awareness is sought to be enhanced through a Computer Based Training (CBT) or Web Based Training (WBT) process, objectively measuring its effectiveness is difficult except through an interactive testing process, and ideally the rigor of such a testing process should change with the degree of understanding demonstrated by the beneficiary so that the correct intake is assessed. Though such a process can be established and integrated into the CBT or WBT, the challenge will be in assembling the results of all these assessments done across multiple locations, multiple times and under multiple learning environments.
• Where the option used is integrating privacy awareness
into college and school curricula, its effectiveness
is best assessed by seeking help from the educational
institutions to determine to what extent the programs
have changed the attitude and understanding of the
beneficiaries as far as privacy is concerned. If the
educational institution decides to use the conventional
exam-driven means of assessing the effectiveness of
the program, the results may not be relevant, since
passing an examination on privacy may not be the same
as acting in the best recommended way to protect one’s
privacy.
• Automated tools and processes will impact most
parts of creating the program: introducing and
updating the contents of the program, distributing
it across the country, actually delivering the program,
collecting feedback, assessing the efficacy of the
channel of delivery and finalizing the changes to
be incorporated in future. These tools and processes
require centralized approval and decentralized
implementation.
DO YOU KNOW?
It was rumored that agents of China’s PLA hacked the U.S. power
grid and triggered a massive blackout throughout North America
in 2003.
This document has considered the issue of creating and
implementing privacy awareness programs from multiple
viewpoints. It is by no means the most comprehensive
approach paper on this subject. There are a number of
areas, referenced in this document, that require further
study and analysis before a comprehensive national level
privacy awareness program can be successfully implemented.
Having said that, it is important to point out that the lack
of a comprehensive approach to awareness programs should not
deter one from starting one. As with most other learning
experiences, an early start is a good ingredient for
success; as they say, ASAP.
Last word