Which method works better: end-user or automated tagging?
While there are proponents for both sides of this ongoing debate, they do agree on this: properly tagged content provides countless benefits. It is more organized, easier to find, optimized for search and indexing, and when also classified, is easily protected.
Common sense might suggest that a document author is the best person to tell you about the content, but end users are notoriously inconsistent when tagging their own documents. There are two reasons for this issue:
- Asking end users to access the properties of an Office document or a PDF is viewed as an extra step beyond their normal responsibilities. This step is necessary, but requires knowledge, discipline and interest to complete accurately and effectively.
- End users don’t recognize that failing to tag a document themselves will, in some cases, cause metadata to be automatically assigned. This can lead to an issue if a document has inherited the properties or metadata of a past version that may contain incorrect or sensitive information — such as customer names, Personally Identifiable Information (PII) or trade secrets.
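The inherited-properties problem described in the list above can be checked before a file leaves the organization. The following is an added example, not part of the original article: it reads the core properties stored inside an Office Open XML file (`docProps/core.xml`) and flags author fields that do not match the sender, along with any property that names another party. The function names, the sample document and the names "Acme Corp", "J. Peer" and "A. Sender" are constructed for illustration, and the check is meant for your own outgoing files.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/"}
# Core properties that commonly survive when an old document is reused.
FIELDS = ["dc:title", "dc:subject", "dc:creator", "cp:keywords", "cp:lastModifiedBy"]


def read_core_properties(data: bytes) -> dict:
    """Return non-empty core properties of an OOXML file (docx/xlsx/pptx)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    found = ((f, root.findtext(f, default="", namespaces=NS).strip()) for f in FIELDS)
    return {f: v for f, v in found if v}


def audit(data, sender, other_names):
    """Flag author fields that are not the sender and any field naming another party."""
    findings = []
    for field, value in read_core_properties(data).items():
        if field in ("dc:creator", "cp:lastModifiedBy") and value.lower() != sender.lower():
            findings.append(f"{field}: '{value}' is not the sender")
        for term in other_names:
            if term.lower() in value.lower():
                findings.append(f"{field}: mentions '{term}'")
    return findings


def make_sample() -> bytes:
    """Constructed sample: a proposal reused from one written for 'Acme Corp'."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            "<dc:title>Proposal for Acme Corp</dc:title>"
            "<dc:creator>J. Peer</dc:creator>"
            "<cp:keywords>acme corp; pricing</cp:keywords>"
            "<cp:lastModifiedBy>A. Sender</cp:lastModifiedBy>"
            "</cp:coreProperties>") % (NS["cp"], NS["dc"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit(make_sample(), "A. Sender", ["Acme Corp"]):
        print(finding)
```
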
The Classification Conundrum
Many companies fall into the trap of building cumbersome classification policies and procedures with the best of intentions, but possibly dire consequences. They go through the process of delineating between public information, internal information, and either confidential or highly confidential data.
All of this sounds quite logical so far.
However, when you couple this kind of schema with additional barriers to end-users that require many more steps before they can work with confidential or highly confidential data, you run the risk of pushing them to under-classify their content in order to do their jobs effectively and easily.
What's the solution?
Automated tagging eliminates the problem of end users under-classifying their content. Automated tagging tools can help reduce guesswork, human error and the likelihood that an end user may try to take shortcuts around technical security controls to get their job done quicker.
But let’s take automated tagging off the table for the purpose of this article. How can we encourage end-users to tag content themselves in lieu of automation?
The Law of Inertia in Data Tagging
Education and awareness are very powerful motivators. There is nothing more awkward than sending a document to a client with another client’s name in the properties, or sending a document to your supervisor with a peer listed as the author. Simple exposure to not only the importance of tagging, but the very real risks of not doing so, may motivate some of your end-users.
Then consider the power of the default. Many of us are familiar with Newton’s first law of motion, also known as the Law of Inertia, which states that an object at rest stays at rest, and an object in motion stays in motion with the same speed and in the same direction unless acted upon by an unbalanced force.
I studied this theory in college, and after a humbling experience with physics, hoped that I was done with it forever. But a keynote from the International Association of Privacy Professionals about a study on the habits of consumers in completing online purchases, surveys, polls and questionnaires jarred my memory.
The study looked at how consumers behaved if information in an online checklist was pre-selected for them versus the consumer having to choose: Would a consumer accept the default answer or were they more likely to make an active choice?
Consumers in the study were far more likely to accept the default answer, even when the consequence of accepting the default choice led to purchases amounting to hundreds of dollars.
In one example, a large German automotive website used the least expensive option as the default. Another used no default. Changing the default raised the average sale price from 35,000 euros to 36,100 euros — with no change in customer satisfaction. This was the case across numerous examples, from automobile features to insurance policy options and even in the case of organ donation.
The keynote referenced the study as part of a long-standing privacy debate regarding “Opt-out” versus “Opt-in” privacy protections. Given the results of the survey and our analogy to Newtonian physics, many consumers are sharing their information without intending to, without wanting to and without even knowing that they are doing so.
What can be problematic for Opt-in versus Opt-out consent may, however, be useful in defining default metadata. If you are concerned about the content tagging habits of your end users, setting default metadata values and requiring users to either accept or change them as needed may help. While not ideal, it may be better than nothing — particularly from a classification perspective.
Encouraging End-User Tagging
Reward good behavior. Trust and verify that end users are tagging their documents, and use as many creative ways as possible to encourage them to do so. Conduct regular reviews of content and look for opportunities to highlight and showcase employees who take the time to tag their documents properly.
Recruit volunteers who are willing to serve as champions for pilot programs and also serve as conduits to their business units. Be sure to also recognize these volunteers for their contributions to the overall success of the program.
Decide what training each project needs. A change of process affects the entire organization, so train people outside of the projects to give them an understanding of what the change will mean to them. This training may consist of an overview course combined with seminars to introduce the new process and tools.
The importance of classification to your organization should be directly proportional to the importance of security to your organization. Base this primarily on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay.
Most importantly, security is not a status or a snapshot — it is an ongoing process. Always strive to make it easier for employees to do the right thing rather than the wrong.