How we handle privacy and trust at Secure Practice

With Secure Practice, we set out to understand what people truly need for cybersecurity education to be a meaningful, helpful experience for them.  

Gaining deep insight into human behavior is essential to achieving this, yet it is crucial that we respect individual privacy in the process.

So it became essential to us to help organizations measure and manage human cyber risk without creating additional challenges for them. 

That is why handling personal data with integrity is central to our mission.

How privacy fits within our business model

We understand the critical importance of privacy protection, particularly in relation to human cyber risk measurement. As such, we built our product with privacy by design principles ingrained into every aspect of our offering.

Our approach combines multi-disciplinary research, advanced data models, machine learning algorithms, and intuitive visualizations to deliver targeted security training and key performance indicators (KPIs) for managing the human aspect of cybersecurity within organizations. 

We are particularly mindful of handling personal data and have taken proactive steps to ensure that organizations can offer a customized learning experience but that individual actions can never be tied back to a particular person. 

We believe that building trust through transparency and privacy is essential for offering a positive experience for both our customers and their colleagues.

Advancing privacy standards in human risk management

To further reinforce our practice of privacy principles, we actively participate in regulatory initiatives that promote privacy innovation. We were proud to be selected to be part of the regulatory sandbox for responsible artificial intelligence (also known as the "AI sandbox") initiated by Datatilsynet, i.e. the Norwegian Data Protection Authority (DPA).

During our participation in the “AI sandbox” project, we engaged in extensive collaboration with the Norwegian Data Protection Authority, addressing legal, technical, and socio-technical aspects of our innovation. This collaboration included workshops with various stakeholders, including labor organizations and employees as data subjects.

As part of our commitment to transparency, we conducted a thorough Data Protection Impact Assessment (DPIA), with valuable input from the DPA. The DPIA resulted in updated risk assessments and privacy-related information, which we make available for review by our customers upon request.

The DPA also published a public version of the final project report in February 2022, which includes details about some of the specific challenges we faced during the project.

Ensuring privacy in personalized cybersecurity education

One of the key outcomes of our collaboration with the Norwegian Data Protection Authority was the absolute necessity to protect the identities of individual employees in relation to risk data. To address this, we implemented technical controls that ensure individual risk scores are never exposed to employers.

Our approach prioritizes privacy by never revealing individual employees' risk scores, yet still enables actions for groups based on their collective, measured knowledge and interest.

Moreover, we introduced joint controllership for individual profiling data related to human cyber risk measurement in our standard data processing agreement. This arrangement empowers us to reject any customer requests for individual risk data, ensuring that individual actions collected through Secure Practice products remain private.

Leading with transparency in cybersecurity education

Our commitment to transparency extends to our customers, whom we provide with clear insights into our data processing practices and privacy features. We offer organizations a validated solution for measuring and managing human cyber risk, that exceeds GDPR requirements and focused on statistical data analysis and targeted training.

For employees in the organizations that use Secure Practice, we created a dedicated privacy page within our learning portal, where they can access detailed information about data processing and privacy features. We encourage them to explore this page and reach out to our support team with any questions or concerns.

Our entire team is dedicated to not only innovation but also to maintaining the highest standards of privacy and regulatory compliance. Your trust is paramount to us, and we remain committed to upholding it through transparency, collaboration, and continuous improvement.