Data: The Heart of Digital Trust

Motivated by “Towards Rebuilding Data Trust,”

ISACA Journal Vol 1, 2023

Guy Pearce

January 2023

1
 WEBINAR INFORMATION & QUICK TIPS

• Download the presentation deck from the MATERIALS window.

• Windows on the platform can be hidden or expanded to fit your preference.

• Submit questions in the Q&A window.

• Use the HELP icon at the bottom for FAQ’s and system requirements.

• Please click on the ISACA Customer Experience Center image to be

redirected to ISACA’s customer support page.

• Experiencing technical difficulties? Try Refreshing your browser!

2
 CPE CREDIT PROCESS
LIVE EVENT & ON DEMAND RECORDING

• You must view the live or recorded webinar for the required amount of time
(50-minutes). Check the CPE Credit window to view the timer.

• Your CPE Certificate will automatically appear in the ISACA CPE RECORDS
tab on the MyISACA page after completing the required viewing time.

• Please be patient. This process could take up to 48 hours for your CPE Certificate
and the CPE credit to be applied to your account.

• As a reminder, ALL ISACA webinars, the CPE credits and CPE certificates expire
365 DAYS POST LIVE EVENT. Please make sure you save the appropriate
documents to your personal records.

3
 APPROACH

“This webinar features the key activities instrumental in growing internal and
external trust in enterprise data.”

• I will do this by highlighting some activities that cause a decline in data trust. The
organizational response should be to change the way those activities are performed

“It also highlights the public’s obligations with respect to their data as one of their
most prized possessions.”

• As much as the focus is on organizations to improve trust, you will see how you and I
have significant trust responsibilities too

4
 AGENDA

1. Introduction

2. Setting the Scene Part 1: How much is your personal data worth to organizations?

3. Setting the Scene Part 2: How much is your personal data worth to you?

4. Data Trust: A great big mess filled with opportunity for reflection, and correction

5. Your Obligations: As an organization and as an individual

6. Conclusion

5
 EXECUTIVE SUMMARY

• Your data (often used without • 3rd party data drives the decline in
permission – reducing trust) can trust; opportunities in zero and 1st
yield 10,000% ROI party data collection need trust
• They can also unethically be • Data quality is a costly business
used for political gain, further problem that also decreases trust
reducing trust
• Low data quality puts both
• Some are sadly happy to trade businesses and consumers at
their data for short-term trinkets risk, further decreasing trust
• Business is out of touch; many of • Data can and does impact the
them say data trust is increasing integrity of our social fabric,
while consumers say it isn’t decreasing trust
Organizations are not solely responsible for the decline in data trust;
consumer behaviour is problematic too. Both parties need to address it
6
 Introduction
About this trust thing…

7
 IT CAN BE HELPFUL TO DEFINE TRUST VIA DISTRUST

Distrust:ThisAPhoto
lack of Author
by Unknown faith based
is licensed on knowledge - like experiencing a lie or a
under CC BY

broken promise - where what is key to you is unsafe with the counterparty
8
 ALTERNATIVELY, TRUST IS A VULNERABILITY

Is your organization trustworthy?

• Is it good at what it does?

• Does it look after the best

interests of its clients or
customers?

• Does it uphold principles that are

important to its clients or
customers?

Trust: Accepting vulnerability based on the expectation of a positive

outcome. An organization breaking one of the three above, breaks trust
9 Based on: https://wendyhirsch.com/blog/how-to-build-trust-on-your-implementation-team
 NOW, I’M GOING TO SHARE A SECRET WITH YOU

10
 THAT’S WHY IT’S CRITICAL TO UNDERSTAND DATA TRUST

The webinar explores an organizational perspective, a personal

introspective, and an organizational introspective of data trust
11 Source: https://www.isaca.org/resources/isaca-journal/issues/2023/volume-1/toward-rebuilding-data-trust
 FYI: ELEMENTS OF DATA TRUST IN ISACA’S DTEF

CU.01 Manage Culture e.g. CU.01.02 Modify Culture

AR.01 Create Enterprise Trust Architecture

EM.01 Identify, Evaluate and Manage

Potential Triggers e.g. EM.01.01 Identify and Manage
Internal Signals

ES.04 Manage Technology Development

DM.07 Manage Data and Information

Ownership e.g. DM.07.01.4 Establish data analytics,
processes and tools

CU.03 Manage Skills and Competencies e.g.

CU.03.02.3 Conduct ethics training

Strong, credible leadership acting on these and other trust factors is key
12
 Setting the Scene Part 1
How Much is Your Personal Data Worth to Organizations?

13
 HOW MUCH IS YOUR PERSONAL DATA WORTH TO
ORGANIZATIONS?

What it costs Legally

to acquire it

Illegally

What can be
done with it Unethically

e.g. it is generally legal to collect

Note: A legal practice isn’t necessarily ethical publicly available personal data
14 Legal? Maybe. Ethical? Not always.
 ACQUISITION COST EXAMPLE

Legally
Data Capture
What it costs
to acquire it
Illegally $
Data
Procurement
Unethically ± US$0.40 - $US1.70 per person
The most valuable data? 18-24 year old
Middle Eastern men in the US Northeast,
earning US$120k - US$150k pa
Based on: https://mackeeper.com/blog/most-desired-data/

<US$1 for the average person

Source: https://ig.ft.com/how-much-is-your-personal-data-worth/#axzz2z2agBB6R

We are rightfully distrustful of how our data are acquired without our
knowledge, never mind our consent. It’s cheap and easy to acquire
15
 FINANCIAL BENEFIT EXAMPLE
± US$41 per active
Ad Revenue user per year
Source: https://www.statista.com/statistics/234056/facebooks-average-advertising-revenue-per-user/

Sales
Behaviour
Legally Prediction Political
Gain
What can be
done with it
Illegally Behaviour
Modification Social
$
Influence
Unethically
Mimicry Identity
Theft
Surveillance
16
 ANOTHER FINANCIAL BENEFIT EXAMPLE

Ad Revenue Customer Lifetime Value

Sales = ∑revenue
Behaviour
Legally Prediction Political
Gain
What can be
done with it
Illegally Behaviour
Modification Social
$
Influence
Unethically
Mimicry Identity
Theft
Surveillance
17
 SO, A SIGNIFICANT OPPORTUNITY EXISTS FOR RETAILERS

Generally From this Presentation Q3 2022 example

Investment Revenue (R) US$41

Q3 ARPU = US$9.41 (US$38pa)
- -
Q3 average active users
Investment Costs (C) US$0.40 to US$1.70
= 1.98 billion
= =
Q3 revenue from ad sales
Investment Profit (P=R-C) US$39.30 to US$40.60 = ARPU*users
= US$18.6 billion

What about CLV? 10 years ?

ROI = (P-C)/C ROI = 2,212% to 10,050%
CLV from ad sales
≈ US$744billion (40 quarters)

And many readily exploit it

18
 “The … [CA MD described] … his
company’s sway over [the] Kenyan
A POLITICAL BENEFIT EXAMPLE President’s … previous two election
“Kenya is CA’s [Cambridge Analytica’s] biggest success story – the campaigns. Fake news and
one they use to lure in politicians who want a shortcut to power.”1 misinformation impacted Kenya’s
“… an undercover sting operation caught …
Ad Revenue 2017 elections like never before.”2
executives boasting about psychological Sales
manipulation, entrapment … and fake news
campaigns.”2
Behaviour
Legally Prediction Political National
What can be Gain Elections
Illegally
done with it
Unethically
Behaviour
Modification Social
$
CA manipulated the psychology of an entire Influence
country, “not just in the [US]. [CA] mined
Kenyan voters’ data to help President Uhuru Mimicry Identity
Kenyatta win disputed elections. Over two
presidential election cycles, it presided over Theft
some of the darkest and most vicious
Surveillance
campaigns Kenya has ever seen.”3
1 Source: https://www.aljazeera.com/opinions/2018/3/22/politics-in-the-digital-age-cambridge-analytica-in-kenya
19 2 Source: https://www.cnbc.com/2018/03/23/cambridge-analytica-and-its-role-in-kenya-2017-elections.html
3 Source: https://www.washingtonpost.com/news/global-opinions/wp/2018/03/20/how-cambridge-analytica-poisoned-kenyas-democracy/
 A POLITICAL POWER BENEFIT EXAMPLE IN FICTION
With privacy lessons from nearly 40 years ago

Ad Revenue
Sales
Behaviour
Legally Prediction Political
Gain
What can be
done with it
Illegally Behaviour
Modification Social
$
Prochazka
Set in the 1960s, Prochazka
Influence discredited
supported reform and publicly Unethically
criticized conservative views in Mimicry Identity
Czechoslovakia. In a final attempt to Theft
silence him, he was bugged, and his
private conversations (mocking his Surveillance
friends) were broadcast on radio
20 Source: https://www.goodreads.com/quotes/6158505-in-private-a-person-says-all-sorts-of-things-slurs
 PRIVACY THOUGHTS FROM THE YEAR 1984

“Of course, we all act like Prochazka, in private we bad-mouth our

friends and use coarse language; that we act different in private
than in public is everyone's most conspicuous experience, it is
the very ground of the life of the individual; curiously, this obvious
fact remains unconscious, unacknowledged, forever obscured by
lyrical dreams of the transparent glass house, it [privacy] is rarely
understood to be the value one must defend beyond all others.

Thus only gradually did people realize (though their rage was all the
greater) that the real scandal was not Prochazka's daring talk but the
rape of his life; they realized (as if by electric shock) that private and
public are two essentially different worlds and that respect for that
difference is the indispensable condition, the sine qua non, for a
man to live free; that the curtain separating these two worlds is
not to be tampered with, and that curtain-rippers are criminals.”
Milan Kundera, The Unbearable Lightness of Being

These concerns are 40+ years old, and remain mere talking points today
21 Source: https://www.goodreads.com/quotes/6158505-in-private-a-person-says-all-sorts-of-things-slurs
 Setting the Scene Part 1 Summary
• Your data are of significant value to organizations, especially business

• They are also of significant value to politicians

• Because it is so cheap and easy to acquire, your data have become a

business and political imperative, ethically or not

Do you trust organizations or politicians with your data?

22
 Setting the Scene Part 2
How Much is Your Personal Data Worth to You?

23
 HOW MUCH IS YOUR PERSONAL DATA WORTH TO YOU?

How much money

you would accept to
give it up

What incentive you

would give it up for

24
 WHAT IS THE VALUE OF YOUR PERSONAL DATA TO YOU?

A 2011 study sought to determine the value consumers place on various forms of their data

Type of Data How Much in IT Services They Would Give it up For

Social Security Number: $240 of free services

Credit Card Information: $150 of free services

Digital Chat History: $59 of free services

Internet Search History: $57 of free services

Physical Location: $55 of free services

Health History: $38 of free services

For us as privacy practitioners, this is astonishing, right? And it’s real

25 Source: https://www.more-with-mobile.com/2013/06/prices-and-value-of-consumer-data.html
 EACH COUNTRY VALUES PERSONAL DATA DIFFERENTLY
Note: Was
US$184 for
worth US$240
Health
History
only four years
US$112 for earlier
Gov’t ID
(SSN)
US$59 for
Health
History
US$22 for
Credit
Card Data
NB Great Britain, not
the United Kingdom
US$4 for
Digital
Comms

People don’t value their data. That’s bad for a personal asset
that you carry with you for your whole life…
26 Source: https://hbr.org/2015/05/customer-data-designing-for-transparency-and-trust
 EXAMPLE: THE CASE OF VERIZON IN 2017

In 2017, Verizon Wireless offered a rewards program that required customers

opting into Verizon sharing their data with “vendors and partners”

The customers would earn credits for their spend, which could be exchanged
for streaming subscriptions, discounts on device upgrades, and movie tickets

Information shared included:

• Information about your wireless device and how you use it

• Information about your device location

• Your postal and e-mail addresses.

• Information about the quantity, type, destination, location, and amount of use of
your Verizon telecommunications services and related billing

• Information from other companies like gender, age range, interests, shopping
preferences, and ad responses
27 Source: https://arstechnica.com/information-technology/2017/08/want-verizon-rewards-just-let-vendors-and-partners-see-your-browsing-history/
 TAKE CARE: THE ALLURE OF MERE TRINKETS

• 58% of consumers from around the world Unfortunately, people will do anything for
would share internet activity in exchange a free pizza
1
for free online content A Domino's franchisee in Russia decided to
award 100 free pizzas each year for 100
years to customers that got visible tattoos of
“Most people … don’t assign any real cost the restaurant chain's logo
to losing their privacy because they have
the luxury of living … in places where the
rule of law is strong and human
2
rights are at
least somewhat protected.”

“How many times have you participated in a

free silly online quiz like ‘what kind of cat 3
were you in your past life’ for a bit of fun?”

If your data is worth trinkets to you, don’t complain about consequences!

1 Source: https://legaljobs.io/blog/privacy-statistics/
28 2 Source: https://www.quora.com/Why-are-most-people-willing-to-trade-privacy-for-convenience
3 Source: https://thenextweb.com/news/were-living-in-a-digital-serfdom-trading-privacy-for-convenience
 SO, A RETAIL ARBITRAGE OPPORTUNITY EXISTS

Consumer Point of View Retailer Point of View

How much personal data is How much “free stuff” will
worth, for example: vs consumers take in exchange for
their private data
US$112 for How about $120 of free services in
Gov’t ID exchange for your government
(SSN) identification (SSN in the USA)?

US$112 is already half the findings

of four years earlier…The cost of
data acquisition is declining

It’s troubling that individuals are placing less value on their personal data
over time, and also that they’re willing to exchange it for “free stuff”
29
 WHAT IF “MOST” OF A PERSON’S DATA WAS AT STAKE?
3,000

2,500

2,000

1,500
$

1,000

500

State

Top 5 States Bottom 5 States US Average

The average American would sell most of their personal data for US$1,452
30 Based on: https://www.fastcompany.com/90776352/how-much-do-americans-think-their-personal-data-is-worth-it-depends-on-where-they-live
 BUT HOW MUCH OF YOUR DATA IS OUT THERE FOR SALE?

In a 2018 experiment to determine the amount of personal data collected on the

average Canadian by Facebook, Google, and Twitter, 1.7GB of personal data was
downloaded. It contained:

• Search history • Every address searched for

• Every ad clicked on • Preferred sources of news

• Every event attendance • Appointments and meetings attended

• Every message • Tweets liked and retweeted

• Every friend, from start to unfriending

There are many, many more organizations collecting your personal data

With so much data about you out there, it’s unlikely a retailer will pay you
US$1,400 for anything else you may have
31 Source: https://ottawacitizen.com/news/national/just-how-much-of-your-personal-data-is-actually-online-we-take-a-look
 SO, THE HORSE HAS BOLTED, BUT ALL IS NOT LOST

Government Identification Does not expire; Jealously protect (1st prize for hackers: impersonation)
Biometric Information 1 Does not expire; Jealously protect (DNA, fingerprints, retina)
Date of Birth Does not expire; Jealously protect
Name Does not expire; Jealously protect
Biometric Information 2 Expires slowly; Jealously protect (face, voice, signature)
Phone Numbers Expire, but can be long-lived; Jealously protect Key
Email Addresses Expire, but can be long-lived; Jealously protect Does not expire
Credit Cards Expire within 4 or 5 years; Jealously protect Expires but critical
Address Expire, but can be long-lived; Jealously protect Expires but can haunt
Employee Records Expire, but previous bad behaviour may haunt you
Social Media Expires, but previous posts may haunt you
Resume Expires, but the information in it may haunt you

Some data expires, so they are still worth protecting

32
 Setting the Scene Part 2 Summary
• Individuals value their data differently across the globe

• Many are happy to trade such a valuable personal asset for trinkets at retail prices

• There is so much cheaply and freely data about you out there

• It is still worth protecting because much of it expires

Can you trust yourself with your own data?

33
 Data Trust
A big mess filled with opportunity for reflection, and correction

34
 THE ELEMENTS OF DATA TRUST

The trust you

have in the retail
businesses you
buy from

The trust a retail

business has in
the data it has
about you

35
 BUSINESSES ARE OUT OF TOUCH WITH THEIR CONSUMERS

Trust has Trust has

Increased decreased

36 Based on: https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/defining-data-trust-strategy.html

 DATA PROCUREMENT IS A BIG DRIVER OF DECLINING TRUST

Data Collection Trend: Zero and 1st Party data collection vs 3rd Party data
procurement, to reduce liability. Its success however depends on trust
37 Source: https://aimagazine.com/data-and-analytics/first-party-data-key-to-rebuilding-trust-in-online-platforms
 BUT WHAT HAPPENS WITHIN AN ORGANIZATION IS JUST
AS PROBLEMATIC

Can a business trust itself?

38
 USING YOUR DATA CAN BE EXPENSIVE FOR ORGANIZATIONS

22%-33% of the time of an employee that uses data is spent fixing and
%1)
preparing it (McKinsey & Co find the average to be 29
39 Source: https://www.isaca.org/resources/isaca-journal/issues/2023/volume-1/toward-rebuilding-data-trust
1 Source: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/designing-data-governance-that-delivers-value
 IS YOUR DATA TRUSTWORTHY?

Root cause of
data problems

40 Adapted from: https://hbr.org/2015/10/can-your-data-be-trusted

 REASONS ORGANIZATIONS DON’T TRUST THEIR D&A
(DATA & ANALYTICS) From 1,000 senior executives in 10 countries and 9 industries
Does it Excel at Does it Aspire to Meet Does it Check D&A Does it Use the Right
Managing D&A Quality? D&A Best Practice? Model Accuracy? Data Sources?
Root 10% Root Root Root
Cause Cause Cause Cause
46% 45% 43%
54% 55% 57%

90%
Yes No Yes No Yes No Yes No

Are D&A Outcomes Does it Trust Does its C-Suite Has its D&A Improved
Used Consistently? Operational D&A? Support D&A? Effectiveness?
Outcome Outcome Outcome Outcome
33%
47% 44%
49% 51%
53% 56%
67%

Yes No Yes No Yes No Yes No

Lack of C-Suite support, poor data sources, poor quality, poor model
checks, and poor consistency lead to poor trust and thus poor utilization
41 Based on: https://www.cioinsight.com/big-data/why-many-organizations-dont-trust-their-data/
Based on: https://www.fastcompany.com/3065294/why-executives-dont-trust-their-own-data-and-analytics-insights
 THE RISKS OF ORGANIZATIONAL DATA USE
Data Risk
• Have the data been acquired
legally?
• Have the data been acquired
ethically?
How can you trust an
organization that acquires your
data illegally or unethically?
Legal and Reputational Risk
42
Data Use Risk
• Are the data from different
sources (e.g. procurement)
comparable?
• Has the data quality been
verified?
• Has the data processing been
verified?
How can you trust what is being
done with your data if the inputs
cannot be validated?
Operational and Reputation Risk
 HAS SOCIAL MEDIA DAMAGED OUR SOCIAL FABRIC?
• “…we have created tools that are ripping apart the social fabric…”

• “…short term, dopamine-driven feedback loops … are destroying how society works. …
No civil discourse, no cooperation: misinformation, mistruth.”

• “…bad actors can manipulate large swathes of people to do anything you want.”
Former Facebook VP for User Growth Chamath Palihapitiya1

• Facebook and others have succeeded, “exploiting a vulnerability in human psychology.”

Early Facebook Investor Sean Parker1

• Facebook lies about its ability to influence individuals based on the data it collects on them
Former Facebook Product Manager Antonio Garcia-Martinez1

• “… [I]t is increasingly observable that social media present enormous risks for individuals,
communities, firms, and even for society as a whole … [like] cyberbullying, addictive use,
trolling, online witch hunts, fake news, and privacy abuse.”
Baccarella, Wagner, Kietzmann, and McCarthy; European Management Journal2

Our data has changed community trust dynamics in a way we did not expect
43 1 Source: https://www.theverge.com/2017/12/11/16761016/former-facebook-exec-ripping-apart-societyF
2 Source: https://beedie.sfu.ca/sms/admin/_DocLibrary/_ic/82d7197664a0ffce171b0b585495808f.pdf
 Data Trust Summary
• Some businesses are out of touch with the reality of data trust, with data procurement
being a major driver of declining trust

• Dirty data is a major operational issue, incurring risk for organizations and individuals

• Many businesses don’t trust their own data and analytics because of it

• The negative impact of social media on our social fabric is only just being understood

Can you trust yourself with your own data?

44
 Your Obligations
As an organization and as an individual

45
 INCREASING TRUST: SOME ORGANIZATIONAL OBLIGATIONS

1. To enable data and data processing

transparency
“…the best tonic for depleted trust is
heightened transparency.” Understandable
2. To enable ethical value creation and Up-to-Date Better data quality
can increase trust in
delivery
Accessible business by 3% and
trust in government
3. To enable strong data management Traceable by 6.1%
practices
Clean
4. To enable multi-stakeholder data
interactions to build internal trust and
legitimacy

5. To drive 1st party and zero party data

acquisition vs 3rd party data procurement

46 Based on: https://www.isaca.org/resources/isaca-journal/issues/2023/volume-1/toward-rebuilding-data-trust

 INCREASING TRUST: SOME PERSONAL OBLIGATIONS

1. Know your worth in data terms

You are worth much more than movie tickets
or a discount on a new cellphone

2. Time is on your side

Your data becomes less useful over time; it’s
never too late to protect your data

3. Learn to recognize exploitation

“if it’s free; you’re the product”

4. Differentiate between your public and

How many organizations know
your private self
something about you?
Jealously guard your private self

5. Be aware of the influence of social media 6. Clean up after yourself

You may be the subject of a destructive play Watch those old user profiles…
47
 Obligations Summary
• Both businesses and individuals have a role to play in rebuilding data trust!

Business will exploit individuals not valuing their data. Both are to blame
48
 Conclusion

49
 SO WHAT ARE YOU DOING TO PROTECT YOUR SECRET?

50
 CONCLUSION

• Your data (often used without • 3rd party data drives the decline in
permission – reducing trust) can trust; opportunities in zero and 1st
yield 10,000% ROI party data collection need trust
• They can also unethically be • Data quality is a costly business
used for political gain, further problem that also decreases trust
reducing trust
• Low data quality puts both
• Some are sadly happy to trade businesses and consumers at
their data for short-term trinkets risk, further decreasing trust
• Business is out of touch; many of • Data can and does impact the
them say data trust is increasing integrity of our social fabric,
while consumers say it isn’t decreasing trust
Business is not solely responsible for the decline in data trust; consumer
behaviour is problematic too. Both parties are responsible for addressing it
51
Questions?
THANK YOU FOR ATTENDING