Traditional models of incentivising people suggest that positive incentives are more effective than negative ones. We argue that in data access the opposite can be true, as the assumptions made at the design stage can fundamentally change the user environment and hence perceptions of the ‘right’ way to act. Such assumptions also affect the ‘legitimacy’ of any control measures: empathy can encourage positive reinforcement. Both of these issues are dependent upon the training given to data users, particularly if this can develop a self-policing ethos. Hence training (of the ‘right kind’) should be seen as a positive investment to improve the benefit:cost ratio, rather than unavoidable expenditure.
The focus on policing rather than engagement is particularly acute when considering the vast research potential of the data resources in the public sector. Although evidence-based policymaking is widely supported, specific costs and diffuse benefits encourage an overly risk-averse environment amongst the data owners. Discussions about user risk are dominated by academic studies based on worst-case scenario planning.
This study uses an example of research data access to demonstrate how insights from criminology, psychology and economics, supported by evidence rather than theory, can provide substantial improvements in the risk profile, the user experience and the net cost of data access. The example also demonstrates how an effective culture of data security can be developed using the carrot rather than the stick. While the example reflects a particular environment, the lessons that can be drawn from this are more general. In particular, we suggest ways that the perception of cybersecurity experts, that people are the weak link in any security system, can be turned into a potential positive benefit.