The Necessity of Trust
In this post, I will try to build a small interdisciplinary bridge between cybersecurity and philosophy or social sciences.
The skeptical CISO: But why the hell would you debate philosophy with cybersecurity professionals? Do you believe my security team will more effectively mitigate risks by applying maieutic* or by fixing these urgent vulnerabilities? Are you insane?
Trust me: some concepts borrowed from philosophy or social sciences are worth looking at.
The skeptical CISO: (laughter) Ok, I give you one minute to convince me that your philosophical abstractions are more effective than my technological firewall.
Ok, I take the bet.
Perhaps the most essential philosophical concept that cybersecurity professionals continuously and intensively work with is…
TRUST
Countless times per day, cybersecurity professionals make decisions on whether to trust a technology, a piece of software, a person, a business process, or an organization. Often, these decisions bear dramatic consequences. Think of it this way: a data breach is nothing other than the consequence of trust that was originally misplaced in something or somebody.
Therefore, revisiting our understanding of what trust is may help us make better-informed (trust) decisions.
The skeptical CISO: (grumbling)
Let me propose the following definition:
Trust is the subjective probability assessed by a trusting entity that a trusted entity will act in a certain way.
The skeptical CISO: You give me a headache!
Sorry if that sounded a little too abstract; let's have a look at a conceptual diagram instead:
Now, consider the controls you implement and the information you gather with your security team. In the end, their only value to the organization is that they build trust. Take any security control and ask yourself: does it bring an increase in trust that is worth its cost? Whenever the answer is no, get rid of it.
The skeptical CISO: Huh…
Trust has some key characteristics that we often lose sight of when making our daily decisions. While reviewing the following basic properties of trust, please reconsider your last threat analysis:
- Subjectivity: the fact that Bob trusts Alice does not imply that Eve trusts Alice.
- Asymmetry: the fact that Bob trusts Alice does not imply that Alice trusts Bob.
- Intransitivity: the fact that Alice trusts Bob and Bob trusts Eve does not imply that Alice trusts Eve.
- Non-distributivity: the fact that Alice trusts the association formed by Bob and Eve does not imply that Alice trusts Bob or Eve individually.
The skeptical CISO: Okay, I may rework my last threat analysis a little.
And there's much more to it than that, but I hope this was sufficient to spark your interest. To dive deeper into this topic, I invite you to trust me once more and have a look at the Trust entry on the Open-Measure wiki:
The skeptical CISO: Ok, there is perhaps a bit more to it than I originally expected. I'll keep my firewall, but I'll have a look at it as well…
_______
* Maieutic: related to the Socratic method of teaching through questioning rather than lecturing.
Comment from Cyber Security and IAM (3 years ago): Another great post David! The philosophy matters because it represents the "why" behind strategies and tactics.