Shostack + Friends Blog Archive


The Only Trust Models You'll Ever Need

Lately there has been quite a bit of noise about the concept of “trust” in information security.  This has always confused me, because I tend towards @bobblakley when he says:

“trust is for suckers.”

But security is keen on having trendy new memes, things to sell you, and I thought that I might as well weigh in because we’re seeing “trust models” in everything from OSSTMM to NIST 800 series to Cloud model thingies.

The problem I have getting all excited about “trust modeling” is that it’s basically yet.another.hypothetical.construct.  We already have “security” and “risk” that our industry finds problematic to define and measure.  Why are we soooo keen on creating another problem child?

And I have to wonder, is it really necessary?  Think about it: my ability to “trust” – a person, connection, system, whatever – is simply an acknowledgement of the risk in transacting with them.  I “trust” my good friends and certain relatives because I have a bunch of experience (priors) that lead me to believe that they are “trustworthy”, which is a nice way of saying “low risk”.  I know these people will go out of their way *not* to hurt me without just cause.

Similarly, when dealing with car mechanics, salespeople, and politicians – I have very little “trust” because there is a high degree of risk in my transaction and I either have no prior experience with them, or really bad experiences with them.

So really, my amount of “trust” is the inverse of the amount of risk I perceive for whatever reason (past experience, lack of data, expected experiences given some trending data).

THE ONLY TRUST MODELS YOU’LL EVER NEED

So in 2011, if you’re sitting in a meeting and some GRC pusher decides that they need trust models for you to be really good at your jobs, you can use the following and explain to them you already have a very nice one, thanks.

IF YOU USE QUALITATIVE RISK STATEMENTS

Trust = Opposite of Risk

So “Low Risk” becomes “High Trust”.

IF YOU USE RISK SCORING WITHOUT MEASUREMENT SCALES

Trust = 1/Risk

So the larger the risk score, the smaller the trust score.

IF YOU USE QUANTITATIVE ALE-TYPE MEASURES (ALE, FAIR, WHATEVER)

You don’t need to do anything.  You can say “We trust that this partner will have 10 incidents per year causing us between $50,000 and $2,000,000 in damage” or whatever.

There you go.  A Trust Program/Trust model for absolutely free.

16 comments on "The Only Trust Models You'll Ever Need"

  • You forgot “assurance” which has exactly the same problem.

  • PW says:

    I will preface that my opinion is currently an incomplete thought 🙂 but I had to throw my two cents in.

    Not sure that high trust = “low risk” or lack of trust = “high risk”. To me trust is somewhat a different construct to be applied to people/groups of people. Just because I perceive that my risk is low/high for a particular scenario doesn’t necessarily mean that I trust it will stay that way, I think for scenarios or abstract concepts (non-humans) that “confidence” is a better descriptor.

    From an abstract psychology perspective I can trust all sorts of people or groups of people to behave in a certain way; that doesn’t mean that the decisions made are all low-risk to me, but rather I can trust that the behavior would be consistent with my expectations. From a non-abstract perspective trust is having the ability to be vulnerable to other people, “trusting” them to be honest, benevolent, and competent – and I can trust all sorts of people with very little risk to me personally.

    But, I am not sure I can “trust” that a risk scenario or a complex computing machine can be honest, benevolent, or competent – but I CAN have a certain level of confidence in expected outcome or behavior.

    🙂

  • alex says:

    “Just because I perceive that my risk is low/high for a particular scenario doesn’t necessarily mean that I trust it will stay that way”

    I think you might be getting caught up in semantics/logic a bit. It can be tricky, believe me.

    So in statistics, “Trust” in what describes state (data quality) can be described as a confidence factor/interval/whatever. But confidence in the information, model, model selection/applicability is different than confidence that the other party won’t screw you in the transaction (trust/risk).

    • PW says:

      Semantics, maybe. What I am saying is that equating trust to risk levels is a lousy descriptor – you are saying the same thing I think 🙂 I just would not use the argument that certain levels of “trust” equal low/high risk.

      Also, there is a concept of “trust” in statistics? Are you really confident saying that “trust” is the same as stat confidence factor/interval? Haha!

  • alex says:

    @PW – I’m 90% confident that my Confidence determinations are a description of how much I trust that information 🙂

    • PW says:

      Maybe we need a Trustitician to weigh in here (the more honest brother of Statistician) 🙂

  • Dan Philpott says:

    The problem is that trust is not so simple a problem as described. Sure, if you can depend on past experiences or independent historic records you can model a quantitative trust. Unfortunately there are many situations where these are not present but a type of trust is. And trust varies by context, inter-personal trust has an entirely different dynamic than inter-organizational trust.

    On the first point, that trust often must exist without a history to base it on, consider the supply chain. Organization A has a contract with supplier B and we have a certain level of trust because of our experience. But what about supplier B’s use of OEM C, D and E? OEM E has the lowest bid price and is a new company; this affects the trust I should have in the relationship with supplier B, but as I am unaware of the new relationship my trust level does not vary. This type of chain of trust issue is a big issue with the Federal government. A more common scenario is when parent organization F mandates that organization A must trust supplier B as a vendor. The trust relationship exists but it is mediated through parent organization F, and organization A may have no means by which to determine the amount of trust.

    On the second point, trust dynamics vary by context. Trust between people works much differently than trust between organizations. People change over time and past experience is not indicative of future performance. A guy who may not be depended upon to show up to every BBQ may be the most reliable friend when you need someone to tell you the truth about some difficult fact. Inter-personal trust relationships are multifaceted. Inter-organizational trust relationships tend to be a little more steady and to be based on well-defined obligations and expectations. The dynamics are simpler but by no means simple. And in either case these contexts can be completely turned on their heads by a change in the environment.

    So why care about trust relationships in these different contexts? Inter-personal trust can have a big impact on an organization. A trusted employee can become disgruntled, damaging assets and reputation or selling secrets to the competition. The trust relationship with a supplier can be exploited by other organizations down the supply chain. Without at least some basic understanding of the complexities of these different models, companies and people accept trust blindly.

    That kind of trust is pure risk.

  • alex says:

    @Dan –

    Actually, I’ll argue that it is that simple. Think about what you just wrote. In each case, I fail to see how this isn’t a “risk” issue, and the amount of trust doesn’t change proportionally. Specifically:

    “But what about supplier B’s use of OEM C, D and E.”

    Aren’t those relationships part of the risk you perceive (past/present/future) in dealing with Supplier B?

    “OEM E has the lowest bid price and is a new company, this affects the trust I should have in the relationship with supplier B”

    And why wouldn’t it therefore similarly affect the risk? Why would it affect the risk any differently than inversely proportional? How is what you’re saying there NOT “I perceive more risk now because of E so my trust is less.”

    “organization F mandates that organization A must trust supplier B as a vendor.”

    This is simply the assertion of F’s risk tolerance over A’s risk tolerance. This sort of assertion happens all the time. Think PCI. But any lack of trust A has with B over and above F’s assurances is expressed as addressing risk (new processes, controls, whatever).

    If A takes no further action, that *is* its implied risk tolerance of B.

    I don’t understand what you’re trying to say in paragraph 3.

    “People change over time and past experience is not indicative of future performance.”

    Not sure how that’s different than organizational risk perception. I don’t believe for one second that my vendors are static and unchanging. In fact, my worry is that their rate of change is much, much more than the entropy of my Vendor Management information.

    “A guy who may not be depended upon to show up to every BBQ may be the most reliable friend when you need someone to tell you the truth about some difficult fact.”

    Right, context is everything. I may trust/perceive low risk when my interactions with a vendor don’t have PII, but if you ask me to exchange PII with them, I may have a completely different view of my risk. Can’t see how this creates a trust != 1/risk proof.

    “Inter-personal trust relationships are multifaceted. Inter-organizational trust relationships tend to be a little more steady and be based on well defined obligations and expectations.”

    Inter-organizational relationships aren’t multifaceted? I’d also argue that organizational trust relationships tend to be more steady not because of well-defined obligations & expectations, but because nobody knows how to do risk management with any certainty. Vendor Mgmt *sounds* like a great idea, but at the end of the day, it’s not like there’s a great deal of certainty about current or future states of risk. And that’s precisely because it’s a multi-faceted problem!

    “A trusted employee can become disgruntled, damaging assets and reputation or selling secrets to the competition. The trust relationship with a supplier can be exploited by other organizations down the supply chain.”

    Again, state changes above that you attribute to changes in trust are, indeed, changes in risk. In other words, the moment an employee goes bad is the moment we have more risk, and therefore, should have proportionately less trust. Same with “supplier chains”.

    “Without at least some basic understanding of the complexities of these different models companies and people accept trust blindly. That kind of trust is pure risk.”

    edit:

    “Without at least some basic understanding of the complexities of these different models companies and people accept *risk* blindly. That kind of risk is pure trust.”

  • I think of trust this way.

    As the security person I have to trust that the execs are making the right decisions based on the information I provide them. Hopefully they trust the quality of my input. Hence my desire for a high quality risk framework (qualitative, quantitative or visual).

  • Kevin Kenan says:

    Ideally trust relationships would track risk assessments, but in many cases organizations create trust relationships with high risk parties. Trust could be seen as a measure of how much sensitive information is being exchanged with or exposed to another party, while risk is, well, risk is the risk of that trust. Just a quick thought on the post.

  • Alex says:

    @Kevin – thanks for the comments.

    “Ideally trust relationships would track risk assessments, but in many cases organizations create trust relationships with high risk parties.”

    Right, but how much do you trust a high risk party? Not much, if you value your job.

    “Trust could be seen as a measure of how much sensitive information is being exchanged with or exposed to another party”

    Which I would argue is also implied in probable magnitude of loss (risk).

    “while risk is, well, risk is the risk of that trust. Just a quick thought on the post.”

    Again appreciate it! My point is that people want to measure trust. A simple but effective measure in terms of deductive modeling would be to inverse the risk they perceive.

  • Kevin Kenan says:

    Sometimes we decide to trust someone who is not very trustworthy. According to the model described in the post, this would imply low risk. To see this, in the formula for qualitative risk solve for risk given a fixed trust of high.

    Clearly the amount of trust we place in people can vary independently of the risk of placing that trust.

    🙂

    If I were asked to measure trust, my gut instinct would be to measure the amount of access to sensitive assets and define low access as low trust and high access as high trust. Then I would recommend that we focus on remediating cases where both the trust and risk are high. Remediation could be lowering the level of trust or strengthening other controls to lower the overall risk. I agree that cases of low trust and high risk aren’t possible.

    I guess I’m approaching trust as one of the controls that can be varied to adjust risk. But I agree that trust is a slippery concept and formally adding it to our repertoire is simply asking for trouble.

  • Glen says:

    IMHO, evaluating trust is evaluating the risk that whoever you’re dealing with is going to screw you. The more likely they are to screw you, the less you trust them. All posters seem to be saying that trust is earned. How is it earned? Well, if the other party doesn’t screw you this time, then the risk that they’ll screw you next time goes down (based on past performance) and inversely your trust in them goes up.

    For the scenario where A deals with and trusts B, and B deals with C, D and E, the risk to A is how B deals with those relationships. A is trusting that B will make good decisions and not screw them by blindly going with the lowest bidder.

    Obviously there’s a risk that B will make a bad decision which will ultimately screw A in some way. But, if B does make a bad decision on evaluating the risk of dealing with E and gets screwed by them, the trust that A has in B depends entirely on how B handles the situation. If B says “Well E screwed us and we’re going to pass that up to A” then for sure A’s trust in B will drop. But if B says “E screwed us and it’s our mistake and A shouldn’t suffer for it”, then A’s trust in B will remain high.

    I guess I’m saying that the equation should be modified slightly to TRUST = 1/(risk of getting screwed). There probably could be additional modifications based on the nature of “getting screwed” depending on the dollar amounts involved and how much pain it would cause if you got hit with it. But that’s still evaluating risk, right?

    In the case of trusting a partner with PII, the trust level needs to be higher with them because the cost of getting screwed is higher. Your competitors would love to see you hand over PII to someone who will sell it to the highest bidder because now you’ve screwed your customers and the risk to them that you’ll do it again is higher and therefore their trust in you goes down.

    Hopefully this all makes some sort of sense to someone besides me.

    Cheers!

  • Wordman says:

    While I agree with your general point, your model has one flaw. I buy the idea that “things that violate trust” can always be called “risk”, but not the idea that “all risk involves violation of trust”.

    If you look at risk in a financial transaction, for example, some risk can be connected to trust (“counterparty risk”, for example). Other risk cannot.
