Lately there has been quite a bit of noise about the concept of “trust” in information security. This has always confused me, because I tend towards @bobblakley when he says:
“trust is for suckers.”
But security is keen on having trendy new memes, things to sell you, and I thought that I might as well weigh in because we’re seeing “trust models” in everything from OSSTMM to NIST 800 series to Cloud model thingies.
The problem I have getting all excited about “trust modeling” is that it’s basically yet.another.hypothetical.construct. We already have “security” and “risk” that our industry finds problematic to define and measure. Why are we soooo keen on creating another problem child?
And I have to wonder, is it really necessary? Think about it: my ability to “trust” – a person, connection, system, whatever – is simply an acknowledgement of the risk in transacting with them. I “trust” my good friends and certain relatives because I have a bunch of experience (priors) that leads me to believe that they are “trustworthy”, which is a nice way of saying “low risk”. I know these people will go out of their way *not* to hurt me without just cause.
Similarly, when dealing with car mechanics, salespeople, and politicians – I have very little “trust” because there is a high degree of risk in my transaction and I either have no prior experience with them, or really bad experiences with them.
So really, my amount of “trust” is the inverse of the amount of risk I perceive for whatever reason (past experience, lack of data, expected experiences given some trending data).
THE ONLY TRUST MODELS YOU’LL EVER NEED
So in 2011, if you’re sitting in a meeting and some GRC pusher decides that they need trust models for you to be really good at your jobs, you can use the following and explain to them you already have a very nice one, thanks.
IF YOU USE QUALITATIVE RISK STATEMENTS
Trust = Opposite of Risk
So “Low Risk” becomes “High Trust”.
IF YOU USE RISK SCORING WITHOUT MEASUREMENT SCALES
Trust = 1/Risk
So the larger the risk score, the smaller the trust score.
IF YOU USE QUANTITATIVE ALE-TYPE MEASURES (ALE, FAIR, WHATEVER)
You don’t need to do anything. You can say “We trust that this partner will have 10 incidents per year causing us between $50,000 and $2,000,000 in damage” or whatever.
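The three conversions above, written out as an added example (not the author's code): a qualitative scale is mirrored end-for-end, an unscaled score takes its reciprocal, and an ALE-style statement passes through untouched. The three-level Low/Medium/High scale and the vendor scores are constructed for illustration; the one caveat worth encoding is that 1/Risk has no value at a risk score of zero, so the function refuses it instead of quietly producing “infinite trust”.

```python
from fractions import Fraction

# Constructed ordinal scale, lowest to highest risk (assumption: the post only names Low and High).
QUALITATIVE_LEVELS = ("Low", "Medium", "High")


def qualitative_trust(risk_level: str) -> str:
    """Trust = opposite of risk: mirror the level's position on the ordinal scale."""
    idx = QUALITATIVE_LEVELS.index(risk_level)  # raises ValueError for a level not on the scale
    return QUALITATIVE_LEVELS[len(QUALITATIVE_LEVELS) - 1 - idx]


def scored_trust(risk_score: int) -> Fraction:
    """Trust = 1/Risk for an unscaled risk score.

    Fraction keeps the value exact; a zero or negative score has no usable
    reciprocal and is rejected rather than silently mapped to 'infinite trust'.
    """
    if risk_score <= 0:
        raise ValueError("risk score must be positive to take its reciprocal")
    return Fraction(1, risk_score)


def quantitative_trust_statement(partner: str, incidents_per_year: int,
                                 loss_low: int, loss_high: int) -> str:
    """ALE-type measures need no conversion: the risk statement already is the trust statement."""
    return (f"We trust that {partner} will have {incidents_per_year} incidents per year "
            f"causing us between ${loss_low:,} and ${loss_high:,} in damage")


def rank_by_trust(risk_scores: dict) -> list:
    """Most-trusted first; because trust is 1/Risk this is ascending order of risk score."""
    return sorted(risk_scores, key=lambda p: scored_trust(risk_scores[p]), reverse=True)


if __name__ == "__main__":
    # Constructed sample scores for three hypothetical partners.
    partners = {"vendor-a": 2, "vendor-b": 9, "vendor-c": 5}
    print(qualitative_trust("Low"))                      # High
    print(rank_by_trust(partners))                       # ['vendor-a', 'vendor-c', 'vendor-b']
    print(quantitative_trust_statement("this partner", 10, 50_000, 2_000_000))
```

Ranking by trust reverses ranking by risk score exactly, which is the point: nothing new is measured, only the label changes.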
There you go. A Trust Program/Trust model for absolutely free.