topic Re: What is Trust? in Governance, Risk, Compliance

What is Trust?

Caute_cautim — Mon, 09 Oct 2023 09:44:54 GMT

Hi All

I have been thinking about this subject for some time, and I cannot get a definitive statement which rings true, so far.

Here is part 1 of my thinking:

Part 1: I think we need to examine the word "Trust" carefully - from a human being context:
Trust is a central part of all human relationships, including romantic partnerships, family life, business operations, politics, and medical practices. If you don't trust your doctor or psychotherapist, for example, it is much harder to benefit from their professional advice.
But what is trust? Here are some possibilities:
Trust is a set of behaviors, such as acting in ways that depend on another.
Trust is a belief in a probability that a person will behave in certain ways.
Trust is an abstract mental attitude toward a proposition that someone is dependable.
Trust is a feeling of confidence and security that a partner cares.
Trust is a complex neural process that binds diverse representations into a semantic pointer that includes emotions.
The importance of trust is becoming more dependent on complex, often invisible, connected technologies, data streams and third parties. But people instinctively distrust things they can't see, touch or understand.

And yet, we are talking fundamentally about technical trust of machines, devices, networks, applications, users and data

I will publish Part 2 shortly, but think of the context of Zero Trust and Trust Access in connection with Zero Trust Network Architecture and Zero Trust Architect.

I am sure there is spades of comments and many thoughts from many others, which are worth sharing and debating?

Regards

Caute_cautim

Re: What is Trust?

Bowmann — Wed, 06 Jan 2021 10:42:42 GMT

@Caute_cautim wrote:
Hi All

I have been thinking about this subject for some time, and I cannot get a definitive statement which rings true, so far.

Here is part 1 of my thinking:

Part 1: I think we need to examine the word "Trust" carefully - from a human being context:
Trust is a central part of all human relationships, including romantic partnerships, family life, business operations, politics, and medical practices. If you don't trust your doctor or psychotherapist, for example, it is much harder to benefit from their professional advice.
But what is trust? Here are some possibilities:
Trust is a set of behaviors, such as acting in ways that depend on another.
Trust is a belief in a probability that a person will behave in certain ways.
Trust is an abstract mental attitude toward a proposition that someone is dependable.
Trust is a feeling of confidence and security that a partner cares.
Trust is a complex neural process that binds diverse representations into a semantic pointer that includes emotions.
The importance of trust is becoming more dependent on complex, often invisible, connected technologies, data streams and third parties. But people instinctively distrust things they can't see, touch or understand.
Download iMessage for PC
And yet, we are talking fundamentally about technical trust of machines, devices, networks, applications, users and data

I will publish Part 2 shortly, but think of the context of Zero Trust and Trust Access in connection with Zero Trust Network Architecture and Zero Trust Architect.

I am sure there is spades of comments and many thoughts from many others, which are worth sharing and debating?

Regards

Caute_cautim

If you trust someone, you believe that they are honest and sincere and will not deliberately do anything to harm you. Your trust in someone is your belief that they are honest and sincere and will not deliberately do anything to harm you. He destroyed me and my trust in men. You've betrayed their trust.

Re: What is Trust?

tmekelburg1 — Tue, 05 Jan 2021 15:13:26 GMT

I like the APA's definition on Trust:

trust
1. n. reliance on or confidence in the dependability of someone or something. In interpersonal relationships, trust refers to the confidence that a person or group of people has in the reliability of another person or group; specifically, it is the degree to which each party feels that they can depend on the other party to do what they say they will do. The key factor is not the intrinsic honesty of the other people but their predictability. Trust is considered by most psychologists to be a primary component in mature relationships with others, whether intimate, social, or therapeutic. American Psychological Association

I look forward to reading part 2!

Re: What is Trust?

rslade — Tue, 05 Jan 2021 15:53:18 GMT

In my first book I had a whole chapter just on trust. The copy editor sent me a
special message noting how important it was. (Copy editors *NEVER* comment
on the content of your manuscript ...)

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

Re: What is Trust?

Caute_cautim — Tue, 05 Jan 2021 22:13:43 GMT

@rslade I would be interested in whether your book is still in print, available via Amazon or in Kindle format?

Trust is an important subject - it is becoming far more important because the ordinary person cannot understand what is meant by "digital trust" or even Zero Trust.

Part 2 states:

For zero trust: For zero trust to be effective, it needs to consider not only the user, but the risks of the resources themselves. It does not. You would never grant access in a zero trust model if the assets have remotely exploitable critical flaws. Zero trust ignores the resources risk, while focusing inordinately on access controls. Hence we should not use the term "Trust Access", especially if the resources risk has been ignored or the assets have already been compromised aka Fireeye/Solarwinds lessons.

So fundamentally, if any component within the system is not secure, or cannot be implicitly trusted or is suspected to have been compromised, they Zero Trust cannot be achieved.

Also Zero Trust requires a policy engine, which constantly monitors and ensures that agreed, approved policies are centrally applied. So far this is not achievable, unless we engage the assistance of AI and ML to ensure objective compliance and enforcement for all components.

So very interested, what or how you interpret "Digital Trust" in terms of digital identity, which is a core subject in a Trusted Digital Identity system or even within Zero Trust, some interpret it as Trust Access, which implies everything is centred on Trust. Can Trust be applied via electronic, digital systems - because we put an awful lot of emphasis on it.

I would appreciate your thoughts and wisdom, and other thoughts too.

Regards

Caute_Cautim

Re: What is Trust?

Caute_cautim — Tue, 05 Jan 2021 22:14:43 GMT

@tmekelburg1

Part 2:

Part 2 states:

So fundamentally, if any component within the system is not secure, or cannot be implicitly trusted or is suspected to have been compromised, they Zero Trust cannot be achieved.

Regards

Caute_Cautim

Re: What is Trust?

jmikesmith — Wed, 06 Jan 2021 14:05:08 GMT

No one else has mentioned this yet, so I will...

Bruce Schneier published a book on the topic of trust in 2012: https://www.schneier.com/books/liars-and-outliers. I haven't read it yet, but I've read some of the essays and articles he's published over the years that touch on topics from the book.

Mike

Re: What is Trust?

rslade — Wed, 06 Jan 2021 19:09:47 GMT

> Caute_cautim (Community Champion) mentioned you in a post! Join the conversation

> @rslade I would be interested in whether your book is still in print,
> available via Amazon or in Kindle format?

I've just checked at
https://www.amazon.com/Robert-Slade/e/B001H6MUCW
and all of them (except "Viruses Revealed" and the dictionary) seem to be
available. (I guess since the copyrights have reverted to me on those, they aren't
still selling them.)

But then again, the dictionary does seem to be available as well ...
https://www.amazon.com/Dictionary-Information-Security-Robert-Slade-
ebook/dp/B001077CJ4

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

Re: What is Trust?

Caute_cautim — Wed, 06 Jan 2021 20:16:44 GMT

Hi All

From a Research-gate paper on Trust - they conclude:

"In sum, trust is a behavioral construct; to trust is to place one’s confidence in the other party to the relationship. Trust is preceded by perceived trustworthiness of the party, the expectation of trustor of the trustee’s behavior,and/or emotional bonds between the trustee and the trustor. Both cognitive and affective anticipations lead to a choice of placing or not placing one’s confidence in the other party. Such a decision or choice may lead to both instrumental and psychological outcomes as consequences of trust, including highly social and emotional outcomes. Trust conceived as such, incorporates all the essential components we can conceive; we expect that our effort will serve as a stepping stone for other researchers in their endeavors of exploring the nature of trust."

It is obvious, we simply do not have an agreed term for Trust in a digital context or even electronics, so if we cannot trust a system, how can we in fact have "trust" as in Zero Trust.

We need to examine this more closely, and ensure that there is an absolute agreement as to what is Trust in the context of digital Identity, Digital electronics, or that of Systems? Can we actually have a trustworthy system?

Regards

Caute_cautim

Re: What is Trust?

Caute_cautim — Wed, 06 Jan 2021 20:25:44 GMT

HI @jmikesmith You are of course correct:

https://www.schneier.com/essays/archives/2019/02/theres_no_good_reaso.html

But given that Bruce Schneier cannot himself put a good definition of trust for security systems or even Blockchain, then what chance do we have of explaining to a CEO whether a security system can be implicitly trusted given the recent circumstances, which undermined the supply chain i.e. Solarwinds, which now has a legal case raised against them.

Trust is very important in our day to day interactions, but if we cannot define it explicitly, do we mere mortal accept everything everyone states is actually trustworthy i.e. this is system can be trusted, but if one component is compromised, then potentially the whole system is render untrustworthy and has to be burnt down and re-built from scratch.

Regars

Caute_cautim

Re: What is Trust?

Caute_cautim — Wed, 06 Jan 2021 20:36:49 GMT

@rsladeDo we get signed autograph copies of your books?

So what exactly does your dictionary state and define "Trust"? Or even Zero Trust?

Regards

Caute_cautim

Re: What is Trust?

Caute_cautim — Wed, 06 Jan 2021 21:20:41 GMT

Hi All

Onward we go to under stand the word "Trust"

Trust Modeling for Security Architecture Development by Sun Microsystems 2003

Information technology architects must build applications, systems, and networks that match ordinary users' expectations of trust in terms of identity, authentication, service level agreements, and privacy. This article describes the vocabulary of trust relationships and demonstrates the practical importance of using trust modeling to formalize the threshold for risk.

Enterprise Security: Solaris Operating Environment, Security Journal, Solaris OEv2.51, 2.6, 7, and 8

Understanding Trust

As with many seemingly complex concepts, a good starting point is to consider the commonplace, everyday meaning of a word. Trust is an important part of our lives and it has numerous definitions. Consider questions like the following, which we deal with regularly even if we don't formalize a model:

What does it take to establish trust?
How do I determine the degree of trust to assign to an individual or process?
Would I trust a recommendation from an auto mechanic or a child care provider the same way?

Defining Trust

According to the ITU-T X.509, Section 3.3.54, trust is defined as follows:

"Generally an entity can be said to 'trust' a second entity when the first entity makes the assumption that the second entity will behave exactly as the first entity expects."

For the sake of defining trust and trust modeling relative to security architecture methodology, the following set of principles or elements are offered:

Trust is a characteristic and quality of a security architecture.
Trust is a balancing of liability and due diligence. For example, you must decide how much effort to expend to reduce liability to an acceptable level for a particular business proposition and stated security policy. You must establish an equilibrium of trust.
Trust is the enabling of confidence that something will or will not occur in a predictable or promised manner. The enabling of confidence that something will or will not occur in a predictable or promised manner. The enabling of confidence is supported by identification, authentication, accountability, authorisation and availability.
Trust is the binding of of unique attributes to a unique identity, for example, accountability. This is both a qualitative and a subjective measure of expectations regarding another's behaviour and relative to a defined security policy. Essentially a trust relationship is established when a satisfactory level of confidence in the attributes provided by an entity is achieved.
Trust is defined as a binary relationship, or set of componed binary relationship, based individual identity or unique characteristic validation. That is, trust is the establishment of a trust relationship through a validation process and the subsequent use of that relationship in some transactional context.

Do not focus solely on technical solutions. As with all aspects of a security architecture, a successful trust model must consider people, process, and technology.

Finally, if you remember nothing else from this article, do not forget the following:

Failure to understand what trust model (if any) is actually in effect can create a false sense of security that may lead to serious, even catastrophic, financial and legal problems.
Adversaries exploit weak trust models.

Source: https://www.informit.com/articles/article.aspx?p=31546&seqNum=6

Regards

Caute_Cautim

Re: What is Trust?

rslade — Wed, 06 Jan 2021 22:36:47 GMT

> Caute_cautim (Community Champion) mentioned you in a post! Join the conversation

> So what exactly
> does your dictionary state and define "Trust"?

trust
extent to which one can have confidence that the system meets its objectives,
that is, that the system does what it claims to do and does not perform unwanted
functions. This is in line with Gene Spafford's famous definition that a secure
computer is one that does what it is supposed to.

There are nine more related definitions.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
If you can't make a mistake, you can't make anything.- Marva Collins
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

Re: What is Trust?

Caute_cautim — Sun, 14 Feb 2021 21:06:27 GMT

@rslade So if any part of your system is compromised, trust would be lost. If you review Systemic systems, all components are trusted until the point in time, that one or more components cause a failure or compromise to occur. Nothing is static, and constant review and updates are required at all times.

Regards

Caute_Cautim

Re: What is Trust?

Caute_cautim — Mon, 15 Feb 2021 19:45:02 GMT

@rsladeHowever, witness the recent security breaches with Fireeye/Solarwinds and Accellion both of which were supply chain issues - so although the organisation may have had all its components tested and verified as a system. One external component or relationship failed, thus is it became a systemic failure. So if trust is based on all the components being aligned, verified and one fails, then you have a loss of trust as well as a systemic failure.

Regards

Caute_cautim