What does trust have to do with security anyway?
In a series of articles about our modern Cyborg Age, I’ve argued that our traditional understanding of trust is flawed. We’ve misunderstood its role as a moral imperative, when in fact it seems only to be a rough and ready predictor of attention costs (attentiveness to reliable outcomes) and benefits for processes involving our interactions with others. Evolution has equipped us with a low-cost cognitive assessment. To use it properly, we need to rethink its use in the modern world. No doubt, some will prefer to hold on to the moral view of trust and disagree, but then one remains stuck with the usual dilemmas. There are solid reasons for wanting to understand trust better.
Trust and Security
If you work in IT or even in business, you might be forgiven for thinking that trust is the mortal enemy of security. This is simplistic and misleading. Most of us regard the old Cold War adage, “Trust, but verify…” as an ironic truism, but in fact what it really teaches us is something about the dual nature of trust. Trust has two parts: the assessment of trustworthiness and the decision to watch over and monitor our dealings with others, i.e. to manage our attention.
It requires only a small leap of the imagination to see that trust is an attention regulator, using mindspace or invested work as its currency. I believe the trust project (http://markburgess.org/trustproject.html) has now shown that this view is fully consistent with all previous interpretations.
Trust has two parts: an assessment of trustworthiness and a policy for giving one’s attention to verify outcomes. Trust and verify. These are independent decisions, not at all mutually exclusive.
As I argued in detail, trust plays a role something like that of energy in physics: as an accounting tool for governing and tracking processes. It has both potential and kinetic forms. Potential trust is a guiding summary of the historical past. Kinetic trust is an attention management mechanism for the present. At least that’s what the research strongly seems to suggest.
In the security profession, trust quickly became regarded as a bad word. In IT, the disdain for trust probably began in the 1990s, when the Secure Shell introduced its half-baked hat-tip to the difficult problem of verification. When you connect to a machine you’ve never met…