Who do you really trust?
Of course, as security practitioners, we know the best policy is to trust no one, or at least trust no one blindly. However, this policy is not all that practical in real life. We must trust a growing number of people, companies and products just to function at a most basic level today. Personal relationships, employment, education, banking, investing, commerce, and even our health care require a significant amount of trust and a lot of that trust is going digital.
In a perfect world, we would carefully evaluate the inherent risk and consider the potential reward before engaging in any important relationship. In the physical world, this is actually happening to some degree as your tactile experience and “instinct” guide you. A myriad of inputs and mostly intuitive reasoning tell us that this person, place or situation poses a risk while another can be trusted. Although it may be horribly biased by your life’s experience, we tend to trust “first impressions” when we meet strangers, and we evaluate risk and reward with some degree of confidence. We are, after all, genetic survivors of a long path of natural selection. It’s a safe bet that the “trust everyone and everything all the time” line of the species dead-ended long ago.
In the physical world, we see for ourselves important observable clues; clues that help us reflect and become more or less comfortable with our instinctive decisions. When you buy aspirin at a drugstore, you see (and eventually struggle with opening) the tamper-proof packaging. At a restaurant, you experience the cleanliness of the establishment, the caliber of the servers, and the sight (and even the smell) of the food before you take the first bite. This ability to deduce trustworthiness extends to complex fields outside our realm of expertise. When you board an airplane you see first-hand the condition of the plane and the pilots, and how they conduct themselves. As you pass through security, you are painfully aware of the various FAA and TSA regulations in place intended to protect you and the other passengers from each other’s shoes. For the research inclined, you can view statistics on the airline and its track record on safety (http://www.ntsb.gov/investigations/reports_aviation.html). You do not need to be an airline expert in order to assess a dramatic difference in risk and trustworthiness between boarding a TAM Airlines flight at Lagos airport and a Qantas flight at Changi Airport in Singapore. Humans do this, with varying degrees of accuracy, all the time.
How about the online relationships that have become so critical to our personal relationships, employment, education, banking, investing, commerce, and health care in today’s world? How well do these inherent skills at risk assessment, which have evolved over the millennia, work for us there?
Not so well, I am afraid.
Would it surprise you to learn that the average male online dating profile is actually 6 years older and 3” shorter than the average “real world” person it represents? Now, before the women reading this cast aspersions on the men, it seems the effects of gravity also change online. The average female online dating profile represents a match that is 20 pounds lighter than the average potential match in the physical world. This data, from the online dating research blog OkCupid (www.okcupid.com), is a few years old but unlikely to have changed much. It also illustrates an important point. The innate senses and skills we use to evaluate trust are simply not as reliable, and are much more easily duped, in the digital world.
In the digital world, we must apply more formal methods of evaluating trustworthiness than those we have come to rely upon via our experiences in the physical world. This is obvious when we consider the case of outright fraud and misrepresentation, where the party we are dealing with online is a stranger with criminal intent or someone masquerading as another. However, the issue of trust online is most challenging when dealing with people and companies online that have otherwise earned our “trust” in the physical world. The trust in a person or brand developed in the physical world may compel us to naively extend that trust to their skills in the domain of cyber security.
When it comes to protecting your data from attackers, most organizations are going to “do their best.” The problem is that “their best” has proven over and over to not be good enough.
Even if they have all the best intentions and use advanced technologies to protect your data, they still fail quite often. Unless you have spent the last decade living in a cave, you know that some of the best and most trusted brands have fallen down in their protection of your data. Companies that have been in the news due to cyber-related breaches are negligent to various degrees, and they’ve also been unlucky. An attacker hit just the right vulnerability with the right exploit when they weren’t looking. The victim companies made mistakes, but as long as humans are involved mistakes will occur. There is never going to be 100% assurance that the companies you work with won’t be a victim, no matter how much they spend on security personnel and technologies. In addition, modern software is so complex that it is impossible to write “perfect code.” In fact, according to the Cenzic/Trustwave Application Vulnerability Trends Report: 2014, 96% of tested applications have vulnerabilities.
So how do we learn to trust in this environment? It can no longer be intuitive. We must be able to assess risk and assign trust in a more thoughtful manner based on some measurable data.
There are two distinct aspects of trust to consider when engaging in an online relationship with an otherwise trusted party: is this organization using my data appropriately, and are they protecting it from third parties with malicious or unknown intent? In this regard, most of the essential elements of trust are simply invisible to you. You don’t have visibility into how your data is used, what information security investments have been made, or how effectively those controls are being applied. Rarely do you (or they) even know when there has been a compromise of your data.
It’s hard to rationally contemplate trust when all that you know is that everyone is doing his or her best and everyone eventually gets compromised. That knowledge makes one want to bury one’s head in the sand, as most do regarding the protection of their data. Transparency is the key to evaluating risk effectively in the online world, where we lose the direct experiential visibility that the real world affords us. I can’t smell rotten security when I browse tomatoes online, and accepting that “everyone” eventually falls victim is just inviting more risk. The more we know, the better we can make informed decisions about whom to trust.
If we are to have any hope of allowing trust to dictate behavior, then companies need to become significantly more transparent in:
- Precisely what data they retain and how they will use your data – not with some document updated constantly by a team of lawyers that is incomprehensible to regular people, but clear enough so that anyone can grasp it.
- Precisely how they plan to protect your data and how effective they have been at this task.
Companies and elected officials must take privacy and security more seriously, not by “trying harder to protect our data” but by giving us the visibility we need to assess risk better. Data breach notification laws, derided by some, are actually one of the few tools we have to gain visibility into a problem which affects us but stems from someone else’s failure.
That being said, here are some ideas of what companies I do business with online can do to gain my trust:
- Don’t retain any of my data that is not directly related to providing the specific goods and services I am contracting from you.
- Anonymize any and all of my data that you do have to save in order for you to analyze your business and do reporting.
- Let me know what steps you undertake to protect my data. If you feel that may pose a risk, then let me know how you did on your PCI audits. According to the Verizon 2014 PCI Compliance Report, only 11.1% of companies passed all 12 PCI requirements. Of course passing all 12 does not ensure that you will not be breached; it does however show some form of competence and determination.
- PCI results too sensitive to share with the public? Surely there must be some metric you can share for people to gauge third-party trustworthiness online? It is ironic that most companies are drowning in our private data, but can’t share information on what they are doing with it or how they are protecting it because that’s too “sensitive”. That does not seem fair at all.
To the elected officials… How about a little help here?
- Add a section on cyber capabilities as part of the annual reporting requirements for public companies.
- Also, I know you are the one exception that can be trusted with my data. But what happens when you leave office and someone else takes over? You really should not be collecting so much data on innocent people; it’s creepy.