Essential Trust Analysis

Tuesday, October 26, 2010

Pete Herzog


People are bad at trust.

If you could take a pill which would make you trust everyone and everything much more, would you?

Almost all people asked if they would take a pill to be more trusting clearly stated they would NOT want to take such a pill for fear of being used or abused. Well, one person said he would gladly take it if everyone else had to take it too.

Genetically we are hard-wired to trust. Brain scans indicate that we respond both positively and negatively to trusting certain people based on facial features as well as certain facial expressions.

Brain scans also indicate we are chemically encouraged by our own bodies to trust through a hormone called oxytocin. Oxytocin disrupts the fear-processing of our amygdala and brain stem, making us more trusting.

Furthermore, we can succumb to a trust sickness like Toxoplasma gondii, which affects over 3 billion people worldwide, hitting under-developed nations the hardest. However, rates for developed nations are still between 20% and 30% of the population.

It is a parasite that appears to manipulate human personality by using the same adaptations that normally help it complete its life cycle between cats and rats. Studies, along with brain scans, indicate that an infected person's behavior alters so that they become more active and less cautious, thereby seriously affecting their trust decisions. Infected men are more jealous and suspicious. Infected women are more amorous and outgoing.

How we trust is even affected by childhood. Environments where children are punished for showing sadness or pain contribute to a lack of trust in oneself and an increased emotional reliance on others ("clinginess").

Abuse, deep sadness from tragedy, constant fighting between parents, domestic violence, war, poverty, and parental unemployment will also affect the child's ability to make good trust decisions later in life.

For fair balance (and a little irony), I should mention a fairly recent study at Yale University called "The Seductive Allure of Neuroscience Explanations", which indicated that using neuroscience jargon made unlikely scientific claims more believable. Simply adding the claim that “Brain scans indicate...” made even field professionals more likely to believe strange claims that defy their own field of study.

The paper is built on previous studies which showed:

  • People will believe explanations because they find them intuitively satisfying, not because they are accurate (Trout, 2002)
  • People have difficulty reasoning over explanations (Keil, 2006; Lombrozo, 2006)
  • People generally believe explanations of natural phenomena that invoke purpose or design, even when these are not warranted (Lombrozo & Carey, 2006; Kelemen, 1999)
  • People tend to take longer explanations to be expert explanations (Kikas, 2003)
  • People often fail to recognize circular arguments (Rips, 2002)
  • People are largely unaware of the limits of their own ability to explain many types of phenomena (Rozenblit & Keil, 2002)

We can probably say that trust impacts nearly every decision we make. Trust affects our relationships. Trust is a key component of our security and well-being. But for all its importance, almost everyone still approaches trust from “the gut”. We mostly let our biochemistry call the shots. And we can prove that WE ARE BAD AT DOING IT!

In operational trust analysis, you learn to use logic and reason instead to make a trust decision. It is a new practice developed by ISECOM to explore operational trust in Trusted Computing as part of the EU's Open Trusted Computing (OpenTC) project.

The factual parameters of trust discovered there were further developed into an analysis framework for the OSSTMM 3 and later, by demand, into a learnable skill for critical decision making. From that skill we gain the advantages it brings, such as improved penetration of deception and avoiding bad risks altogether.

This is where Trust Analysis comes in. It's the ability to analyze trust immediately based on information present and reasons to trust. That's why the Certified Trust Analyst is the fastest growing certification course at ISECOM because it's useful to EVERYONE.

In business, trust is considered a good thing to establish because it reduces the cost or resources required to maintain security and controls. So when trust is established in operations, defenses are lowered because the interacting agent is expected to be mostly harmless.

What this means is that the trusted agent is considered secure as long as it continues to behave as expected. However, the trusted agent can fall to an attack, make mistakes, or unknowingly assist an attacker, all without malice and without behaving unexpectedly in any way.

Combine this with the fact that we are bad at making trust decisions and you understand why trust is most often just a hole in operational security rather than an advantage.

Under ISECOM's trust analysis, ten trust properties are quickly applied to a subject, action, or operation to determine how much you know to trust. So you will know if you have reason to trust and if not, what needs to change.

This means that if you were screening passengers to board an airplane, your screening technique does not need to rely on reading micro-expressions to see if they are evil (some studies place that practice at 55% accurate, just slightly more than chance) but rather reading the people's actions against the 10 trust properties to determine if you have reason to trust how they will act on the plane.

This is a step back from analyzing faces in line to a process which can take place before the person even gets to the airport. Additionally, since it is based only on facts, there is nearly no human error, and passengers wrongly held back for lack of information have more time to prove themselves.

Of course trust isn't a one-size-fits-all thing and so trust rules from the properties need to be created for wholly unique operations like passenger boarding. But then those same rules may also apply to nearly any entry-type access situation. As an example, the OSSTMM 3 uses the hiring process and provides multiple trust rules for each property specifically for this purpose.

This would allow an organization to determine not only if the person is trustworthy but exactly how trustworthy and how much access to the organization's resources they should have. Employees can then go through the trust analysis process again annually or even on demand to determine when they have proven themselves and given you more reason to trust them thereby gaining more privileges for themselves.
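To make the process above concrete, here is an added example (my own code, not ISECOM's or the OSSTMM's): it evaluates a constructed set of evidence about an entity against ten trust properties, reports which reasons to trust are still missing (what would need to change), and maps the resulting percentage to an access tier, which is the "exactly how trustworthy and how much access" decision. The property names are the ten OSSTMM 3 trust properties as I recall them; the rule behind each property, the evidence fields, the tier thresholds (only the 90% line comes from this page) and the two sample vendors are all constructed for illustration and would be replaced by the trust rules written for a real operation.

```python
from dataclasses import dataclass


@dataclass
class Evidence:
    """Facts gathered about an entity during screening (constructed fields)."""
    parties_to_trust: int            # how many entities the interaction makes you rely on
    obligations_mutual: bool         # the other side is bound to you as you are to it
    identity_verified: bool          # you can see who or what you are dealing with
    you_can_revoke: bool             # the access is under your control, not forced on you
    clean_history_years: int         # observed past behaviour without incident
    reports_changes: bool            # tells you promptly when its situation changes
    loss_is_compensated: bool        # insurance, penalty clause or escrow covers a breach
    gain_from_cooperation: float     # what the entity earns by behaving as expected
    gain_from_betrayal: float        # what it could earn by abusing the access
    independent_confirmations: int   # references or audits that corroborate the above
    shared_third_party_access: bool  # other parties reach your resources through it


# One constructed rule per property: True means the evidence gives a reason to trust.
# Names are the ten OSSTMM 3 trust properties as I recall them; rules are illustrative.
RULES = {
    "Size":            lambda e: e.parties_to_trust <= 1,
    "Symmetry":        lambda e: e.obligations_mutual,
    "Visibility":      lambda e: e.identity_verified,
    "Subjugation":     lambda e: e.you_can_revoke,
    "Consistency":     lambda e: e.clean_history_years >= 2,
    "Integrity":       lambda e: e.reports_changes,
    "Offsets":         lambda e: e.loss_is_compensated,
    "Value of Reward": lambda e: e.gain_from_cooperation > e.gain_from_betrayal,
    "Components":      lambda e: e.independent_confirmations >= 2,
    "Porosity":        lambda e: not e.shared_third_party_access,
}

# Hypothetical access tiers; 90% is the only figure the post itself mentions.
ACCESS_TIERS = [(90, "full"), (70, "supervised"), (50, "limited"), (0, "none")]


def evaluate(evidence):
    """Apply every rule; returns {property: True/False}."""
    return {name: bool(rule(evidence)) for name, rule in RULES.items()}


def trust_percent(evidence):
    """Share of the ten properties for which there is a reason to trust."""
    results = evaluate(evidence)
    return 100 * sum(results.values()) // len(results)


def missing_reasons(evidence):
    """Properties with no reason to trust yet: what would need to change."""
    return [name for name, ok in evaluate(evidence).items() if not ok]


def access_tier(percent):
    """Map a trust percentage to the widest access tier it justifies."""
    for floor, tier in ACCESS_TIERS:
        if percent >= floor:
            return tier
    return "none"


# Two constructed entities: a new vendor that subcontracts, and a long-standing one.
NEW_VENDOR = Evidence(
    parties_to_trust=2, obligations_mutual=True, identity_verified=True,
    you_can_revoke=True, clean_history_years=0, reports_changes=False,
    loss_is_compensated=False, gain_from_cooperation=50_000,
    gain_from_betrayal=20_000, independent_confirmations=2,
    shared_third_party_access=True,
)
LONG_TERM_VENDOR = Evidence(
    parties_to_trust=1, obligations_mutual=True, identity_verified=True,
    you_can_revoke=True, clean_history_years=5, reports_changes=True,
    loss_is_compensated=True, gain_from_cooperation=200_000,
    gain_from_betrayal=50_000, independent_confirmations=3,
    shared_third_party_access=True,
)

if __name__ == "__main__":
    for label, entity in (("new vendor", NEW_VENDOR), ("long-term vendor", LONG_TERM_VENDOR)):
        pct = trust_percent(entity)
        print(f"{label}: {pct}% -> {access_tier(pct)} access; missing: {missing_reasons(entity)}")
```

Re-running `trust_percent` and `missing_reasons` on fresh evidence is the annual or on-demand re-analysis described above: the long-term vendor sits at 90% with a single named gap (Porosity), so the analysis says both how much access is justified now and precisely what would have to change to earn more.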

Now using reason to control trust will not change your feelings. You may still feel a certain way about something so it is an internal fight between mind and heart. However if you can let yourself analyze the trust then you can choose to accept a risk rather than jumping into the unknown.

While sometimes that may bring adventure, it will often just as likely bring pain. Luckily, humans have evolved the psychological ability to forget most of the misses and remember only the hits. Unfortunately, that's also something fraudsters, advertisers, and even political campaign managers depend on.

The number one question we field at ISECOM is if trust analysis can also be used introspectively to get people to trust you more. Many organizations would benefit from knowing how to mask themselves in some trust properties to appear more trustworthy to those who can't analyze what's wrong or missing.

Since most people only focus on one or two properties when deciding whether or not to trust, this can be used to cloak other intentions. For example, used in couples therapy, the trust properties can be used to examine all the reasons why a person in a relationship should trust their partner instead of the one or two things that make them suspicious. Without that analysis technique, those one or two things may be enough to make someone lose trust.

This is especially hard because people don't all focus on the same things when deciding whether to trust, so where one partner may think they are behaving in a trustworthy way, the other may not see it because they are looking at different actions. This is the same as when companies want to gain your trust. They need only figure out what their key market requires for trust and cloak themselves in it. That is then enough for most people to accept them, even after the trust has been repeatedly broken in other ways.

An interesting case came up at a recent conference on neurobiology where I had the honor of presenting trust analysis. One young lady asked if this can be used for self-help. Could she apply the trust properties to herself to see why she has low self-confidence?

So I asked her questions about herself from each of the appropriate trust properties and she was surprised at how quickly it showed her how much she ignored her own reality. By answering the questions truthfully to herself she was able to see through her own defense mechanisms.

Then again seeing it and doing something about it are very different things. But she had her start. I'm no therapist so I could only wish her luck from there.

Trust is a powerful thing. It affects so much of our lives and what we do. So we can either let the trust we feel ride us or else we learn to ride it. Visit the Certified Trust Analyst page or the OSSTMM 3 for more information.

Rob Lewis I think you are breaking some new ground here Pete.

Question come to mind though. How do your trust property guidelines deal with the possibility that your most trusted staffer, might be compromised? You almost imply that fewer controls are needed when one determines that someone is very trustworthy, yet what if that person becomes a weak link? Do responses kick in for behaviors that are out of the norm?
Pete Herzog Thanks Rob, the trust metrics have had the broadest appeal yet of everything we do. To answer your question, your most trusted staffer may not be so trustworthy because "most trusted" could mean better than the rest but still too untrustworthy for you to give full access to without any controls. However, if your staffer makes it to 90% trustworthiness, which is really hard to get anyway, then you will have almost total reason to trust them. Of those 10 reasons to trust them, that includes knowing if they will change or how they can be corrupted. For example, the military already employs some of these properties in Basic Training to get soldiers to trust one another. Actually, they apply 5 of the 10 trust properties for this to break them all down to make them equals. Now we need only look in the news to see how far 50% will get you. On the other hand, I recently compared this with media reports of terrorist training camp techniques and they employ 7 or 8 of the trust properties. Now if I apply this same thing to an IT infrastructure, I take the prospect of 0-day and other "risks" into a whole new spectrum. I can rate my vendors, cloud providers, partners, and customers on trust and where it is lower than an acceptable value, I control the interactive environment of my infrastructure where they may access. So that you can get an idea of this and try it yourself, I have put up a little cheatsheet of the 10 trust properties here:
Rob Lewis Interesting. This really points out the myopic or shallow consideration that is too often given to such trust issues.

For example, your reply touches on "Transitive Trust", what Ranum calls the silent killer of IT security.
That is where company A is a partner of company B, and B of company C, but A does not know that company C even exists. Due to its relationship with company B, A may be at risk from company C through lax controls in company B, even though there may be no malicious intent from company B.

I can see this particularly useful in cloud security issues. Unfortunately, people are just not asking enough of these kinds of questions.
Pete Herzog True Rob. Transitive trust is specifically mentioned as a fallacy in the OSSTMM 3 chapter on trust analysis. So I can certainly agree there. I do know some companies have applied this metric to the cloud for themselves but that is far, far too few. Oh well, maybe the OSSTMM 3 release will help get people to ask these questions.
Aashish Kunte Interesting! Very informative and nice article. Your 10 trust properties are really interesting!

I was just wondering about external factors like motive and purpose in human acts, which are situational?
And about a first-time association with the trust values, and the change in behaviour pattern due to a threat or a weakness in the system and the human mind?

Pete Herzog Aashish, when we made the trust properties, we looked at reasons to trust. This included motive and purpose. Actually, one of the things we really spent time with is people who trust because they feel they have no other choice, like the movie with the hero hanging on the ledge and only the bad guy is offering a hand to pull him up. Does he take his hand? The flames are getting higher, can he trust he will be pulled up? What does he do? This, for us, is an idealized situation of 'motivation to find "reasons to trust"' instead of relying on gut feelings.

The entire process is to look at acts as situational. Since trust is dynamic, so will be "reasons to trust". This way we can properly react to changes in the person from innocent to threat, even if they themselves don't realize it (they could be being used by the threat). This is how people fall prey to transitive trusts and this method will not allow for that (I trust B and B trusts C but I don't trust C just because B says so). This is especially important when we use this to empower people in relationships who can't or won't see how the person they love is hurting them.
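The transitive-trust fallacy discussed in this thread ("I trust B and B trusts C but I don't trust C just because B says so", and Rob's company C that A does not know exists), as an added example that is not part of the original post, the comments or the OSSTMM: a constructed table of direct trust assessments between hypothetical companies A, B, C and D, a function that counts only the assessor's own evidence, the chained calculation that trust analysis must not do (kept only for contrast), and a function that lists the third parties an organization is exposed to through its partners without ever having assessed them. The percentages, company names and the 70% threshold are all my own constructions.

```python
# Constructed direct assessments: key is (assessor, assessed), value is the
# percentage of reasons to trust the assessor found from its OWN evidence.
# A has assessed only B; it has never looked at C or D.
DIRECT = {
    ("A", "B"): 90,
    ("B", "C"): 80,
    ("C", "D"): 95,
}


def reason_to_trust(assessor, target, assessments=DIRECT):
    """Only the assessor's own assessment counts; no assessment means no reason (0)."""
    return assessments.get((assessor, target), 0)


def transitive_fallacy(assessor, target, assessments=DIRECT, _seen=frozenset()):
    """The calculation trust analysis must NOT do: let B's opinion of C stand in
    for A's by chaining percentages along a path (A->B->C). Kept only to show
    what the fallacy would conclude; a cycle guard keeps the recursion finite."""
    if assessor == target:
        return 100
    seen = _seen | {assessor}
    best = 0
    for (src, dst), pct in assessments.items():
        if src == assessor and dst not in seen:
            best = max(best, pct * transitive_fallacy(dst, target, assessments, seen) // 100)
    return best


def exposure(assessor, assessments=DIRECT):
    """Third parties reachable through the assessor's partners that the assessor
    has never assessed itself: the 'company C you did not know existed'.
    Returns {party: path by which that party reaches the assessor}."""
    found = {}
    stack = [(assessor, [assessor])]
    while stack:
        node, path = stack.pop()
        for (src, dst), _ in assessments.items():
            if src == node and dst not in path:
                new_path = path + [dst]
                if (assessor, dst) not in assessments and dst not in found:
                    found[dst] = new_path
                stack.append((dst, new_path))
    return found


def decide_access(assessor, party, threshold=70, assessments=DIRECT):
    """Gate access on the assessor's own reasons to trust, never on a partner's."""
    return "allow" if reason_to_trust(assessor, party, assessments) >= threshold else "deny"


if __name__ == "__main__":
    print("A's own reason to trust C:", reason_to_trust("A", "C"))      # 0: never assessed
    print("what the fallacy would claim:", transitive_fallacy("A", "C"))  # 72: 90% of 80%
    for party, path in exposure("A").items():
        print(f"A is exposed to {party} via {' -> '.join(path)} without having assessed it")
    print("access for C:", decide_access("A", "C"))
```

The useful defensive output is `exposure`: it turns the silent transitive relationship into a named list of parties that need their own assessment (or whose path through B needs to be cut off by controls on B's access), rather than letting B's 80% quietly become A's 72%.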
Rod MacPherson Another thought provoking article Pete. The more I go back and read your stuff the more I look forward to the chance to meet you at SecTor. Keep up the great work.
Pete Herzog Thanks Rod! I hope to meet you too. Actually, people rarely recognize me let alone talk to me at cons which is why I rarely stick around. So feel free to chat when you see me!