[BreachExchange] Why security is really all about trust

Audrey McNeil audrey at riskbasedsecurity.com
Thu Mar 10 19:20:48 EST 2016


http://www.infoworld.com/article/3041492/security/why-security-is-really-all-about-trust.html

Security isn’t black and white. It isn’t a choice between full security and
no security -- it’s a continuum with a lot of gray in between.

Full security, even if achievable, would “secure” things beyond the realm
of reasonable usability. But even then hackers would find a way in.

Usable security comes down to a single feeling: trust.

Trust makes our world mostly normal and livable. In one of Bruce Schneier’s
books (I forget which) he wrote about the societal trust in everyday acts
like ordering pizza. The pizza company trusts you’re going to pay when the
pizza is delivered. The driver trusts that you’re going to pay and tip, and
you won’t harm him or her. The customer trusts that the pizza will match
the order -- and trusts the delivery driver, a stranger, enough to open
their door. Without such pervasive trust, everyday life would be impossible.

The issue is dogging Uber and other tech companies right now: Uber wants
its customers to feel safe enough to hop into a stranger's car, despite
horror stories stemming from a few bad apples. Apple, and nearly every
other big name in the IT industry, is fighting the feds so that customers
feel they can safely store private information. Every software vendor works
hard against bugs and hackers to keep the trust of their customers.

Once trust is harmed, it can be impossible to regain. Ask anyone who’s ever
been cheated on.

To curry trust, companies have to address several components, including
security, compliance, privacy, and transparency.

Trust factor No. 1: Security

The base component of trust in the security world is, of course, good
security. Customers want to be assured that a product won’t open the door
to random hacking, harassment, and unauthorized activity. When a piece of
software or hardware gets hacked too many times, customers look elsewhere.

Security doesn’t have to be perfect. In fact, the product itself can
survive with hundreds to thousands of bugs, year after year. It all depends
on whether those defects result in harm to the customer. As long as
relatively few people get hacked or bothered, most people will keep on
using it. On the same note, you can have a secure product with only a few
bugs -- but if one of them gets badly abused, it could be game over.

Security is rarely a selling point. Most people choose cool features over
security. But a lot of exploits over time or one bad exploit that impacts a
lot of people can damage a whole bunch of trust. Without security as the
foundation, trust is impossible.

Trust factor No. 2: Compliance

Computer products need to comply with basic societal norms, human rights,
national and local laws -- and government regulations if applicable.
Interestingly, different cultures have different expectations. In China,
people accept that it is legal for their government to monitor every
digital transaction they make (although some use proxies to get around the
country’s censoring firewalls).

In the United States, people accept far more business ownership of their
personal data, with few meaningful restrictions, than their European
counterparts. Other countries, such as India, accept that bribes are a normal
way of doing business for everything from paying your taxes to operating a
business. Every country has its own idea of what is just and fair, but the
people expect that every vendor doing business in their country comply with
the federal and local laws.

Trust factor No. 3: Privacy

Customers expect that their private information will not be shared without
consent. This is true even of countries where the government and businesses
know almost everything about each individual. People may accept sharing
their information with business and government, but they don’t want their
friends and neighbors to have the same access.

This expectation of privacy is one of the newest components of trust, one
that many companies are only now coming to grips with. But it’s huge. Users
want to be able to control how much of their data is accessed and where it
goes. Many of the smartest companies, not directly in the data collection
business, are realizing that the smartest privacy strategy is to collect
the least amount of personal data possible. The less personal information
they have, the less they have to protect, and the less that can be stolen.

Trust factor No. 4: Transparency

More and more, people expect governments and companies to be more
transparent about what they collect and when. There's a growing expectation
that governments and companies must post their information collection
policies in an easily accessible place, though this applies more to
companies than to governments.

Other trust components

Security, compliance, privacy, and transparency are the foundations of
trust in computer security, but there are two more: expectations and
perception.

Overall, trust is a matter of expectations. Yes, different countries have
different expectations. But it’s the communication, transparency, and
acceptance of those guidelines that creates expectations, and it ultimately
determines whether trust succeeds or fails.

Perception is reality. Many businesses die failing to recognize this. It
doesn’t matter how trustworthy a product is if consumers view it as
untrustworthy.

Our world is replete with examples of a tiny fraction of vocal observations
turning into a global meme. It happens in politics all the time. A
politician or candidate does one little thing (spell "potato" wrong, yell
during a big win, speak Mandarin to Chinese people), and suddenly many
people see the politician through the lens of the one incident. No wonder
politicians give us canned, measured speech.

Perceptions can harm better security. I work at a software company where
occasionally an update patch will cause operational issues in a small
number of computers, often unrelated to the patch. But a few dozen
complaints get amplified in the media, including this publication, and the
next thing you know tens of millions of people stop applying the patch.

Gaining and keeping trust

A big part of gaining and keeping trust is to continuously foster an
environment where trust is valued and communicated to everyone
participating. Consumers will forgive occasional or even ongoing issues if
enough goodwill has been earned to show the company cares about the
customer.

The more I analyze computer security, the more I realize it’s not about
numeric bug counts ... or security at all. It’s more about intent and
trustworthiness, and every component that makes up that trustworthiness,
largely led by perceptions. Long-term, established trust sells, regardless
of the underlying security posture. Everything else is background noise.