The role and importance of trust: A study of the conditions that generate and undermine sensitive information sharing
This article evaluates the role of trust in a specific area of security activity, sensitive information sharing. It begins by exploring the nature of trust, and then highlights, on the one hand, some of the security benefits when trust is evident and, on the other, the risks that can accrue when trust is misplaced. It then reports the findings from an empirical study, discussing how three key elements (process issues, people issues and technology) can, when done well, improve the security of information sharing and indeed create additional security opportunities, and, when done badly, undermine it. In conclusion, the article asserts that the generation of trust is fundamental to effective sensitive information exchange, but that this poses real challenges, including in deciding how much trust is appropriate.
Keywords: trust, sensitive information sharing, information security
The project on which research for this study is based was funded by the Technology Strategy Board (Project TP/400206) and EPSRC. Project partners are: HP Labs, Perpetuity Research Limited, Oxford University, Birmingham University, Aberdeen University and University College London. We would like to thank colleagues from partner organisations who helped us develop the ideas in this article and specifically Philipp Reinecke (HP), Simon Arnell (HP), Ruth Crocker, Charlotte Howell, Sarah Webb (Perpetuity Research) and two anonymous referees for comments on earlier drafts of this article.