By Simon Arnell, Security Analytics Service Director
Over the last year, I've had the opportunity to engage with colleagues within HP Labs to enable the Trust Domains project to have access to select customers and to understand how we within HP Enterprise Security Services can utilize such research to shape our future services. The project has recently published an interim report of its early findings (available here).
How do organizations know they can trust each other – or even trust themselves? This is one of the fundamental questions that a Technology Strategy Board (TSB) funded project called Trust Domains, which HP Labs is leading with partners Perpetuity Research and Consultancy International, University of Aberdeen, University of Birmingham and University of Oxford, is attempting to answer.
Trust Domains is a three-year project, with one year now completed. The overall project goals are to:
- Understand risk associated with information flows
- Contribute to the set of analytic and modeling tools that help stakeholders understand risk
- Improve understanding of risk tradeoffs associated with different security controls
- Develop approaches for mapping from information flows to trust domains
A first deliverable is an empirical study of how organizations think about trust. The findings make compelling reading, more so given that they draw on experiences of information security leaders from both public and private sector organizations.
So what have we learnt so far from the study? The research focuses on fundamental questions that underpin today’s security thinking:
- What are the main risks to organizations when engaging in information exchange
- What constitutes trust in the context of information exchange
- How is trust valued, and how exactly does it reinforce, or indeed undermine, security
- How do organizations use information about each other to enhance confidence and improve interactions
- and finally, how do organizations react when forced to share information in uncomfortable situations
Some of the interim findings, which have recently been published (available here), may sound familiar; others you may find quite surprising. For example, the study tells us that many of the policies that organizations rely on don’t work because they are flawed or not followed. In some cases technology does not take sufficient account of human behavior, and that undermines the effectiveness of trust (domains). In fact, evidence suggests that there are sometimes real limits to the technology being deployed, including the fact that what exists is outdated and/or is no longer (as) fit for purpose.
The development of effective trust domains is complicated by the finding that organizations often don’t know who they are dealing with. While the need to manage trust relationships is a given, the very nature of business entails relying on trust, a contradiction that is not always well thought through. Even organizations that considered themselves risk averse often take risks with the management and exchange of data, not least because staff sometimes seek and find practical ways of circumventing rules that they considered to inhibit the process of doing business.
The empirical study continues, and in Phase II specific instances of information sharing will be explored, in particular where trust underpins the effectiveness of the sharing process.
To learn more about the Trust Domains project visit the HP Labs website.
About the Trust Domains project
The Trust Domains Project is funded by the Technology Strategy Board (TSB). The Project’s aim is to develop “A Framework for Modeling and Designing E-Service Infrastructures for Controlled Sharing of Information.” The Project Partners are: Hewlett-Packard Ltd (Lead Partner), Perpetuity Research and Consultancy International, University of Aberdeen, University of Birmingham and University of Oxford.
About the Technology Strategy Board
The role of the Technology Strategy Board is to stimulate technology-enabled innovation in the areas which offer the greatest scope for boosting UK growth and productivity. The TSB advises the UK Government on how to remove barriers to innovation and accelerate the exploitation of new technologies.