Sat May 17 10:29:53 PDT 2014

Control Architecture: Trust model: How is trust assessed and managed?


{Businesses, Content, People, Systems} x based on {transparency, historical behavior, transitive trust chains, chain of custody, systematic background checks, psychological factors, external clearances, contracts, nationality, group membership, investigations, credentials, certifications, size, etc.} are trusted for {purposes}.


The parties are trusted for purposes that could result in the identified risk levels based on the identified bases:
Party    | Risk level (purposes) | Trusted based on
---------|-----------------------|-----------------
Business | Low    | Historic behavior (e.g., credit rating and internal experiences) and group memberships (i.e., chamber of commerce, business groups, exchange memberships) or convenience
Business | Medium | Contracts, historical behavior, size (deep pockets), legal suitability
Business | High   | Contracts, transparency, historical behavior, size (deep pockets), legal suitability, systematic background checks, and executive risk acceptance
People   | Low    | Contracts and group membership or transitive trust chains
People   | Medium | Historical behavior, systematic background checks, and contracts
People   | High   | Historical behavior, systematic background checks, psychological factors, external clearances, contracts, and sometimes nationality
Systems  | Low    | Historical behavior, contracts, transitive trust chains (someone told me it was good, a magazine review, etc.)
Systems  | Medium | Historical behavior, transparency, transitive trust chains (authors, reputations, reviews, etc.), chain of custody, contracts
Systems  | High   | Historical behavior, transparency, transitive trust chains (authors), chain of custody, contracts, and certifications (CC, TCSEC, TCG, etc.)
Content  | Low    | Transitive trust chains, transparency
Content  | Medium | Historic behavior (of the source), transparency, chain of custody, group memberships (of the author), credentials (of the author), contracts
Content  | High   | Investigation (scientific demonstrations), historic behavior (of the source), transparency, chain of custody, group memberships (of the author), credentials (of the author), contracts
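The matrix above turns into an enforceable check once each row is written down as the set of bases that must be present. The following is an added example, not code from this page or its author: it encodes the table as a policy, reports which bases are missing for a proposed trust decision, and computes the highest risk level a party may be trusted for on the evidence at hand. The short basis identifiers, the reading of the table's "or" clauses as alternative basis sets, and treating "sometimes nationality" as optional are our own assumptions.

```python
from typing import Dict, FrozenSet, List, Optional, Set

LEVELS = ("low", "medium", "high")

def _alts(*alts: str) -> List[FrozenSet[str]]:
    """Each argument is one alternative: a space-separated set of required bases."""
    return [frozenset(a.split()) for a in alts]

# Party -> risk level -> alternatives; any one complete alternative satisfies the row.
# Identifiers are our own short names for the table's bases (assumption). The table's
# "or" clauses are read as alternatives; "sometimes nationality" is not made mandatory.
POLICY: Dict[str, Dict[str, List[FrozenSet[str]]]] = {
    "business": {
        "low": _alts("historical_behavior group_membership", "convenience"),
        "medium": _alts("contracts historical_behavior size legal_suitability"),
        "high": _alts("contracts transparency historical_behavior size legal_suitability "
                      "background_checks executive_risk_acceptance"),
    },
    "people": {
        "low": _alts("contracts group_membership", "contracts transitive_trust"),
        "medium": _alts("historical_behavior background_checks contracts"),
        "high": _alts("historical_behavior background_checks psychological_factors "
                      "external_clearances contracts"),
    },
    "systems": {
        "low": _alts("historical_behavior contracts transitive_trust"),
        "medium": _alts("historical_behavior transparency transitive_trust chain_of_custody contracts"),
        "high": _alts("historical_behavior transparency transitive_trust chain_of_custody "
                      "contracts certifications"),
    },
    "content": {
        "low": _alts("transitive_trust transparency"),
        "medium": _alts("historical_behavior transparency chain_of_custody group_membership "
                        "credentials contracts"),
        "high": _alts("investigations historical_behavior transparency chain_of_custody "
                      "group_membership credentials contracts"),
    },
}

def missing_bases(party: str, level: str, evidence: Set[str]) -> Set[str]:
    """Bases still needed for the closest alternative; an empty set means the row is met."""
    gaps = [alt - evidence for alt in POLICY[party][level]]
    return set(min(gaps, key=len))

def max_trusted_level(party: str, evidence: Set[str]) -> Optional[str]:
    """Highest risk level the party may be trusted for on this evidence, or None."""
    satisfied = [lvl for lvl in LEVELS if not missing_bases(party, lvl, evidence)]
    return satisfied[-1] if satisfied else None

if __name__ == "__main__":
    # Constructed evidence: a vendor system with references, a contract and some history.
    vendor = {"historical_behavior", "contracts", "transitive_trust", "transparency"}
    print(max_trusted_level("systems", vendor))               # low
    print(sorted(missing_bases("systems", "high", vendor)))   # ['certifications', 'chain_of_custody']
```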
Trust model - What is the basis for trust?


Businesses: Entities not within the direct control of the executive management making risk-related decisions.

Content: The meaningful utility that is being protected by the protection program.

People: Human beings, whether employees, other workers, customers, or anyone else.

Systems: Computers, mechanisms, equipment, and collections thereof, including the things that make them work.

Historical behavior: The history over time of behaviors demonstrated is used, often as the best predictor of future performance.

Transparency: The extent to which process, implementation, and history are available for inspection, and the results of such inspection.

Transitive trust chains: The trust of someone you trust, the enemy of my enemy, a friend of a friend of a friend, etc.

Chain of custody: The custody and control of systems and/or content over the life cycle.

Systematic background checks: Well-defined sets of checks undertaken to find and verify facts about individuals or companies in terms of their past.

Psychological factors: Liking, similarity, behavioral characteristics, looking like others, acting like others, and similar influence properties.

External clearances: Externally defined clearances, such as those granted by governments or partner organizations.

Contracts: Agreements between parties with force of law.

Nationality: The nation someone or something originates from or has been determined to be a member of.

Group membership: Memberships of organizations or groups, such as military organizations, clubs, professional societies, award winners, political parties, etc.

Investigations: Detailed reviews of facts based on defined principles with identifiable error rates and reliability.

Credentials: Government credentials such as badges, licenses, etc., professional certificates, degrees, or other third party accreditations.

Certifications: Trusted Computer System Evaluation Criteria (TCSEC), Trusted Computing Group (TCG), Common Criteria (CC), certified examiners or other professional society or institutional certificates, training certificates, etc.

Size: Depth of financial capacity to handle liabilities, physical characteristics, or other measurable things that justify acceptability of proportional risk.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved