Sun Sep 14 19:45:16 PDT 2014

Control Architecture: Trust model: How is trust assessed and managed?


Options:

{Businesses, Content, People, Systems} x based on {transparency, historical behavior, expertise, transitive trust chains, chain of custody, systematic background checks, psychological factors, external clearances, contracts, nationality, group membership, investigations, credentials, certifications, size, metadata, form and format, diplomatic analysis, etc.} are trusted for {purposes}.

Decisions:

The parties are trusted for purposes that could result in the identified risk levels based on the identified bases:
Party    | Risk level (purposes) | Trusted based on
Business | Low    | Historic behavior (e.g., credit rating and internal experiences) and group memberships (e.g., chamber of commerce, business groups, exchange memberships), or convenience
Business | Medium | Contracts, historical behavior, size (deep pockets), legal suitability
Business | High   | Contracts, transparency, historical behavior, size (deep pockets), legal suitability, systematic background checks, and executive risk acceptance
People   | Low    | Contracts and group membership, expertise, or transitive trust chains
People   | Medium | Historical behavior, expertise, systematic background checks, and contracts
People   | High   | Historical behavior, expertise, systematic background checks, psychological factors, external clearances, contracts, and sometimes nationality
Systems  | Low    | Historical behavior, contracts, transitive trust chains (someone told me it was good, a magazine review, etc.)
Systems  | Medium | Historical behavior, transparency, transitive trust chains (authors, reputations, reviews, etc.), chain of custody, contracts
Systems  | High   | Historical behavior, transparency, transitive trust chains (authors), chain of custody, contracts, and certifications (CC, TCSEC, TCG, etc.)
Content  | Low    | Transitive trust chains, transparency, metadata
Content  | Medium | Historic behavior (of the source), transparency, chain of custody, group memberships (of the author), credentials (of the author), contracts, metadata, form and format
Content  | High   | Investigation (scientific demonstrations), historic behavior (of the source), transparency, chain of custody, group memberships (of the author), credentials (of the author), contracts, metadata, form and format, diplomatic analysis
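As an added example (not part of the original page), the decision table can be encoded as a policy check that reports the highest risk level a party currently qualifies for and which bases are still missing for a given level. It transcribes the Business, People and Systems rows; reading "A and B, or C" as two alternative evidence sets, and leaving the "sometimes nationality" item out of People/High, are assumptions of this example.

```python
from typing import Dict, FrozenSet, List, Optional, Tuple

Alts = List[FrozenSet[str]]          # alternative evidence sets; any one suffices
LEVELS = ("low", "medium", "high")

def alts(*options: Tuple[str, ...]) -> Alts:
    return [frozenset(o) for o in options]

# Transcribed from the decision table. "A and B, or C" becomes two
# alternatives: {A, B} and {C}. Nationality ("sometimes") is omitted
# from people/high; content rows are omitted for brevity (assumptions).
TABLE: Dict[str, Dict[str, Alts]] = {
    "business": {
        "low": alts(("historical behavior", "group membership"), ("convenience",)),
        "medium": alts(("contracts", "historical behavior", "size", "legal suitability")),
        "high": alts(("contracts", "transparency", "historical behavior", "size",
                      "legal suitability", "systematic background checks",
                      "executive risk acceptance")),
    },
    "people": {
        "low": alts(("contracts", "group membership"), ("expertise",),
                    ("transitive trust chains",)),
        "medium": alts(("historical behavior", "expertise",
                        "systematic background checks", "contracts")),
        "high": alts(("historical behavior", "expertise", "systematic background checks",
                      "psychological factors", "external clearances", "contracts")),
    },
    "systems": {
        "low": alts(("historical behavior", "contracts", "transitive trust chains")),
        "medium": alts(("historical behavior", "transparency", "transitive trust chains",
                        "chain of custody", "contracts")),
        "high": alts(("historical behavior", "transparency", "transitive trust chains",
                      "chain of custody", "contracts", "certifications")),
    },
}

def level_met(party: str, level: str, evidence: FrozenSet[str]) -> bool:
    """True if any alternative evidence set for this level is fully present."""
    return any(alt <= evidence for alt in TABLE[party][level])

def max_trust_level(party: str, evidence: FrozenSet[str]) -> Optional[str]:
    """Highest risk level the party may be trusted for, or None if not even low."""
    met = [lvl for lvl in LEVELS if level_met(party, lvl, evidence)]
    return met[-1] if met else None

def gap(party: str, level: str, evidence: FrozenSet[str]) -> FrozenSet[str]:
    """Smallest set of additional bases needed to reach `level` (empty if met)."""
    return min((alt - evidence for alt in TABLE[party][level]), key=len)
```

The gap function is the practical part: it turns "not trusted for medium" into the concrete list of evidence a reviewer still has to collect.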
Trust model - What is the basis for trust?

Basis:

Businesses: Entities not within the direct control of the executive management making risk-related decisions.

Content: The meaningful utility that is being protected by the protection program.

People: Human beings, whether employees, other workers, customers, or anyone else.

Systems: Computers, mechanisms, equipment, and collections thereof, including the things that make them work.

Historical behavior: The history over time of behaviors demonstrated is used, often as the best predictor of future performance.

Expertise: In the legal realm, this is identified with knowledge, experience, skill, training, and education.

Transparency: The extent to which process, implementation, and history are available for inspection, and the results of such inspection.

Transitive trust chains: The trust of someone you trust, the enemy of my enemy, a friend of a friend of a friend, etc.

Chain of custody: The custody and control of systems and/or content over the life cycle.

Systematic background checks: Well-defined sets of checks undertaken to find and verify facts about individuals or companies in terms of their past.

Psychological factors: Liking, similarity, behavioral characteristics, looking like others, acting like others, and similar influence properties.

External clearances: Externally defined clearances, such as those granted by governments or partner organizations.

Contracts: Agreements between parties with force of law.

Nationality: The nation someone or something originates from, or of which it has been determined to be a member.

Group membership: Memberships of organizations or groups, such as military organizations, clubs, professional societies, award winners, political parties, etc.

Investigations: Detailed reviews of facts based on defined principles with identifiable error rates and reliability.

Credentials: Government credentials such as badges, licenses, etc., professional certificates, degrees, or other third party accreditations.

Certifications: Trusted Computer System Evaluation Criteria (TCSEC), Trusted Computing Group (TCG), Common Criteria (CC), certified examiners or other professional society or institutional certificates, training certificates, etc.

Size: Depth of financial capacity to handle liabilities, physical characteristics, or other measurable things that justify acceptability of proportional risk.

Metadata: Trust in documentary content often relies on metadata, and this metadata should reasonably be used in all cases as a basis for such trust.

Form and format: The form and format of content must be compatible with interpretive mechanisms in order to assure proper operation and verify identified assertions.

Diplomatic analysis: In-depth analysis of consistency with the methods of creation, use, ingestion, curation, storage, transmission, retention, transformation, disposition, and all other aspects of the life cycle in context (i.e., the nature of the discourse relative to the domain of discourse for form and content) is used to establish trust in content.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved