Trust and Trustworthiness
Trust is an important concept related to risk management. How organizations approach trust influences their behaviors and their internal and external trust relationships.
Trust is a belief that an entity will behave in a predictable manner in specified circumstances. The entity may be a person, process, object or any combination of such components. The entity can be of any size from a single hardware component or software module, to a piece of equipment identified by make and model, to a site or location, to an organization, to a nation-state. Trust, while inherently a subjective determination, can be based on objective evidence and subjective elements. The objective grounds for trust can include for example, the results of information technology product testing and evaluation. Subjective belief, level of comfort, and experience may supplement (or even replace) objective evidence, or substitute for such evidence when it is unavailable. Trust is usually relative to a specific circumstance or situation (e.g., the amount of money involved in a transaction, the sensitivity or criticality of information, or whether safety is an issue with human lives at stake). Trust is generally not transitive (e.g., you trust a friend but not necessarily a friend of a friend). Finally, trust is generally earned, based on experience or measurement. However, in certain organizations, trust may be mandated by policy.
Trustworthiness is an attribute of a person or organization that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities. Trustworthiness is also a characteristic of information technology products and systems. The attribute of trustworthiness, whether applied to people, processes, or technologies, can be measured, at least in relative terms if not quantitatively. The determination of trustworthiness plays a key role in establishing trust relationships among persons and organizations. The trust relationships are key factors in risk decisions made by senior leaders/executives.
Establishing Trust Among Organizations
Parties enter into trust relationships based on mission and business needs. Trust among parties typically exists along a continuum with varying degrees of trust achieved based on a number of factors. Organizations can still share information and obtain information technology services even if their trust relationship falls short of complete trust. The degree of trust required for organizations to establish partnerships can vary widely based on many factors including the organizations involved and the specifics of the situation (e.g., the missions, goals, and objectives of the potential partners, the criticality/sensitivity of activities involved in the partnership, the risk tolerance of the organizations participating in the partnership, and the historical relationship among the participants). Finally, the degree of trust among entities is not a static quality but can vary over time as circumstances change.
Organizations are becoming increasingly reliant on information system services and information provided by external organizations as well as partnerships to accomplish missions and business functions. This reliance results in the need for trust relationships among organizations. In many cases, trust relationships with external organizations, while generating greater productivity and cost efficiencies, can also bring greater risk to organizations. This risk is addressed by the risk management strategies established by organizations that take into account the strategic goals and objectives of organizations.
Effectively addressing the risk associated with the growing dependence on external service providers and partnerships with domestic and international public and private sector participants necessitates that organizations:
- Define the types of services/information to be provided to organizations or the types of information to be shared/exchanged in any proposed partnering arrangements;
- Establish the degree of control or influence organizations have over the external organizations participating in such partnering arrangements;
- Describe how the services/information are to be protected in accordance with the information security requirements of organizations;
- Obtain the relevant information from external organizations to determine trustworthiness and to support and maintain trust (e.g., visibility into business practices and risk/information security decisions to understand risk tolerance);
- Appropriately balance mission/business-based requirements to support information sharing while considering the risk of working with competing or hostile entities and the risk that other organizations, while neither competing or hostile, may be a path through which such entities
- Determine if the ongoing risk to organizational operations and assets, individuals, other organizations, or the Nation resulting from the continuing use of the services/information or the participation in the partnership, is at an acceptable level; and
- Recognize that decisions to establish trust relationships are expressions of acceptable risk.
The degree of trust that an organization places in external organizations can vary widely, ranging from those who are highly trusted (e.g., business partners in a joint venture that share a common business model and common goals) to those who are less trusted and may represent greater sources of risk (e.g., business partners in one endeavor who are also competitors or adversaries). The specifics of establishing and maintaining trust can differ from organization to organization based on mission/business requirements, the participants involved in the trust relationship, the criticality/sensitivity of the information being shared or the types of services being rendered, the history between the organizations, and the overall risk to the organizations participating in the relationship.
In many situations, the trust established between organizations may not allow a full spectrum of information sharing or a complete provision of services. When an organization determines that the trustworthiness of another organization does not permit the complete sharing of information or use of external services, the organization can:
(i) mitigate risk, transfer risk, or share risk by employing one or more compensating controls;
(ii) accept a greater degree of risk; or
(iii) avoid risk by performing missions/business functions with reduced levels of functionality or possibly no functionality at all.
The following trust models describe ways in which organizations can obtain the levels of trust needed to form partnerships, collaborate with other organizations, share information, or receive information system/security services. No single trust model is inherently better than any other model. Rather, each model provides organizations with certain advantages and disadvantages based on their circumstances (e.g., governance structure, risk tolerance, and criticality/sensitivity of organizational missions and business processes).
In the validated trust model, one organization obtains a body of evidence regarding the actions of another organization (e.g., the organization’s information security policies, activities, and risk-related decisions) and uses that evidence to establish a level of trust with the other organization. An example of validated trust is where one organization develops an application or information system and provides evidence (e.g., security plan, assessment results) to a second organization that supports the claims by the first organization that the application/system meets certain security requirements and/or addresses the appropriate security controls in NIST Special Publication 800- 53. Validated trust may not be sufficient—that is, the evidence offered by the first organization to the second organization may not fully satisfy the second organization’s trust requirements or trust expectations. The more evidence provided between organizations as well as the quality of such evidence, the greater the degree of trust that can be achieved. Trust is linked to the degree of transparency between the two organizations with regard to risk and information security-related activities and decisions.
In the direct historical trust model, the track record exhibited by an organization in the past, particularly in its risk and information security-related activities and decisions, can contribute to and help establish a level of trust with other organizations. While validated trust models assume that an organization provides the required level of evidence needed to establish trust, obtaining such evidence may not always be possible. In such instances, trust may be based on other deciding factors, including the organization’s historical relationship with the other organization or its recent experience in working with the other organization. For example, if one organization has worked with a second organization for years doing some activity and has not had any negative experiences, the first organization may be willing to trust the second organization in working on another activity, even though the organizations do not share any common experience for that particular activity. Direct historical trust tends to build up over time with the more positive experiences contributing to increased levels of trust between organizations. Conversely, negative experiences may cause trust levels to decrease among organizations.
In the mediated trust model, an organization establishes a level of trust with another organization based on assurances provided by some mutually trusted third party. There are several types of mediated trust models that can be employed. For example, two organizations attempting to establish a trust relationship may not have a direct trust history between the two organizations, but do have a trust relationship with a third organization. The third party that is trusted by both organizations, brokers the trust relationship between the two organizations, thus helping to establish the required level of trust. Another type of mediated trust involves the concept of transitivity of trust. In this example, one organization establishes a trust relationship with a second organization. Independent of the first trust relationship, the second organization establishes a trust relationship with a third organization. Since the first organization trusts the second organization and the second organization trusts the third organization, a trust relationship is now established between the first and third organizations (illustrating the concept of transitive trust among organizations).
In the mandated trust model, an organization establishes a level of trust with another organization based on a specific mandate issued by a third party in a position of authority. This mandate can be established by the respective authority through Executive Orders, directives, regulations, or policies (e.g., a memorandum from an agency head directing that all subordinate organizations accept the results of security assessments conducted by any subordinate organization within the agency). Mandated trust can also be established when some organizational entity is decreed to be the authoritative source for the provision of information resources including information technology products, systems, or services. For example, an organization may be given the responsibility and the authority to issue Public Key Infrastructure (PKI) certificates for a group of organizations.
In general, the trust models described above are not mutually exclusive. Each of the trust models may be used independently as a stand-alone model or in conjunction with another model. Several trust models may be used at times within the organization (e.g., at various phases in the system development life cycle). Also, since organizations are often large and diverse, it is possible that subordinate organizations within a parent organization might independently employ different trust models in establishing trust relationships with potential partnering organizations (including subordinate organizations). The organizational governance structure may establish the specific terms and conditions for how the various trust models are employed in a complementary manner within the organization.
Suitability of Various Trust Models
The trust models can be employed at various tiers in the risk management approach described in this publication. None of the trust models is inherently better or worse than the others. However, some models may be better suited to some situations than others. For example, the validated trust model, because it requires evidence of a technical nature (e.g., tests completed successfully), is probably best suited for application at Tier 3. In contrast, the direct historical trust model, with a significant emphasis on past experiences, is more suited for application at Tiers 1 or 2. The mediated and mandated trust models are typically more oriented toward governance and consequently are best suited for application at Tier 1. However, some implementations of the mandated trust model, for example, being required to trust the source of a PKI certificate, are more oriented toward Tier 3. Similarly, although the mediated trust model is primarily oriented toward Tier 1, there can be implementations of it that are more information system-, or Tier 3-oriented. An example of this application might be the use of authentication services that validate the authenticity or identity of an information system component or service.
The nature of a particular information technology service can also impact the suitability and the applicability of the various trust models. The validated trust model is the more traditional model for validating the trust of an information technology product, system, or service. However, this trust model works best in situations where there is a degree of control between parties (e.g., a contract between the government and an external service provider) or where there is sufficient time to obtain and validate the evidence needed to establish a trust relationship. Validated trust is a suboptimal model for situations where the two parties are peers and/or where the trust decisions regarding shared/supplied services must occur quickly due to the very dynamic and rapid nature of the service being requested/provided (e.g., service-oriented architectures).
- NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View