The word security is simple enough to understand. A subject that is secure is often interpreted as being safe from undesirable events occurring to it. Simple, right? How do we establish security?
To create a level of security in a subject, there needs to be a level of control over the way the subject behaves. If the behaviour is controlled in line with the actions that are interpreted as being secure, then we can say the subject is secure, or has a level of security. Of course, the more we control the subject, the more we can say it is secure. When this occurs, we can say we trust the subject, as its behaviour is controlled in a desirable or intended manner.
Using an individual as the subject, we can further demonstrate the concept of control establishing trust. I can rely on controls such as religion. If the person is of the Catholic faith and their faith is strong, I can have some trust in them, knowing that they are likely to behave in a manner that aligns with the beliefs of their religion, i.e. religion is influencing (controlling) their actions. Another example would be a person who has a good reputation for being honourable, established through a history of such behaviour, which may be dictated by following a code of conduct. The code of conduct would be the control itself. Hence, we see control establishing trust.
Let's tie this back to cyber security, where the subject can be a system, application, component or entire solution. If we can control system A, we can have a level of trust in it. We may put controls in place to govern traffic to and from system A, who can log onto system A, what actions a person can perform on system A, and/or what applications, services and executables can run on system A. The greater the controls, the greater one can trust that the system will behave in an expected manner. If the controls force system A to behave in a secure manner, then we again say that we trust the system to be secure. We see that security equates to, or is achieved through, control. Control itself establishes trust, and trust leads back to security, i.e. the higher the trust, the higher the security.
Showing the relationship between security and trust is important when discussing the different trust models in cyber security. In other blog posts, I go on to explain the zero trust and zones of trust models.
by Security Truth