Assessment, trust, and cooperation in IT-security

• Main Author: Weissinger, Laurin Benedikt
• Other Authors: Varese, Federico ; Biggs, Michael ; Dupont, Benoît
• Published: University of Oxford 2018
• Online Access: https://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.757923

This is a study of how IT-Security experts build trust and cooperate within and across organisations. The key research questions are 1) how do these specialists learn to trust others, and 2) why their preferences and strategies evolved the way they did. Using qualitative interviews and quantitative network analysis, the project finds that in this microcosm of risk-aware specialists, cooperation is rational due to complexity and uncertainty, while social control mechanisms are overly costly. In order to ascertain who is trustworthy and skilled, IT-Security specialists take precautions and then screen and probe potential co-operators thoroughly by querying and triangulating multiple information sources. Experts believe that generally, trusting individuals is possible, while they tend not to trust organisations as such, due to their complexity, and their political and economic incentives. Thus, when having to rely on organisations, security experts combine bureaucratic means, like standard compliance and performing audits, with their preferred approach based on interpersonal trust, networks, and individual assessment. Nevertheless, IT-Security experts efficiently manage assessment means and comprehensiveness. The in-depth network study of a security team finds that advice is given based on shared experience and nationality, while friendship nominations are value-driven: besides a strong tendency to not nominate anyone, the smaller group of those who see value in official certifications and education tend to nominate fewer friends, distinctly shunning those who consider these signals unimportant. This finding speaks to the growing institutionalisation and professionalisation of IT-Security caused by sector growth and state in- volvement. Most interviewees oppose this development, which is seen to water down security objectives. This thesis is based on primary data: expert interviews with specialists from over 30 countries, and longitudinal network data from an IT-Security team. The interviews explore how trust and cooperation are established, while the network data are used to quantitatively investigate network evolution.