TY - JOUR
T1 - Trust as a Human Factor in Holistic Cyber Security Risk Assessment
AU - Henshel, D.
AU - Cains, M. G.
AU - Hoffman, B.
AU - Kelley, T.
N1 - Publisher Copyright: © 2015
PY - 2015
Y1 - 2015
N2 - Holistic assessment of cyber security risks is a complex multi-component and multi-level problem involving hardware, software, environmental, and human factors. As part of an on-going effort to develop a holistic, predictive cyber security risk assessment model, the characterization of human factors, which includes human behavior, is needed to understand how the actions of users, defenders, and attackers affect cyber security risk. The work group developing this new cyber security risk assessment model and framework has chosen to distinguish between trust and confidence by using “trust” only for human factors, and “confidence” for all non-human factors (e.g. hardware and software) in order to reduce confusion between the two concepts within our model. We have developed an initial framework for how to incorporate trust as a factor/parameter within a larger characterization of the human influences (users, defenders and attackers) on cyber security risk. Trust in the human factors is composed of two main categories: inherent characteristics, that which is a part of the individual, and situational characteristics, that which is outside of the individual. The use of trust as a human factor in holistic cyber security risk assessment will also rely on understanding how differing mental models and risk postures impact the level of trust given to an individual and the biases affecting the ability to give said trust.
AB - Holistic assessment of cyber security risks is a complex multi-component and multi-level problem involving hardware, software, environmental, and human factors. As part of an on-going effort to develop a holistic, predictive cyber security risk assessment model, the characterization of human factors, which includes human behavior, is needed to understand how the actions of users, defenders, and attackers affect cyber security risk. The work group developing this new cyber security risk assessment model and framework has chosen to distinguish between trust and confidence by using “trust” only for human factors, and “confidence” for all non-human factors (e.g. hardware and software) in order to reduce confusion between the two concepts within our model. We have developed an initial framework for how to incorporate trust as a factor/parameter within a larger characterization of the human influences (users, defenders and attackers) on cyber security risk. Trust in the human factors is composed of two main categories: inherent characteristics, that which is a part of the individual, and situational characteristics, that which is outside of the individual. The use of trust as a human factor in holistic cyber security risk assessment will also rely on understanding how differing mental models and risk postures impact the level of trust given to an individual and the biases affecting the ability to give said trust.
KW - Confidence
KW - Cybersecurity
KW - Expertise
KW - Model
KW - Parameters
UR - https://www.scopus.com/pages/publications/85009996978
U2 - 10.1016/j.promfg.2015.07.186
DO - 10.1016/j.promfg.2015.07.186
M3 - Article
AN - SCOPUS:85009996978
SN - 2351-9789
VL - 3
SP - 1117
EP - 1124
JO - Procedia Manufacturing
JF - Procedia Manufacturing
ER -