Are Mistrustful People Better at Information Security?

InfoSec professionals are paid to worry about all the ways in which security of data may be put at risk. As a result, people outside the security community sometimes see us as a paranoid bunch. Is being mistrustful a mandatory trait for people in our field? While a healthy dose of caution probably helps, overly cautious people will eschew too many business-enabling activities for the sake of security.

Trustfulness and Lie Detection

A recent University of Toronto study explored whether mistrustful people ("low trusters") are better at detecting lies than their more trusting peers ("high trusters"). One might expect that trustful people would be more gullible; however, the research showed that the opposite was true: High trusters were much better lie detectors.

Mistrustful people are suspicious of everything and may shy away from experimentation to avoid exposing themselves to risks. This behavior limits low trusters’ participation in experiences that would develop the social skills to identify lies.

In contrast, high trusters’ less cautious nature allowed them to pursue a greater number of social opportunities. This helped them develop better sensitivity to lies, making it safer for them "to assume that others generally tell the truth because this sensitivity will help detect a lie before a person falls victim to it."

Mistrust and Information Security

I wonder whether similar characteristics apply to the field of information security. Some infosec professionals are more cautious than others. The more cautious ones probably support fewer business ventures than their more trusting peers. As a result, the mistrustful individuals don’t develop the skills for supporting projects with inherent security risks.

Information security professionals may be seen as paranoid because our default answer tends to be "no" whenever we are asked to approve a project that involves infosec risks. Those who learn how to provide safeguards for risky endeavors tend to provide more value than those who advocate avoiding any business activity with an element of a security risk.

If this is interesting to you, take a look at my related posting Are Anxious People More Vigilant in Information Security?

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise allow me to create practical solutions that drive business growth.
