One research study suggested that trusting people make better lie detectors than mistrustful ones, though a more rigorous replication later cast doubt on it. The more durable lesson applies in cybersecurity, where professionals who learn to enable risky projects with safeguards add more value than those who simply say "no."

Are Mistrustful People Better at Cybersecurity?

Cybersecurity professionals are paid to worry about all the ways in which the security of data may be put at risk. As a result, people outside the security community sometimes see us as a paranoid bunch. Is being mistrustful a mandatory trait for people in our field? While a healthy dose of caution probably helps, overly cautious people will eschew too many business-enabling activities for the sake of security.

Trustfulness and Lie Detection

A University of Toronto study explored whether mistrustful people (“low trusters”) are better at detecting lies than their more trusting peers (“high trusters”). One might expect that trustful people would be more gullible; however, the research showed that the opposite was true: High trusters were much better lie detectors.

Mistrustful people are suspicious of everything and may shy away from experimentation to avoid exposing themselves to risks. This behavior limits low trusters’ participation in experiences that would develop the social skills to identify lies.

In contrast, high trusters’ less cautious nature allowed them to pursue a greater number of social opportunities. This helped them develop better sensitivity to lies, making it safer for them “to assume that others generally tell the truth because this sensitivity will help detect a lie before a person falls victim to it.”

A more rigorous study published years later didn’t replicate this finding, concluding that a person’s level of trust had little bearing on their ability to detect lies. The idea it raised is still worth considering, even if the data behind it didn’t hold up.

Mistrust and Cybersecurity

I wonder whether similar characteristics apply to the field of cybersecurity. Some of us are more cautious than others. The more cautious ones probably support fewer business ventures than their more trusting peers. As a result, the mistrustful individuals don’t develop the skills for supporting projects with inherent security risks.

Cybersecurity professionals may be seen as paranoid because our default answer tends to be “no” whenever we are asked to approve a project that involves cybersecurity risks. Those who learn how to provide safeguards for risky endeavors tend to provide more value than those who advocate avoiding any business activity with an element of security risk.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. He has built security products and programs from early stage to enterprise scale. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.