Are Mistrustful People Better at Information Security?

InfoSec professionals are paid to worry about all the ways in which the security of data may be put at risk. As a result, people outside the security community sometimes see us as a paranoid bunch. Is being mistrustful a mandatory trait for people in our field? While a healthy dose of caution probably helps, overly cautious people will eschew too many business-enabling activities for the sake of security.

Trustfulness and Lie Detection

A recent University of Toronto study explored whether mistrustful people (“low trusters”) are better at detecting lies than their more trusting peers (“high trusters”). One might expect that trustful people would be more gullible; however, the research showed that the opposite was true: High trusters were much better lie detectors.

Mistrustful people are suspicious of everything and may shy away from experimentation to avoid exposing themselves to risks. This behavior limits low trusters’ participation in experiences that would develop the social skills to identify lies.

In contrast, high trusters’ less cautious nature allowed them to pursue a greater number of social opportunities. This helped them develop better sensitivity to lies, making it safer for them “to assume that others generally tell the truth because this sensitivity will help detect a lie before a person falls victim to it.”

Mistrust and Information Security

I wonder whether similar characteristics apply to the field of information security. Some infosec professionals are more cautious than others. The more cautious ones probably support fewer business ventures than their more trusting peers. As a result, the mistrustful individuals don’t develop the skills for supporting projects with inherent security risks.

Information security professionals may be seen as paranoid because our default answer tends to be “no” whenever we are asked to approve a project that involves infosec risks. Those who learn how to provide safeguards for risky endeavors tend to provide more value than those who advocate avoiding any business activity with an element of a security risk.

If this is interesting to you, take a look at my related posting Are Anxious People More Vigilant in Information Security?


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.