Are Mistrustful People Better at Information Security?

InfoSec professionals are paid to worry about all the ways in which the security of data may be put at risk. As a result, people outside the security community sometimes see us as a paranoid bunch. Is being mistrustful a mandatory trait for people in our field? While a healthy dose of caution probably helps, overly cautious people will eschew too many business-enabling activities for the sake of security.

Trustfulness and Lie Detection

A recent University of Toronto study explored whether mistrustful people (“low trusters”) are better at detecting lies than their more trusting peers (“high trusters”). One might expect that trustful people would be more gullible; however, the research showed that the opposite was true: High trusters were much better lie detectors.

Mistrustful people are suspicious of everything and may shy away from experimentation to avoid exposing themselves to risks. This behavior limits low trusters’ participation in experiences that would develop the social skills to identify lies.

In contrast, high trusters’ less cautious nature allowed them to pursue a greater number of social opportunities. This helped them develop better sensitivity to lies, making it safer for them “to assume that others generally tell the truth because this sensitivity will help detect a lie before a person falls victim to it.”

Mistrust and Information Security

I wonder whether similar characteristics apply to the field of information security. Some infosec professionals are more cautious than others. The more cautious ones probably support fewer business ventures than their more trusting peers. As a result, the mistrustful individuals don’t develop the skills for supporting projects with inherent security risks.

Information security professionals may be seen as paranoid because our default answer tends to be “no” whenever we are asked to approve a project that involves infosec risks. Those who learn how to provide safeguards for risky endeavors tend to provide more value than those who advocate avoiding any business activity with an element of security risk.

If this is interesting to you, take a look at my related posting Are Anxious People More Vigilant in Information Security?

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
