Abstract
Important norms may evolve to be promoted, implemented, and enforced by policymakers; one current example is zero trust. This norm originally arose organically, as a trusted norm among cyber security practitioners. This paper explores a puzzling question: will zero trust continue to be trusted as it evolves as an enforced norm? By leveraging well-established theory on trust, this paper presents a novel approach to allow the study of how actors may trust an evolving norm such as zero trust. The paper first examines the emergence of zero trust. Next, following the SolarWinds breach, state-led policy responses enforcing the adoption of zero trust are reviewed. Key theory on norms and trust is revisited to help create a foundation. Expanding on the integrative processes in trust building together with a comparative assessment of the assumptions in presumptive trust and zero trust, the contribution of this paper lays a foundation by presenting a new approach that enables an assessment of trust in norms (ATiN). This allows the study of trust in discursive organic norms as compared with norms evolving as policy-enforced norms. Findings from a preliminary evaluation illustrate the ability of ATiN to disentangle the elements and processes involved during trust building in a policy-enforced norm. This paper invites other researchers’ interest and calls for a research agenda for trust and norms for cybersecurity, trust and zero trust.
Acknowledgments
The author gives thanks to the anonymous reviewers for their insightful comments, which helped develop and improve this manuscript. Thank you also to BPF colleagues Fred Hansen and Barbara Marchiori de Assis for their valuable discussions. Any mistakes or omissions remain the sole responsibility of the author.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Wylde, A. (2022). Questions of Trust in Norms of Zero Trust. In: Arai, K. (eds) Intelligent Computing. SAI 2022. Lecture Notes in Networks and Systems, vol 508. Springer, Cham. https://doi.org/10.1007/978-3-031-10467-1_51
DOI: https://doi.org/10.1007/978-3-031-10467-1_51
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-10466-4
Online ISBN: 978-3-031-10467-1
eBook Packages: Intelligent Technologies and Robotics (R0)