There are quite a few talks at the FIRST conference this week about getting computers to automatically receive, process and distribute information about security events. However I was particularly interested in a session on the human issues that need to accompany any such information exchange.
Organisations, which ultimately means individuals, need to trust one another before information exchange can be effective. Providers of what may well be sensitive information need to trust that the recipients won’t misuse it; and recipients need to trust that providers have gathered and analysed the information accurately so they don’t feel the need to redo all the analysis and duplicate the providers’ efforts. Although anonymity is sometimes suggested as a way to start building trust, it was suggested that this actually produces a slower build-up of trust than if individuals know who is providing the information and who is using it. Instead, a trusted exchange may be easier to establish if it is (initially, at least) narrowly focussed on a common problem that all participants want to solve.
Even a collaboration towards a specific goal is likely to need support to establish and build trust. Using (and abiding by) a clear set of rules on how information may be shared is probably the best known tool. Non-Disclosure Agreements are one possibility, and may be needed if there are legal concerns about sharing, but can be too rigid. The ability to attach distribution rules to individual items using the Information Sharing Traffic Light Protocol may be sufficient to give providers confidence. A good complement to this is to let the provider of information see who has accessed it, both so that breaches of the rules are visible and, I would imagine, to encourage providers that others found their input useful. Having too many passive consumers (“lurkers” or “sinks”) in any information sharing partnership is unhelpful – if hosts can actively seek these out to find out what is preventing them contributing then this can increase both information flow and trust.
On the information consumer side it was suggested that one of the most useful, but also scarce, resources for any information sharing partnership is someone who can ask the right questions, prompting others to look at, and share, their own information in a new light. Having frequently said myself that sharing needs everyone to contribute, it strikes me that insightful questions might themselves be a significant contribution justifying an individual’s and an organisation’s participation. Recipients of information also need to trust the providers, especially if they are going to make technical or business decisions on the basis of the information they receive. That needs a high level of confidence in others’ human and technical abilities, which may well only be possible if organisations share not only their information, but knowledge of how it is gathered and used.
The goal of an effective information sharing partnership was nicely summarised: computers share data, humans share insights and questions.