Transcript of Reinstating Trust in the Digital Age
Prof. Jean-Henry Morin, University of Geneva – CUI
Institute of Information Service Science, Faculté des Sciences de la Société
Jean-[email protected]
@jhmorin
Reinstating Trust in the Digital Age
PwC 5th Digital Trust Conference
Geneva
March 17, 2015
Who has NEVER « worked around » security policies to legitimately complete work that systems prevented them from doing?
Security is bypassed, not attacked
Inspired by Adi Shamir, Turing Award lecture, 2002
Foreword: the Human Factor
Outline
• A bit of context and technology
• 3 eras of Trust
• Revisiting technology
• Co-Compliance Principle and Digital Responsibility
• Conclusions & Take Away
• Q & A
Organizations & Corporate Sector: Corporate Security Policies
53% admit circumventing corporate security policies to get the work done (EMC RSA Security, 2008)
Among the most cited reasons justifying circumventing corporate security policies (Cisco, 2008):
a) The policies do not correspond to the operational reality, nor to what is required to get the work done
b) Need to access applications not belonging to, or not authorized by, corporate IT policies in order to work
Consequences: increase in risks and costs
• Requires « creativity » to get the job done!
• Increased stress due to unauthorized actions
• Inefficiencies
• Untraceable transgressions / violations
Information Protection & Control Today
Perimeter based and Access Control Lists (ACL). Beyond? Not much…
[Figure: Mobile Worker – VPN – Corporate Network, with a question mark over what protects content beyond the perimeter]
3 eras of trust
• Before – Suspicion
• Today – Breach of Trust
• Tomorrow – The rise of « informed Trust »
http://eloquentscience.com/wp-content/uploads/2012/05/past-present-future-sign1.jpg
A Paradox
We talked about Trust and Trusted Computing
in the digital age…
…but everything relied on a distrust assumption
http://zatoichi.homeip.net/~brain/TrustedComputing.jpg
Can IT be fixed?
• Acknowledging that:
  • Security is necessary (managed content)
  • Total Security is neither realistic nor desirable
  • Given the right User Experience and Business Models, most users smoothly comply (e.g., iTunes)
  • Most users aren’t criminals
• We need to take a step back to:
  • Critically re-think Security, DRM, Trust
  • Reconsider the debate outside the either/or extremes of total vs. no security
  • Factor in, by design, these issues for the development of systems and services WE all use.
Rethinking & Redesigning
• Acknowledge the central role of the User and User Experience
• Reinstate Users in their roles, rights and responsibilities
• Presumption of innocence & the burden of proof
• Fundamental guiding principle to Rethink and Redesign DRM: Felten’s “Copyright Balance” principle (Felten, 2005)
“Since lawful use, including fair use, of copyrighted works is in the public interest, a user wishing to make lawful use of copyrighted material should not be prevented from doing so by any DRM system.”
• Claim and Proposition:
  • Put the trust back into the hands of the users
  • Reverse the distrust assumption
Requires a major paradigm shift
Rethinking & Redesigning DRM
• Exception Management in DRM environments: mixing water with fire? Not necessarily!
• Reversing the distrust assumption puts the user “in charge”, facing his responsibilities
• Allow users to make Exception Claims, granting them Short-Lived Licenses based on some form of logging and monitoring
• Use Credentials as tokens for logging, to detect and monitor abuses
• Credentials are revocable in order to deal with abuse and misuse situations
• Mutually acknowledged need for managed content while allowing all actors a smooth usability experience
(Morin and Pawlak, 2007, 2008); (Morin 2008, 2009)
Exception Management in « managed content » environments
• Auditable model covering incident and abuse detection as well as revocation
• Burden of proof on the party having a justifiable “claim” regarding abuse or incidents & presumption of innocence
• Monitoring in (near) real time of security policies
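The exception-claim workflow sketched on these two slides (out-of-policy request carries a claim, a short-lived license is granted, the credential doubles as a logging token, claims are counted to detect abuse, and the credential is revocable) as a toy policy engine. This is an added illustration, not Fasoo's Provisional Licensing code nor code from the cited Morin papers; the class and method names, the HMAC tagging of licenses, the 15-minute TTL and the abuse threshold are all assumptions chosen for the example.

```python
"""Toy policy engine for "exception management" in managed-content environments.

Instead of a hard denial, an out-of-policy request can carry an Exception Claim.
The engine then trusts the user but (1) issues only a short-lived license,
(2) tags it under the user's credential so every use is attributable in the log,
(3) counts claims to detect abuse and (4) revokes the credential when abuse is
detected. Constructed illustration; names, TTL and thresholds are assumptions.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

LICENSE_TTL = 15 * 60     # seconds a provisional license stays valid (assumed value)
ABUSE_THRESHOLD = 3       # exception claims allowed per window (assumed value)
ABUSE_WINDOW = 60 * 60    # seconds


@dataclass
class Credential:
    user: str
    key: bytes              # per-user secret: the credential doubles as logging token
    revoked: bool = False


@dataclass
class License:
    user: str
    document: str
    action: str
    issued_at: int
    expires_at: int
    tag: str                # HMAC over the other fields, under the user's credential key


class ExceptionManager:
    """Decides access; out-of-policy requests may be granted as logged exceptions."""

    def __init__(self, policy):
        self.policy = set(policy)   # (user, document, action) triples normally allowed
        self.credentials = {}
        self.audit_log = []         # append-only record of every decision

    def enroll(self, user, key=None):
        self.credentials[user] = Credential(user, key or secrets.token_bytes(32))

    def _tag(self, cred, fields):
        msg = json.dumps(fields, sort_keys=True).encode()
        return hmac.new(cred.key, msg, hashlib.sha256).hexdigest()

    def _log(self, event, user, now, **extra):
        self.audit_log.append({"event": event, "user": user, "at": now, **extra})

    def request(self, user, document, action, now, claim=None):
        """Return ("allowed", None), ("exception", License) or ("denied", reason)."""
        cred = self.credentials.get(user)
        if cred is None or cred.revoked:
            self._log("denied", user, now, document=document, reason="credential")
            return "denied", "no valid credential"
        if (user, document, action) in self.policy:
            self._log("allowed", user, now, document=document, action=action)
            return "allowed", None
        if not claim:
            self._log("denied", user, now, document=document, reason="no claim")
            return "denied", "outside policy and no exception claim filed"
        # Exception claim: presume good faith, but record the claim and bound the grant in time.
        self._log("exception", user, now, document=document, action=action, claim=claim)
        recent = [e for e in self.audit_log
                  if e["event"] == "exception" and e["user"] == user
                  and e["at"] > now - ABUSE_WINDOW]
        if len(recent) > ABUSE_THRESHOLD:
            # Abuse detection: too many claims in the window, revoke the credential.
            cred.revoked = True
            self._log("revoked", user, now, reason=f"{len(recent)} claims in {ABUSE_WINDOW}s")
            return "denied", "credential revoked for abuse"
        fields = {"user": user, "document": document, "action": action,
                  "issued_at": now, "expires_at": now + LICENSE_TTL}
        return "exception", License(**fields, tag=self._tag(cred, fields))

    def verify(self, lic, now):
        """Accept a presented license only if attributable, unexpired and not revoked."""
        cred = self.credentials.get(lic.user)
        if cred is None or cred.revoked:
            return False
        fields = {k: getattr(lic, k)
                  for k in ("user", "document", "action", "issued_at", "expires_at")}
        if not hmac.compare_digest(self._tag(cred, fields), lic.tag):
            return False
        return now < lic.expires_at
```

The design choice worth noting is that revocation invalidates outstanding licenses as well as future claims: `verify` consults the credential, not only the license, so the "burden of proof" shifts to the audit log, where every claim is attributable through the HMAC tag, while the user keeps working in the meantime.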
Technology Transfer: Academic partnership with Fasoo.com
• June 2011: Integration of the Exception Management model as « Provisional Licensing »
• January 2015: 85% of companies using Fasoo Enterprise DRM provide Exception Management
Perspective…
• Take into account the Human Factor by Design (People Centric Security, PCS [T. Scholtz, 2012])
• Data Protection in a digital economy:
  – Awareness raising and training
  – The EU Data Protection reform: re-appropriation of data and personal information by the people
• Public Policies and Digital Governance: Key success factors, Emergency!
To Trust or not to be …
http://world.edu/wp-content/uploads/2013/02/climate-change-skeptics.jpg
Digital Responsibility : Informed Trust & Transparency
Co-Compliance
• Emerging principle relying on « Informed Trust » and « Transparency »
• Co-Compliance (short for collaborative compliance): collaborative, shared responsibility enabled by digital technologies allowing both joint elaboration of a decision or action and the shared evaluation of its result.
Cost: Major paradigm shift!
(Morin, 2014)
Digital Responsibility
Some key characteristics (evolving):
• User Centered Design
• Account for all stakeholders
• Proportionality of the means to engage
• Integrating the Human Factor
• Openness and Transparency
• Sharing and Collaboration
• Limited and humble use of the legal instrument
• Leveraging sustainable public policies
(Morin, 2014)
Conclusion
• Trust assumes leaving to humans the capacity to make free moral decisions (Exception by Design)
• Trust isn’t blind (managed, informed)
• We are facing a MAJOR challenge of our participative digital society
Is a socially responsible and sustainable approach to trust in the digital era possible ?
References
J.-H. Morin, “Rethinking DRM Using Exception Management”, chapter III in Handbook of Research on Secure Multimedia Distribution, S. Lian and Y. Zhang (Eds), Information Science Reference (ISR), ISBN: 978-1-60566-262-6, IGI Global, March 2009, pp 39-54.
http://www.igi-global.com/reference/details.asp?id=33143
J.-H. Morin, “Exception Based Enterprise Rights Management: Towards a Paradigm Shift in Information Security and Policy Management”, International Journal On Advances in Systems and Measurements, ISSN 1942-261X, vol. 1, no. 1, 2008, pp. 40-49.
http://www.iariajournals.org/systems_and_measurements/
J.-H. Morin, “La responsabilité numérique : Restaurer la confiance à l'ère du numérique”, FYP éditions, April 2014.
http://www.fypeditions.com/responsabilite-numerique/
Think(do)Tank on Service Science and Innovation: http://thinkservices.info/ http://thinkdata.ch/
Swiss Digital Agenda National debate: http://NumeriCH.ch/
Let’s be Digitally Responsible! Q & A
Contacts: Prof. Jean-Henry Morin
University of Geneva – CUI, Institute of Information Service Science
Faculté des Sciences de la Société http://iss.unige.ch/
Jean-[email protected]
@jhmorin
http://ch.linkedin.com/in/jhmorin
http://www.slideshare.net/jhmorin
http://jean-henry.com/