A Fragmented Whole: Cooperation and Learning in the Practice of Information Security

Of the many problems faced by the field of information security, two are particularly pressing: cooperation and learning. To effectively respond to threats and vulnerabilities, information security practitioners must cooperate to securely share sensitive information and coordinate responses across organizational and territorial boundaries. Yet there are insufficient numbers of personnel who have learned the competencies necessary to build information security teams.

Current policy responses to these issues treat cooperation and learning as independent problems to be dealt with through institutional arrangements. In this view, cooperation may be enabled by industry associations or government agencies that act as hubs for coordination and information sharing; and learning may be addressed by appropriate degree and certification programs. In contrast, we argue that cooperation and learning in information security are fundamentally connected problems which must be addressed together.

Through ethnographic and survey research, we found that information security relies to a significant degree upon interpersonal trust relationships - rather than only institutional arrangements - for both cooperation and learning. The more sensitive the information to be shared (as is typically the case with novel threats and vulnerabilities), the more likely it is that cooperation will take place within tightly bounded trust circles, in which participants know and trust each other. Learning the more sophisticated competencies of information security relies upon access to these bounded social contexts, in which skills and knowledge circulate securely. In order to cooperate effectively and engage in more sophisticated learning, information security practitioners must build their connections to the interpersonal trust relationships that structure the field of information security. Our research indicates that institutional arrangements can provide the foundations for interpersonal trust relationships, but cannot substitute for them; just as interpersonal trust relationships cannot substitute for the functions that institutional arrangements offer.

Information security is a fragmented whole, composed of strongly bounded, sparsely connected trust groups and organizations that seek to ensure the trustworthiness of participants. We suggest a substantially different set of policy interventions to support cooperation and learning in information security, focusing upon building interpersonal trust relationships, as much as on building institutional arrangements. Our recommendations include suggestions for stronger information sharing communities, for building relationships between educational institutions and information security practitioners, and for supporting diversity.