Trust as a factor in the information classification process

Abstract: Risk management is an important part of every business. In order to properly conduct it, risk assessment and within it, information classification is needed. The information classification produces a list of information assets and states how they are valued within the organization. That is then used as an important part of the risk assessment process. In order to conduct such a valuation, users are consulted as they often times understand the value of information. However, using the CIA-Triad when communicating has proved to be difficult for users not knowledgeable in information security. Trust as a concept has been proven to have some connection to the concepts of the CIA-Triad and has been proposed as a possible translator in order to ease the communication of information value in the process of information classification. Semi-structured interviews were held with information security professionals in order to further understand the connection between the CIA-triad concepts and trust as well as to gain further understanding in the important parts of information classification. A thematic analysis showed how confidentiality and integrity are prominent factors that connect to trust, with availability, while still being mentioned as having a connection, was not as prominent. Further, the empirical data was used to build a model based on trust and importance that allows for a translation of the CIA-triad concepts. This resulted in a classification-scheme based model that allows trust as a concept to be used as a translator of the CIA-concepts, thus including trust as a concept in the information classification process.