Characterising assurance: scepticism and mistrust in cyber security

This paper presents an analysis of recent transformations in cyber security assurance, a field of evaluation that aims to establish whether technical products are secure. I work from a set of narratives about problems with assurance, drawn from interviews with practitioners based in the UK. I focus on characterisation: the stories practitioners tell, the cast of characters that populate them, and how such stories act to problematise the domain. Mistrust, it is argued, can be understood in terms of the capacities of sceptical narratives to efface the power of security certifications to be taken on 'face value.' A text-based view of mistrust is thus developed that can be differentiated from the conventional disposition-centred view. Examining mistrust, then, leads us to ask not how to change dispositions to make them 'more trusting,' but rather to critical questions about the palette of characters that feature in cyber security. I close the essay by offering a commentary on the way characterisation leads to the anticipation of experts in formulations of policy and on the possible 'counter-characterisation' that might be developed, for instance around 'caring' characters.