In security circles we tend to treat trust as a binary property: either we trust someone or we don't, and the way we apply security controls tends to mirror this. Surely our controls should reflect that there are degrees of trust. I trust a very small number of close friends with some aspects of my personal well-being, and they trust me in return. I extend lesser degrees of trust to those with whom I have a lesser relationship.
I may trust those I work with to keep information confidential, but I am sure that, given sufficient incentive, many people's trustworthiness would be diminished.
Effective security is rarely binary – it’s subjective.
Classifying information by its value and sensitivity allows controls proportionate to that classification to be applied. How many organisations actually classify information according to these principles? I have worked with some very large companies that have tried to classify their data; rarely (outside the military) has it succeeded.