The inherent assumption of security

This post is more of an observation than some of my other posts. It's based around a theory that I have, which I call "the inherent assumption of security". Basically, as human beings, evolution has taught us to trust people: we seek out others who have the same social and moral standings that we hold, we seek friendship with people who have the same interests, and as we spend more time with these people we create bonds and ultimately we trust each other. It is only when we are cheated or tricked that we become more cautious and aware, which in turn leads us to be more careful in the future.

So what does this have to do with infosec? I often see the following scenario cropping up on my Twitter feed: a person sitting across the table from you on the train gets up to go to the toilet and asks you to keep an eye on their laptop, and of course we are inclined to say yes. We say yes because, again, as human beings we want to help, but also because, well, it's a train, and unless it's about to be your stop, the chance of you trying to steal the laptop and run off the train is pretty slim. Now try to put yourself in the other person's shoes: why did they ask you in the first place? Was it because you looked trustworthy? (How do you determine who is and isn't trustworthy? You can't simply go on looks alone.) Was it because you chatted or made small talk across the table? Is it because you are also a computer user? I guess there is no hard and fast answer to these questions, and the point I am trying to make is that it doesn't matter where we are or what we are doing, there is always an inherent assumption of security whereby we trust people or they trust us.

To put things in context, during a visit to my local bank, I was invited to chat with an adviser about my current banking needs. This took place in an office away from the main bank tellers. As I was a customer of the bank, the adviser obviously did not view me as a risk or a threat, and as a result I was left alone for a period of approximately 5-10 minutes with access to a PC which had been left signed in and unlocked. Why not lock the PC? Too much hassle to sign in again? A simple mistake? I wasn't viewed as a threat due to being a customer? Without actually asking, all I can assume is that I was deemed trustworthy in this situation as I was already a customer.

Like I said at the start, this post is more of an observation rather than a technical post; however, I would encourage you to see if you can spot my theory when you're out and about.