Modelling Trust and Trust-Building Among IT-Security Professionals How Do Practitioners Find Out Whom to Work With?

By analysing cyber-security as a private protection market, and linking it with technological aspects and the dominating risk-environment, valuable insights into its workings can be gained, particularly when it comes to non-or semi-technical factors. Using high-granularity, empirical interview data (n = 140) as input, this paper presents insights about trust, signalling and cooperation among practitioners in the context of a complex field. At the moment, trust-building in the cyber-protection business is very personalised. Due to complexity and uncertainty, cooperation is based on social networks and reputation, while institutional signals are less significant than in other high-risk areas. While more research is necessary to unpack this issue, the analysis provides some understanding of how the field and technological aspects shape protection-market conditions, and how preferences regarding signalling and assessment change in practice according to the actors and organisations involved in a given situation. Evaluating other actors is generally based on above-mentioned personal factors, rather than institutional signalling.