Statistical models of trust: TCBs vs. people

Abstract

The processes of granting security clearances to people and accrediting trusted computer systems are compared, both informally and using preliminary mathematical models of risk probabilities. The risk models support the validity of two hypotheses that were previously merely conjectures: (1) in determining an acceptable accreditation range for a computer one need only consider the highest classification of data on it and the least-cleared person using it, (2) that under suitable conditions a cascade (combination) of two trusted systems can be trusted more than either individually. In particular, it is shown that a cascade of two (independently built) B2 systems is as good as one B3 system.<>