The Most Sensitive Fact Is Often the Relationship

Ordinary facts become dangerous when they reveal who trusts whom, who can reach whom and where private authority actually sits.

The answer

Security programmes protect documents. Adversaries study relationships. The distinction is decisive. A travel itinerary may be sensitive, but the name of the person who can change it at midnight may be more useful.

Security programmes protect documents. Adversaries study relationships.

The distinction is decisive. A travel itinerary may be sensitive, but the name of the person who can change it at midnight may be more useful. A cap table matters, but the relationship between the principal, outside counsel and the administrator may reveal how an exception will be approved. A family photograph may disclose little on its own; the repeated presence of a particular aide, school or aircraft operator can expose the operating graph.

Why relationship data compounds

Most individual facts are ambiguous. Relationships reduce ambiguity. They reveal who is trusted, who is peripheral, which entity is active, how decisions move and where pressure can be applied. This is why a string of harmless observations can produce an actionable picture without any single system being breached.

Modern search and generative tools accelerate the assembly. They can connect archived biographies, corporate filings, image captions, leaked address books, event lists and social interactions into a plausible model of private authority. The model does not need to be perfectly correct. It only needs to be good enough to choose a convincing pretext.

The relationship attack path

A common sequence looks mundane:

- Observe a recurring relationship between the principal and a trusted operator.

- Identify a live event: travel, closing, dispute, medical issue or personnel change.

- Impersonate a peripheral participant who plausibly needs help.

- Use true relationship details to defeat normal scepticism.

- Escalate through urgency until an exception reveals access, money or more intelligence.

Controls aimed only at passwords will miss this. The decisive control may be a verification rule for unusual requests, a prohibition on relationship details in public biographies, or a staff habit of treating context as untrusted.

Map the graph that matters

Do not attempt to catalogue every acquaintance. Map relationships that carry authority or reveal routine. Start with five node types: principals, family, operators, advisers and institutions. For each edge, record what an observer could infer: money movement, travel control, identity recovery, legal instruction, medical access, calendar control or physical access.

Then identify the bridges—people who connect otherwise separate worlds. Executive assistants, chiefs of staff, family-office generalists, household managers and external counsel often carry extraordinary contextual power while receiving ordinary security treatment.

Relationship minimisation

The answer is not to erase every association. It is to reduce unnecessary proof. Remove stale biographies, avoid naming operational intermediaries without purpose, separate public and recovery contact details, and stop publishing organisational diagrams through event pages and copied email chains.

Internally, treat relationship context as a security factor. A request that correctly names three trusted people is not necessarily more credible; it may be evidence that the pretext was researched.

Relationship exposure card

For each critical relationship, answer four questions: What does the public know? What could a vendor infer? What would make an impersonation believable? Which independent channel can disprove it? If the fourth answer is “ask another person in the same compromised chain,” the relationship has no real control.

Sources

  1. Swiss NCSC — Social engineeringSwiss NCSC

    Primary authority

  2. Swiss NCSC — CEO fraudSwiss NCSC

    Primary authority

  3. NIST — Digital Identity GuidelinesNIST

    Primary authority

Ross BelhommePartner, Svperior / Legal

Jonathan P. De Collibus

Jonathan co-founded Svperior in 2014 and leads its cyber practice. His work sits where adversarial pressure, technical architecture, and consequential decisions meet, with experience across clinical, financial, public-sector, and private-client systems where confidentiality, continuity, and technical correctness carry material consequences.

Cyber strategy / Adversarial assessment / Security architecture / Private systems

Need to apply this to a specific situation?

Send us the initial context. If the matter fits, we will respond directly.

Send private inquiry