Trust. Most people understand the concept of “trust”, but most people are also at somewhat of a loss for words when asked to define that concept, especially in terms of on-line transactions and digital identities.
I mentioned recently that I’m involved with the Identity Ecosystem Steering Group (IdESG), part of the US government’s National Strategy for Trusted Identities in Cyberspace (NSTIC). What’s startling, when I think about it, is that the concept of “trust” hasn’t been discussed – or even alluded to – in the approximately 4 to 6 hours per week of meetings I’ve participated in over the past two months.
So, just what is “trust”?
Merriam-Webster on-line defines it as “Trust: assured reliance on the character, ability, strength, or truth of someone or something.” Most of us might agree with that, at least as we use the term “trust” in our daily, not-on-line life.
But currently, for the IdESG, the US National Institute for Standards and Technology (the government caretaker for NSTIC) has a more internet-oriented definition: “Trust: A characteristic of an entity that indicates its ability to perform certain functions or services correctly, fairly, and impartially, along with assurance that the entity and its identifier are genuine.” [NIST SP 800-130]
In life outside the ‘net, the concept of identity assurance of those entities we trust rarely comes up. We know and recognize our friends, relatives and institutions (bank, post office, workplace, church, school, etc.) because we see them, or visit them, frequently enough. On-line, though, it’s different - as New Yorker Magazine cartoonist Peter Steiner so famously pointed out back in 1993.
So people who are on line want to be able to instantly “trust” a web site they connect to. And the web sites want to instantly “trust” the people who connect to them. The Holy Grail of the internet is finding a way to indicate that that instant trust is warranted.
There are two attributes of trust that we should consider at this point, one is readily understood while the second is more honored in the breach.
First, trust is binary – either you trust someone or something or you don’t. There’s no partial trust. But, secondly, trust is not absolute – there are parameters, filters, boundaries to that trust. Often these are implied by the context in which you use the word “trust”. For example, you might say to your friend Jane: “would you pick up a housewarming present for Alice? I trust you implicitly.” What you’re trusting is: a) Jane’s taste in gifts is similar to your own; and 2) Jane knows Alice well enough to know what she would like. You’re not implying, though, that you would trust Jane to watch your plants/pets while you go away, have an intimate meal with your boyfriend, or write the report your boss is expecting tomorrow. Jane isn’t you and she won’t do everything exactly the way you would (well, except maybe that boyfriend dinner – but that wouldn’t be what you want, either!). The point is that there are limits on the trust we have in other entities.
Another example: when I go to the Post Office and hand a letter to the clerk, I trust it will be delivered to the addressee in a timely fashion, consistent with the class of service I’ve chosen. But I wouldn’t hand the clerk some money and ask him to pick out a birthday card, sign my name and send it to Bill.
One more example: when I go to the jewelry store I’ll often find the door is locked and I need to press a button to ring a bell. After a moment, the door unlocks and I enter – the jeweler has decided to trust that I will not try to rob him. This is much closer to what we’re looking for on the web.
It really isn’t “trust” – it’s risk assessment. The jeweler has watched me, seen my appearance and body language and decided that I am “trustworthy” or, at least, a low risk. It may be that my race, hair and dress meet some pre-conceived notion of trustworthy in his mind (i.e., what we call a prejudice), but that is how he evaluates risk.
Finally, when I go to the bank to take out a loan, the banker will examine my banking history, my credit score, perhaps Google my name to see what news or gossip is available about me – in a word, he looks at my reputation. From this he decides whether or not to issue the loan, that is, whether or not he believes I will repay the loan. It’s really another form of risk assessment.
Trust begins with risk management. At KuppingerCole, we’ve written quite a bit about risk management – from the recent posting by my colleague Martin Kuppinger, to an extensive report describing our view on a GRC (Governance, Risk and Compliance) Reference Architecture, so I won’t go into detail on that, but will say a bit more about the relationship of Risk Management and Trust.
Risk Management is an analog function – the amount of risk varies along a line. Trust, as we noted above, is a binary function – either you trust or you don’t. So how can we connect the two? It’s not really difficult. Risk assessment, according to Wikipedia, is “the determination of quantitative or qualitative value of risk related to a concrete situation and a recognized threat (also called hazard). Quantitative risk assessment requires calculations of two components of risk (R):, the magnitude of the potential loss (L), and the probability (p) that the loss will occur.” While it may seem simplistic to reduce risk to a mathematical function, this does in fact lend itself well to computational “trust”. It simply means setting the “trust threshold” as a number – if the calculated risk is below that number then Trust is extended. If not, then not.
See how easy that is?
Well, that is easy. But calculating “p”, the probability that a loss will occur, is the hard part. Yet we do it all the time in non-cyberspace. In the examples above, when I ask Jane to pick a gift for Alice I know approximately how much she’ll spend (L – the potential loss) and, based on previous experience, I know that the probability that the loss will occur is extremely small. Let’s say L = $50 and p = 1% so my risk would be (.01 x 50), 50 cents, well below my trust threshold.
When I visit a new website that asks for personal information, what’s the value of my potential loss? And how do I judge the probability of that loss? With Jane, I based the probability on experience, in other words on reputation. Can I form an opinion on the reputation of the website? Possibly – by visiting other web sites which review sites, rate sites or provide badging for sites. For example, go to Maimeo’s Memories, scroll down and on the bottom left click on the “upfront” button. You’ll see a popup with relevant information about the site and know that it’s been verified by “The Find,” an internet shopping and badging authority. Of course, if you aren’t familiar with The Find’s “Upfront” program, then the badge may mean nothing at all to you.
What’s it all mean?
In the end, we know that Trust is a binary condition that has attributes – you trust “an entity” for “a task”. Trust on-line can be calculated by doing a risk assessment (amount of loss times probability of loss) and seeing if the product of that assessment is lower than your pre-set “trust threshold”. Calculating the probability of loss involves factoring in experience or reputation. So, when you get to the bottom of it, trust is inextricably tied up with reputation.
But how can we assess or calculate reputation? Well, that’s a story for another day.