I was reading a post over at Layer8 and it got me thinking about trust. Shrdlu attended a talk by Larry Ponemon where he took away this little tidbit:

The trust given to an organization depends not only on how well it protects information, but also on how transparent it is.

A long time ago I spent some time thinking about trust and digital relationships. I broke it down into three components: Intent, Capability, and Communications:


  1. Intent: How an organization (or person) intends to act within a relationship. This is their true intent, not necessarily what they communicate as their intent. For example, we collect credit card data solely to perform online transactions, and will protect it from unauthorized disclosure.
  2. Capability: Does an organization have the capability to meet its intent? For example, it may collect card numbers and use them only for transactions, but rely on security controls that could not stop a targeted attack.
  3. Communications: Does an organization effectively and accurately communicate its intentions and capabilities?

If any of these factors fails, so does trust. Let’s look at some examples in the security world.

Some vendors, I don’t even need to bother naming them, make outlandish claims about the security of their products that do not reflect reality. Then, when breaches occur, they spin the facts rather than admitting to an honest mistake. Result? No one trusts those vendors anymore.

I remember our hometown bank as a kid. We’d walk in and it was all marble and stone, with a huge walk-in vault surrounded by guards at the far end. Placing the vault where customers can see it doesn’t improve security, but it clearly communicates a capability to protect your money. These days, no one cares. Why? The world changed and with the FDIC and electronic banking we are far less concerned about a bad guy with a mask stealing our money. Heck, they could steal the entire bank, foundation and all, and we still wouldn’t be out a dime.

Breach disclosure is another example of trust. If a company loses my personal information and clearly communicates how it was protected, how it was lost, and a reasonable plan for preventing a recurrence, I am not very likely to leave them. If, on the other hand, they attempt to cover it up, shift blame, or clearly lie about their intent or capability to protect my information, I am far more likely to switch to another provider.

A privacy example? Years ago I cancelled my Amazon account after they changed their privacy policy and started sharing my data. The policy in effect when I signed up stated my information would be kept private. They then summarily changed it without my permission. They clearly either lied about, or changed, their intent, and lost me as a customer. It took me 5 years before I bought from them again.

It’s very simple: trust is built on what you intend to do, your ability to do it, and your ability to communicate both.