I was reading a post over at Layer8 and it got me thinking about trust. Shrdlu attended a talk by Larry Ponemon where he took away this little tidbit:
The trust given to an organization depends not only on how well it protects information, but also on how transparent it is.
A long time ago I spent some time thinking about trust and digital relationships. I broke it down into three components: Intent, Capability, and Communications:
- Intent: How an organization (or person) intends to act within a relationship. This is their true intent, not necessarily what they communicate as their intent. For example, we collect credit card data solely to perform online transactions, and will protect it from unauthorized disclosure.
- Capability: Does an organization have the capability to meet its intent? For example, does it collect card numbers and use them only for transactions, yet rely on security that could not stop a targeted attack?
- Communications: Does an organization effectively and accurately communicate its intentions and capabilities?
If any of these factors fails, so does trust. Let’s look at some examples in the security world.
Some vendors, I don’t even need to bother naming them, make outlandish claims about the security of their products that do not reflect reality. Then, when breaches occur, they spin the facts rather than admitting to an honest mistake. Result? No one trusts those vendors anymore.
I remember our hometown bank as a kid. We’d walk in and it was all marble and stone, with a huge walk-in vault surrounded by guards at the far end. Placing the vault where customers can see it doesn’t improve security, but it clearly communicates a capability to protect your money. These days, no one cares. Why? The world changed, and with the FDIC and electronic banking we are far less concerned about a bad guy with a mask stealing our money. Heck, they could steal the entire bank, foundation and all, and we still wouldn’t be out a dime.
Breach disclosure is another example of trust. If a company loses my personal information and clearly communicates how it was protected, how it was lost, and a reasonable plan for preventing a recurrence, I am not very likely to leave them. If, on the other hand, they attempt to cover it up, shift blame, or clearly lie about their intent or capability to protect my information, I am far more likely to switch to another provider.
A privacy example? Years ago I cancelled my Amazon account after they changed their privacy policy and started sharing my data. The policy in effect when I signed up stated my information would be kept private. They then summarily changed it without my permission. They clearly either lied about, or changed, their intent, and lost me as a customer. It took me 5 years before I bought from them again.
It’s very simple: trust is built on what you intend to do, your ability to do it, and your ability to communicate both.
3 Replies to “On Trust”
I understand what you mean but still I feel there is a difference between having the capability (or capacity) to do something, and actually doing it. People have the capability to pick up their laptops before leaving taxis, but still they sometimes forget and leave corporate assets on the back seat.
It’s just a matter of semantics really. Your points about trust are well put.
G.
@Gary. I think that failure to execute falls under Capability. After all, you wouldn’t say that someone had capability if they bought a lot of gear and software and left them in the boxes…
I wonder if there ought to be a fourth side to your triangle (!) for ‘performance’ (or something similar). An organization might have the *intent* and *capability* to secure PII but, for whatever reason, it doesn’t do so. Perhaps the security controls fail in practice, being overcome by an extraordinary threat or just a stroke of bad luck. Such incidents decimate trust.
Kind regards,
Gary